zeek September 2018

zeek@lists.zeek.org

32 participants
33 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

3 months, 3 weeks

[Bro] Bro 2.5.5 Duplicate UIDs

by MAÁN ABU SHAQRA

Hi, were facing this issue with bro whereby its duplicating entries see below: 1536746459.586520 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39011 - maanpc 1 C_INTERNET 32 NB F 1536746460.343566 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39011 - maanpc 1 C_INTERNET 32 NB F 1536746461.107930 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39011 - maanpc 1 C_INTERNET 32 NB F 1536746466.418528 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39013 - maanpc 1 C_INTERNET 32 NB F 1536746467.176333 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39013 - maanpc 1 C_INTERNET 32 NB F 1536746467.940695 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39013 - maanpc 1 C_INTERNET 32 NB F 1536746473.250630 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39017 - maanpc 1 C_INTERNET 32 NB F 1536746474.010337 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39017 - maanpc 1 C_INTERNET 32 NB F 1536746474.773560 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39017 - maanpc 1 C_INTERNET 32 NB F 1536746452.751762 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39009 - maanpc 1 C_INTERNET 32 NB F 1536746453.510702 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39009 - maanpc 1 C_INTERNET 32 NB F 1536746454.275116 CbxxYF1uTyqC499HDe 192.168.20.15 137 10.190.129.26 137 udp 39009 - maanpc 1 C_INTERNET 32 NB F there was like 40% dropped packets ive configured pf_ring and af_packet and managed to get less than 1% packets dropped. however im still seeing duplicated packets mostly in DNS. please advise thanks

3 years, 7 months

[Bro] HTTP Log filter

by Rick Chisholm

Need to find a way to filter all traffic from a particular user-agent so that it does not get logged. Been reading docs and reviewing .bro files, but still kind of stumped. Any help is greatly appreciated. TIA

3 years, 7 months

[Bro] - mismatch between conn's service and analyzer

by william de ping

Hi all, At various occasions I've came across a conn log indicating a session's service as dns (udp port 53). Yet I do not see that UID from bro's DNS log. Any ideas why ? Does conn's service field should indicate the bro analyzer being used ? Thank you B

3 years, 7 months

[Bro] Elasticsearch plugin compile error

by wangdj＠ffcs.cn

Hi, when i compile Bro elasticsearch plugin, i got the following error: [ 18%] Creating build/lib/bif for Bro::ElasticSearch Error copying directory from "/data/bro-2.5.4/aux/plugins/elasticsearch/build/bif" to "/data/bro-2.5.4/aux/plugins/elasticsearch/build/lib/bif". My compile step is: first, use the following command to compile Bro: #./configure --with-pcap=/usr/lib64 --prefix=/usr/local/bro #make #make install second, use the following command to compile elasticsearch plugin: #cd bro-2.5.4/aux/plugins/elasticsearch #./configure --with-libcurl=/usr/local #make #make install I am sure the libpcap and libcure library path is not wrong. When i make the dir "/data/bro-2.5.4/aux/plugins/elasticsearch/build/bif" manually and compile elasticsearch again, the error disappear. But i do not know what effect it will have if i do this. Can anyone tell me what may leds to this error and how to resolve it. Best Regards DeJin Wang

3 years, 7 months

[Bro] Sample file for to run detect-MHR.bro file

by rahul rakesh

Dear all C an you suggest me how to run detect-MHR.bro file?. I need some pdf file to test it. If anyone have it , pls send me. with regards bravi

3 years, 8 months

[Bro] Enable ssh detection?

by rahul rakesh

Hi all, Given SSH example from Bro site is working fine ,when it is tested from the command line . I mean SSH events such as failed and success are generated and also log is created. But with out using ssh guess pcap file, when i do ssh thing between two systems, these events such as ssh_auth_fail and success are *NOT *generating. Can you tell How to solve this issue?. or How can i enable SSH detection? with regards ravi

3 years, 8 months

[Bro] 答复：Re: Does BPF filter of worker has the ability of packet retransmition

by 王德劲

Hi Vern, The span of original sentence is a bit too large to understand for me. But understand now. Thanks for your reply. DeJin Wang ======last communication cotent======From :"Vern Paxson" <vern(a)corelight.com>; Date :09/24 2018 04:55:20To :"wangdj(a)ffcs.cn" <wangdj(a)ffcs.cn>Cc :"bro" <bro(a)bro.org>Subject :Re: [Bro] Does BPF filter of worker has the ability of packet retransmition > "The packets can then be passed directly to a monitoring host where > each worker has a BPF filter to limit its visibility to only that stream > of flows, or onward to a commodity switch to split the traffic out to > multiple 1G interfaces for the workers." > > Does this sentence means worker`s BPF filter can retransmit packets to other switch? The "or onward" part is talking about what the front-end does, rather than what the workers do. The front end *either* sends all packets to a host for which each individual worker applies a (disjoint) BPF filter to the stream to pick out those flows specifically for it; *or* the front end can send the traffic to a switch that explicitly load-balances the traffic across multiple 1G interfaces. Vern

3 years, 8 months

[Bro] Warning of "did not find requested field indicator" from intelligence data file

by wangdj＠ffcs.cn

Hi, According to instruction of intelligence framework, i wrote a intelligence framework text file myintel.txt which content is: #fields indicator indicator_type meta.source meta.desc meta.url 14.215.177.39 Intel::ADDR baidu use baidu search - Very simple. I also wrote a simple bro script file mytest.bro which content is: @load policy/frameworks/intel/seen @load policy/frameworks/intel/do_notice redef Intel::read_files += { "./myintel.txt" }; when i run this script with command "./bro -i eth3 mytest" on a shell terminal and run "ping 14.215.177.39" command on another shell terminal, i got the following warning and : warning: ./myintel.txt/Input::READER_ASCII: Did not find requested field indicator in input data file ./myintel.txt. It seems that there is no error with the myintel.txt file, then what happened leads to this warning. Best Regards DeJin Wang

3 years, 8 months

[Bro] BroCon 2018 is around the corner!

by Keith Lehigh

Hi Folks, We’re about 2 1/2 weeks out from BroCon 2018. We’ve got a good conference put together with presentations from the community on topics such as writing analyzers, new scripts and packages, working with Bro data and managing Bro deployments. We also have a great keynote scheduled from Marcus Ranum. We’ve extended the hotel block rate until Monday, September 24th so you’ve still got time to make reservations at reduced price. We’re looking forward to seeing everybody in D.C.! - Keith

3 years, 8 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek September 2018