zeek January 2019

zeek@lists.zeek.org

38 participants
31 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

5 months

Zeek workshop Europe @ CERN - call for presentations

by Johanna Amann

Hi, this email is a short reminder of the upcoming Zeek Workshop Europe 2019 (April 9–11 @CERN, Geneva, Switzerland). The program will consist of talks by the Bro development team and external contributors. As in our last event, a large part of the development team will be attending the workshop. There are still a bunch of open spots - you can register at https://indico.cern.ch/event/762505/ (also linked from https://zeek.org). We also are still looking for presenters - if you have a topic that you might want to give a talk about, please submit an talk abstract to info(a)zeek.org. The deadline for this submission is February 25th, 2019. Please note that there is a MISP training/workshop hosted at CERN right after the Zeek workshop - you can find more information linked from the event page. Johanna

3 years, 4 months

Compiling bro scripts

by Barbaros Kazan

Hello all How to compile bro scripts? Hilti?.can we use hilti compiled llvm bitcode?

3 years, 4 months

Re: [Zeek] Using af_packet in a host with two nics

by Carlos Lopez

On 29/01/2019, 19:37, "Patrick P Murphy" <pmurphy(a)nrao.edu> wrote: Carlos Lopez <clopmz(a)outlook.com> writes: CL> Uhmm ... I have changed my config to: CL> [prod-ids] CL> type=worker CL> host=172.22.58.2 CL> interface=af_packet::eth2 CL> af_packet_fanout_id=5 CL> # CL> [dmz-ids] CL> type=worker CL> host=172.22.58.2 CL> interface=af_packet::eth3 CL> af_packet_fanout_id=10 This may be a totally dumb/naive question, but... why do the interfaces have the same IP address? Because this host has two network interfaces ....

3 years, 4 months

Help with Docker Bro

by Lalitha B

Hello all, Has anyone worked with this Docker Bro? I have installed dpisano/docker-bro image and run the image using docker run command. Broctl shows the status of the bro node as crashed. The broctl diag does not give any error indication. ( except - core not found, install gdb for backtrace). Any poniters on where help can be found on docker bros, maybe any other docker bro image ? Thanks, Lalitha

3 years, 4 months

Using af_packet in a host with two nics

by Carlos Lopez

Hi all, Is not posible to start a zeek's worker with two network interfaces using AF_Packet as a data acquisition? I have tried using the following config: [prod-ids] type=worker host=172.22.58.2 interface=af_packet::eth2 # [dmz-ids] type=worker host=172.22.58.2 interface=af_packet::eth3 ... But fails. And I have tried using " interface=' af_packet::eth2 -i af_packet::eth3' and it doesn't work also ... So, is it not possible to use af_packet to sniff two nics? I am using Zeek 2.6.1 with af_packet plugin installed. Regards, C. L. Martinez

3 years, 4 months

Bro 2.6.1 packet loss

by COLIN BLAIR

We are testing the latest release on our sensors and are seeing larger packet drops than the previous 2.5.5. We are running a local cluster with the following node.cfg: [manager] localhost [logger] localhost [proxy-1] localhost [worker-1] localhost lb_method = pf_ring lb_procs = 20 pin_cpus = 0-19 System: Xeon D-1587 16 cores, 32 logical, 1.7 Ghz 128GB DDR4 2133Mhz 8TB SSD Intel 10GBase-T X557 We are dropping traffic @ 250 Mb/s with this config. We have already tuned the BIOS, NIC and sysctl.d. Did the netstats command get updated in the latest release? We did not see this poor performance with bro 2.5.5. Can you provide any other suggestions? Also, did the pf_ring plugin get removed? R, CB

3 years, 4 months

Re: [Zeek] Segmentation fault in one node of the cluster (SOLVED)

by Carlos Lopez

Solved, my mistake ... /etc/bro dir, where I store all configuration, doesn't exist in this worker node ... Regards, C. L. Martinez On 26/01/2019, 14:10, "zeek-bounces(a)zeek.org on behalf of Carlos Lopez" <zeek-bounces(a)zeek.org on behalf of clopmz(a)outlook.com> wrote: Hi all, As a test lab I have installed a Zeek's cluster with one manager and two workers. All works ok for manager and one node, but in the other node the following error appears every time I try to start it: /opt/bro/share/broctl/scripts/run-bro: line 110: 52802 Segmentation fault nohup "$mybro" "$@" Commands like "bro -b -i lo0" or "bro -I em0" don't return any error ... Any idea? Regards, C. L. Martinez _______________________________________________ Zeek mailing list zeek(a)zeek.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

3 years, 5 months

Segmentation fault in one node of the cluster

by Carlos Lopez

Hi all, As a test lab I have installed a Zeek's cluster with one manager and two workers. All works ok for manager and one node, but in the other node the following error appears every time I try to start it: /opt/bro/share/broctl/scripts/run-bro: line 110: 52802 Segmentation fault nohup "$mybro" "$@" Commands like "bro -b -i lo0" or "bro -I em0" don't return any error ... Any idea? Regards, C. L. Martinez

3 years, 5 months

Re: [Zeek] DNS log records do not have total_answers, total_queries, saw_reply and saw_query fields

by Dheeraj Gupta

Ah, thanks for pointing it out. I didn't know about the &log attribute On Fri 25 Jan, 2019, 22:15 Jon Siwek, <jsiwek(a)corelight.com> wrote: > On Fri, Jan 25, 2019 at 2:36 AM Dheeraj Gupta <dheeraj.gupta4(a)gmail.com> > wrote: > > > The fields logged in DNS logs are different from the ones shown in > official docs (DNS::Info seen at > https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.bro.html#ty…). > Concretely, the last four fields (total_answers, total_queries, saw_query > and saw_reply) fields are never part of the logs. > > The logs contain only fields with the &log attribute. Those fields do > not have &log, so they are not in the logs. > > - Jon >

3 years, 5 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek January 2019