Hi,
I am running Bro/Zeek v 2.6.1.
The fields logged in DNS logs are different from the ones shown in official
docs (DNS::Info seen at
https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.bro.html#ty…).
Concretely, the last four fields (total_answers, total_queries, saw_query
and saw_reply) are never part of the logs. This behaviour was seen
in previous versions of Bro/Zeek as well (at least from v2.4).
I looked at the dns/main.bro script and can't figure out why this is
happening. Any ideas are greatly appreciated.
Regards,
Dheeraj
Hello!
Two separate questions:
1) How do you configure an option in ./base/ in site/local.bro? For example
"base/protocols/ftp/info.bro:11: option default_capture_password = F;"
would like that to be set to T but don't want to change it in a ./base/
file.
2) I see FTP traffic in the connection log but there is no ftp.log generated.
Must this be turned on?
3) Lastly (and sneaky third question), I am extracting all files types. I
can extract the file via HTTP but am unable to extract the same over FTP.
Must this be turned on for FTP and IRC?
Thank you very much for the help.
Hi all,
I am reading Bro's docs about how to write a pcap file with Bro. According to the docs, passing the "-w" switch to bro via the BroArgs option will write a tcpdump file. That is perfect for what I am looking for, but is it possible to rotate this tcpdump file and remove it based on disk space and number of files?
Regards,
C. L. Martinez
Hi All,
Currently we are monitoring the north-south traffic using Zeek cluster
(with a manager/logger system and 4 dedicated systems running as workers),
and recently we managed to get approval of monitoring some of the east-west
traffic with Zeek as well (Yay).
We want the logs corresponding to the internal (east-west) traffic
monitoring to be logged separately from the logs of the north-south traffic
(current Zeek deployment).
Therefore I wanted to ask whether multiple managers (potentially two) can be set up
on a single system for two separate Zeek clusters (internal and external)?
Or does Zeek support distributed clustering yet?
Any thoughts, or a better way to achieve the same?
Thanks,
Fatema.
Hi,
I've been running bro for a few years, a simple, straightforward install. I recently have a need for my bro instance to monitor two interfaces (internal network and external network).
I've gotten this working; it was straightforward. My issue is that in most of the logs there is no tag or field indicating which interface the log entry is referring to. Some logs, like weird.log, do have a field called "peer" that indicates what seems to be the interface. dns.log and conn.log do not. Is there an easy way to add this field, or to add a field saying which node of the cluster the log entry originated from? I hope that makes sense.
Thank you,
Darrell Miller
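One way to get such a column, as an added example that is not part of the thread or of Zeek's own scripts: extend Conn::Info with a logged field and fill it from peer_description, the same global that weird.log's "peer" column is filled from. It assumes a broctl-managed deployment where each node's peer_description is its node name; the field name "node" is my choice.

```zeek
##! Added example: tag every conn.log entry with the node that produced it,
##! so entries from the two monitored interfaces can be told apart.
##! Not part of the original thread and not one of Zeek's own scripts.

@load base/protocols/conn

## Extra conn.log column (assumed name: "node"), carrying the name of the
## node that observed the connection. peer_description is the global that
## weird.log's "peer" column is filled from; under broctl it is the node name.
redef record Conn::Info += {
	node: string &log &optional;
};

# base/protocols/conn populates c$conn in this event at priority 5 and writes
# it to conn.log at priority -5, so a default-priority (0) handler runs in
# between: the record exists and has not been written yet.
event connection_state_remove(c: connection)
	{
	if ( c?$conn )
		c$conn$node = peer_description;
	}
```

Drop the file in site/ and @load it from local.bro; the same redef-record-plus-handler pattern applies to DNS::Info for dns.log.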
Hi,
I’m looking to capture from nflog (netfilter integration), but Zeek doesn’t seem to like `BroArgs = -i nflog:4`
Do I need to integrate a plugin for this to work?
Tom Donnelly
1. Question
I would like to obtain the bytes related to the certificates field, but I
don't see any event to get it.
Attached is a Wireshark image with the field underlined.
2. Question
Is there a way to extract exclusively the payload generated in each packet
of the SSL handshake?
For example,
    struct {
        ProtocolVersion client_version;
        Random random;
        SessionID session_id;
        CipherSuite cipher_suites<2..2^16-2>;
        CompressionMethod compression_methods<1..2^8-1>;
        select (extensions_present) {
            case false:
                struct {};
            case true:
                Extension extensions<0..2^16-1>;
        };
    } ClientHello;
all bytes of this Client Hello struct.