Hi all,
Recently I have some problems with Bro and PF_RING in cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings, I get 800000
packets with 33 rings, 1200000 packets with 34 rings, and so on.
I wonder if there is some rule that a pf_ring or a Bro cluster can only
support fewer than 32 rings or worker threads on a server, or some other
reason?
Any insight would be helpful.
Does it have this function? I just want to only analyze HTTP packets. And
can it reduce the capture loss rate by analyzing fewer packets? Thanks a
lot.
I'm trying to print the record type for each log stream at startup.
Something like:
for ( id in Log::active_streams ) {
    local stream = Log::active_streams[id];
    print stream$path, stream$columns;
}
doesn't work because $columns is a record type, and gets stringified "<no
value description>".
Is there a way to do this in zeek script?
Thanks,
Henri
Hello team,
we are doing a Zeek PoC. I am doing the integration with Splunk. In the Splunk
logs I see the ts value, which is not in human-readable
format. zeek-cut/bro-cut on the box can be used to convert ts to human-readable
format using -d.
The question is how can I do this before sending the JSON logs to Splunk. Is
there a way?
Thanks
Venkatesh
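One way to do the conversion in the forwarding path, as an added example that is not part of Venkatesh's post or of Zeek's own tooling: a small Python filter that rewrites the epoch `ts` of each JSON log line to ISO 8601 UTC before the line is shipped. The sample log lines are constructed; the field list in TIME_FIELDS is an assumption you extend for other `time`-typed columns.

```python
import json
from datetime import datetime, timezone

# Constructed sample: Zeek-style JSON log lines with "ts" as seconds since the
# epoch (the default Zeek JSON output), plus one line without a "ts" field.
SAMPLE_LINES = [
    '{"ts":1570000000.123456,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"10.0.0.9","id.resp_p":80,"proto":"tcp"}',
    '{"ts":1570000001.5,"uid":"CHhAvVGS1DHFjwGM9","method":"GET","host":"example.test","uri":"/"}',
    '{"uid":"no-ts-field"}',
]

# Assumed list of fields to rewrite; conn.log "start" or other `time` columns
# would be added here for logs that carry them.
TIME_FIELDS = ("ts",)


def epoch_to_iso8601(ts: float) -> str:
    """Format an epoch timestamp as ISO 8601 UTC with microsecond precision."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"


def convert_line(line: str) -> str:
    """Rewrite every numeric TIME_FIELDS value in one JSON log line.

    Lines without the field, or with a non-numeric value, pass through unchanged
    apart from compact re-serialization; key order is preserved.
    """
    rec = json.loads(line)
    for field in TIME_FIELDS:
        if field in rec and isinstance(rec[field], (int, float)):
            rec[field] = epoch_to_iso8601(rec[field])
    return json.dumps(rec, separators=(",", ":"))


def convert_stream(lines):
    """Convert an iterable of log lines, skipping blank ones."""
    return [convert_line(line) for line in lines if line.strip()]


if __name__ == "__main__":
    for out in convert_stream(SAMPLE_LINES):
        print(out)
```

Zeek 3.0 can also emit ISO 8601 timestamps in its JSON writer directly with `redef LogAscii::json_timestamps = JSON::TS_ISO8601;`, which avoids the post-processing step altogether.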
After upgrading to Zeek 3.0.0, we noticed that memory utilization on Zeek
workers was constantly at 1G with vsize=1G. It was about half of the
usage with 2.6.1. Any ideas?
Hi there,
I have a question related to the ssl.log. As I am no expert on the SSL protocol, it is highly probable that I am missing something here.
I noticed in the ssl.log several cases where the field "established" is T, but there is no certificate found (no fuids) and the field validation_status is empty (-). In the code I saw that the field "established" is set to T if the event ssl_established is generated. Is it possible to establish an SSL session without certificates? Is it because some sessions can be resumed with tickets as described in RFC 5077?
I'd appreciate some help to save me some time...
Mauro
Hi all,
I have done a clean install on a RHEL8 host with Zeek 3.0.0. When I try to use any zeekctl option, it returns the following error:
root@rhel8host:~# zeekctl help
Warning: ZeekControl plugin uses legacy BroControl API. Use
'import ZeekControl.plugin' instead of 'import BroControl.plugin'
Error: no type given for node zeek
Maybe the problem is with python3 that comes with RHEL8? Any idea?
--
Regards,
C. L. Martinez
I mirrored the traffic between the core switch of our computer room and the public network firewall, but the Zeek report contained a lot of packet loss (30%), and it currently uses PF_RING for packet capture. I confirm that the hardware is fully capable of handling these packets. "Capture loss" and "dropped packets" have alarms. At the same time, the weird log includes a large number of TCP_seq/ack_underflow_or_misorder entries.
So I want to know why there is such a high rate of packet loss, how to trace the cause, and how to solve it. I look forward to receiving your reply.
Hi everyone.
We are trying to use Zeek to monitor 4 interfaces on different machines. The idea is to have 1 manager with 1 logger on one machine, and 4 workers monitoring each of the interfaces. But this means that if the manager crashes, everything goes down, I guess. So my question here is: is it possible to configure a second manager or something to reach high availability?
Regards.
Jorge García Rodríguez
Technical Consultant
Security Infrastructures
jgarciar(a)sia.es
Grupo SIA
Avda. Europa, 2 - Alcor Plaza, Edificio B - Parque Oeste Alcorcón
28922 Alcorcón - Madrid
Tlf: +34 902 480 580  Fax: +34 91 307 79 80
www.siainternational.com