Does it have this function?I just want to only analyze http packages.And
Does it can reduce capture loss rate via analyzing less packages? Thanks a
lot.
I'm trying to print the record type for each log stream at startup.
Something like:
for ( id in Log::active_streams ) {
local stream = Log::active_streams[id];
print stream$path, stream$columns;
}
doesn't work because $columns is a record type, and gets stringified "<no
value description>".
Is there a way to do this in zeek script?
Thanks,
Henri
Hello team,
we are doing a zeek poc.iam doing the integration with splunk.in the spunk
logs i see the ts value which is not in human readable
format.zeek-cut/bro-cut on the box can be used to convert ts to human
readable format using -d
the question is how can i do this before sending the json logs to splunk.is
there a way
Thanks
Venkatesh
After upgrading to zeek 3.0.0, we noticed that memory utilization on zeek
workers were constantly at 1G with vsize=1G. It was about half of the
usage with 2.6.1. Any ideas?
Hi there,
I have a question related to the ssl.log. As I am no expert of the SSL protocol, it is higly probable that I am missing something here.
I noticed in the ssl.log several cases where the field "established" is T, but there is no certificate found (no fuids) and the field validation_status in empty (-). In the code I saw that the field "established" is set to T if the event ssl_established is generated. Is it possible to establish an ssl session without certificates? Is it because some sessions can be resumed with tickets as described in RFC 5077?
I'd appreciate some help to save me some time...
Mauro
Hi all,
I have doing a clean install on RHEL8 host with Zeek 3.0.0. When I try to use any zeekctl option, it returns the following error:
root@rhel8host:~# zeekctl help
Warning: ZeekControl plugin uses legacy BroControl API. Use
'import ZeekControl.plugin' instead of 'import BroControl.plugin'
Error: no type given for node zeek
Maybe the problem is with python3 that comes with RHEL8? Any idea?
--
Regards,
C. L. Martinez
I mirrored the traffic between the core switch of our computer room and the public network firewall, but the zeek report contained a lot of packet loss (30%), and currently uses PFring for packet capture. I confirm that the hardware is fully capable of handling these packet。"Capture loss" and "dropped packets" have alarms。At the same time, in the werid log, a large number of TCP_seq/ack_underflow_or_misorder logs are included.
So I want to know why there is such a high rate of packet loss, how to trace the cause, and how to solve it.I look forward to receiving your reply.
Hi everyone.
We trying to use Zeek to monitor 4 interfaces in different machines. The idea is to have 1 Manager with 1 logger in one machine, and 4 workers to monitoring each of the interfaces. But this means that if the Manager crashes, everything goes down, I guess. So my question here is: ¿Is possible to configure a second Manager or something to reach high availability?
Regards.
Jorge García Rodríguez
Technical Consultant
Security Infrastructures
jgarciar(a)sia.es<mailto:jgarciar@sia.es>
Grupo SIA
Avda.Europa,2 - Alcor Plaza, Edificio B - Parque Oeste Alcorcón
28922 Alcorcón - Madrid
Tlf: +34 902 480 580<nxphone:+34%20902%20480%20580> Fax: +34 91 307 79 80<nxphone:+34%2091%20307%2079%2080>
www.siainternational.com<http://www.siainternational.com/>
delivering value
This e-mail and any attached files are intended solely for the addresse/s identified herein. It may contain confidential and/or legally privileged information and may not necessarily represent the opinion of SIA.
No legally binding commitments will be created by this E-mail message. Where we intend to create legally binding commitments these will be made through hard copy correspondence or documents. If you receive this message by mistake, please immediately notify the sender and delete it since you are not authorized to use, disclose, distribute, print or copy all or part of the contained information Thank you. It is understood that the message was sent to you accidentally, although you appear as the addressee, you can see from the frame of existing relations that you were not the final addressee.
I just Googled
bro sql injection detection
and this paper was the second result, right after a link to the Bro SQL
injection detection script.
https://www.sans.org/reading-room/whitepapers/detection/web-application-att…
You might have to look for Bro references as the Zeek rename is only a year
old.
Sincerely,
Richard
On Wed, Oct 23, 2019 at 9:26 AM edX <edx0004(a)gmail.com> wrote:
> I have done some research on detecting ssh bruteforce attacks. I found
> resource from hold my beer blog.
>
> edx0004.
>
> On Wed, Oct 23, 2019 at 3:49 PM Richard Bejtlich <richard(a)corelight.com>
> wrote:
>
>> Hello,
>>
>> What research have you done so far?
>>
>> Richard
>>
>> On Wed, Oct 23, 2019 at 4:04 AM edX <edx0004(a)gmail.com> wrote:
>>
>>> Hello! I am an intermediate zeek user. I would like a walk-through on
>>> how i can use zeek to detect different types of attacks such as sql
>>> injection, ddos, man in the middle attacks and the likes.
>>> Thanks.
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek(a)zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>>
>>
>> --
>> Richard Bejtlich
>> Principal Security Strategist, Corelight
>> https://corelight.blog/author/richardbejtlich/
>>
>
--
Richard Bejtlich
Principal Security Strategist, Corelight
https://corelight.blog/author/richardbejtlich/
