Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have less than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with rings less than 32, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with rings greater than 32, I get 800000
packets with 33 rings and 1200000 packets with 34 rings, and so on.
I guess there is some rule that a pf_ring or a Bro cluster can only
support less than 32 rings or worker threads on a server, or some other
reason?
Any insight would be helpful.
Hello,
We have been seeing some crash reports on some of our nodes, regarding a tcmalloc error. I was wondering if anyone else has seen this before and if anyone has any suggestions on what the cause might be. We are running Zeek 2.6. Here is an example stderr.log output from one of these crashes:
==== stderr.log
Myricom: Local timesource
listening on p2p2
tcmalloc: large alloc 1329594368 bytes == 0xc701c000 @ 0x7f72a12604ef 0x7f72a1280d56 0x9623cf 0x9623ff 0x8d8c90 0x8d1b79 0x928352 0x92895f 0x928a71 0x9242bd 0x7b5908 0x7ff59f 0x7b535d 0x7b555f 0x7b3a98 0x8c422e 0x8c3a70 0x95d49e 0x95dc16 0x8c33cc 0x8c36f9 0x8c323f 0x8c18be 0x8bef32 0x95d352 0x5c61dd 0x676f75 0x677f1c 0x648a0f 0x914669 0x648ec5
tcmalloc: large alloc 1661992960 bytes == 0x11641c000 @ 0x7f72a12604ef 0x7f72a1280dad 0x9623cf 0x9623ff 0x8d8c90 0x8d1b79 0x928352 0x92895f 0x928a71 0x9242bd 0x7b5908 0x7ff59f 0x7b535d 0x7b555f 0x7b3a98 0x8c422e 0x8c3a70 0x95d49e 0x95dc16 0x8c33cc 0x8c36f9 0x8c323f 0x8c18be 0x8bef32 0x95d352 0x5c61dd 0x676f75 0x677f1c 0x648a0f 0x914669 0x648ec5
/usr/local/bro/share/broctl/scripts/run-bro: line 110: 138751 Killed nohup "$mybro" "$@"
Thanks!
--
Zach Rogers
Lead Security Analyst
Security and Network Monitoring
Oregon Research & Teaching Security Operations Center (ORTSOC)
Phone: 541.737.7723
GPG Fingerprint: ECC5 03A6 7E91 17C6 50C6 8FAC D6A0 8001 2869 BD52
I've built a 1U box (Xeon Bronze-3104 / 16 GB RAM / 10GBase-T ports with Intel X557) and I'm wondering if it's able to manage a certain level of traffic; in this case, a sustained daily rate of 10MBps, spiking at 15MBps (please note, MBps, not Mbps - I know I could easily handle a sustained 15 Mbps). I'll be analyzing traffic on a large corporate network. What do you think? Is it underpowered? Way overboard? Any best guesses about the max level of throughput it could handle?
Thanks in advance for your time and your thoughts!
BJW
Alex,
>> - Is the repository going to be maintained and updated,
>> e.g. with new attacks, categories and techniques?
To be determined. We may do some small updates in the near future. Contributions from the Zeek community are welcome, and I believe we’ll be able to incorporate community contributions.
>> - Second, isn't it possible to detect pth attacks through
>> bzar_smb.bro?
Pass-the-Hash (pth) was not in the initial scope of the BZAR work. I think it would be great to add it, but I haven’t done a market survey to see if anyone else has already developed pth detection for Zeek.
Cheers,
Mark
Hello,
I have a cluster of two active/active nodes of a firewall. Each node of this
firewall is in a separate datacenter. Every node of this cluster has a Zeek
server that is sniffing traffic from it through a TAP. Each Zeek server works
as a separate node - they are not clustered together.
The problem is that I see a lot of "gaps" and percent_loss (from 30 to 70%) in
capture_loss.log.
broctl netstats also shows drops.
Someone told me that this may be a problem with this active/active cluster
and the way it works - both nodes of this firewall receive traffic,
but only one of them sends responses back, based on its load etc.
As far as I know, capture_loss and broctl netstats stats are based on data
that they get from TCP sessions. So if I think correctly, if a Zeek server
sees only part of the TCP session then it will log loss and dropped packets.
Has anybody had a similar problem and some tips on how to solve this?
Best regards,
Łukasz
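The hypothesis above (each sensor sees only one direction of many TCP sessions) can be checked more directly than through capture_loss.log. The script below is an added example and is not part of the thread or of Zeek's own scripts: it counts, per reporting interval, the TCP connections for which this sensor saw payload from exactly one endpoint. Behind an active/active pair that answers from the other node, that ratio will be high. The module name, the thresholds and the reporting interval are assumptions; c$orig$size and c$resp$size are the payload byte counts Zeek keeps for each endpoint.

```zeek
##! Added example (not from the thread above): estimate how many TCP
##! connections this sensor saw in one direction only, a symptom of the
##! asymmetric active/active path described in the question.
##! Module name, interval and minimum sample size are assumptions.

module OneSided;

export {
    ## Reporting interval (assumed; tune to taste).
    const report_interval = 5min &redef;
    ## Do not report until at least this many TCP connections have ended.
    const min_conns = 100 &redef;
}

global total_conns: count = 0;
global one_sided_conns: count = 0;

event report_one_sided()
    {
    if ( total_conns >= min_conns )
        {
        local pct = (100.0 * one_sided_conns) / total_conns;
        Reporter::info(fmt("OneSided: %d of %d TCP connections carried payload from one side only (%.1f percent)",
                           one_sided_conns, total_conns, pct));
        }

    total_conns = 0;
    one_sided_conns = 0;
    schedule report_interval { report_one_sided() };
    }

# bro_init is the Zeek 2.x name of the startup event; Zeek 3 and later
# also accept zeek_init.
event bro_init()
    {
    schedule report_interval { report_one_sided() };
    }

event connection_state_remove(c: connection)
    {
    if ( get_port_transport_proto(c$id$resp_p) != tcp )
        return;

    ++total_conns;

    # c$orig$size and c$resp$size are the payload bytes seen from each
    # endpoint. Payload from exactly one side means the other direction
    # never crossed this TAP (or the responder really never answered;
    # scans and closed ports land here too, hence a ratio, not an alarm).
    if ( (c$orig$size > 0 && c$resp$size == 0) ||
         (c$orig$size == 0 && c$resp$size > 0) )
        ++one_sided_conns;
    }
```

Run it on each Zeek server separately. If the node that only forwards requests reports a much higher one-sided ratio than the node that sends the responses, the capture_loss gaps are an artifact of the asymmetric path, not of packet drops on the sensor, and the fix is to feed both TAPs into one sensor (or one cluster) so each session is reassembled from both directions.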
Gary,
>> bzar_smb.bro, line 39: "redef" used but not previously defined
(SMB::write_cmd_log)
Looks like "SMB::write_cmd_log" is removed from v2.6.x.
Mark
Gary,
I see the problem. There are rather significant changes between v2.5x and
v2.6.x, as follows:
DCE-RPC Event Differences:
v2.5.x: event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count);
v2.6.x: event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count);
SMB Event Differences:
v2.5.x: event smb2_create_request(c: connection, hdr: SMB2::Header, name: string);
v2.6.x: event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest);
Mark
-----Original Message-----
From: Weasel, Gary W CIV DISA RE (US) <gary.w.weasel2.civ(a)mail.mil>
Sent: Wednesday, March 27, 2019 3:53 PM
To: Fernandez, Mark I <mfernandez(a)mitre.org>; 'zeek(a)zeek.org'
<zeek(a)zeek.org>
Subject: [EXT] RE: [Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting
(BZAR), by MITRE
I did change the SMB load directive but continued getting errors such as
Error in /opt/bro/share/bro/base/bif/plugins/./Bro_DCE_RPC.events.bif.bro,
line 125 and /opt/bro/share/bro/policy/bzar/./bzar_dce-rpc.bro, line 224:
incompatible types (event(c:connection; fid:count; ctx_id:count;
opnum:count; stub_len:count;) and event(c:connection; fid:count;
opnum:count; stub_len:count))
And after trying to reconcile that
Error in /opt/bro/share/bro/policy/bzar/./bzar_smb.bro, line 39: "redef"
used but not previously defined (SMB::write_cmd_log) Error in
/opt/bro/share/bro/base/bif/plugins/./Bro_SMB.smb2_com_create.bif.bro, line
17 and /opt/bro/share/bro/policy/bzar/./bzar_smb.bro, line 252: incompatible
types (event(c:connection; hdr:SMB2::Header; request:SMB2::CreateRequest;)
and event(c:connection; hdr:SMB2::Header; name:string;))
I stopped attempting to resolve on my own at that point.
v/r
Gary W. Weasel, Jr. | Computer Engineer
Incident Response and Recovery Team, RE62
COM: 717.267.5777
-----Original Message-----
From: Fernandez, Mark I <mfernandez(a)mitre.org>
Sent: Wednesday, March 27, 2019 3:03 PM
To: zeek(a)zeek.org; Weasel, Gary W CIV DISA RE (US)
<gary.w.weasel2.civ(a)mail.mil>
Subject: [Non-DoD Source] RE: [Zeek] Bro/Zeek ATT&CK-based Analytics and
Reporting (BZAR), by MITRE
Hi Gary,
>> Is this developed for Bro/Zeek 2.5.5? I'm getting errors when
>> attempting
to load this in Bro/Zeek 2.6.1.
Yes, I used v2.5.x. What types of errors are you getting? Is it @load
errors with SMB, by chance?
One thing I know changed with v2.6 is that the SMB analyzer was previously
disabled by default in v2.5.x and I believe it is enabled by default in v2.6.
In main.bro line 10:
@load policy/protocols/smb. This should be backward compatible with older
versions of Bro/Zeek. But if you are getting @load SMB errors, you could
try changing line 10 to this: @load base/protocols/smb.
Mark
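One way to carry a script such as BZAR across the two signature changes Mark lists above is to keep a single version-independent body per event and add a thin wrapper for each release's argument list, selected at parse time. The script below is an added example, not BZAR code and not part of the thread. It assumes Version::number as defined by Zeek's base scripts, the SMB2::CreateRequest record's filename field and SMB2::Header's message_id field as shipped with the 2.6 SMB analyzer, and a log stream name of its own. It addresses only the two event signatures; the removed SMB::write_cmd_log redef mentioned elsewhere in the thread still has to be dropped separately.

```zeek
##! Added example (not BZAR's code): one handler body for each of the two
##! events whose signatures changed between Bro/Zeek v2.5.x and v2.6.x,
##! with the version-specific wrapper chosen at parse time.
##! The module and log names are assumptions.

module BzarCompat;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:     time   &log;
        uid:    string &log;
        kind:   string &log;   # "dce_rpc_response" or "smb2_create"
        detail: string &log;
    };
}

# bro_init is the Zeek 2.x name; Zeek 3 and later also accept zeek_init.
event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="bzar_compat"]);
    }

# Version-independent bodies: both releases expose everything these need
# once the argument lists are normalised by the wrappers below.
function on_dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
    {
    Log::write(LOG, [$ts=network_time(), $uid=c$uid, $kind="dce_rpc_response",
                     $detail=fmt("fid=%d opnum=%d stub_len=%d", fid, opnum, stub_len)]);
    }

function on_smb2_create(c: connection, hdr: SMB2::Header, name: string)
    {
    Log::write(LOG, [$ts=network_time(), $uid=c$uid, $kind="smb2_create",
                     $detail=fmt("message_id=%d name=%s", hdr$message_id, name)]);
    }

@if ( Version::number >= 20600 )
# v2.6.x: ctx_id is inserted before opnum, and the SMB2 create request
# arrives as a record whose filename field carries the old name argument.
event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)
    {
    on_dce_rpc_response(c, fid, opnum, stub_len);
    }

event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest)
    {
    on_smb2_create(c, hdr, request$filename);
    }
@else
# v2.5.x signatures exactly as quoted in the message above.
event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
    {
    on_dce_rpc_response(c, fid, opnum, stub_len);
    }

event smb2_create_request(c: connection, hdr: SMB2::Header, name: string)
    {
    on_smb2_create(c, hdr, name);
    }
@endif
```

Because @if is evaluated when the script is parsed, only one pair of handlers is ever compiled, so the "incompatible types" errors quoted in Gary's message cannot occur on either release; the detection logic itself lives in the two functions and never has to know which signature delivered its arguments.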
All,
MITRE has created a set of Bro/Zeek scripts to detect ATT&CK-like
adversarial activity. The project is called BZAR - Bro/Zeek ATT&CK-based
Analytics and Reporting.
MITRE ATT&CK is a publicly-available, curated knowledge base for cyber
adversary behavior, reflecting the various phases of the adversary lifecycle
and the platforms they are known to target. The ATT&CK model includes
behaviors of numerous threat groups.
BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol
analyzers and the File Extraction Framework to detect ATT&CK-like activity,
correlate certain techniques, and write to the Notice Log.
BZAR is publicly released as open source, under MITRE case number 18-2489.
It is available for download at the following URL:
* https://github.com/mitre-attack/car/tree/master/implementations/bzar
For more information on MITRE ATT&CK, visit https://attack.mitre.org.
Mark I. Fernandez
The MITRE Corporation
<mailto:mfernandez@mitre.org> mfernandez(a)mitre.org
P.S. It does not yet support the Bro/Zeek Package Manager (this is on the
todo list).
Hi Seth, yes, that is on the todo list. Hopefully, I'll have a package for it and add it to the package-manager soon.
Mark
-----Original Message-----
From: Seth Hall <seth(a)corelight.com>
Sent: Wednesday, March 27, 2019 10:45 AM
To: Fernandez, Mark I <mfernandez(a)mitre.org>
Cc: zeek(a)zeek.org; Zeolla(a)GMail.com
Subject: [EXT] Re: [Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE
Seconded! This is great, thanks for sharing Mark! Are you guys planning on turning this into a package and adding it to the package manager?
https://bro-package-manager.readthedocs.io/en/stable/package.html
.Seth
On 27 Mar 2019, at 9:37, Zeolla(a)GMail.com wrote:
> Nice work, thanks for sharing!
>
> - Jon Zeolla
> Zeolla(a)GMail.Com
>
>
> On Wed, Mar 27, 2019 at 9:09 AM Fernandez, Mark I
> <mfernandez(a)mitre.org>
> wrote:
>
>> All,
>>
>> MITRE has created a set of Bro/Zeek scripts to detect ATT&CK-like
>> adversarial activity. The project is called BZAR – Bro/Zeek
>> ATT&CK-based Analytics and Reporting.
>>
>> MITRE ATT&CK is a publicly-available, curated knowledge base for
>> cyber adversary behavior, reflecting the various phases of the
>> adversary lifecycle and the platforms they are known to target. The
>> ATT&CK model includes behaviors of numerous threat groups.
>>
>> BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC
>> protocol analyzers and the File Extraction Framework to detect
>> ATT&CK-like activity, correlate certain techniques, and write to the
>> Notice Log.
>>
>> BZAR is publicly released as open source, under MITRE case number
>> 18-2489. It is available for download at the following URL:
>>
>> - https://github.com/mitre-attack/car/tree/master/implementations/bzar
>>
>> For more information on MITRE ATT&CK, visit https://attack.mitre.org.
>>
>> *Mark I. Fernandez*
>> The MITRE Corporation
>> mfernandez(a)mitre.org
>>
>> P.S. It does not yet support the Bro/Zeek Package Manager (this is
>> on the todo list).
>> _______________________________________________
>> Zeek mailing list
>> zeek(a)zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
--
Seth Hall * Corelight, Inc * www.corelight.com