zeek March 2019

zeek@lists.zeek.org

36 participants
28 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

5 months

tcmalloc large alloc

by Rogers, Zach

Hello, We have been seeing some crash reports on some of our nodes, regarding a tcmalloc error. I was wondering if anyone else has seen this before and if anyone has any suggestions on what the cause might be. We are running Zeek 2.6. Here is an example stderr.log output from one of these crashes: ==== stderr.log Myricom: Local timesource listening on p2p2 tcmalloc: large alloc 1329594368 bytes == 0xc701c000 @ 0x7f72a12604ef 0x7f72a1280d56 0x9623cf 0x9623ff 0x8d8c90 0x8d1b79 0x928352 0x92895f 0x928a71 0x9242bd 0x7b5908 0x7ff59f 0x7b535d 0x7b555f 0x7b3a98 0x8c422e 0x8c3a70 0x95d49e 0x95dc16 0x8c33cc 0x8c36f9 0x8c323f 0x8c18be 0x8bef32 0x95d352 0x5c61dd 0x676f75 0x677f1c 0x648a0f 0x914669 0x648ec5 tcmalloc: large alloc 1661992960 bytes == 0x11641c000 @ 0x7f72a12604ef 0x7f72a1280dad 0x9623cf 0x9623ff 0x8d8c90 0x8d1b79 0x928352 0x92895f 0x928a71 0x9242bd 0x7b5908 0x7ff59f 0x7b535d 0x7b555f 0x7b3a98 0x8c422e 0x8c3a70 0x95d49e 0x95dc16 0x8c33cc 0x8c36f9 0x8c323f 0x8c18be 0x8bef32 0x95d352 0x5c61dd 0x676f75 0x677f1c 0x648a0f 0x914669 0x648ec5 /usr/local/bro/share/broctl/scripts/run-bro: line 110: 138751 Killed nohup "$mybro" "$@" Thanks! -- Zach Rogers Lead Security Analyst Security and Network Monitoring Oregon Research & Teaching Security Operations Center (ORTSOC) Phone: 541.737.7723 GPG Fingerprint: ECC5 03A6 7E91 17C6 50C6 8FAC D6A0 8001 2869 BD52

3 years, 1 month

Projected Throughput

by Brett Warrick

I've built a 1U box (Xeon Bronze-3104 / 16 GB RAM / 10GBase-T ports with Intel X557) and I'm wondering if it's able to manage a certain level of traffic; in this case, a sustained daily rate of 10MBps, spiking at 15MBps (please note, MBps, not Mbps - I know I could easily handle a sustained 15 Mbps). I'll be analyzing traffic on a large corporate network. What do you think? Is it underpowered? Way overboard? Any best guesses about the max level of throughput it could handle? Thanks in advance for your time and your thoughts! BJW

3 years, 2 months

: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

by Fernandez, Mark I

Alex, >> - Is the repository going to be maintain and updated >> e.g new attacks and categories techniques ? To be determined. We may do some small updates in the near future. Contributions from the Zeek community are welcome, and I believe we’ll be able to incorporate community contributions. >>- Second isn't possible to detect pth attack throught >> bzar_smb.bro ? Pass-the-Hash (pth) was not in the initial scope of the BZAR work. I think it would be great to add it, but I haven’t done a market survey to see if anyone else has already developed pth detection for Zeek. Cheers, Mark

3 years, 3 months

Sniffing on active/active firewalls

by Łukasz Biedka

Hello, I have a cluster of two active/active nodes of firewall. Each node of this firewall is in separate datacenter. Every node of this cluster have a Zeek server that is sniffing traffic from it through TAP. Each Zeek server works as a separate node - they are not clustered togheter. Problem is that I see a lot of "gaps" and percent_loss(from 30 to 70%) in capute_loss.log. broctl netstats also shows drops. Someone told me that this may be a problem with this active/active cluster and the method how it works - both nodes of this firewall receive traffic but only one of them sends responses back based on his load etc. As far as I know capture_loss and broctl netstats stats are based on data that they get from TCP sessions. So if I think correctly if Zeek server sees only part of the TCP session then he will log loss and dropped packets. Does anybody had similar problem and have some tips how to solve this? Best regards, Łukasz

3 years, 3 months

Re: [Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

by Fernandez, Mark I

Gary, >> bzar_smb.bro, line 39: "redef" used but not previously defined (SMB::write_cmd_log) Looks like "SMB::write_cmd_log" is removed from v2.6.x. Mark

3 years, 3 months

Re: [Zeek] [EXT] RE: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

by Fernandez, Mark I

Gary, I see the problem. There are rather significant changes between v2.5x and v2.6.x, as follows: DCE-RPC Event Differences: v2.5.x: event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count); v2.6.x: event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count); SMB Event Differences: v2.5.x: event smb2_create_request(c: connection, hdr: SMB2::Header, name: string); v2.6.x: event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest); Mark -----Original Message----- From: Weasel, Gary W CIV DISA RE (US) <gary.w.weasel2.civ(a)mail.mil> Sent: Wednesday, March 27, 2019 3:53 PM To: Fernandez, Mark I <mfernandez(a)mitre.org>; 'zeek(a)zeek.org' <zeek(a)zeek.org> Subject: [EXT] RE: [Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE I did change the SMB load directive but continued getting errors such as Error in /opt/bro/share/bro/base/gif/plugins/./Bro_DCE_RPC.events.bif.bro, line 125 and /opt/bro/share/bro/policy/bzar/./bzar_dce-rpc.bro, line 224: incompatible types (event(c:connection; fid:count; ctx_id:count; opnum:count; stub_len:count;) and event(c:connection: fid:count; opnum:count; stud_len:count)) And after trying to reconcile that Error in /opt/bro/share/bro/policy/bzar/./bzar_smb.bro, line 39: "redef" used but not previously defined (SMB::write_cmd_log) Error in /opt/bro/share/bro/base/bif/plugins/./Bro_SMB.smb2_com_create.bif.bro, line 17 and /opt/bro/share/bro/policy/bzar/./bzar_smb.bro, line 252: incompatible types (event(c:connection; hdr:SMB2::Header; request:SMB2::CreateRequest;) and event(c:connection; hdr:SMB2::Header; name:string;)) I stopped attempting to resolve on my own at that point. v/r Gary W. Weasel, Jr. | Computer Engineer Incident Response and Recovery Team, RE62 COM: 717.267.5777 -----Original Message----- From: Fernandez, Mark I <mfernandez(a)mitre.org> Sent: Wednesday, March 27, 2019 3:03 PM To: zeek(a)zeek.org; Weasel, Gary W CIV DISA RE (US) <gary.w.weasel2.civ(a)mail.mil> Subject: [Non-DoD Source] RE: [Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE Hi Gary, >> Is this developed for Bro/Zeek 2.5.5? I'm getting errors when >> attempting to load this in Bro/Zeek 2.6.1. Yes, I used v2.5.x. What types of errors are you getting? Is it @load errors with SMB, by chance? One thing I know changed with v2.6 is that the SMB analyzer was previously disabled by default in v2.5.x and I believe it is enable by default in v2.6. In main.bro line 10: @load policy/protocols/smb. This should be backward compatible with older versions of Bro/Zeek. But if you are getting @laod SMB errors, you could try changing line 10 to this: @load base/protocols/smb. Mark

3 years, 3 months

Re: [Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

by Fernandez, Mark I

Hi Gary, >> Is this developed for Bro/Zeek 2.5.5? I'm getting errors when attempting to load this in Bro/Zeek 2.6.1. Yes, I used v2.5.x. What types of errors are you getting? Is it @load errors with SMB, by chance? One thing I know changed with v2.6 is that the SMB analyzer was previously disabled by default in v2.5.x and I believe it is enable by default in v2.6. In main.bro line 10: @load policy/protocols/smb. This should be backward compatible with older versions of Bro/Zeek. But if you are getting @laod SMB errors, you could try changing line 10 to this: @load base/protocols/smb. Mark

3 years, 3 months

Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

by Fernandez, Mark I

All, MITRE has created a set of Bro/Zeek scripts to detect ATT&CK-like adversarial activity. The project is called BZAR - Bro/Zeek ATT&CK-based Analytics and Reporting. MITRE ATT&CK is a publicly-available, curated knowledge base for cyber adversary behavior, reflecting the various phases of the adversary lifecycle and the platforms they are known to target. The ATT&CK model includes behaviors of numerous threats groups. BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers and the File Extraction Framework to detect ATT&CK-like activity, correlate certain techniques, and write to the Notice Log. BZAR is publicly released as open source, under MITRE case number 18-2489. It is available for download at the following URL: * https://github.com/mitre-attack/car/tree/master/implementations/bzar For more information on MITRE ATT&CK, visit https://attack.mitre.org. Mark I. Fernandez The MITRE Corporation <mailto:mfernandez@mitre.org> mfernandez(a)mitre.org P.S. It does not yet support the Bro/Zeek Package Manager (this is on the todo list).

3 years, 3 months

Re: [Zeek] [EXT] Re: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

by Fernandez, Mark I

Hi Seth, yes, that is on the todo list. Hopefully, I'll have a package for it and add it to the package-manager soon. Mark -----Original Message----- From: Seth Hall <seth(a)corelight.com> Sent: Wednesday, March 27, 2019 10:45 AM To: Fernandez, Mark I <mfernandez(a)mitre.org> Cc: zeek(a)zeek.org; Zeolla(a)GMail.com Subject: [EXT] Re: [Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE Seconded! This is great, thanks for sharing Mark! Are guys planning on turning this into a package and adding it to the package manager? https://bro-package-manager.readthedocs.io/en/stable/package.html .Seth On 27 Mar 2019, at 9:37, Zeolla(a)GMail.com wrote: > Nice work, thanks for sharing! > > - Jon Zeolla > Zeolla(a)GMail.Com > > > On Wed, Mar 27, 2019 at 9:09 AM Fernandez, Mark I > <mfernandez(a)mitre.org> > wrote: > >> All, >> >> >> >> MITRE has created a set of Bro/Zeek scripts to detect ATT&CK-like >> adversarial activity. The project is called BZAR – Bro/Zeek >> ATT&CK-based Analytics and Reporting. >> >> >> >> MITRE ATT&CK is a publicly-available, curated knowledge base for >> cyber adversary behavior, reflecting the various phases of the >> adversary lifecycle and the platforms they are known to target. The >> ATT&CK model includes behaviors of numerous threats groups. >> >> >> >> BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC >> protocol analyzers and the File Extraction Framework to detect >> ATT&CK-like activity, correlate certain techniques, and write to the >> Notice Log. >> >> >> >> BZAR is publicly released as open source, under MITRE case number >> 18-2489. It is available for download at the following URL: >> >> - >> https://github.com/mitre-attack/car/tree/master/implementations/bzar >> >> >> >> For more information on MITRE ATT&CK, visit https://attack.mitre.org. >> >> >> >> >> >> *Mark I. Fernandez* >> >> The MITRE Corporation >> >> mfernandez(a)mitre.org >> >> >> >> P.S. It does not yet support the Bro/Zeek Package Manager (this is >> on the todo list). >> _______________________________________________ >> Zeek mailing list >> zeek(a)zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > _______________________________________________ > Zeek mailing list > zeek(a)zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -- Seth Hall * Corelight, Inc * www.corelight.com

3 years, 3 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek March 2019