zeek April 2019

zeek@lists.zeek.org

40 participants
33 discussions

by Martin, Eric J

I just installed from source (master) on a fresh pull, and I am unable to run bro deploy. When I do, I receive the following error: sudo /usr/local/bro/bin/broctl deploy checking configurations ... bro scripts failed. /usr/local/bro/bin/bro: error while loading shared libraries: libbinpac.so.0: cannot open shared object file: No such file or directory ldd confirms that libbinpac.so.0 isn’t linked, though the library installed, and the library is linked in ~/sandbox/zeek/build/src ldd /usr/local/bro/bin/bro linux-vdso.so.1 => (0x00007fff093de000) libbinpac.so.0 => not found libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f13d7196000) ldd ~/sandbox/zeek/build/src/bro linux-vdso.so.1 => (0x00007ffc18dcb000) libbinpac.so.0 => /home/ejmartin2/sandbox/zeek/build/aux/binpac/lib/libbinpac.so.0 (0x00007f41ba9de000) lrwxrwxrwx. 1 root root 14 Apr 17 12:47 /usr/local/bro/lib64/libbinpac.so -> libbinpac.so.0 lrwxrwxrwx. 1 root root 20 Apr 17 12:47 /usr/local/bro/lib64/libbinpac.so.0 -> libbinpac.so.0.51-11 -rwxr-xr-x. 1 root root 96072 Apr 17 12:53 /usr/local/bro/lib64/libbinpac.so.0.51-11 to install, I • cloned the repository, made sure the submodules were recursively up to date • cloned PF_RING • Compiled • installed • ./configure —with-pcacp=/opt/pcap • make • sudo make install Can somebody please help me with what I’m doing incorrectly? Thank you, [cid:5E7156F0-3BAB-41F2-B32B-5702AED1A414] Eric Martin, CISSP Information Security Engineer Worcester Polytechnic Institute ejmartin2(a)wpi.edu<mailto:ejmartin2@wpi.edu> Key fingerprint = C74F 1EBF 2E80 7984 8CB5 064E BF17 D34C C704 B30F For security purposes, this message has been double ROT13 encoded

2 years, 7 months

threat intel questions

by Ambros Novak

Hello! I have several questions about the threat intel: Is there a way to add meta.url and meta.desc to intel.log? For Intel::FILE_NAME to work, does base/frameworks/intel/files.bro go in local.bro? Will Intel::FILE_HASH detect MD5, SHA1, SHA256, SHA256, imphash, and authentihash? Will Intel::CERT_HASH detect MD5 or SHA256? Will the intel frame detect part of part a URL or does only the full URL? Will "@domain.com" work in the Intel::EMAIL, or is it best to just remove the "@" and add it to Intel::Domain? Does meta.do_notice have to be set to T for an event to get logged into intel.log? Thank you for the help.

2 years, 7 months

(no subject)

by Daniel Herakovic

Hello, I've been trying to get Zeek installed on a Clear linux distribution machine for a while. I know my way around linux enough to get this done from the github source, but what caused me so much trouble was a missing pre-requisite - the C++ Actor framework. I'm not a linux beginner, and I installed all of the pre-requisits, but if this was added to the part of the instalation documentation under "To build Bro from source, the following additional dependencies are required:", installing from source would have been much smoother for me. If for some reason, this being left out is intentional, sorry to bring this up. After setting up all of the. cfg files and runnung install and start in broctrl, I got the following error: ‎ cl@clr-31868b162a544d5290cfe54c3dd15df1 /usr/local/bro/logs/current $ cat stderr.log *** failed to set config parameter work-stealing.moderate-sleep-duration-us: invalid name *** failed to set config parameter work-stealing.relaxed-sleep-duration-us: invalid name /usr/local/bro/share/broctl/scripts/run-bro: line 110: 1211 Segmentation fault (core dumped) nohup "$mybro" "$@"‎ The proces did not start. Any suggestions how to solve this or any links to possibles hints for a solution would be appreciated. I enjoyed the conference at Cern very much. Thanks. Dan.

2 years, 7 months

Unit test extensions

by Woot4moo

Has anyone in the community extended btest to support better test metrics? Currently btest will give me a pass or fail per file as opposed to having multiple scenarios in a file. The structure I am looking for is below: Example in one file @Scenario(First) #test code here @Scenario(Second) #test code here Success 2 out of 2 passed

2 years, 7 months

NIC benchmarks and selection criteria

by Woot4moo

Are there any available benchmarks by which the community measures NIC selection? I.E., How do others known which hardware baseline to choose for a given traffic volume while using Zeek.

2 years, 7 months

Interface Removed From Config but Keeps Monitoring Traffic

by Kevin Ross

Hi, I configured an afpacket interface in addition to one I was already using and it monitored fine but I want to stop monitoring this link for now and just leave it to Suricata at the moment. I have removed the configuration for it and redeployed, cleaned and everything else I can thing of and many config installs and when started while only the works configured on the original interface show in running jobs I am still getting traffic events from the other interface (I know this because of the IPs being monitored). Is there anything I can check or clean up to try and force bro to completely "forget" it ever knew about this interface? Thanks. Kind Regards, Kevin Ross

2 years, 7 months

Re: [Zeek] UPDATE: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

by Weasel, Gary W CIV DISA RE (US)

Mark, Thank you for the update! Confirming on my end that we're able to get it running and producing notices. v/r Gary -----Original Message----- From: Fernandez, Mark I <mfernandez(a)mitre.org> Sent: Wednesday, April 10, 2019 12:39 PM To: zeek(a)zeek.org; Weasel, Gary W CIV DISA RE (US) <gary.w.weasel2.civ(a)mail.mil> Subject: [Non-DoD Source] UPDATE: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser. ________________________________ Gary, All - We updated the BZAR scripts to be forward-compatible with Zeek v2.6.x and backward-compatible with v2.5.x and below, using '@if' directives to check the version number. Affected files include: main.bro, bzar_dce-rpc.bro, and bzar_smb.bro. Please visit the GitHub repo to find the updates files. * Caution-https://github.com/mitre-attack/car/tree/master/implementations/bzar < Caution-https://github.com/mitre-attack/car/tree/master/implementations/bzar > Cheers, Mark Mark I. Fernandez The MITRE Corporation mfernandez(a)mitre.org < Caution-mailto:mfernandez@mitre.org > P.S. The Bro/Zeek Package Manager for BZAR is coming soon.

2 years, 8 months

UPDATE: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

by Fernandez, Mark I

Gary, All - We updated the BZAR scripts to be forward-compatible with Zeek v2.6.x and backward-compatible with v2.5.x and below, using '@if' directives to check the version number. Affected files include: main.bro, bzar_dce-rpc.bro, and bzar_smb.bro. Please visit the GitHub repo to find the updates files. * https://github.com/mitre-attack/car/tree/master/implementations/bzar Cheers, Mark Mark I. Fernandez The MITRE Corporation mfernandez(a)mitre.org<mailto:mfernandez@mitre.org> P.S. The Bro/Zeek Package Manager for BZAR is coming soon.

2 years, 8 months

Projected Throughput

by Brett Warrick

I've built a 1U box (Xeon Bronze-3104 / 16 GB RAM / 10GBase-T ports with Intel X557) and I'm wondering if it's able to manage a certain level of traffic; in this case, a sustained daily rate of 10MBps, spiking at 15MBps (please note, MBps, not Mbps - I know I could easily handle a sustained 15 Mbps). I'll be analyzing traffic on a large corporate network. What do you think? Is it underpowered? Way overboard? Any best guesses about the max level of throughput it could handle? Thanks in advance for your time and your thoughts! BJW

2 years, 8 months

Extract IP Header Options

by Justin Mullins

Hi, I was wondering is there an existing way in Zeek to log IP Header Options? The conn log has a lot of the IP Header fields but not the IP Header "Options" field data. Specifically looking at logging data related to CIPSO packet labeling (reference: https://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01). If not, can anyone point me to a decent example of a bro script logging similar data from the IP Header? (it's been quite a few years since I've looked at bro scripts and I haven't found any examples doing something similar to what I want) Thank guys any information you can provide would be helpful!

2 years, 8 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek April 2019