zeek April 2019

zeek@lists.zeek.org

40 participants
34 discussions

by Andrew Klaus

Hello, In my weird.log, I've noticed unknown_protocol_112 showing up regularly for me. I believe this to be the Virtual Router Redundancy Protocol (VRRP), which does match up with CARP that's enabled on our OpenBSD firewalls. Before I start looking further, has anyone built a parser for Zeek already? If not, I'll start reading the protocol spec and seeing if I'm able to write one. I believe it to be useful to have the protocol analyzed for noticing any anomalies, etc. Thanks! Andrew

3 years, 1 month

binpac error

by Martin, Eric J

I just installed from source (master) on a fresh pull, and I am unable to run bro deploy. When I do, I receive the following error: sudo /usr/local/bro/bin/broctl deploy checking configurations ... bro scripts failed. /usr/local/bro/bin/bro: error while loading shared libraries: libbinpac.so.0: cannot open shared object file: No such file or directory ldd confirms that libbinpac.so.0 isn’t linked, though the library installed, and the library is linked in ~/sandbox/zeek/build/src ldd /usr/local/bro/bin/bro linux-vdso.so.1 => (0x00007fff093de000) libbinpac.so.0 => not found libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f13d7196000) ldd ~/sandbox/zeek/build/src/bro linux-vdso.so.1 => (0x00007ffc18dcb000) libbinpac.so.0 => /home/ejmartin2/sandbox/zeek/build/aux/binpac/lib/libbinpac.so.0 (0x00007f41ba9de000) lrwxrwxrwx. 1 root root 14 Apr 17 12:47 /usr/local/bro/lib64/libbinpac.so -> libbinpac.so.0 lrwxrwxrwx. 1 root root 20 Apr 17 12:47 /usr/local/bro/lib64/libbinpac.so.0 -> libbinpac.so.0.51-11 -rwxr-xr-x. 1 root root 96072 Apr 17 12:53 /usr/local/bro/lib64/libbinpac.so.0.51-11 to install, I • cloned the repository, made sure the submodules were recursively up to date • cloned PF_RING • Compiled • installed • ./configure —with-pcacp=/opt/pcap • make • sudo make install Can somebody please help me with what I’m doing incorrectly? Thank you, [cid:5E7156F0-3BAB-41F2-B32B-5702AED1A414] Eric Martin, CISSP Information Security Engineer Worcester Polytechnic Institute ejmartin2(a)wpi.edu<mailto:ejmartin2@wpi.edu> Key fingerprint = C74F 1EBF 2E80 7984 8CB5 064E BF17 D34C C704 B30F For security purposes, this message has been double ROT13 encoded

3 years, 1 month

threat intel questions

by Ambros Novak

Hello! I have several questions about the threat intel: Is there a way to add meta.url and meta.desc to intel.log? For Intel::FILE_NAME to work, does base/frameworks/intel/files.bro go in local.bro? Will Intel::FILE_HASH detect MD5, SHA1, SHA256, SHA256, imphash, and authentihash? Will Intel::CERT_HASH detect MD5 or SHA256? Will the intel frame detect part of part a URL or does only the full URL? Will "@domain.com" work in the Intel::EMAIL, or is it best to just remove the "@" and add it to Intel::Domain? Does meta.do_notice have to be set to T for an event to get logged into intel.log? Thank you for the help.

3 years, 1 month

(no subject)

by Daniel Herakovic

Hello, I've been trying to get Zeek installed on a Clear linux distribution machine for a while. I know my way around linux enough to get this done from the github source, but what caused me so much trouble was a missing pre-requisite - the C++ Actor framework. I'm not a linux beginner, and I installed all of the pre-requisits, but if this was added to the part of the instalation documentation under "To build Bro from source, the following additional dependencies are required:", installing from source would have been much smoother for me. If for some reason, this being left out is intentional, sorry to bring this up. After setting up all of the. cfg files and runnung install and start in broctrl, I got the following error: ‎ cl@clr-31868b162a544d5290cfe54c3dd15df1 /usr/local/bro/logs/current $ cat stderr.log *** failed to set config parameter work-stealing.moderate-sleep-duration-us: invalid name *** failed to set config parameter work-stealing.relaxed-sleep-duration-us: invalid name /usr/local/bro/share/broctl/scripts/run-bro: line 110: 1211 Segmentation fault (core dumped) nohup "$mybro" "$@"‎ The proces did not start. Any suggestions how to solve this or any links to possibles hints for a solution would be appreciated. I enjoyed the conference at Cern very much. Thanks. Dan.

3 years, 1 month

Unit test extensions

by Woot4moo

Has anyone in the community extended btest to support better test metrics? Currently btest will give me a pass or fail per file as opposed to having multiple scenarios in a file. The structure I am looking for is below: Example in one file @Scenario(First) #test code here @Scenario(Second) #test code here Success 2 out of 2 passed

3 years, 1 month

NIC benchmarks and selection criteria

by Woot4moo

Are there any available benchmarks by which the community measures NIC selection? I.E., How do others known which hardware baseline to choose for a given traffic volume while using Zeek.

3 years, 1 month

Interface Removed From Config but Keeps Monitoring Traffic

by Kevin Ross

Hi, I configured an afpacket interface in addition to one I was already using and it monitored fine but I want to stop monitoring this link for now and just leave it to Suricata at the moment. I have removed the configuration for it and redeployed, cleaned and everything else I can thing of and many config installs and when started while only the works configured on the original interface show in running jobs I am still getting traffic events from the other interface (I know this because of the IPs being monitored). Is there anything I can check or clean up to try and force bro to completely "forget" it ever knew about this interface? Thanks. Kind Regards, Kevin Ross

3 years, 1 month

Re: [Zeek] UPDATE: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

by Weasel, Gary W CIV DISA RE (US)

Mark, Thank you for the update! Confirming on my end that we're able to get it running and producing notices. v/r Gary -----Original Message----- From: Fernandez, Mark I <mfernandez(a)mitre.org> Sent: Wednesday, April 10, 2019 12:39 PM To: zeek(a)zeek.org; Weasel, Gary W CIV DISA RE (US) <gary.w.weasel2.civ(a)mail.mil> Subject: [Non-DoD Source] UPDATE: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser. ________________________________ Gary, All - We updated the BZAR scripts to be forward-compatible with Zeek v2.6.x and backward-compatible with v2.5.x and below, using '@if' directives to check the version number. Affected files include: main.bro, bzar_dce-rpc.bro, and bzar_smb.bro. Please visit the GitHub repo to find the updates files. * Caution-https://github.com/mitre-attack/car/tree/master/implementations/bzar < Caution-https://github.com/mitre-attack/car/tree/master/implementations/bzar > Cheers, Mark Mark I. Fernandez The MITRE Corporation mfernandez(a)mitre.org < Caution-mailto:mfernandez@mitre.org > P.S. The Bro/Zeek Package Manager for BZAR is coming soon.

3 years, 1 month

UPDATE: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

by Fernandez, Mark I

Gary, All - We updated the BZAR scripts to be forward-compatible with Zeek v2.6.x and backward-compatible with v2.5.x and below, using '@if' directives to check the version number. Affected files include: main.bro, bzar_dce-rpc.bro, and bzar_smb.bro. Please visit the GitHub repo to find the updates files. * https://github.com/mitre-attack/car/tree/master/implementations/bzar Cheers, Mark Mark I. Fernandez The MITRE Corporation mfernandez(a)mitre.org<mailto:mfernandez@mitre.org> P.S. The Bro/Zeek Package Manager for BZAR is coming soon.

3 years, 1 month

Projected Throughput

by Brett Warrick

I've built a 1U box (Xeon Bronze-3104 / 16 GB RAM / 10GBase-T ports with Intel X557) and I'm wondering if it's able to manage a certain level of traffic; in this case, a sustained daily rate of 10MBps, spiking at 15MBps (please note, MBps, not Mbps - I know I could easily handle a sustained 15 Mbps). I'll be analyzing traffic on a large corporate network. What do you think? Is it underpowered? Way overboard? Any best guesses about the max level of throughput it could handle? Thanks in advance for your time and your thoughts! BJW

3 years, 1 month

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek April 2019