Hello,
In my weird.log, I've noticed unknown_protocol_112 showing up regularly for
me. I believe this to be the Virtual Router Redundancy Protocol (VRRP),
which does match up with CARP that's enabled on our OpenBSD firewalls.
Before I start looking further, has anyone built a parser for Zeek already?
If not, I'll start reading the protocol spec and seeing if I'm able to
write one. I believe it to be useful to have the protocol analyzed for
noticing any anomalies, etc.
Thanks!
Andrew
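VRRP and OpenBSD CARP share IP protocol 112 and even the same leading octet (version 2, type 1), so a decoder has to tell them apart from the rest of the header. Before writing the analyzer it is worth confirming what is on the wire with `tcpdump -ni <iface> ip proto 112`. The following is an added example written for this thread, not Zeek code and not a binpac analyzer: a Python decoder for the protocol 112 payload that handles VRRPv2, VRRPv3 and CARP advertisements, verifies the checksum, and builds constructed sample packets to exercise itself. The CARP layout (fixed 36-byte advertisement, authlen constant 7) follows OpenBSD's carp header; the IPv4 pseudo-header used for the VRRPv3 checksum is an assumption of this code.

```python
"""
Decode the payload of IP protocol 112, which VRRP (RFC 3768 / RFC 5798) and
OpenBSD CARP share. Hypothetical helper written for this thread, not Zeek's own
analyzer; the sample packets produced by the build_* functions are constructed.
"""
from __future__ import annotations
import socket
import struct
from dataclasses import dataclass, field
from typing import Optional

IPPROTO_VRRP = 112     # same IP protocol number for VRRP and CARP
CARP_AUTHLEN = 7       # CARP: (8-byte counter + 20-byte HMAC) / 4, sits where VRRPv2 has count_ip
CARP_ADVERT_LEN = 36   # a CARP advertisement is fixed-size
VRRPV2_AUTH_LEN = 8    # VRRPv2 trailing authentication data


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pseudo_header(src: str, dst: str, length: int) -> bytes:
    """IPv4 pseudo-header; VRRPv3 folds it into its checksum, VRRPv2 and CARP do not (assumed)."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, IPPROTO_VRRP, length)


@dataclass
class Proto112:
    family: str                  # "vrrp2", "vrrp3" or "carp"
    vrid: int                    # VRRP VRID or CARP vhid
    priority: int                # VRRP priority, or CARP advskew (lower wins)
    adver_int: int               # seconds (vrrp2, carp advbase) or centiseconds (vrrp3)
    addrs: list[str] = field(default_factory=list)
    checksum_ok: Optional[bool] = None   # None: vrrp3 without src/dst to rebuild the pseudo-header


def parse_proto112(payload: bytes, src: Optional[str] = None, dst: Optional[str] = None) -> Proto112:
    if len(payload) < 8:
        raise ValueError("protocol 112 payload shorter than any VRRP/CARP header")
    version, ptype = payload[0] >> 4, payload[0] & 0x0F
    if ptype != 1:
        raise ValueError(f"type {ptype}: only ADVERTISEMENT (1) is defined")

    # CARP reuses the VRRPv2 first octet (version 2, type 1), so the leading byte cannot
    # separate them; the fixed length plus the authlen constant can (a VRRPv2 advert with
    # count_ip == 7 would be 44 bytes, never 36).
    if version == 2 and len(payload) == CARP_ADVERT_LEN and payload[3] == CARP_AUTHLEN:
        vhid, advskew, _authlen, _demote, advbase = payload[1:6]
        return Proto112("carp", vhid, advskew, advbase, [], inet_checksum(payload) == 0)

    if version == 2:
        vrid, prio, count_ip, _auth_type, adver_int = payload[1:6]
        need = 8 + 4 * count_ip + VRRPV2_AUTH_LEN
        if len(payload) < need:
            raise ValueError(f"VRRPv2 advert truncated: {len(payload)} < {need}")
        addrs = [socket.inet_ntoa(payload[8 + 4 * i:12 + 4 * i]) for i in range(count_ip)]
        return Proto112("vrrp2", vrid, prio, adver_int, addrs, inet_checksum(payload[:need]) == 0)

    if version == 3:
        vrid, prio, count_ip = payload[1:4]
        max_adver_int = struct.unpack("!H", payload[4:6])[0] & 0x0FFF   # low 12 bits, centiseconds
        need = 8 + 4 * count_ip
        if len(payload) < need:
            raise ValueError(f"VRRPv3 advert truncated: {len(payload)} < {need}")
        addrs = [socket.inet_ntoa(payload[8 + 4 * i:12 + 4 * i]) for i in range(count_ip)]
        ok = None
        if src and dst:
            ok = inet_checksum(_pseudo_header(src, dst, need) + payload[:need]) == 0
        return Proto112("vrrp3", vrid, prio, max_adver_int, addrs, ok)

    raise ValueError(f"unsupported VRRP version {version}")


def _with_checksum(body: bytes, extra: bytes = b"") -> bytes:
    """Fill bytes 6-7 of a header that was built with a zero checksum field."""
    return body[:6] + struct.pack("!H", inet_checksum(extra + body)) + body[8:]


def build_vrrp2_advert(vrid: int, priority: int, addrs: list[str], adver_int: int = 1) -> bytes:
    body = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs), 0, adver_int, 0)
    body += b"".join(socket.inet_aton(a) for a in addrs) + b"\x00" * VRRPV2_AUTH_LEN
    return _with_checksum(body)


def build_carp_advert(vhid: int, advskew: int, advbase: int = 1, counter: int = 0) -> bytes:
    # The real HMAC-SHA1 covers the virtual addresses and the shared secret; zeros here.
    body = struct.pack("!BBBBBBHQ", 0x21, vhid, advskew, CARP_AUTHLEN, 0, advbase, 0, counter)
    return _with_checksum(body + b"\x00" * 20)


def build_vrrp3_advert(vrid: int, priority: int, addrs: list[str], src: str, dst: str,
                       max_adver_int: int = 100) -> bytes:
    body = struct.pack("!BBBBHH", 0x31, vrid, priority, len(addrs), max_adver_int & 0x0FFF, 0)
    body += b"".join(socket.inet_aton(a) for a in addrs)
    return _with_checksum(body, _pseudo_header(src, dst, len(body)))
```

The `family` field is what a weird-to-protocol mapping would key on. For CARP pairs you already know about, a new vhid, a changed advskew, or an advertisement that fails its checksum is the kind of anomaly a notice should flag.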
I just installed from source (master) on a fresh pull, and I am unable to run bro deploy. When I do, I receive the following error:
sudo /usr/local/bro/bin/broctl deploy
checking configurations ...
bro scripts failed.
/usr/local/bro/bin/bro: error while loading shared libraries: libbinpac.so.0: cannot open shared object file: No such file or directory
ldd confirms that libbinpac.so.0 isn't found, though the library is installed, and the library is linked in ~/sandbox/zeek/build/src
ldd /usr/local/bro/bin/bro
linux-vdso.so.1 => (0x00007fff093de000)
libbinpac.so.0 => not found
libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f13d7196000)
ldd ~/sandbox/zeek/build/src/bro
linux-vdso.so.1 => (0x00007ffc18dcb000)
libbinpac.so.0 => /home/ejmartin2/sandbox/zeek/build/aux/binpac/lib/libbinpac.so.0 (0x00007f41ba9de000)
lrwxrwxrwx. 1 root root 14 Apr 17 12:47 /usr/local/bro/lib64/libbinpac.so -> libbinpac.so.0
lrwxrwxrwx. 1 root root 20 Apr 17 12:47 /usr/local/bro/lib64/libbinpac.so.0 -> libbinpac.so.0.51-11
-rwxr-xr-x. 1 root root 96072 Apr 17 12:53 /usr/local/bro/lib64/libbinpac.so.0.51-11
To install, I:
• cloned the repository, made sure the submodules were recursively up to date
• cloned PF_RING
• Compiled
• installed
• ./configure --with-pcap=/opt/pcap
• make
• sudo make install
Can somebody please help me with what I’m doing incorrectly?
Thank you,
Eric Martin, CISSP
Information Security Engineer
Worcester Polytechnic Institute
ejmartin2(a)wpi.edu
Key fingerprint = C74F 1EBF 2E80 7984 8CB5 064E BF17 D34C C704 B30F
For security purposes, this message has been double ROT13 encoded
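The ldd output above shows the loader failing on libbinpac.so.0 for the installed binary while the build-tree binary resolves it from build/aux/binpac/lib, and the directory listing shows the library present in /usr/local/bro/lib64. The added example below is mine, not part of Zeek or broctl: it parses ldd output, looks for each unresolved soname under the install prefix, and separates "not installed" from "installed but not on the loader's search path", printing the readelf and ldconfig commands to check next. The prefix and the ld.so.conf.d file name are assumptions; the ldd text in the test is the output from the message above.

```python
"""
Triage "error while loading shared libraries: X: cannot open shared object file".
Hypothetical helper for this thread, not part of Zeek/Bro or broctl. Run as
    python3 checklibs.py /usr/local/bro/bin/bro [/usr/local/bro]
"""
from __future__ import annotations
import os
import subprocess
import sys
from typing import Optional


def missing_from_ldd(ldd_output: str) -> list[str]:
    """ldd prints one 'soname => path (addr)' line per DT_NEEDED entry; unresolved ones say 'not found'."""
    missing = []
    for line in ldd_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "=>" and parts[2:4] == ["not", "found"]:
            missing.append(parts[0])
    return missing


def find_soname(soname: str, dirs: list[str]) -> Optional[str]:
    """First directory in dirs that contains soname, or None."""
    for d in dirs:
        if os.path.exists(os.path.join(d, soname)):
            return d
    return None


def triage(ldd_output: str, prefix: str) -> dict[str, str]:
    """Map each unresolved soname to a diagnosis and the next command to run."""
    libdirs = [os.path.join(prefix, "lib"), os.path.join(prefix, "lib64")]
    report = {}
    for so in missing_from_ldd(ldd_output):
        where = find_soname(so, libdirs)
        if where:
            # The file exists, so the binary's RPATH/RUNPATH or the system loader
            # cache simply does not cover that directory.
            report[so] = (
                f"installed in {where} but not on the loader search path: "
                f"check `readelf -d <binary> | grep -E 'RPATH|RUNPATH'` and `ldconfig -p | grep {so}`; "
                f"fix with `echo {where} > /etc/ld.so.conf.d/bro.conf && ldconfig` "
                f"(or LD_LIBRARY_PATH={where} to confirm before making it permanent)"
            )
        else:
            report[so] = f"not present under {prefix}/lib or {prefix}/lib64: the install is incomplete, rerun make install"
    return report


if __name__ == "__main__":
    binary = sys.argv[1]
    prefix = sys.argv[2] if len(sys.argv) > 2 else "/usr/local/bro"
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    for so, why in triage(out, prefix).items():
        print(f"{so}: {why}")
    sys.exit(1 if missing_from_ldd(out) else 0)
```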
Hello!
I have several questions about the threat intel:
Is there a way to add meta.url and meta.desc to intel.log?
For Intel::FILE_NAME to work, does base/frameworks/intel/files.bro go in
local.bro?
Will Intel::FILE_HASH detect MD5, SHA1, SHA256, SHA256, imphash, and
authentihash?
Will Intel::CERT_HASH detect MD5 or SHA256?
Will the intel framework detect part of a URL, or only the full URL?
Will "@domain.com" work in Intel::EMAIL, or is it best to just remove
the "@" and add it to Intel::DOMAIN?
Does meta.do_notice have to be set to T for an event to get logged into
intel.log?
Thank you for the help.
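A few of the questions above come down to how indicators are matched: the intel framework looks an indicator up as a whole (SUBNET by containment), so a URL is written without its scheme and an EMAIL entry needs the full address, while meta.desc and meta.url ride along in the file but are not part of the default intel.log columns, and every hit is logged whether or not meta.do_notice is T (that flag only adds an Intel::Notice). The following is an added example, not Zeek code: a Python helper that writes the tab-separated file the Input framework reads and rejects entries that would silently never match. The digest lengths it accepts (MD5, SHA1, SHA256) are those of Zeek's file hash analyzers; the indicators in the test are constructed.

```python
"""
Write and sanity-check an input file for Zeek's Intelligence Framework.
Hypothetical helper for this thread, not part of Zeek; indicators are constructed.
"""
from __future__ import annotations
import ipaddress
import re
from typing import Iterable

REQUIRED = ("indicator", "indicator_type", "meta.source")
OPTIONAL = ("meta.desc", "meta.url", "meta.do_notice")
TYPES = {"Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
         "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH", "Intel::FILE_NAME",
         "Intel::CERT_HASH", "Intel::PUBKEY_HASH"}
HEX = re.compile(r"^[0-9a-f]+$")
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}   # what the file hash analyzers emit


def check_indicator(indicator: str, itype: str) -> list[str]:
    """Return the problems found with one entry; an empty list means it looks usable."""
    problems: list[str] = []
    if itype not in TYPES:
        return [f"unknown indicator_type {itype!r}"]
    if not indicator or "\t" in indicator or "\n" in indicator:
        return ["indicator is empty or contains a tab/newline (breaks the tab-separated file)"]
    if itype == "Intel::URL" and re.match(r"^[a-z][a-z0-9+.-]*://", indicator, re.I):
        problems.append("URL indicators are written without the scheme: example.com/path, not http://example.com/path")
    if itype == "Intel::EMAIL" and (indicator.startswith("@") or "@" not in indicator):
        problems.append("EMAIL is matched as a whole address; a bare domain belongs in Intel::DOMAIN")
    if itype == "Intel::DOMAIN" and ("@" in indicator or "/" in indicator):
        problems.append("DOMAIN takes a hostname only (no @, path or scheme)")
    if itype in ("Intel::FILE_HASH", "Intel::CERT_HASH", "Intel::PUBKEY_HASH"):
        if not HEX.match(indicator):
            problems.append("hash must be lowercase hex, the form Zeek logs in files.log")
        elif len(indicator) not in DIGEST_LENGTHS:
            problems.append(f"hash length {len(indicator)} is none of MD5/SHA1/SHA256")
    if itype == "Intel::ADDR":
        try:
            ipaddress.ip_address(indicator)
        except ValueError:
            problems.append("ADDR must be a single IP address (use SUBNET for a prefix)")
    if itype == "Intel::SUBNET":
        try:
            ipaddress.ip_network(indicator, strict=True)
        except ValueError:
            problems.append("SUBNET must be a CIDR prefix with the host bits zero")
    return problems


def write_intel_file(rows: Iterable[dict]) -> str:
    """Render rows as the tab-separated file Zeek reads; '-' marks an unset optional field."""
    fields = REQUIRED + OPTIONAL
    lines = ["#fields\t" + "\t".join(fields)]
    for n, row in enumerate(rows, 1):
        missing = [f for f in REQUIRED if not row.get(f)]
        if missing:
            raise ValueError(f"row {n}: missing {missing}")
        problems = check_indicator(row["indicator"], row["indicator_type"])
        if problems:
            raise ValueError(f"row {n} ({row['indicator']}): " + "; ".join(problems))
        lines.append("\t".join(str(row.get(f) or "-") for f in fields))
    return "\n".join(lines) + "\n"
```

Point Intel::read_files at the written file; the `#fields` header is what lets the Input framework map the columns, so keep it as the first line.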
Hello,
I've been trying to get Zeek installed on a Clear Linux distribution machine for a while. I know my way around Linux enough to get this done from the GitHub source, but what caused me so much trouble was a missing prerequisite: the C++ Actor Framework.
I'm not a Linux beginner, and I installed all of the prerequisites, but if this were added to the part of the installation documentation under "To build Bro from source, the following additional dependencies are required:", installing from source would have been much smoother for me. If for some reason this being left out is intentional, sorry to bring this up.
After setting up all of the .cfg files and running install and start in broctl, I got the following error:
cl@clr-31868b162a544d5290cfe54c3dd15df1 /usr/local/bro/logs/current $ cat stderr.log
*** failed to set config parameter work-stealing.moderate-sleep-duration-us: invalid name
*** failed to set config parameter work-stealing.relaxed-sleep-duration-us: invalid name
/usr/local/bro/share/broctl/scripts/run-bro: line 110: 1211 Segmentation fault (core dumped) nohup "$mybro" "$@"
The process did not start. Any suggestions on how to solve this, or any links to possible hints for a solution, would be appreciated.
I enjoyed the conference at CERN very much.
Thanks.
Dan.
Has anyone in the community extended btest to support better test metrics?
Currently btest gives me a pass or fail per file, as opposed to having
multiple scenarios in a file. The structure I am looking for is below:
Example in one file
@Scenario(First)
#test code here
@Scenario(Second)
#test code here
Success 2 out of 2 passed
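As an added illustration of the structure asked for above (my code, not btest's): a small Python runner that splits a test file on `@Scenario(Name)` markers, runs each scenario body as a `sh -e` snippet, and reports the "N out of M passed" summary. Treating each body as shell is the simplest executable form and is an assumption of this example; the scenario text in the test is constructed.

```python
"""
Split a test file into named scenarios and report pass/fail per scenario.
Hypothetical illustration for this thread, not part of btest.
"""
from __future__ import annotations
import re
import subprocess

# A marker line by itself: @Scenario(Name)
SCENARIO = re.compile(r"^@Scenario\(([^)]+)\)[ \t]*$", re.M)


def split_scenarios(text: str) -> list[tuple[str, str]]:
    """Return (name, body) pairs; text before the first marker is ignored."""
    parts = SCENARIO.split(text)          # [preamble, name1, body1, name2, body2, ...]
    names, bodies = parts[1::2], parts[2::2]
    return list(zip(names, (b.strip("\n") for b in bodies)))


def run_scenarios(text: str, shell: str = "/bin/sh") -> dict[str, bool]:
    """Run each body with `sh -e` so the first failing command fails that scenario only."""
    results: dict[str, bool] = {}
    for name, body in split_scenarios(text):
        proc = subprocess.run([shell, "-e", "-c", body], capture_output=True)
        results[name] = proc.returncode == 0
    return results


def summary(results: dict[str, bool]) -> str:
    """'Success 2 out of 2 passed', or 'Failure' when any scenario failed."""
    passed = sum(1 for ok in results.values() if ok)
    verdict = "Success" if passed == len(results) else "Failure"
    return f"{verdict} {passed} out of {len(results)} passed"


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f:
        outcome = run_scenarios(f.read())
    for name, ok in outcome.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
    print(summary(outcome))
    sys.exit(0 if all(outcome.values()) else 1)
```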
Are there any available benchmarks by which the community measures NIC
selection? I.e., how do others know which hardware baseline to choose for
a given traffic volume while using Zeek?
Hi,
I configured an afpacket interface in addition to one I was already using
and it monitored fine but I want to stop monitoring this link for now and
just leave it to Suricata at the moment.
I have removed the configuration for it and redeployed, cleaned and done
everything else I can think of, including many config installs, and when
started, while only the workers configured on the original interface show
in the running jobs, I am still getting traffic events from the other
interface (I know this because of the IPs being monitored).
Is there anything I can check or clean up to try and force bro to
completely "forget" it ever knew about this interface? Thanks.
Kind Regards,
Kevin Ross
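One check worth running in this situation is whether a worker process is still capturing on the removed interface regardless of what broctl lists. broctl starts each worker with `-i <interface>`, so the interfaces in the running process arguments can be compared with those declared in node.cfg. The following is an added example, not part of broctl: the node.cfg and `ps` text in the test are constructed, and the node.cfg path is an assumption.

```python
"""
Report interfaces that a running bro/zeek worker still captures on but that
node.cfg no longer declares. Hypothetical helper for this thread, not broctl code.
"""
from __future__ import annotations
import configparser
import subprocess

NODE_CFG = "/usr/local/bro/etc/node.cfg"   # assumed default install prefix


def configured_interfaces(node_cfg: str) -> set[str]:
    """Every `interface=` value in node.cfg, e.g. eth1 or af_packet::eth1."""
    cp = configparser.ConfigParser()
    cp.read_string(node_cfg)
    return {cp[s]["interface"] for s in cp.sections() if cp.has_option(s, "interface")}


def running_interfaces(ps_args: str) -> set[str]:
    """Interfaces from the `-i <iface>` arguments of bro/zeek processes in `ps -eo args` output."""
    found: set[str] = set()
    for line in ps_args.splitlines():
        argv = line.split()
        if not argv or argv[0].rsplit("/", 1)[-1] not in ("bro", "zeek"):
            continue
        for i, a in enumerate(argv[:-1]):
            if a == "-i":
                found.add(argv[i + 1])
    return found


def stale_interfaces(node_cfg: str, ps_args: str) -> set[str]:
    """Interfaces with a live capture process but no node.cfg entry."""
    return running_interfaces(ps_args) - configured_interfaces(node_cfg)


if __name__ == "__main__":
    with open(NODE_CFG) as f:
        cfg = f.read()
    ps = subprocess.run(["ps", "-eo", "args"], capture_output=True, text=True, check=True).stdout
    stale = stale_interfaces(cfg, ps)
    for iface in sorted(stale):
        print(f"a worker is still capturing on {iface}, which node.cfg no longer lists")
    if not stale:
        print("no capture process on an interface outside node.cfg")
```

If a stale worker shows up, the process outlived the redeploy; stopping the whole cluster (`broctl stop`) before `broctl deploy`, then rerunning this check, tells you whether the events really come from that interface or from the remaining one.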
Mark,
Thank you for the update! Confirming on my end that we're able to get it running and producing notices.
v/r
Gary
-----Original Message-----
From: Fernandez, Mark I <mfernandez(a)mitre.org>
Sent: Wednesday, April 10, 2019 12:39 PM
To: zeek(a)zeek.org; Weasel, Gary W CIV DISA RE (US) <gary.w.weasel2.civ(a)mail.mil>
Subject: [Non-DoD Source] UPDATE: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE
Gary, All -
We updated the BZAR scripts to be forward-compatible with Zeek v2.6.x and backward-compatible with v2.5.x and below, using '@if' directives to check the version number. Affected files include: main.bro, bzar_dce-rpc.bro, and bzar_smb.bro.
Please visit the GitHub repo to find the updated files.
* https://github.com/mitre-attack/car/tree/master/implementations/bzar
Cheers,
Mark
Mark I. Fernandez
The MITRE Corporation
mfernandez(a)mitre.org
P.S. The Bro/Zeek Package Manager for BZAR is coming soon.
I've built a 1U box (Xeon Bronze-3104 / 16 GB RAM / 10GBase-T ports with Intel X557) and I'm wondering if it's able to manage a certain level of traffic; in this case, a sustained daily rate of 10MBps, spiking at 15MBps (please note, MBps, not Mbps - I know I could easily handle a sustained 15 Mbps). I'll be analyzing traffic on a large corporate network. What do you think? Is it underpowered? Way overboard? Any best guesses about the max level of throughput it could handle?
Thanks in advance for your time and your thoughts!
BJW