zeek May 2019

zeek@lists.zeek.org

35 participants
40 discussions

by Avila, Kay

Alan Commike's Bro protocol analyzer talk from BroCon 18 on YouTube is missing the slides link (https://www.youtube.com/watch?v=UtEe-VTPcDY&t=145s). Looks like the slides for other talks are hosted at https://www.zeek.org/brocon2018/slides/ but directory indexing has been turned off. Could anyone share those with me, please? Thanks, Kay Kay Avila Senior Security Engineer, Cybersecurity and Networking Division National Center for Supercomputing Applications (NCSA) University of Illinois, Urbana-Champaign P: (217) 300-1754 F: (217) 244-1987

2 years, 4 months

logger node in a cluster

by Palumbo Mauro

Hi Zeek-devs, I am not sure I am getting it right, but i t seems to me that a Zeek logger in a cluster configuration simply sits there waiting for logs and then writes them down. Does it do any additional work? For example, checking for duplicated logs from workers? If yes, where is the code for this additional checks? Mauro

2 years, 4 months

Help with zeek script

by Manju Lalwani

Hi Team, I am working on a Zeek script and would like to understand how can I make Zeek look only for the first ten packets in a tcp session.The first ten packets are enough to fingerprint the traffic I am trying to identify and so would to ensure my script also looks at only the first 10 packets to save processing time. The communication is as follows : There is the initial 3 way handshake and then there are 7 packets with variable lengths and on a non-default destination port/service. So I had to use the tcp_packet event in my script. Is there a better way of doing it ? Using tcp_packet would make my script to check for all tcp packets increasing the load on my zeek system. Please do let me know if you have any suggestions for me on this. Looking forward to your response. Thanks, Manju Lalwani

2 years, 4 months

Extracting packets from a particular connection

by Raghunath, Ananditha - 0557 - MITLL

Hi, I was hoping to understand how Zeek aggregates packets by connection. Is there any documentation that summarizes the approach? Is there a way to extract all the packets that correspond to a particular connection? Thank you, Ananditha Raghunath - 0557 Assistant Staff Cyber Operations and Analysis Technology MIT Lincoln Laboratory ananditha.raghunath(a)ll.mit.edu | 781-981-9035

2 years, 4 months

Duplicate DNS packets

by Kurtis Lawson

Hello fellow Zeekers, I am new to the mailing list and fairly new to Zeek. I am having an issue where DNS traffic is duplicated. It seem fairly obvious to me that the issue is that the manager is sending a single "session" to all of the workers defined in node.cfg. Example duplicate logs (sanitized a bit): user1@site1bro:~$ awk -F '\t' '{ if($1 == "1558556089.463824") print $0;}' dns.date-time.log 1558556089.463824 Ce6WGH1tX7fUQCJkEb 10.1.1.1 49675 10.5.5.5 53 udp 58613 - yahoo.uservoice.com 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-4 1558556089.463824 CxhWh33b65uCcQlUR2 10.1.1.1 49675 10.5.5.5 53 udp 58613 - yahoo.uservoice.com 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-8 1558556089.463824 CNBy3ykdFSvXydiW7 10.1.1.1 49675 10.5.5.5 53 udp 58613 - yahoo.uservoice.com 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-9 1558556089.463824 CV6w2f3NKeaAwhAvJf 10.1.1.1 49675 10.5.5.5 53 udp 58613 - yahoo.uservoice.com 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-7 1558556089.463824 Cc5rcP3N92OGHYUKA2 10.1.1.1 49675 10.5.5.5 53 udp 58613 - yahoo.uservoice.com 1 C_INTERNET 1 A - - F F T F 0 SITE1BRO-6 My node.cfg file: [manager] type=manager host=10.10.10.10 [proxy-1] type=proxy host=10.10.10.10 [SITE1BRO] type=worker host=10.10.10.10 interface=eth5 lb_method=pf_ring lb_procs=10 pin_cpus=2,3,4,5,6,7,8,9,10,11 Other info: - The span feed is clean of duplicates (validated with multiple packet captures) - Other logs are generally not duplicated, and I suspect that this only happens with UDP traffic - I've tried changing the LB type in the broctl.cfg file to 2-tuple, 5-tuple, and round-robin (4-tuple is default) but none of those resolved the issue - I've tried installing the latest dev version of pf_ring to no avail - From previously archived threads, it appears that this is not a new issue, and that it also happens with af_packet ... which is what I was going to try next :( Any insights as to how I can fix, or at least filter these duplicates before they are written to file and/or sent to Kafka would be greatly appreciated. KCL

2 years, 4 months

Zeek Myricom port aggregation

by Greg Grasmehr

Hello, Hoping someone has some insight into whatever I am doing wrong as try as I might, I can't seem to get the Myricom plugin working if configured to aggregate port data. Zeek starts and then crashes in every case, regardless of configuration ie interface=myricom::3 interface=myricom::* and snf_aggregate = T Here is related dmesg output logged by kdump [67471.838822] BUG: unable to handle kernel paging request at 00007f0d8459607f [67471.838863] IP: [<ffffffffc0bed569>] snf_eop_ioctl+0x609/0xc60 [myri_snf] [67471.838897] PGD 8000000a93bb9067 PUD 12d142c067 PMD 12d142d067 PTE 8000001d54829025 [67471.838927] Oops: 0001 [#1] SMP [67471.838942] Modules linked in: binfmt_misc macsec tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag myri_snf(OE) mpt2sas raid_class scsi_transport_sas mptctl mptbase ip6t_rpfilter ipt_REJECT nf_reject_ipv4 nf_log_ipv4 ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 nf_log_common xt_LOG xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter dell_rbu sunrpc dcdbas iTCO_wdt iTCO_vendor_support sb_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul joydev [67471.839241] ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd mxm_wmi ext4 mbcache jbd2 pcspkr ipmi_ssif mei_me lpc_ich mei sg ipmi_si ipmi_devintf ipmi_msghandler wmi acpi_power_meter ip_tables xfs libcrc32c sd_mod crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crct10dif_pclmul crct10dif_common crc32c_intel drm_panel_orientation_quirks ahci libahci dca libata tg3 megaraid_sas ptp pps_core dm_mirror dm_region_hash dm_log dm_mod [last unloaded: myri10ge] [67471.839450] CPU: 24 PID: 92952 Comm: bro Kdump: loaded Tainted: G OE ------------ 3.10.0-957.10.1.el7.x86_64 #1 [67471.839483] Hardware name: Dell Inc. PowerEdge R730xd/072T6D, BIOS 2.9.1 12/04/2018 [67471.839508] task: ffff95d0e7c41040 ti: ffff95e3197c0000 task.ti: ffff95e3197c0000 [67471.839531] RIP: 0010:[<ffffffffc0bed569>] [<ffffffffc0bed569>] snf_eop_ioctl+0x609/0xc60 [myri_snf] [67471.839564] RSP: 0018:ffff95e3197c3d38 EFLAGS: 00010006 [67471.839583] RAX: 0000000000000286 RBX: 0000000000000001 RCX: 0000000000000000 [67471.839605] RDX: ffff95d0526253d0 RSI: 00007f0d84596000 RDI: ffffb70f589ba7f8 [67471.839627] RBP: ffff95e3197c3df8 R08: ffffb70f599bb000 R09: 0000000000000003 [67471.839648] R10: 0000000000000000 R11: 0000000000000000 R12: ffff95d052625000 [67471.839670] R13: 00007ffeb542d710 R14: 00007ffeb542d710 R15: 0000000000000000 [67471.839693] FS: 00007f180d6a7900(0000) GS:ffff95eefe900000(0000) knlGS:0000000000000000 [67471.839717] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [67471.839735] CR2: 00007f0d8459607f CR3: 0000001ff663c000 CR4: 00000000003607e0 [67471.839757] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [67471.839778] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [67471.839800] Call Trace: [67471.839818] [<ffffffff98d67ef2>] ? down_read+0x12/0x40 [67471.839840] [<ffffffffc0bdfba0>] mx_common_ioctl+0x40/0x90 [myri_snf] [67471.839865] [<ffffffffc0bd44e2>] mx_ioctl+0x72/0x290 [myri_snf] [67471.839888] [<ffffffff98856880>] do_vfs_ioctl+0x3a0/0x5a0 [67471.839908] [<ffffffff98d70608>] ? __do_page_fault+0x228/0x500 [67471.839928] [<ffffffff98856b21>] SyS_ioctl+0xa1/0xc0 [67471.839947] [<ffffffff98d75ddb>] system_call_fastpath+0x22/0x27 [67471.839966] Code: d3 e6 44 85 ce 74 e1 48 83 bf b8 00 00 00 00 75 d1 4c 8b 87 c0 00 00 00 4c 63 d9 41 8b 70 04 48 c1 e6 09 4b 03 b4 dc c0 06 00 00 <0f> b6 76 7f 41 39 30 75 b4 4c 89 a7 b8 00 00 00 49 89 bc 24 60 [67471.840084] RIP [<ffffffffc0bed569>] snf_eop_ioctl+0x609/0xc60 [myri_snf] [67471.840112] RSP <ffff95e3197c3d38> [67471.840125] CR2: 00007f0d8459607f

2 years, 4 months

17 May 2019 - LT Meeting Minutes

by Amber Graner

Hi all, The minutes from the 17 May 2019 LT Meeting can be found at: https://blog.zeek.org/2019/05/open-source-leadership-team-meeting.html Please let us know if you have any questions, comments, feedback or suggestions for topics for the the LT to discuss. Also a reminded that the Registration and Call for Participation for ZeekWeek 2019 is now open. If you want to suggest a presentation topic or presentation or if you want to become a sponsor please go to: https://www.zeekweek.com Thanks, ~Amber -- *Amber Graner* Director of Community Corelight, Inc 828.582.9469 * Ask me about how you can participate in the Zeek (formerly Bro) community. * Remember - ZEEK AND YOU SHALL FIND!!

2 years, 4 months

Ask for help: zeek/modbus

by Salwa Alem

Hello, I'm novice in zeek use and command line interpretation. But when I did this command, I get the below error: ~/bro$ bro -r 09052019.pcap /home/salwa/bro/scripts/base/protocols/modbus/main.zeek fatal error in /home/salwa/bro/scripts/base/protocols/modbus/main.zeek, line 5: can't find ./consts My goal is to analyze my pcap file with zeek and extract the maximum of statistics to train my neural network. The more statistics I have, the better my learning of the neural network. That's why I used the modbus script but I ignore the reason of the above error. Thanks in advance for your help. Best regards, Salwa

2 years, 4 months

Bro 2.6.2 release (security update)

by Jon Siwek

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A security patch release, Bro v2.6.2, is now available for download: https://www.zeek.org/download/index.html The following Denial of Service vulnerabilities are addressed: * Integer type mismatches in BinPAC-generated parser code and Bro analyzer code may allow for crafted packet data to cause unintentional code paths in the analysis logic to be taken due to unsafe integer conversions causing the parser and analysis logic to each expect different fields to have been parsed. One such example, reported by Maksim Shudrak, causes the Kerberos analyzer to dereference a null pointer. CVE-2019-12175 was assigned for this issue. * The Kerberos parser allows for several fields to be left uninitialized, but they were not marked with an &optional attribute and several usages lacked existence checks. Crafted packet data could potentially cause an attempt to access such uninitialized fields, generate a runtime error/exception, and leak memory. Existence checks and &optional attributes have been added to the relevent Kerberos fields. * BinPAC-generated protocol parsers commonly contain fields whose length is derived from other packet input, and for those that allow for incremental parsing, BinPAC did not impose a limit on how large such a field could grow, allowing for remotely-controlled packet data to cause growth of BinPAC's flowbuffer bounded only by the numeric limit of an unsigned 64-bit integer, leading to memory exhaustion. There is now a generalized limit for how large flowbuffers are allowed to grow, tunable by setting "BinPAC::flowbuffer_capacity_max". -----BEGIN PGP SIGNATURE----- iQIzBAEBAgAdFiEE6WkLK32KwaGfkhxKxotJTfVqzH4FAlzvRkwACgkQxotJTfVq zH4pLA//SO5JEvq1OLU5MFUvaMD2FraqcAsE/nj7+Yt+UbyRqG3NAwdgE19ZmtCb bRTbHpdnRo+chM+JdtB+alyojgAt0sBtMQyVqMSR2UhQgCn68OJvCT9Qi7FbCI/q ZqxKYwZ9Lfrgx4EJWnbS2hNhrBsSt9kBtqm/6YsPjyIIk3zt4q5xxJwaAouQIDFy DxTQqwaIeDNvjjV9HxYkzrWJINt4CzxG512yfXBgX1sRa2rNAhiSGOubd6uFjkWu WABfzJUDQILN0RiefT8MilEf1OBCcLtUNhVAnIgqkUkmkWm48VZu2Sup6THwU3nU N3x8XFYBLLbV3+l1dt8fqWAyzBPWs2irQBY2xmPT2xBkq4gQXxlR1Le41b/hZXCJ azmmDepedm6vfSl2Q0S9wNqEVpFAx98wj7cGZuce4VLom3W0ANl67jchXrzIX2UT BZ78jc50F8+FM7/yjYsUf+kd5t6zOWGSCq2iraZBDOaNKa1bVKBirbmFySkVuCDt fKXyLw7OKSsZD18P2SVQWHKv/JdfOTm7SRixm5Sbr+yNFceNU0KTrMSu8WI+4kxE qpVSjbMqf5XpUWZYygtGZQgg5lsrgArkOWoIfxldGDLpjQM5vUdvY3uJEdOxIsZT AmdS3SFoorzHPhKywiSANRbGdMn4o8E3y1UCdyoerKrZJoy2ZZc= =XuB+ -----END PGP SIGNATURE-----

2 years, 4 months

Send email on any SSH attempt

by Merril Mathew

Hi All, I am very new to Zeek. I was trying to send an email on any SSH attempt, regardless of success or fail. The notice framework is really confusing and I could not find much information online. :) Would be great if someone can explain to me what I need to do to solve this specific issue. Please find attached what I have tried so far. Please also note that whenever I tried to run my scripts with pcap file it generates a notice.log. However if I load my script to local.zeek then I cannot find any notice.log in $PREFIX/bro/logs/current. zeek_mail.zeek is where the Notice implementation is done and zeek_mail2.zeek is where the notice hook is applied. Kind regards, Merril.

2 years, 4 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek May 2019