zeek July 2019

zeek@lists.zeek.org

31 participants
33 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

4 months, 4 weeks

Communication channels

by Woot4moo

Are there any plans to use another communication platform besides IRC? To the best of my knowledge the IRC channel does not record history, so any new member is unaware of prior chats / discoveries. Is there a desire in the community to move to something along the lines of Discord or Slack? Granted Slack would come at a premium.

2 years, 8 months

http body q.

by Dk Jack

Hi, I am trying to understand the behavior of bro with respect to logging http request when the http request has a large body. In my script, I am trying to log http body. I agree, http bodies can be large. However, I need the body for further parsing and analysis of traffic based on the content of the body content. To capture the body, I am setup events for http_entity_data and http_end_entity. In the 'http_entity_data' event, I am accumulating the body data into a request variable. In the end_entity event I am encoding body data using base64_encode (since body can include non printable characters). This seems to work fine for small bodies. However, for large bodies, I noticed that the log gets written without the body getting encoded. To debug, I added a log filter. In the log predicate call, I can see the http log writing happening before the end_entity even is called. Is this how it's supposed to work?

2 years, 10 months

26 July 2019 - Zeek Leadership Team (LT) Meeting Minutes - Now Available

by Amber Graner

Hi all, The LT Meeting minutes from the 26 July 2019 LT Meeting are now available at: https://blog.zeek.org/2019/07/open-source-zeek-leadership-team.html Please let me know if you have any questions. Thanks, ~Amber PS - Don't forget registration for ZeekWeek is still open - https://www.zeekweek.com -- *Amber Graner* Director of Community Corelight, Inc 828.582.9469 * Ask me about how you can participate in the Zeek (formerly Bro) community. * Remember - ZEEK AND YOU SHALL FIND!!

2 years, 10 months

known_*

by Palumbo Mauro

Hi everybody, there are a number of scripts (known_services, known_hosts, known_certs) which are implemented both using a broker store and sending broker events. It is possible to switch from one mode to the other using the option use_service_store. Is there any particular reason for this? Is one option more efficient than the other? Thanks, Mauro

2 years, 11 months

Zeek XDP Plugin - Ubuntu Compile problem

by Vinod

Hi, I am trying to compile the Zeek XDP plugin ( https://github.com/irtimmer/bro-xdp_packet-plugin) and running into lots of errors. posting the configuration and errors below Host: Ubuntu 18.04 Kernels tested with: 4.18.0.18 and 5.1 Any help will be greatly appreciated. neo@base-ubuntu:~/bro-xdp_packet-plugin$ ./configure --bro-dist=/home/neo/zeek --with-kernel=/usr/src/linux-5.1 --with-bpf=/usr/local --with-clang=/usr/bin/clang --with-llc=/usr/bin/llc Build Directory : build Bro Source Directory : /home/neo/zeek -- Bro executable : /home/neo/zeek/build/src/bro -- Bro source : /home/neo/zeek -- Bro build : /home/neo/zeek/build -- Bro install prefix : /opt/bro -- Bro plugin directory: /opt/bro/lib/bro/plugins -- Bro debug mode : false -- Found KernelHeaders: /usr/src/linux-5.1 -- Configuring done -- Generating done -- Build files have been written to: /home/neo/bro-xdp_packet-plugin/build neo@base-ubuntu:~/bro-xdp_packet-plugin$ make Makefile:11: recipe for target 'build-it' failed make: [build-it] Error 1 (ignored) ( cd build && make ) make[1]: Entering directory '/home/neo/bro-xdp_packet-plugin/build' make[2]: Entering directory '/home/neo/bro-xdp_packet-plugin/build' make[3]: Entering directory '/home/neo/bro-xdp_packet-plugin/build' Scanning dependencies of target bif-plugin-irtimmer_af_xdp-af_xdp.bif make[3]: Leaving directory '/home/neo/bro-xdp_packet-plugin/build' make[3]: Entering directory '/home/neo/bro-xdp_packet-plugin/build' [ 7%] [BIFCL] Processing src/af_xdp.bif make[3]: Leaving directory '/home/neo/bro-xdp_packet-plugin/build' [ 7%] Built target bif-plugin-irtimmer_af_xdp-af_xdp.bif make[3]: Entering directory '/home/neo/bro-xdp_packet-plugin/build' Scanning dependencies of target generate_outputs make[3]: Leaving directory '/home/neo/bro-xdp_packet-plugin/build' [ 7%] Built target generate_outputs make[3]: Entering directory '/home/neo/bro-xdp_packet-plugin/build' Scanning dependencies of target af_xdp_bpf make[3]: Leaving directory '/home/neo/bro-xdp_packet-plugin/build' make[3]: Entering directory '/home/neo/bro-xdp_packet-plugin/build' [ 15%] Generating af_xdp_bpf.ll In file included from /home/neo/bro-xdp_packet-plugin/src/bpf/bpf.c:5: */home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:75:11: error: use of undeclared identifier 'BPF_FUNC_sock_ops_cb_flags_set' (void *) BPF_FUNC_sock_ops_cb_flags_set; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:79:11: error: use of undeclared identifier 'BPF_FUNC_sk_redirect_hash' (void *) BPF_FUNC_sk_redirect_hash; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:85:11: error: use of undeclared identifier 'BPF_FUNC_sock_hash_update' (void *) BPF_FUNC_sock_hash_update; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:93:11: error: use of undeclared identifier 'BPF_FUNC_override_return' (void *) BPF_FUNC_override_return; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:95:11: error: use of undeclared identifier 'BPF_FUNC_msg_redirect_map' (void *) BPF_FUNC_msg_redirect_map; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:98:11: error: use of undeclared identifier 'BPF_FUNC_msg_redirect_hash' (void *) BPF_FUNC_msg_redirect_hash; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:100:11: error: use of undeclared identifier 'BPF_FUNC_msg_apply_bytes' (void *) BPF_FUNC_msg_apply_bytes; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:102:11: error: use of undeclared identifier 'BPF_FUNC_msg_cork_bytes' (void *) BPF_FUNC_msg_cork_bytes; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:104:11: error: use of undeclared identifier 'BPF_FUNC_msg_pull_data' (void *) BPF_FUNC_msg_pull_data; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:106:11: error: use of undeclared identifier 'BPF_FUNC_bind' (void *) BPF_FUNC_bind; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:108:11: error: use of undeclared identifier 'BPF_FUNC_xdp_adjust_tail' (void *) BPF_FUNC_xdp_adjust_tail; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:111:11: error: use of undeclared identifier 'BPF_FUNC_skb_get_xfrm_state' (void *) BPF_FUNC_skb_get_xfrm_state; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:113:11: error: use of undeclared identifier 'BPF_FUNC_get_stack' (void *) BPF_FUNC_get_stack; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:114:48: warning: declaration of 'struct bpf_fib_lookup' will not be visible outside of this function [-Wvisibility]static int (*bpf_fib_lookup)(void *ctx, struct bpf_fib_lookup *params, ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:116:11: error: use of undeclared identifier 'BPF_FUNC_fib_lookup' (void *) BPF_FUNC_fib_lookup; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:119:11: error: use of undeclared identifier 'BPF_FUNC_lwt_push_encap' (void *) BPF_FUNC_lwt_push_encap; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:122:11: error: use of undeclared identifier 'BPF_FUNC_lwt_seg6_store_bytes' (void *) BPF_FUNC_lwt_seg6_store_bytes; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:125:11: error: use of undeclared identifier 'BPF_FUNC_lwt_seg6_action' (void *) BPF_FUNC_lwt_seg6_action; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:128:11: error: use of undeclared identifier 'BPF_FUNC_lwt_seg6_adjust_srh' (void *) BPF_FUNC_lwt_seg6_adjust_srh; ^/home/neo/bro-xdp_packet-plugin/src/bpf/bpf_helpers.h:130:11: error: use of undeclared identifier 'BPF_FUNC_rc_repeat' (void *) BPF_FUNC_rc_repeat;* ^ fatal error: too many errors emitted, stopping now [-ferror-limit=] 1 warning and 20 errors generated. CMakeFiles/af_xdp_bpf.dir/build.make:64: recipe for target 'af_xdp_bpf.ll' failed make[3]: *** [af_xdp_bpf.ll] Error 1 make[3]: Leaving directory '/home/neo/bro-xdp_packet-plugin/build' CMakeFiles/Makefile2:169: recipe for target 'CMakeFiles/af_xdp_bpf.dir/all' failed make[2]: *** [CMakeFiles/af_xdp_bpf.dir/all] Error 2 make[2]: Leaving directory '/home/neo/bro-xdp_packet-plugin/build' Makefile:151: recipe for target 'all' failed make[1]: *** [all] Error 2 make[1]: Leaving directory '/home/neo/bro-xdp_packet-plugin/build' Makefile:11: recipe for target 'build-it' failed make: *** [build-it] Error 2 Regards, Vinod

2 years, 11 months

(no subject)

by Vinod

2 years, 11 months

Reminder - Call for Papers for ZeekWeek Ends Today

by Amber Graner

Hi all, ZeekWeek 2019 Call for Papers ends tonight. There's still a few hours left to get that talk in. Submission Link - http://bit.ly/zeekweek19talksubmission Thanks, ~Amber -- *Amber Graner* Director of Community Corelight, Inc 828.582.9469 * Ask me about how you can participate in the Zeek (formerly Bro) community. * Remember - ZEEK AND YOU SHALL FIND!!

2 years, 11 months

ZeekDays - Technical User Workshops - Poll

by Amber Graner

Hi all, Various organizations are considering sponsoring a series of single-day Zeek User Workshops across multiple geographies, starting in Atlanta, GA this fall. I've created a short (7 question) survey poll to find out what topics are of interest to you. This will allow me work with the sponsoring organizations to provide the most relevant content. Please take a moment to give your feedback - https://www.surveymonkey.com/r/G7PLPDZ Also if you or your organization would like to host a Zeek Event, please let me know. Thanks, ~Amber -- *Amber Graner* Director of Community Corelight, Inc 828.582.9469 * Ask me about how you can participate in the Zeek (formerly Bro) community. * Remember - ZEEK AND YOU SHALL FIND!!

2 years, 11 months

Announcing The Zeek Package Contest

by Amber Graner

Hi all, I'm excited to announce the Zeek Package Contest. - Are you a Zeek user? - Do you enjoy writing Zeek scripts? - Do you like being recognized for your awesome work? - Do you want to make the world’s networks safer? - Do you like winning prizes and claiming bragging rights? - Do you want the opportunity to present your work at Zeek events? More information and details on how you can participate can be found on the Zeek Blog at: https://blog.zeek.org/2019/07/zeek-package-contest_25.html Please let us know if you have any questions. Thanks, ~Amber -- *Amber Graner* Director of Community Corelight, Inc 828.582.9469 * Ask me about how you can participate in the Zeek (formerly Bro) community. * Remember - ZEEK AND YOU SHALL FIND!!

2 years, 11 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek July 2019