Are there any plans to use another communication platform besides IRC? To
the best of my knowledge the IRC channel does not record history, so any
new member is unaware of prior chats / discoveries.
Is there a desire in the community to move to something along the lines of
Discord or Slack? Granted Slack would come at a premium.
Hi,
I am trying to understand the behavior of bro with respect to logging http
request when the http request has a large body.
In my script, I am trying to log http body. I agree, http bodies can be
large. However, I need the body for further parsing and analysis of traffic
based on the content of the body content. To capture the body, I am setup
events for http_entity_data and http_end_entity. In the 'http_entity_data'
event, I am accumulating the body data into a request variable. In the
end_entity event I am encoding body data using base64_encode (since body
can include non printable characters).
This seems to work fine for small bodies. However, for large bodies, I
noticed that the log gets written without the body getting encoded. To
debug, I added a log filter. In the log predicate call, I can see the http
log writing happening before the end_entity even is called.
Is this how it's supposed to work?
Hi all,
The LT Meeting minutes from the 26 July 2019 LT Meeting are now available
at: https://blog.zeek.org/2019/07/open-source-zeek-leadership-team.html
Please let me know if you have any questions.
Thanks,
~Amber
PS - Don't forget registration for ZeekWeek is still open -
https://www.zeekweek.com
--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469
* Ask me about how you can participate in the Zeek (formerly Bro)
community.
* Remember - ZEEK AND YOU SHALL FIND!!
Hi everybody,
there are a number of scripts (known_services, known_hosts, known_certs) which are implemented both using a broker store and sending broker events. It is possible to switch from one mode to the other using the option use_service_store.
Is there any particular reason for this? Is one option more efficient than the other?
Thanks,
Mauro
Hi all,
ZeekWeek 2019 Call for Papers ends tonight. There's still a few hours left
to get that talk in.
Submission Link - http://bit.ly/zeekweek19talksubmission
Thanks,
~Amber
--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469
* Ask me about how you can participate in the Zeek (formerly Bro)
community.
* Remember - ZEEK AND YOU SHALL FIND!!
Hi all,
Various organizations are considering sponsoring a series of single-day
Zeek User Workshops across multiple geographies, starting in Atlanta, GA
this fall.
I've created a short (7 question) survey poll to find out what topics are
of interest to you. This will allow me work with the sponsoring
organizations to provide the most relevant content.
Please take a moment to give your feedback -
https://www.surveymonkey.com/r/G7PLPDZ
Also if you or your organization would like to host a Zeek Event, please
let me know.
Thanks,
~Amber
--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469
* Ask me about how you can participate in the Zeek (formerly Bro)
community.
* Remember - ZEEK AND YOU SHALL FIND!!
Hi all,
I'm excited to announce the Zeek Package Contest.
- Are you a Zeek user?
- Do you enjoy writing Zeek scripts?
- Do you like being recognized for your awesome work?
- Do you want to make the world’s networks safer?
- Do you like winning prizes and claiming bragging rights?
- Do you want the opportunity to present your work at Zeek events?
More information and details on how you can participate can be found on the
Zeek Blog at:
https://blog.zeek.org/2019/07/zeek-package-contest_25.html
Please let us know if you have any questions.
Thanks,
~Amber
--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469
* Ask me about how you can participate in the Zeek (formerly Bro)
community.
* Remember - ZEEK AND YOU SHALL FIND!!
发自我的iPhone
------------------ Original ------------------
From: zeek-request <zeek-request(a)zeek.org>
Date: Sat,Jul 13,2019 4:07 PM
To: zeek <zeek(a)zeek.org>
Subject: Re: Zeek Digest, Vol 159, Issue 14
Send Zeek mailing list submissions to
zeek(a)zeek.org
To subscribe or unsubscribe via the World Wide Web, visit
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
or, via email, send a message with subject or body 'help' to
zeek-request(a)zeek.org
You can reach the person managing the list at
zeek-owner(a)zeek.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Zeek digest..."
Today's Topics:
1. Re: Query reagrding Bro Ids (Jim Mellander)
2. Re: Query reagrding Bro Ids (Aashish Sharma)
3. Re: Query reagrding Bro Ids (Manoj Petshali)
----------------------------------------------------------------------
Message: 1
Date: Fri, 12 Jul 2019 13:17:25 -0700
From: Jim Mellander <jmellander(a)lbl.gov>
Subject: Re: [Zeek] Query reagrding Bro Ids
To: Manoj Petshali <manoj.petshali(a)paytm.com>
Cc: Payments Network Team <payments.networkteam(a)paytm.com>,zeek
<zeek(a)zeek.org>
Message-ID:
<CADju=b7zCBZrTyKQU_axFxh7Pf=5onmWcvRjQ6fNhbG7f3NpbQ(a)mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi Manoj:
The issue you described seems more on the networking side, rather than the
IDS side. However, it seems likely that a much bigger issue that a
business like yours would face would be that of cybersecurity, in
particular, securing your servers from unauthorized intrusion and data
exfiltration. In this, Zeek (the opensource IDS formerly known as Bro) can
play an important role in early detection of possible intrusions.
Hope this helps,
Jim
On Fri, Jul 12, 2019 at 1:33 AM Manoj Petshali <manoj.petshali(a)paytm.com>
wrote:
> Hi Team,
>
> Please respond as we need to implement the same at the earliest.
>
> Thanks
> Manoj Petshali
> Sr. Manager - Payments Engineering
> Mobile +91-9891066456
>
> www.paytm.com
>
>
>
> On Fri, Jul 12, 2019 at 10:21 AM Manoj Petshali <manoj.petshali(a)paytm.com>
> wrote:
>
>> Hi Team,
>>
>> I am very eager about the Bro and need to know below information :
>>
>> -We are working in india's biggest transactional system and facing many
>> issues e.g.
>>
>> : if some user request is coming from pubic or private network (Internal
>> request) and traverses across many servers and if user receives timeout (
>> e.g. connection time out, read time out ,rst etc) then we need to know the
>> deep analysis of the same means :
>>
>> : Why/where the request timed out ?
>> : Upto which hop the request travelled?
>> : Network latency between these hopes to know if the latency is the issue?
>> : tcp handshake and ssl handshake latency and the reason for the same?
>> : Applicatency latency ? means if the network latency is fine
>>
>> We searched on wen and got feeling that the Bro is more oriented toward
>> security and do deep packe inspection.But we have many problems like above
>> to resolve .May you please let us know that how Bro can help us to resolve
>> above issues?
>>
>> Thanks
>> Manoj Petshali
>> Sr. Manager - Payments Engineering
>> Mobile +91-9891066456
>>
>> www.paytm.com
>>
>> _______________________________________________
> Zeek mailing list
> zeek(a)zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190712/b233dc…
------------------------------
Message: 2
Date: Fri, 12 Jul 2019 13:34:41 -0700
From: Aashish Sharma <asharma(a)lbl.gov>
Subject: Re: [Zeek] Query reagrding Bro Ids
To: Manoj Petshali <manoj.petshali(a)paytm.com>
Cc: Payments Network Team <payments.networkteam(a)paytm.com>,
zeek(a)zeek.org
Message-ID: <20190712203440.GH2789(a)MacPro-2331.local>
Content-Type: text/plain; charset=us-ascii
Hello Manoj,
you can sure use zeek to get more visibility into your traffic and connections.
It has a pretty good and powerful tcp analysis engine built into. I am sure zeek
can get you a lot of diagnostic data - I say that from our experience at
Berkeley Lab where we do a lot of proactive blocking and always rely on zeek's
conn.log (and similar) to look into connectivity issues. So to me what you
seek, is not too difficult.
The difficult part for you is going to be getting this traffic into zeek or
putting taps/sensors at the right places.
Do you have taps on the points you want to monitor ?
Aashish
On Fri, Jul 12, 2019 at 01:54:43PM +0530, Manoj Petshali wrote:
> Hi Team,
>
> Please respond as we need to implement the same at the earliest.
>
> Thanks
> Manoj Petshali
> Sr. Manager - Payments Engineering
> Mobile +91-9891066456
>
> www.paytm.com
>
>
>
> On Fri, Jul 12, 2019 at 10:21 AM Manoj Petshali <manoj.petshali(a)paytm.com>
> wrote:
>
> > Hi Team,
> >
> > I am very eager about the Bro and need to know below information :
> >
> > -We are working in india's biggest transactional system and facing many
> > issues e.g.
> >
> > : if some user request is coming from pubic or private network (Internal
> > request) and traverses across many servers and if user receives timeout (
> > e.g. connection time out, read time out ,rst etc) then we need to know the
> > deep analysis of the same means :
> >
> > : Why/where the request timed out ?
> > : Upto which hop the request travelled?
> > : Network latency between these hopes to know if the latency is the issue?
> > : tcp handshake and ssl handshake latency and the reason for the same?
> > : Applicatency latency ? means if the network latency is fine
> >
> > We searched on wen and got feeling that the Bro is more oriented toward
> > security and do deep packe inspection.But we have many problems like above
> > to resolve .May you please let us know that how Bro can help us to resolve
> > above issues?
> >
> > Thanks
> > Manoj Petshali
> > Sr. Manager - Payments Engineering
> > Mobile +91-9891066456
> >
> > www.paytm.com
> >
> >
> _______________________________________________
> Zeek mailing list
> zeek(a)zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
------------------------------
Message: 3
Date: Sat, 13 Jul 2019 13:37:04 +0530
From: Manoj Petshali <manoj.petshali(a)paytm.com>
Subject: Re: [Zeek] Query reagrding Bro Ids
To: Aashish Sharma <asharma(a)lbl.gov>
Cc: Payments Network Team <payments.networkteam(a)paytm.com>,
zeek(a)zeek.org
Message-ID:
<CAENooKzrtMUKQWdqFu+PcFQCeNv-PLAH4NM_=t0nivw1hZJj7w(a)mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Hi Ashish,
Thanks a lot for your response.
we do not have taps/sensors as of now. if we have taps placed at right
places , may you elaborate what kind of difficulty we may face?
Also let me know if we can filter and send the traffic (without payload)
according to our requirement e.g. flags only like syn, synack,ack, timeout
etc to zeek for troubleshooting.
May you please share some data/charts depicting the information we are
looking for (as per the trail mail ) so that we may proceed further.
Thanks
Manoj Petshali
Sr. Manager - Payments Engineering
Mobile +91-9891066456
www.paytm.com
On Sat, Jul 13, 2019 at 2:04 AM Aashish Sharma <asharma(a)lbl.gov> wrote:
> Hello Manoj,
>
> you can sure use zeek to get more visibility into your traffic and
> connections.
> It has a pretty good and powerful tcp analysis engine built into. I am
> sure zeek
> can get you a lot of diagnostic data - I say that from our experience at
> Berkeley Lab where we do a lot of proactive blocking and always rely on
> zeek's
> conn.log (and similar) to look into connectivity issues. So to me what you
> seek, is not too difficult.
>
> The difficult part for you is going to be getting this traffic into zeek
> or
> putting taps/sensors at the right places.
>
> Do you have taps on the points you want to monitor ?
>
> Aashish
>
> On Fri, Jul 12, 2019 at 01:54:43PM +0530, Manoj Petshali wrote:
> > Hi Team,
> >
> > Please respond as we need to implement the same at the earliest.
> >
> > Thanks
> > Manoj Petshali
> > Sr. Manager - Payments Engineering
> > Mobile +91-9891066456
> >
> > www.paytm.com
> >
> >
> >
> > On Fri, Jul 12, 2019 at 10:21 AM Manoj Petshali <
> manoj.petshali(a)paytm.com>
> > wrote:
> >
> > > Hi Team,
> > >
> > > I am very eager about the Bro and need to know below information :
> > >
> > > -We are working in india's biggest transactional system and facing many
> > > issues e.g.
> > >
> > > : if some user request is coming from pubic or private network
> (Internal
> > > request) and traverses across many servers and if user receives
> timeout (
> > > e.g. connection time out, read time out ,rst etc) then we need to know
> the
> > > deep analysis of the same means :
> > >
> > > : Why/where the request timed out ?
> > > : Upto which hop the request travelled?
> > > : Network latency between these hopes to know if the latency is the
> issue?
> > > : tcp handshake and ssl handshake latency and the reason for the same?
> > > : Applicatency latency ? means if the network latency is fine
> > >
> > > We searched on wen and got feeling that the Bro is more oriented toward
> > > security and do deep packe inspection.But we have many problems like
> above
> > > to resolve .May you please let us know that how Bro can help us to
> resolve
> > > above issues?
> > >
> > > Thanks
> > > Manoj Petshali
> > > Sr. Manager - Payments Engineering
> > > Mobile +91-9891066456
> > >
> > > www.paytm.com
> > >
> > >
>
>
>
> > _______________________________________________
> > Zeek mailing list
> > zeek(a)zeek.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190713/c66ed5…
-------------- next part --------------
A non-text attachment was scrubbed...
Name: noname
Type: image/png
Size: 944 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190713/c66ed5…
------------------------------
_______________________________________________
Zeek mailing list
Zeek(a)zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
End of Zeek Digest, Vol 159, Issue 14
*************************************
