Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have less than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with less than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings, I get 800000
packets with 33 rings, 1200000 packets with 34 rings, and so on.
I wonder if there is some rule that a pf_ring or a Bro cluster can only
support less than 32 rings or worker threads on a server, or some other
reason?
Any insight would be helpful.
Are there any plans to use another communication platform besides IRC? To
the best of my knowledge the IRC channel does not record history, so any
new member is unaware of prior chats / discoveries.
Is there a desire in the community to move to something along the lines of
Discord or Slack? Granted, Slack would come at a premium.
Release Candidate 2 for Zeek 3.0.0 is now available for
testing:
https://www.zeek.org/downloads/zeek-3.0.0-rc2.tar.gz
https://www.zeek.org/downloads/zeek-3.0.0-rc2.tar.gz.asc
See the CHANGES file for a list of changes since RC1.
This major release will have many additions and changes, the
most prominent being a comprehensive adaptation to use Zeek
instead of Bro. See the NEWS file for the full list of
important differences to be aware of when upgrading and testing.
Our blog also describes the upcoming release and potential
issues when upgrading:
https://blog.zeek.org
Please report bugs at our GitHub project:
https://github.com/zeek/zeek/issues
Or feel free to give feedback directly on the Zeek mailing list.
Just as a reminder - TODAY is the last day to submit a package for the Zeek
Package Contest. https://blog.zeek.org/2019/07/zeek-package-contest_25.html
Thanks,
~Amber
--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469
* Ask me about how you can participate in the Zeek (formerly Bro)
community.
* Remember - ZEEK AND YOU SHALL FIND!!
Hi all,
Check out the ZeekWeek Agenda today for 4 days of sessions, trainings,
networking opportunities and more.
====
REGISTER NOW for ZeekWeek 2019 before prices go up August 31st! -
http://bit.ly/zeekweek19_registration
====
Join all the leaders and contributors to the Zeek project as well as many
of the most expert users from around the world at ZeekWeek 2019. Here's
just a taste of the in-depth programming you'll be part of if you're in
Seattle:
- Learn how BZAR scripts created by MITRE can help you inspect SMB and RPC
functions
Presented by Mark Fernandez, Lead Cybersecurity Engineer, The MITRE
Corporation
- A case study on the DNSSEC Protocol parser
Presented by Fatema Banat Wala, Security Engineer, University of Delaware
- Understand how to profile production Zeek systems
Presented by Justin Azoff, Senior Support Engineer, Corelight
View the Full Agenda: http://bit.ly/zeekweek19agenda
Register Now: http://bit.ly/zeekweek19_registration
====
Zeek out on workshops, training, and community presentations from leaders
in the Zeek community.
Visit with vendors, sponsors, and other Zeek community members.
Save on your conference pass by registering now. Ticket prices rise August
31.
Haven't been to a Zeek event? Check out last year's BroCon lineup:
https://www.zeek.org/community/brocon2018.html
====
ZeekWeek 2019 is at the Embassy Suites by Hilton Downtown Pioneer Square in
Seattle, Washington. We have negotiated a special group rate for our
attendees who purchase in our room block. Deadline to reserve is September
16.
Learn more: http://bit.ly/zeekweek19
====
--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469
* Ask me about how you can participate in the Zeek (formerly Bro)
community.
* Remember - ZEEK AND YOU SHALL FIND!!
Hello,
I'd like to write a script for HTTP requests, but I need the raw and
untruncated headers to do this. I can't seem to find an event that will
give me this data to work with. I've looked at http_all_headers and
http_header, but they still strip whitespace.
Is there any (current) way of doing this? It'd be nice to be able to do
this without having to modify the analyzer.
Thanks!
Andrew
Hi,
When feeding PCAPs to Zeek, is there any functionality to decrypt HTTPS traffic?
I see that the SSL log contains “a record of SSL sessions, including certificates being used” - can these certificates be used to decrypt PCAPs before Zeek processes them to ensure HTTP logs are correctly populated?
Thanks,
Jonah
A security patch release, Bro v2.6.4, is now available for
download:
https://www.zeek.org/downloads/bro-2.6.4.tar.gz
https://www.zeek.org/downloads/bro-2.6.4.tar.gz.asc
Bro v2.6.4 addresses a potential Denial of Service
vulnerability:
* The NTLM analyzer did not properly handle AV Pair sequences
that were either empty or unterminated, resulting in invalid
memory access or heap buffer over-read. The NTLM analyzer
is enabled by default and used in the analysis of SMB,
DCE/RPC, and GSSAPI protocols.
Thanks to Chris Hinshaw for reporting the issue.
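The advisory above describes AV Pair lists that are empty or never terminated. As an added illustration (not Zeek's or Bro's code), here is a bounds-checked walk over an NTLM AV_PAIR list, assuming the MS-NLMP layout of each pair: a 16-bit little-endian AvId, a 16-bit little-endian AvLen, AvLen bytes of value, with the list closed by an MsvAvEOL pair (AvId 0, AvLen 0). The sample inputs are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MSV_AV_EOL 0x0000  /* AvId that terminates the AV_PAIR list (MS-NLMP) */

/* Outcome of walking an AV_PAIR list. */
typedef struct {
    int ok;        /* 1 only if an MsvAvEOL terminator was found inside the buffer */
    size_t pairs;  /* number of non-EOL pairs seen before the terminator */
} av_result;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk the AV_PAIR list in buf[0..len). Every read is checked against len,
 * so an empty buffer, a list that runs out before MsvAvEOL, or a pair whose
 * AvLen points past the end is rejected (ok = 0) instead of read past the buffer. */
av_result parse_av_pairs(const uint8_t *buf, size_t len)
{
    av_result r = {0, 0};
    size_t off = 0;
    while (len - off >= 4) {              /* need a full AvId + AvLen header */
        uint16_t id = rd16le(buf + off);
        uint16_t vlen = rd16le(buf + off + 2);
        off += 4;
        if (id == MSV_AV_EOL) { r.ok = 1; return r; }
        if (vlen > len - off) return r;   /* value would run past the buffer */
        off += vlen;
        r.pairs++;
    }
    return r;                             /* bytes exhausted before MsvAvEOL */
}

/* Constructed samples: one well-formed list, one with no terminator,
 * one whose AvLen exceeds the remaining bytes. */
static const uint8_t av_good[]  = { 0x01,0x00, 0x04,0x00, 'H',0,'O',0, 0x00,0x00, 0x00,0x00 };
static const uint8_t av_unterm[] = { 0x01,0x00, 0x04,0x00, 'H',0,'O',0 };
static const uint8_t av_badlen[] = { 0x02,0x00, 0xff,0x00, 'A' };

int main(void)
{
    av_result a = parse_av_pairs(av_good, sizeof av_good);
    av_result b = parse_av_pairs(av_unterm, sizeof av_unterm);
    av_result c = parse_av_pairs(av_badlen, sizeof av_badlen);
    av_result d = parse_av_pairs(av_good, 0);  /* empty sequence */
    printf("good ok=%d pairs=%zu; unterminated ok=%d; badlen ok=%d; empty ok=%d\n",
           a.ok, a.pairs, b.ok, c.ok, d.ok);
    return 0;
}
```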
Hola!
How can URLs be extracted from SMTP emails, HTTP pages and files?
Is there an analyzer or option that needs to be loaded or enabled?
Side question --- is there an analyzer for JSON requests?
Thank you for your help.
Ambros
Hello,
Is there a way to fingerprint operating systems in Zeek?
I have done some testing using the *OS_version_found* event
https://docs.zeek.org/en/stable/scripts/base/bif/event.bif.bro.html#id-OS_v…
and by modifying this old script:
https://github.com/ewust/telex/blob/master/telex-station/station/bro-1.5.1/…
But without much success.
I stumbled upon the (WIP) release notes for Zeek 3.1.0 and read the
following:
- Removed p0f (passive OS fingerprinting) support. The version of
p0f shipped with zeek was ancient, probably did not give
any reliable support anymore and did not offer a clear
upgrade path. The ``OS_version_found`` event as well as the
``generate_OS_version_event`` configuration option were removed.
So I'm assuming my approach will be a failure.
Is there another way to get OS information? Are there some Zeek scripts
that offer this functionality?
--
Federico Foschini.