I'm new to Zeek. I noticed my Zeek is crashing every few days. I have the below bt
Core was generated by `/opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p logger local.b'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000894795 in logging::Manager::CheckFilterWriterConflict(logging::Manager::WriterInfo const*, logging::Manager::Filter const*) ()
(gdb) bt
#0 0x0000000000894795 in logging::Manager::CheckFilterWriterConflict(logging::Manager::WriterInfo const*, logging::Manager::Filter const*) ()
#1 0x000000000089999f in logging::Manager::Write(EnumVal*, RecordVal*) ()
#2 0x00000000005d5436 in BifFunc::Log::bro___write(Frame*, ValPList*) ()
#3 0x00000000005e502f in BuiltinFunc::Call(ValPList*, Frame*) const ()
#4 0x00000000005c7f46 in CallExpr::Eval(Frame*) const ()
#5 0x0000000000639351 in StmtList::Exec(Frame*, stmt_flow_type&) const ()
#6 0x00000000005f1294 in BroFunc::Call(ValPList*, Frame*) const ()
#7 0x00000000005c7f46 in CallExpr::Eval(Frame*) const ()
#8 0x000000000063aee4 in ExprStmt::Exec(Frame*, stmt_flow_type&) const ()
#9 0x0000000000639351 in StmtList::Exec(Frame*, stmt_flow_type&) const ()
#10 0x00000000005f1294 in BroFunc::Call(ValPList*, Frame*) const ()
#11 0x00000000005ade1a in EventHandler::Call(ValPList*, bool) ()
#12 0x00000000005ad106 in EventMgr::Drain() ()
#13 0x0000000000601b49 in net_run() ()
#14 0x000000000055e4a3 in main ()
I'm not sure what to make of it. Everything was stable until two things changed. I went from standalone to cluster mode on the one server as I brought in another interface for a different set of networks. So now there are two network interfaces receiving packets in a cluster on one physical server. Any troubleshooting steps appreciated.
thanks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A Release Candidate for Zeek 3.0.0 is now available for
testing:
https://www.zeek.org/downloads/zeek-3.0.0-rc1.tar.gz
https://www.zeek.org/downloads/zeek-3.0.0-rc1.tar.gz.asc
This major release will have many additions and changes, the
most prominent being a comprehensive adaptation to use Zeek
instead of Bro. See the NEWS file for the full list of
important differences to be aware of when upgrading and testing.
Our blog also describes the upcoming release and potential
issues when upgrading:
https://blog.zeek.org
Please report bugs at our GitHub project:
https://github.com/zeek/zeek/issues
Or feel free to give feedback directly on the Zeek mailing list.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A security patch release, Bro v2.6.3, is now available for
download:
https://www.zeek.org/downloads/bro-2.6.3.tar.gz
https://www.zeek.org/downloads/bro-2.6.3.tar.gz.asc
Bro v2.6.3 addresses the following Denial of Service
vulnerabilities:
* Null pointer dereference in the RPC analysis code. RPC
analyzers (e.g. MOUNT or NFS) are not enabled in the default
configuration.
* Signed integer overflow in BinPAC-generated parser code. The
result of this is Undefined Behavior with respect to the array
bounds checking conditions that BinPAC generates, so it's
unpredictable what an optimizing compiler may actually do
under the assumption that signed integer overflows should never
happen. The specific symptom which led to finding this issue
was with the PE analyzer causing out-of-memory crashes due to
large allocations that were otherwise prevented when the array
bounds checking logic was changed to prevent any possible
signed integer overflow.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBAgAdFiEE6WkLK32KwaGfkhxKxotJTfVqzH4FAl1MpNQACgkQxotJTfVq
zH6psg/9FZq5HVhRNymHzB1VHXlf1ELDW/lKC26ekl17Ri25Ec0YPm2U7xP1R/D+
XzLGcF5Wh74gB8IgbePHPq4RynVYYOyeRboN2yjrCCZvUBQcVn32wDOWo2QJer/0
kro+EDDaxWNUPhhM3xD09UYscWJ7SlyHfQciMnn9FWkccYOUqciIydiIcAdQ6Ako
uoG3pGh9BDfFQVMbYpC0pQPFNU6LAzyUOMq0I7cKKKxT+GRj5GuHVOnWfSqdulUA
w05Dk7isxeea7slR+g6FgCrBX/xqdMhnoJPNuKnMZ7+aKlg1a/MOB45tmeqm/OTs
jOg6+BB0W3rOc8McZf6ksnOFj/1CK7Nhf9ccFNgqXGTjOYRfcFEw9L9QbJyPcRDW
6fDIaXWLQx4NTgf74EIR/k4uZ4iLWKSahq1V9w0qPbQQXIvZEf5a9E4bCJHbhA5K
5WngU0NGZiKQACNGf0Ja0y470/V/u6EDFDge4lgIKsef7bysuOhNpRNPHTx8bMrM
dPOSvLoWabirdGCYXD50egJujFl1bgVUfJ0f61C23fobefm/M0X9goNTtIbnDYuX
WAeaEk7snMWwZman4PyEMk1pTulW3yt8rhXCNJxpchwqZYiF69wM8o41gbBD/sly
ECL8vEHK1hiShTuZcjn9VW/pRkGq4YyXjon19bnCREgJNiGZhtY=
=jf49
-----END PGP SIGNATURE-----
Hello there,
I have spent hours attempting to get the threat intel framework running on Zeek, but still am having no luck. Despite following the tutorials to a T, there is no intel.log generated with the rest of the log files. Running the scripts against a generated pcap will create the intel.log file, but nothing is being made in the logs folder as normal traffic passes through. All other logs are generating, and I can't seem to find any issues.
Thank you,
Cody
Hello Zeek Community,
I am doing some research on Zeek.
Maybe one of you can help me with that question. How large can the intel file (intel-1.dat from try.zeek.org) be?
I'm asking that question because if you fill that file with tons of IPs/domains, there should be some performance issues with the large volume of incoming IPs and matching these against the list.
I hope somebody can help me.
Thank you for your time and I am looking forward to hearing from you
Best Regards,
Jens
Jens Rembe
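The two intel-framework questions above (Cody's missing intel.log on live traffic and Jens's question about large intel files) share the same setup, so here is one added example, written for this digest and not taken from either post or from the Zeek project. It assumes Zeek 3.0 (use bro_init instead of zeek_init on Bro 2.6), an intel file named intel-1.dat in the same directory as the script, a feed name "example-feed" and the constructed indicators shown in the comment; all of those are this example's own choices.

```zeek
# Added example (not from either post): minimal intel framework setup
# with a match hook for debugging and a startup check of the file list.
@load frameworks/intel/seen        # feeds observed hosts, domains, etc. into Intel::seen
@load frameworks/intel/do_notice   # raises Notice::Intel for items whose meta.do_notice is T

# Assumption: intel-1.dat sits next to this script. Its content is the
# standard tab-separated intel format (columns separated by real tabs,
# written as <TAB> here), constructed for this example:
#
#   #fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.desc<TAB>meta.do_notice
#   198.51.100.23<TAB>Intel::ADDR<TAB>example-feed<TAB>test host in TEST-NET-2<TAB>T
#   bad.example<TAB>Intel::DOMAIN<TAB>example-feed<TAB>test domain<TAB>F
redef Intel::read_files += { fmt("%s/intel-1.dat", @DIR) };

# Every match is also written to intel.log; printing it here separates
# "the file never matched anything" from "the log is not being written".
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    local ind = s?$indicator ? s$indicator : (s?$host ? fmt("%s", s$host) : "-");
    local typ = s?$indicator_type ? fmt("%s", s$indicator_type) : "-";
    for ( item in items )
        print fmt("intel hit: %s (%s) from %s, seen in %s",
                  ind, typ, item$meta$source, s$where);
    }

# Report at startup which files will be read, so a wrong path shows up
# in reporter.log rather than as a silently empty data store.
event zeek_init()
    {
    for ( fname in Intel::read_files )
        Reporter::info(fmt("intel framework will read %s", fname));
    }
```

Two checks worth doing before blaming the framework: in a cluster the intel files are read by the manager, so the path must exist on the manager and the file must be reachable from that node's working directory; and intel.log is only created on the first match, so a feed of indicators that live traffic never touches produces no file at all. On the size question, the framework keeps indicators in tables keyed by address, subnet or string, so a lookup is a hash or prefix lookup rather than a scan of the file; the cost of a very large file is mainly memory and load time on the manager, not per-packet matching.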
I'd like to generate an alert for Go binaries for Windows platforms. Looks
like there's a .symtab section and I'd like to pattern match in that
section. I'd like to do something like below.
event pe_section_header(f: fa_file, h: PE::SectionHeader)
    {
    if ( /symtab/ in h$name )
        {
        # if ( /Go build ID/ in h$data )   # h$data not available yet?
        # Raise notice.
        }
    }
Has anyone done anything like this yet?
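PE::SectionHeader carries the section's name, sizes and offsets but not its bytes, so the inner match in the sketch above cannot be written against the header record. One way to get at the content is to attach the data-event file analyzer once the .symtab header has been seen and run the pattern over the chunks it delivers. The following is an added example written for this digest, not code from the post or from the Zeek project; the module name GoPE, the notice type Go_Binary, the helper event go_chunk and the five-minute expiry are this example's own choices.

```zeek
# Added example (not from the post): notice on Windows PE files that carry a
# .symtab section header followed by a "Go build ID" marker in the file data.
module GoPE;

export {
    redef enum Notice::Type += {
        ## A PE file with a .symtab section and a Go build ID string.
        Go_Binary
    };
}

# File ids for which a .symtab section header has been seen.
# Assumption: five minutes is long enough for the rest of the file to arrive.
global candidates: set[string] &create_expire=5min;

# Delivered by the DATA_EVENT analyzer for each chunk of file content.
# Assumption: the marker does not straddle a chunk boundary; a match split
# across two chunks is missed by this per-chunk regex.
event go_chunk(f: fa_file, data: string, off: count)
    {
    if ( f$id !in candidates )
        return;

    if ( /Go build ID/ in data )
        {
        delete candidates[f$id];
        NOTICE([$note=Go_Binary, $f=f,
                $msg=fmt("Go build ID found at offset %d in file %s", off, f$id),
                $identifier=f$id]);
        }
    }

event pe_section_header(f: fa_file, h: PE::SectionHeader)
    {
    if ( /symtab/ in h$name && f$id !in candidates )
        {
        add candidates[f$id];
        # Only content seen after this point is delivered; section headers
        # sit near the start of the file, so the section body normally follows.
        Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, [$chunk_event=go_chunk]);
        }
    }
```

Setting $identifier to the file id lets the notice framework suppress repeats for the same file, and keeping the candidate set keyed by f$id means the regex only runs over files that already looked like a Go build rather than over every PE the sensor sees.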
Hi everybody,
I think it would be nice to be able to update a user-defined signature file without restarting zeek, possibly using the input framework. However, I believe this is not available yet, nor does it seem easy to implement. After a quick look at the code, it is my understanding that the rule parsing for signature files is done using bison/yacc machinery. Signature files are loaded and parsed when starting zeek, in main.cc.
It would save me a great deal of time if somebody could tell me how easy it would be to implement this feature and point me in the right direction.
Thanks in advance,
Mauro
Hi all,
Below are the first in a series of Elastic Meetups and Workshops where Zeek
will be featured: The series is titled: Open Source Network Security
Monitoring Using Zeek and Elastic.
Dates and details below.
Salt Lake City, UT - 20 August 19 (Meetup) - https://ela.st/slc-zeek-meetup
Denver, CO - 22 August (Meetup) - https://ela.st/den-zeek-meetup
Denver, CO - 24 August (Workshop) - https://ela.st/den-zeek-workshop
These meetups and workshops are free and open to the public, but
registration is required.
During these meetups the presenters will introduce Zeek and demonstrate how
to easily ingest logs generated by Zeek into Elasticsearch and how to perform
Threat Hunting and Incident Response using Kibana.
If you're in the Salt Lake City, or Denver areas we hope to see you there.
Please let me know if you have any questions.
Thanks,
~Amber
--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469
* Ask me about how you can participate in the Zeek (formerly Bro)
community.
* Remember - ZEEK AND YOU SHALL FIND!!
Hi there.
I have been collecting log files using bro and all the log files that I
receive are in .log format, and I want logs in .json format. Is there any way to
convert the log files into .json format? Any idea?
I am trying to convert this using " sudo bro -i wlp1s0 -e 'redef
LogAscii::use_json=T;' "
But I'm getting no result.
thanks regards
Syed Shahzaib
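The redef in the post is the right switch; what follows is an added example for this digest, not code from the post or from the Zeek project, showing where it belongs in a persistent deployment and how to keep the existing TSV logs while adding a JSON copy of one stream. It assumes Zeek 3.0 (local.bro and bro_init on Bro 2.6), and the filter name "conn-json" and path are this example's own choices.

```zeek
# Added example (not from the post): JSON output for the ASCII log writer.
# Put these lines in local.zeek so every broctl-managed node picks them up;
# a one-off "-e" on the command line only affects that single run.

# Switch every ASCII log from tab-separated values to one JSON object per line.
redef LogAscii::use_json = T;

# Assumption: the consumer prefers ISO 8601 timestamps over epoch floats.
redef LogAscii::json_timestamps = JSON::TS_ISO8601;

# Alternative to the global switch: leave the defaults alone and add a second
# filter on one stream so conn.log stays TSV and conn-json.log is JSON.
# The per-filter "use_json" writer option is read by the ASCII writer.
event zeek_init()
    {
    Log::add_filter(Conn::LOG, [$name="conn-json",
                                $path="conn-json",
                                $config=table(["use_json"] = "T")]);
    }
```

Neither form converts files that were already written; they change what the writer emits from the moment the script is loaded, so existing TSV logs stay as they are.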
Hi all,
I have written the simple script below in the file testaddedsig.bro
*CODE:*
module Test;

event bro_init() &priority=5
    {
    print "testaddedsig : bro init method";
    }
And this file is also declared in local.bro, like this:
@load testaddedsig.
My doubt is, where is this print statement printed?
If it is not printing, then what is the problem? How to resolve it?
with regards
ravi
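A print statement goes to standard output, which is the terminal when zeek is started by hand and stdout.log in the node's spool directory when broctl runs it. The following added example, written for this digest and not taken from the post or from the Zeek project, shows the same script emitting its message in two places that are easier to find: reporter.log and a dedicated log stream. It assumes Zeek 3.0 (bro_init on Bro 2.6) and the stream name Test::LOG and path "test" are this example's own choices.

```zeek
# Added example (not from the post): three ways to see that a script loaded.
module Test;

export {
    # Log stream for this script; produces test.log alongside conn.log.
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:  time   &log;
        msg: string &log;
    };
}

event zeek_init() &priority=5
    {
    # 1. stdout: terminal when run by hand, spool/<node>/stdout.log under broctl
    print "testaddedsig : zeek init method";

    # 2. reporter.log: collected by broctl like any other log
    Reporter::info("testaddedsig loaded");

    # 3. A dedicated stream: one line in test.log, visible in the logs directory
    Log::create_stream(LOG, [$columns=Info, $path="test"]);
    Log::write(LOG, [$ts=current_time(), $msg="testaddedsig loaded"]);
    }
```

If none of the three appears, the script was never loaded: check that the file name in the @load line matches the file on disk and that broctl has been told to redeploy (broctl deploy) after local.zeek changed.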