zeek December 2020

zeek@lists.zeek.org

10 participants
11 discussions

by Vlad Grigorescu

We recently purchased some Intel XXV710 NICs for our Zeek systems. However, symmetric hashing does not seem to work on them, at least not completely. There was some discussion here regarding adding some functionality to the driver to make it work, however this never landed: https://sourceforge.net/p/e1000/mailman/message/35199068/ This post discusses how the X710 controller must be configured differently from the 82599 10G controller (used by the X520 cards): https://haryachyy.wordpress.com/2019/01/18/learning-dpdk-symmetric-rss/ The odd part is that following the SEPTun-MarkII guide[1] makes it *mostly* work, but we're consistently finding that ~1-2% of the traffic is not being symmetrically hashed. We're testing with can-i-use-afpacket-fanout[2] and Zeek 3.2. The most damning evidence is an Intel rep telling[3] a customer: > Unfortunately, we have been informed that the only support to setup symmetric RSS is via DPDK. Searching the mailing list archives, I found a couple of posts where people were encouraged to use X710-based cards, so I'm left wondering: Are there people using these? Are they also seeing this 1-2% asymmetry? Or am I missing a configuration tweak? Thanks, --Vlad [1] - < https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rst> [2] - <https://github.com/JustinAzoff/can-i-use-afpacket-fanout> [3] - < https://community.intel.com/t5/Ethernet-Products/X-L-710-supports-symmetric… >

2 months

Scanner and victim reverse condition in scan.zeek

by Eiji Yanagi

Hello, I frequently see a lot of scans from external hosts and some of them are with only TCP-Ack flag ("H" in history) set packets, but these packets appear to have been alerted as Port_Scan activities originated from internal hosts possibly due to the following code snippet in scan.zeek script. Is there any reason for this default code that reverses the network direction if "H" or "s" flag seen in the TCP flag ? event connection_attempt(c: connection) { local is_reverse_scan = F; if ( "H" in c$history ) is_reverse_scan = T; add_sumstats(c$id, is_reverse_scan); } Thank you

1 year

Telnet.log Implementation

by zeinabha36.zh＠gmail.com

Hello Everyone, I'm new to Zeek here and still learning the ropes. When searching through the protocols I didn't find telnet capture implementation in Zeek scripts. Then going through the docs I found there is a login_plugin that has defined functions/events that can be used with telnet. Can somebody help me on how i can use them to write a telnet capture script ? or if there is a simple ready script that I can start with. Thanks in advance,

1 year

HTTP GeoLocation

by Robert Gabriel

Hi, My manager wants geolocation info in the http.log. I have looked at several scripts and only see geolocation info in conn.log and ssh.log etc. Is it a sound idea to have geolocation info in the http.log? Thank you.

1 year

2021 - Content Schedule - What would you like us to cover?

by Amber Graner

Hi all, As we prepare the Zeek Project content schedule for next year, we'd like to get some feedback from the community on the areas listed below. _______________________________________________________ *Interview Series* - we'd like to have one interview per month - who from the NSM/Threat Hunting/Incident Responder/Zeek Community or adjacent communities/projects would you like us to interview and why. Here's who has been suggested so far: - Eric Ooi - Lexi Brent - Richard Bejtlich - Fatema Bannat Wala - Jeff Atkinson If you would like to help with this series, please let me know. _______________________________________________________ *Topics of interest that have been suggested: * - How to's - Installing Zeek (Ubuntu, CentOS, Fedora, Debian, BSD), - Getting started with Zeek Logs (More details about using the logs in your SIEM. Suggested SIEMS include - Elastic, Humio, Splunk, Raw logs) - Upcoming Releases and how to test them - More posts about the upcoming changes and details on the point releases and fixes - New additions to the documentation - Quarterly reports on the Project If you have suggestions for other topics, again, please let me know. _______________________________________________________ *Guest Bloggers* Who would you like to see blog posts from and what would you like them to cover. _______________________________________________________ *Webinars* Next year we would like to have 2 Zeek Related webinars per month. For February, March and April of 2021 we are going to do one per month in the European Time Zone and one that is US centric to see what participation looks like. Topics include those that are listed above and also various panel discussions. Please let me know if you are interested in leading a webinar and what your topics of expertise are. Also, if there is anything you would like to see cover that is not listed please let me know that as well. Please let me know if there is other content you'd like us to cover that I haven't included above. Thanks in advance! ~Amber

1 year, 1 month

Zeek releases: 3.0.12 (bugfix), 3.2.3 (security + bugfix), and 4.0.0 RC1

by Jon Siwek

Downloads for Zeek 3.0.12 (LTS), 3.2.3, and 4.0.0 RC1 are available: https://zeek.org/get-zeek Note that 3.2.3 has an important security bug fix, but 3.0.12 was not impacted and contains only non-security bug fixes. See the release notes for details: https://github.com/zeek/zeek/releases/tag/v3.0.12 https://github.com/zeek/zeek/releases/tag/v3.2.3 For info about the 4.0.0 Release Candidate, see the following blog post and release notes: https://zeek.org/2020/12/15/zeek-4-0-release-candidate/ https://github.com/zeek/zeek/releases/tag/v4.0.0-rc1 Binary packages for the new releases will also be available shortly: https://github.com/zeek/zeek/wiki/Binary-Packages

1 year, 1 month

End of the Year Zeek Community Call. 18 Dec 2020 - 3pm (eastern)

by Amber Graner

Hi all, We've moved this month's community call to the 18th so that we can update the community on yearly growth, 4th quarter goals and look at high level goals for 2021. Please use the following link to register for this call: https://corelight.zoom.us/meeting/register/tJcldO6qrTMrG9Kwsu6_qHsUeAvdjLmM… Thanks, ~Amber

1 year, 1 month

LTS support policy for transition from 3.0 to 4.0

by Robin Sommer

We're close to releasing the next Zeek LTS version, 4.0 -- looks like we should have a first release candidate ready next week. In that context we're wondering how to best manage the transition from one LTS track (3.0.x) to the next (4.0.x). Generally, our policy currently states that support for the prior track ends when the new one comes out. However, in order to give people time to upgrade, we would like to provide for some overlap period during which we continue to support 3.0.x as well. We're thinking to commit to providing updates to 3.0.x for another two months after the release of 4.0.0. We would be interested in any opinions on whether that's a reasonable amount of time. (The trade-off of course is against the work it takes the development team to maintain multiple versions at the same time; that goes out of the budget for working on new stuff.) If you have any thoughts, please reply here or in #general on Slack. Whatever we do for the current transition, will then probably become our new standard policy going forward. Thanks, Robin -- Robin Sommer * Corelight, Inc. * robin(a)corelight.com * www.corelight.com

1 year, 1 month

Zeek::PIA analyzer details

by Brett D. Rasmussen

Hello. Does anyone have any additional documentation for the Zeek::PIA plugin? What does "PIA" stand for? There are two plugin instantiations within the plugin code, i.e. Analyzer::ANALYZER_TCP Analyzer::ANALYZER_UDP The plugin's 'description' field says: "Analyzers implementing Dynamic Protocol" Are these for packet level analysis (i.e. OSI Layer 2 protocols) Thanks, Brett Rasmussen Cyber Security Researcher Supporting the DHS CIOCC Advanced Analytical Lab Phone: (208) 526-5486 Fax: (208) 526-6173 Email: Brett.Rasmussen(a)inl.gov<mailto:Jan.Wright@inl.gov>

1 year, 1 month

Re: [EXT] Zeek can't recognize some UDP based DCE/RPC "connections"

by Mark I Fernandez

Hi Brett, I am familiar with DCE-RPC, but I haven't worked with DCE-RPC over UDP in a long time. Looking at the PCAP you sent, it appears PROFINET_IO_CM protocol does not use the DCE-RPC endpoint mapper service. I think this is the problem. If it used the endpoint mapper service, then I believe you would first see DCE-RPC traffic to port 135 (with the epmapper UUID in the DCE-RPC header); then it would get mapped to an ephemeral high port; and I think Zeek might stand a chance of recognizing the entire transaction. Instead, the PROFINET_IO_CM serve just changes the port from which it responds, without the formalities of the epmapper service, making it appear like a new "connection". Mark Mark I. Fernandez MITRE Corporation Email: <mailto:mfernandez@mitre.org> mfernandez(a)mitre.org From: Brett D. Rasmussen via zeek <zeek(a)lists.zeek.org> Sent: Monday, November 30, 2020 10:12 PM To: zeek(a)lists.zeek.org Cc: Keith D. Mecham <Keith.Mecham(a)inl.gov> Subject: [EXT] [Zeek] Zeek can't recognize some UDP based DCE/RPC "connections" Hello. I'm currently developing a Zeek plugin that parses the Profinet_IO_CM protocol traffic. The PROFINET_IO_CM protocol is transported within a DCE/RPC protocol wrapper. The DCE/RPC protocol is transported within a UDP packet. So, I've run into a problem, when Zeek is trying to detect UDP based DCE/RPC "connections." Zeek can correctly recognize "normal" UDP based client/server connections. (e.g. From a DNS client to a DNS server) but, it runs into problems when parsing the UDP based PROFINET_IO_CM protocol. I've attached a detailed write-up (.txt) document that describes the nature of the problem (along with a proposed solution) -and- a small .pcapng file that contains actual PROFINET_IO_CM protocol traffic. Any ideas on how to resolve this issue? It seems like a "Zeek source code change" will be required, to correct this issue? Thanks, --Brett Brett Rasmussen Cyber Security Researcher Supporting the DHS CIOCC Advanced Analytical Lab Phone: (208) 526-5486 Fax: (208) 526-6173 Email: Brett.Rasmussen(a)inl.gov <mailto:Jan.Wright@inl.gov>

1 year, 1 month

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek December 2020