zeek December 2020

zeek@lists.zeek.org

10 participants
12 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

4 months, 4 weeks

Anyone using Intel X710 NICs?

by Vlad Grigorescu

We recently purchased some Intel XXV710 NICs for our Zeek systems. However, symmetric hashing does not seem to work on them, at least not completely. There was some discussion here regarding adding some functionality to the driver to make it work, however this never landed: https://sourceforge.net/p/e1000/mailman/message/35199068/ This post discusses how the X710 controller must be configured differently from the 82599 10G controller (used by the X520 cards): https://haryachyy.wordpress.com/2019/01/18/learning-dpdk-symmetric-rss/ The odd part is that following the SEPTun-MarkII guide[1] makes it *mostly* work, but we're consistently finding that ~1-2% of the traffic is not being symmetrically hashed. We're testing with can-i-use-afpacket-fanout[2] and Zeek 3.2. The most damning evidence is an Intel rep telling[3] a customer: > Unfortunately, we have been informed that the only support to setup symmetric RSS is via DPDK. Searching the mailing list archives, I found a couple of posts where people were encouraged to use X710-based cards, so I'm left wondering: Are there people using these? Are they also seeing this 1-2% asymmetry? Or am I missing a configuration tweak? Thanks, --Vlad [1] - < https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rst> [2] - <https://github.com/JustinAzoff/can-i-use-afpacket-fanout> [3] - < https://community.intel.com/t5/Ethernet-Products/X-L-710-supports-symmetric… >

7 months, 2 weeks

Scanner and victim reverse condition in scan.zeek

by Eiji Yanagi

Hello, I frequently see a lot of scans from external hosts and some of them are with only TCP-Ack flag ("H" in history) set packets, but these packets appear to have been alerted as Port_Scan activities originated from internal hosts possibly due to the following code snippet in scan.zeek script. Is there any reason for this default code that reverses the network direction if "H" or "s" flag seen in the TCP flag ? event connection_attempt(c: connection) { local is_reverse_scan = F; if ( "H" in c$history ) is_reverse_scan = T; add_sumstats(c$id, is_reverse_scan); } Thank you

1 year, 5 months

Telnet.log Implementation

by zeinabha36.zh＠gmail.com

Hello Everyone, I'm new to Zeek here and still learning the ropes. When searching through the protocols I didn't find telnet capture implementation in Zeek scripts. Then going through the docs I found there is a login_plugin that has defined functions/events that can be used with telnet. Can somebody help me on how i can use them to write a telnet capture script ? or if there is a simple ready script that I can start with. Thanks in advance,

1 year, 6 months

HTTP GeoLocation

by Robert Gabriel

Hi, My manager wants geolocation info in the http.log. I have looked at several scripts and only see geolocation info in conn.log and ssh.log etc. Is it a sound idea to have geolocation info in the http.log? Thank you.

1 year, 6 months

2021 - Content Schedule - What would you like us to cover?

by Amber Graner

Hi all, As we prepare the Zeek Project content schedule for next year, we'd like to get some feedback from the community on the areas listed below. _______________________________________________________ *Interview Series* - we'd like to have one interview per month - who from the NSM/Threat Hunting/Incident Responder/Zeek Community or adjacent communities/projects would you like us to interview and why. Here's who has been suggested so far: - Eric Ooi - Lexi Brent - Richard Bejtlich - Fatema Bannat Wala - Jeff Atkinson If you would like to help with this series, please let me know. _______________________________________________________ *Topics of interest that have been suggested: * - How to's - Installing Zeek (Ubuntu, CentOS, Fedora, Debian, BSD), - Getting started with Zeek Logs (More details about using the logs in your SIEM. Suggested SIEMS include - Elastic, Humio, Splunk, Raw logs) - Upcoming Releases and how to test them - More posts about the upcoming changes and details on the point releases and fixes - New additions to the documentation - Quarterly reports on the Project If you have suggestions for other topics, again, please let me know. _______________________________________________________ *Guest Bloggers* Who would you like to see blog posts from and what would you like them to cover. _______________________________________________________ *Webinars* Next year we would like to have 2 Zeek Related webinars per month. For February, March and April of 2021 we are going to do one per month in the European Time Zone and one that is US centric to see what participation looks like. Topics include those that are listed above and also various panel discussions. Please let me know if you are interested in leading a webinar and what your topics of expertise are. Also, if there is anything you would like to see cover that is not listed please let me know that as well. Please let me know if there is other content you'd like us to cover that I haven't included above. Thanks in advance! ~Amber

1 year, 6 months

Zeek releases: 3.0.12 (bugfix), 3.2.3 (security + bugfix), and 4.0.0 RC1

by Jon Siwek

Downloads for Zeek 3.0.12 (LTS), 3.2.3, and 4.0.0 RC1 are available: https://zeek.org/get-zeek Note that 3.2.3 has an important security bug fix, but 3.0.12 was not impacted and contains only non-security bug fixes. See the release notes for details: https://github.com/zeek/zeek/releases/tag/v3.0.12 https://github.com/zeek/zeek/releases/tag/v3.2.3 For info about the 4.0.0 Release Candidate, see the following blog post and release notes: https://zeek.org/2020/12/15/zeek-4-0-release-candidate/ https://github.com/zeek/zeek/releases/tag/v4.0.0-rc1 Binary packages for the new releases will also be available shortly: https://github.com/zeek/zeek/wiki/Binary-Packages

1 year, 6 months

End of the Year Zeek Community Call. 18 Dec 2020 - 3pm (eastern)

by Amber Graner

Hi all, We've moved this month's community call to the 18th so that we can update the community on yearly growth, 4th quarter goals and look at high level goals for 2021. Please use the following link to register for this call: https://corelight.zoom.us/meeting/register/tJcldO6qrTMrG9Kwsu6_qHsUeAvdjLmM… Thanks, ~Amber

1 year, 6 months

LTS support policy for transition from 3.0 to 4.0

by Robin Sommer

We're close to releasing the next Zeek LTS version, 4.0 -- looks like we should have a first release candidate ready next week. In that context we're wondering how to best manage the transition from one LTS track (3.0.x) to the next (4.0.x). Generally, our policy currently states that support for the prior track ends when the new one comes out. However, in order to give people time to upgrade, we would like to provide for some overlap period during which we continue to support 3.0.x as well. We're thinking to commit to providing updates to 3.0.x for another two months after the release of 4.0.0. We would be interested in any opinions on whether that's a reasonable amount of time. (The trade-off of course is against the work it takes the development team to maintain multiple versions at the same time; that goes out of the budget for working on new stuff.) If you have any thoughts, please reply here or in #general on Slack. Whatever we do for the current transition, will then probably become our new standard policy going forward. Thanks, Robin -- Robin Sommer * Corelight, Inc. * robin(a)corelight.com * www.corelight.com

1 year, 6 months

Zeek::PIA analyzer details

by Brett D. Rasmussen

Hello. Does anyone have any additional documentation for the Zeek::PIA plugin? What does "PIA" stand for? There are two plugin instantiations within the plugin code, i.e. Analyzer::ANALYZER_TCP Analyzer::ANALYZER_UDP The plugin's 'description' field says: "Analyzers implementing Dynamic Protocol" Are these for packet level analysis (i.e. OSI Layer 2 protocols) Thanks, Brett Rasmussen Cyber Security Researcher Supporting the DHS CIOCC Advanced Analytical Lab Phone: (208) 526-5486 Fax: (208) 526-6173 Email: Brett.Rasmussen(a)inl.gov<mailto:Jan.Wright@inl.gov>

1 year, 6 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek December 2020