Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings I get 800000
packets with 33 rings, 1200000 packets with 34 rings, and so on.
I guess there may be some rule that a pf_ring or a bro cluster can only
support fewer than 32 rings or worker threads on a server, or some other
reason?
Any insight would be helpful.
We recently purchased some Intel XXV710 NICs for our Zeek systems. However,
symmetric hashing does not seem to work on them, at least not completely.
There was some discussion here regarding adding some functionality to the
driver to make it work, however this never landed:
https://sourceforge.net/p/e1000/mailman/message/35199068/
This post discusses how the X710 controller must be configured differently
from the 82599 10G controller (used by the X520 cards):
https://haryachyy.wordpress.com/2019/01/18/learning-dpdk-symmetric-rss/
The odd part is that following the SEPTun-MarkII guide[1] makes it *mostly*
work, but we're consistently finding that ~1-2% of the traffic is not being
symmetrically hashed. We're testing with can-i-use-afpacket-fanout[2] and
Zeek 3.2.
The most damning evidence is an Intel rep telling[3] a customer:
> Unfortunately, we have been informed that the only support to setup
> symmetric RSS is via DPDK.
Searching the mailing list archives, I found a couple of posts where people
were encouraged to use X710-based cards, so I'm left wondering: Are there
people using these? Are they also seeing this 1-2% asymmetry? Or am I
missing a configuration tweak?
Thanks,
--Vlad
[1] - <https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rst>
[2] - <https://github.com/JustinAzoff/can-i-use-afpacket-fanout>
[3] - <https://community.intel.com/t5/Ethernet-Products/X-L-710-supports-symmetric…>
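For readers following the thread, here is an added example (not from Vlad's post, the SEPTun guide, or Intel's driver) showing why the repeated-0x6d5a RSS key is expected to hash both directions of a flow to the same bucket: a Python model of the Toeplitz hash plus the "fraction of asymmetric flows" check over constructed flows. It assumes the guide's symmetric key is 0x6d5a repeated across the 40-byte key, and it models only the algorithm, not what the X710 hardware actually does.

```python
import ipaddress
import struct
from typing import Iterable, Tuple

# Assumption: the "symmetric" RSS key the SEPTun-Mark-II guide installs is the
# 16-bit pattern 0x6d5a repeated to fill the 40-byte key; that is what is used here.
SYMMETRIC_KEY = bytes.fromhex("6d5a") * 20
# A key with only its first bit set is a deliberately asymmetric counter-example.
ASYMMETRIC_KEY = b"\x80" + b"\x00" * 39
Flow = Tuple[str, str, int, int]  # (src IP, dst IP, src port, dst port)


def toeplitz_hash(key: bytes, data: bytes) -> int:
    """RSS Toeplitz hash: for every set input bit i (MSB first) XOR in the
    32-bit window of the key that starts at key bit i."""
    key_bits = len(key) * 8
    assert len(data) * 8 + 32 <= key_bits, "input too long for this key"
    key_int = int.from_bytes(key, "big")
    result = 0
    for i in range(len(data) * 8):
        if (data[i // 8] >> (7 - i % 8)) & 1:
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def rss_input(flow: Flow) -> bytes:
    """IPv4 TCP/UDP hash input in RSS order: src IP, dst IP, src port, dst port."""
    src, dst, sport, dport = flow
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport))


def is_symmetric(key: bytes, flow: Flow) -> bool:
    """True when both directions of the flow land in the same hash bucket. With a
    16-bit-periodic key, swapping the 32-bit IPs or the 16-bit ports moves every
    set input bit by a multiple of 16, onto an identical key window."""
    src, dst, sport, dport = flow
    forward = toeplitz_hash(key, rss_input(flow))
    return forward == toeplitz_hash(key, rss_input((dst, src, dport, sport)))


def asymmetric_fraction(key: bytes, flows: Iterable[Flow]) -> float:
    """Share of flows whose two directions hash differently, the quantity a
    can-i-use-afpacket-fanout style check estimates from live traffic."""
    flows = list(flows)
    return sum(1 for f in flows if not is_symmetric(key, f)) / len(flows)


# Constructed sample flows (documentation and private ranges), not captured traffic.
SAMPLE_FLOWS = [("203.0.113.5", "10.1.2.3", 40000, 443), ("198.51.100.7", "10.1.2.3", 51234, 22),
                ("10.1.2.3", "192.0.2.9", 33333, 53), ("128.0.0.1", "10.0.0.2", 1, 2)]

if __name__ == "__main__":
    print("0x6d5a key, asymmetric fraction:", asymmetric_fraction(SYMMETRIC_KEY, SAMPLE_FLOWS))
    print("first-bit key, asymmetric fraction:", asymmetric_fraction(ASYMMETRIC_KEY, SAMPLE_FLOWS))
```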
Hello,
I frequently see a lot of scans from external hosts, and some of them are packets with only the TCP-Ack flag ("H" in history) set, but these packets appear to have been alerted as Port_Scan activities originating from internal hosts, possibly due to the following code snippet in the scan.zeek script. Is there any reason for this default code that reverses the network direction if the "H" or "s" flag is seen in the TCP flags?

event connection_attempt(c: connection)
	{
	local is_reverse_scan = F;
	if ( "H" in c$history )
		is_reverse_scan = T;

	add_sumstats(c$id, is_reverse_scan);
	}
Thank you
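As an added illustration of the direction logic in the snippet above (this is not from the post or from Zeek's scan.zeek), here is a Python model of it. It relies on the conn.log history convention that upper-case letters are packets sent by the originator and lower-case letters packets sent by the responder, so an "H" (a SYN-ACK sent by the supposed originator) indicates that Zeek's orig/resp assignment is backwards and the responder is the real initiator. The records are constructed, not real traffic.

```python
from collections import Counter
from typing import Iterable, List, Tuple

# Meaning of a conn.log history letter (upper case = sent by the originator,
# lower case = sent by the responder; '^' marks a direction flip by Zeek).
HISTORY_LETTERS = {"S": "SYN", "H": "SYN-ACK", "A": "ACK", "D": "data",
                   "F": "FIN", "R": "RST", "C": "bad checksum", "T": "retransmit"}


def history_events(history: str) -> List[Tuple[str, str]]:
    """Decode a history string into (sender, meaning) pairs."""
    events = []
    for ch in history:
        if ch == "^":
            events.append(("zeek", "direction flipped"))
            continue
        sender = "orig" if ch.isupper() else "resp"
        events.append((sender, HISTORY_LETTERS.get(ch.upper(), "other:" + ch)))
    return events


def attribute_scanner(orig_h: str, resp_h: str, history: str) -> Tuple[str, str]:
    """Mirror the scan.zeek snippet: an upper-case 'H' means the originator's
    packet was a SYN-ACK, i.e. Zeek's originator is really the server side, so
    the scanner is taken to be the responder. Returns (scanner, target)."""
    is_reverse_scan = "H" in history
    return (resp_h, orig_h) if is_reverse_scan else (orig_h, resp_h)


def count_scanners(conns: Iterable[Tuple[str, str, str]]) -> Counter:
    """Rough analogue of add_sumstats: count attempts per attributed scanner."""
    counts = Counter()
    for orig_h, resp_h, history in conns:
        scanner, _ = attribute_scanner(orig_h, resp_h, history)
        counts[scanner] += 1
    return counts


# Constructed records (orig_h, resp_h, history), not real traffic.
SAMPLE_CONNS = [
    ("203.0.113.5", "10.1.2.3", "S"),    # plain SYN from outside: external host is the scanner
    ("203.0.113.5", "10.1.2.4", "H"),    # SYN-ACK seen first from outside: flipped to 10.1.2.4
    ("203.0.113.5", "10.1.2.5", "H"),    # same again: the internal host gets the count
    ("10.1.2.3", "198.51.100.7", "Sh"),  # lower-case 'h' is the responder's SYN-ACK: no flip
]

if __name__ == "__main__":
    for rec in SAMPLE_CONNS:
        print(rec, "->", attribute_scanner(*rec), history_events(rec[2]))
    print(count_scanners(SAMPLE_CONNS))
```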
Hello Everyone,
I'm new to Zeek here and still learning the ropes. When searching through the protocols I didn't find telnet capture implementation in Zeek scripts.
Then going through the docs I found there is a login_plugin that has defined functions/events that can be used with telnet.
Can somebody help me with how I can use them to write a telnet capture script? Or is there a simple ready-made script that I can start with?
Thanks in advance,
Hi,
My manager wants geolocation info in the http.log.
I have looked at several scripts and only see geolocation info in conn.log and ssh.log etc.
Is it a sound idea to have geolocation info in the http.log?
Thank you.
Hi all,
As we prepare the Zeek Project content schedule for next year, we'd like to
get some feedback from the community on the areas listed below.
_______________________________________________________
*Interview Series* - we'd like to have one interview per month. Who from
the NSM/Threat Hunting/Incident Responder/Zeek Community or adjacent
communities/projects would you like us to interview, and why? Here's who
has been suggested so far:
- Eric Ooi
- Lexi Brent
- Richard Bejtlich
- Fatema Bannat Wala
- Jeff Atkinson
If you would like to help with this series, please let me know.
_______________________________________________________
*Topics of interest that have been suggested:*
- How-tos - Installing Zeek (Ubuntu, CentOS, Fedora, Debian, BSD)
- Getting started with Zeek Logs (More details about using the logs in
your SIEM. Suggested SIEMS include - Elastic, Humio, Splunk, Raw logs)
- Upcoming Releases and how to test them
- More posts about the upcoming changes and details on the point releases
and fixes
- New additions to the documentation
- Quarterly reports on the Project
If you have suggestions for other topics, again, please let me know.
_______________________________________________________
*Guest Bloggers*
Who would you like to see blog posts from, and what would you like them to
cover?
_______________________________________________________
*Webinars*
Next year we would like to have 2 Zeek Related webinars per month.
For February, March and April of 2021 we are going to do one per month in
the European Time Zone and one that is US centric to see what participation
looks like. Topics include those that are listed above and also various
panel discussions.
Please let me know if you are interested in leading a webinar and what your
topics of expertise are. Also, if there is anything you would like to see
covered that is not listed, please let me know that as well.
Please let me know if there is other content you'd like us to cover that I
haven't included above.
Thanks in advance!
~Amber
Hi all,
We've moved this month's community call to the 18th so that we can update
the community on yearly growth, 4th quarter goals and look at high level
goals for 2021.
Please use the following link to register for this call:
https://corelight.zoom.us/meeting/register/tJcldO6qrTMrG9Kwsu6_qHsUeAvdjLmM…
Thanks,
~Amber
We're close to releasing the next Zeek LTS version, 4.0 -- looks like
we should have a first release candidate ready next week.
In that context we're wondering how to best manage the transition from
one LTS track (3.0.x) to the next (4.0.x). Generally, our policy
currently states that support for the prior track ends when the new
one comes out. However, in order to give people time to upgrade, we
would like to provide for some overlap period during which we continue
to support 3.0.x as well. We're thinking of committing to providing
updates to 3.0.x for another two months after the release of 4.0.0. We
would be interested in any opinions on whether that's a reasonable
amount of time. (The trade-off of course is against the work it takes
the development team to maintain multiple versions at the same time;
that goes out of the budget for working on new stuff.)
If you have any thoughts, please reply here or in #general on Slack.
Whatever we do for the current transition will then probably become
our new standard policy going forward.
Thanks,
Robin
--
Robin Sommer * Corelight, Inc. * robin(a)corelight.com * www.corelight.com
Hello.
Does anyone have any additional documentation for the Zeek::PIA plugin?
What does "PIA" stand for?
There are two plugin instantiations within the plugin code, i.e.
Analyzer::ANALYZER_TCP
Analyzer::ANALYZER_UDP
The plugin's 'description' field says: "Analyzers implementing Dynamic Protocol"
Are these for packet level analysis (i.e. OSI Layer 2 protocols)?
Thanks,
Brett Rasmussen
Cyber Security Researcher
Supporting the DHS CIOCC Advanced Analytical Lab
Phone: (208) 526-5486
Fax: (208) 526-6173
Email: Brett.Rasmussen(a)inl.gov