zeek March 2020

zeek@lists.zeek.org

41 participants
41 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

3 months, 3 weeks

"zq" command-line processor for Zeek logs

by Phil Rzewski

Zeek community, We’re writing to let you know about zq <https://github.com/brimsec/zq>, an open source command-line processor for structured logs, built for Zeek. (In fact, we’ve been told zq is “like zeek-cut on steroids”.) Those of you who were on the “Ask the Zeeksperts” call on January 16th saw Seth Hall and Justin Azoff give an early peek of zq (thanks guys!), so this is just an “official” announcement. Come one, come all! You can get involved by: • Checking out the zq GitHub repo <https://github.com/brimsec/zq> for install info, code, and docs • Joining our public Slack <https://join.slack.com/t/brimsec/shared_invite/enQtOTMwMDczODg2ODgyLTk1NTdj…> workspace for announcements, Q&A, and to trade query ideas • Contacting us directly via email <mailto:info@brimsecurity.com> to schedule a Zoom videoconference All you need is some Zeek logs (and there’s sample logs <https://github.com/brimsec/zq-sample-data> to help you get started). Here’s just a taste of what’s possible: - A table of top hosts in a subnet that are experiencing the most SYNs-without-ACK: zq -f table "10.164.94.0/24 conn_state=S0 | count() by id.orig_h | sort -r" * - A regex search for certain HTTP methods, with full events output as NDJSON: zq -f ndjson "method=/^(PUT|PATCH|UPDATE)$/" * - Connections open a long time with low traffic, printed as a Zeek TSV log: zq -f zeek "duration>1000 orig_bytes<10 resp_bytes<10" * Of course, that’s just scratching the surface. Please try it out and let us know what you think on GitHub <https://github.com/brimsec/zq> or Slack <https://join.slack.com/t/brimsec/shared_invite/enQtOTMwMDczODg2ODgyLTk1NTdj…>. Happy hunting, Zeeking, & zq’ing! -- The Brim team

2 years

Long running connection using threshold

by Petr Medonos

Hi, I tried to write simple script to detect long running connection using zeek (3.0) threshold. I set duration in connection established event and then using duration_threshold_crossed logged connection above the limit. But Notice log is then flooded with every new established connection. Simple PoC bellow. Did I missed something? Is there any better way to detect long running connection? I tried Corelight bro-long-connections but there is lot overhead in my environment. Thanks for pointing me the right way! -- Petr PoC: @load base/protocols/conn module LongConnection; export { redef enum Log::ID += { LOG }; redef enum Notice::Type += { LongConnection::found }; const duration: interval = 12hr &redef; } event connection_established(c: connection) { ConnThreshold::set_duration_threshold(c, duration); } event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool) { local message = fmt("%s:%s -> %s:%s remained alive for longer than %s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, threshold); NOTICE([$note=LongConnection::found, $msg=message, $sub=fmt("%.2f", threshold), $conn=c]); }

2 years, 1 month

Zeek and CLA

by Matteo Rizzo

Hello, I wanted to ask whether contributing code to Zeek requires signing a Contributor License Agreement (CLA). I have not seen any mentions of this in Zeek's documentation but I'm asking just to make sure. Thanks in advance, Matteo Rizzo

2 years, 1 month

How to turn verbose on (Can't load packages)?

by Mauricio Tavares

So in my local.bro file I have @load packages <---- line 119 When I run zeekctl check I get manager scripts failed. fatal error in /usr/local/bro/site/local.bro, line 119: can't find packages which makes me think there is be a package it cannot load either because of corruption or said package is just not there. Is there a way to crank up the verbose level so I can see what it was doing when it went boink?

2 years, 1 month

Announcing Zeek From Home Webinar Series

by Amber Graner

Hi all, Since we won’t be holding any in-person Zeek events for the foreseeable future, we’d like to invite you to be part of a new weekly ‘Zeek From Home’ webinar series to kick off in April. The schedule will be announced once we have a few submissions queued up. These presentations will be recorded and shared via the Zeek mailing list, blog and Twitter account. Please take a look at the blog post (link below) and consider submitting a presentation for the Zeek From Home series. https://zeek.org/2020/03/31/zeek-from-home/ If you have any questions you can email me, reply to this thread or email info(a)zeek.org. With gratitude, ~Amber

2 years, 1 month

ZeekWeek 2020 Austin - Cancelled - Open Letter to the Community

by Keith Lehigh

Dear Zeek Community, It is our hope that all of you are staying safe and healthy during this uncertain time. We’re all navigating unfamiliar territory together, as the COVID 19 crisis affects every aspect of our lives both personally and professionally. We all wish we knew what the future might hold for 1 month, 3 months, 6 months or more from now. It would make planning for events easier and more efficient; however, that is not the case. While we sincerely hope the world and our daily activities will be back to normal in the fall, we can’t be assured of that. Given the uncertainty, we’ve made the difficult decision to cancel ZeekWeek 2020 in Austin. Rest assured that we are looking at other options to bring the community together as things improve and become more predictable. Those options include a virtual event during the same time frame, and if it’s safe to bring people together, then we will look at holding a smaller event in a different location. However, we won’t know until we get closer to October. Don’t file away those ZeekWeek talks you were going to pitch!! We will be announcing some new initiatives for you to share your knowledge and bring the community together. In the meantime, there are many ways for you to connect with the Zeek Community - Mailing Lists <https://zeek.org/mailing-lists/>, Slack Workspace <https://join.slack.com/t/zeekorg/shared_invite/enQtOTc3MzMxNDI1NDYxLTA1Nzhh…>, Webinars <http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-March/015193.html> and more. We look forward to seeing you in-person once it is safe to do so. Until then, remember, without you there is no community! Together we are better, whether in-person or online. Stay Safe and Zeek on!! The Zeek Leadership Team Blog Post of this message - https://zeek.org/2020/03/31/zeekweek-2020-austin-cancelled-open-letter-to-t…

2 years, 1 month

Anyone using Bro doctor plugin?

by Carlos Lopez

Hi all, I have enable bro doctor plugin in my Zeek 3.0.3 cluster and I see the following error: ################################################################### # Checking if connections are unevenly distributed across workers # ################################################################### error: Traceback (most recent call last): File "/usr/lib64/python3.6/cmd.py", line 214, in onecmd func = getattr(self, 'do_' + cmd) AttributeError: 'ZeekCtlCmdLoop' object has no attribute 'do_doctor' During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line 596, in cmd_custom results.ok = f() and results.ok File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line 457, in check_connection_distribution variance = reduce(lambda var, cnt: var + (cnt - mean)**2, nodes.values(), 0) / len(nodes) NameError: name 'reduce' is not defined All other doctor options works ok, but not this one … Is it a bug? Do I need to install some other python module? Zeek is running as unprivileged user … -- Regards, C. L. Martinez

2 years, 1 month

Subject: Drop packet by signature event

by Vincenzo

I have a configuration of FreeBSD with Zeek, my goal is to analyze network traffic on one network interface and block (IPS) the packet to the other interface, if this falls within my list of signatures that I have defined in my signatures.sig. I have searched far and wide for a solution, but I have not come up with feasible solutions for this purpose (since Zeek was not born as IPS, as snort and suricata), do you have any advice? Zeek 3.0.3 FreeBSD 11 bro-netmap installed Thanks very much

2 years, 1 month

Is it possible to inspect TCP reserved bits with Zeek?

by Tomek Koziak

Hi All, I'm testing Zeek/Bro capabilities in terms of detecting different types of steganography. After working with the ICMP protocol now I am trying to inspect the TCP protocol. I want to detect if the reserved bits in TCP are changed with help of TCP events. Unfortunately without success. Is it possible to inspect TCP reserved bits with Zeek events? If not is there any other possible way to detect wheter those bits where changed? Best regards, Tomasz Koziak

2 years, 1 month

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek March 2020