Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings I get 800000
packets with 33 rings, 1200000 packets with 34 rings and so on.
I wonder whether there is some rule that a pf_ring or a Bro cluster can only
support fewer than 32 rings or worker threads on a server, or some other
reason?
Any insight would be helpful.
Using the drawing from https://docs.zeek.org/en/current/cluster/ as a
reference, I have some workers which are being used for other tasks. As
such, I would like to offload as much as I can to the proxies, as I can
build them to fit my needs instead of just riding on an already running
server (the workers). How can I tune the analysis done at the worker vs. the
proxy to fit my needs?
Hi everyone!
I'm trying to split the http logs in two.
What I want to accomplish is that when the http event's tags have "URI_SQLI", instead of being logged in the normal http.log I want it to be logged in a new http-sqli.log.
I have tried a lot of different ways but with no success, since this is the very first script that I'm writing for Zeek.
This is one of the ways that I've tried:
# URI_SQLI is added to HTTP::Tags by this policy script.
@load protocols/http/detect-sqli

event zeek_init()
    {
    Log::remove_default_filter(HTTP::LOG);
    Log::add_filter(HTTP::LOG, [$name = "http-sqli",
        $path_func(id: Log::ID, path: string, rec: HTTP::Info) = {
            # rec is the HTTP::Info record being written, so the tags
            # field is rec$tags; the enum value is HTTP::URI_SQLI.
            return HTTP::URI_SQLI in rec$tags ? "http-sqli" : "http";
        }]);
    }
The problem here seems to be that I cannot refer properly to the "tags" field.
Thanks for your time.
Regards!
Jorge García Rodríguez
Technical Consultant
Security Infrastructures
jgarciar(a)sia.es
Grupo SIA
Avda. Europa, 2 - Alcor Plaza, Edificio B - Parque Oeste Alcorcón
28922 Alcorcón - Madrid
Tlf: +34 902 480 580 Fax: +34 91 307 79 80
www.siainternational.com
Hello,
I'm reading a bunch of papers on interesting features for machine learning
applied to network traffic. For example CSE-CIC (
https://www.unb.ca/cic/datasets/ids-2018.html)
My question is: is it possible to add this type of statistic to conn.log?
- average packet size
- minimum packet size
- maximum packet size
- total time between two packets
- mean time between two packets etc.
- etc.
Reading the documentation I saw these events
https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_TCP.events.b…
but, as stated by the documentation itself, it will lead to very poor performance.
The other code I think could be relevant is the TCP analyzer:
https://github.com/zeek/zeek/blob/1affbad4b7b8c8cf230ded8224c9c364607b67e9/…
I've never contributed to Zeek before and I don't know the codebase at all,
so do you think Zeek would be capable of generating this type of stats? Is
TCP.cc the right place to implement those features? Are there issues I am
overlooking?
--
Federico Foschini.
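One way to get these statistics at the script level, added here as an example and not code from the thread or from the Zeek project: it hooks the tcp_packet event the question links to, so the per-packet cost the documentation warns about applies in full. The module name PktStats, the Acc record and the new Conn::Info field names are my own choices.

```zeek
# Added example: per-connection TCP payload-size and inter-arrival statistics
# exported into conn.log. tcp_packet fires for every TCP packet, so this is
# expensive; measure before running it on a busy sensor.
@load base/protocols/conn

module PktStats;

export {
    redef record Conn::Info += {
        pkt_min:  count  &log &optional;  # smallest TCP payload seen (bytes)
        pkt_max:  count  &log &optional;  # largest TCP payload seen (bytes)
        pkt_mean: double &log &optional;  # mean payload size (bytes)
        iat_mean: double &log &optional;  # mean inter-arrival time (seconds)
    };
}

# Running totals kept on the connection while it is alive (assumed layout).
type Acc: record {
    n:        count &default=0;
    total:    count &default=0;
    min_len:  count &default=0;
    max_len:  count &default=0;
    first_ts: time  &optional;
    last_ts:  time  &optional;
};

redef record connection += { pkt_acc: Acc &optional; };

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    if ( ! c?$pkt_acc )
        c$pkt_acc = Acc($min_len=len, $max_len=len, $first_ts=network_time());

    local a = c$pkt_acc;   # records are references, so updates stick
    a$n += 1;
    a$total += len;
    if ( len < a$min_len ) a$min_len = len;
    if ( len > a$max_len ) a$max_len = len;
    a$last_ts = network_time();
    }

# Copy the totals into Conn::Info before the base conn script writes the
# record (its connection_state_remove handler runs at priority -5).
event connection_state_remove(c: connection) &priority=5
    {
    if ( ! c?$pkt_acc || ! c?$conn )
        return;

    local a = c$pkt_acc;
    c$conn$pkt_min = a$min_len;
    c$conn$pkt_max = a$max_len;
    c$conn$pkt_mean = a$total * 1.0 / a$n;
    if ( a$n > 1 )
        c$conn$iat_mean = interval_to_double(a$last_ts - a$first_ts) / (a$n - 1);
    }
```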
Does Zeek have support to send syslog events?
I looked in the logger and notice frameworks but did not see anything there.
The documentation has a fair amount about ingesting syslog messages but nothing about outputting them.
I'm running zeek 3.1.1 currently.
I wanted to be able to send certain events, such as SSH password guessing events, to a syslog server which can open tickets on such events.
I'm guessing I would need to add another type to the logger framework with config items in zeekctl.cfg for the syslog server address,
and use logger -n with that option to send the message to the specific host.
Ideas?
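As an added example (not from the thread or from Zeek itself), the logger -n idea can be done from a Notice::policy hook without a new log writer; the collector host name, the module name and the "zeek" syslog tag are assumptions to replace.

```zeek
# Added example: forward selected notices to a remote syslog collector by
# invoking logger -n from the Notice::policy hook. In a cluster, notices are
# handled on the manager, so that is where logger runs.
@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing

module SyslogForward;

export {
    # Syslog collector to send to (assumed value; replace it or redef it).
    const syslog_host = "syslog.example.internal" &redef;

    # Notice types worth a ticket; everything else is left alone.
    const forward_notes: set[Notice::Type] = { SSH::Password_Guessing } &redef;
}

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note !in forward_notes )
        return;

    local src = n?$src ? fmt("%s", n$src) : "-";
    local msg = fmt("%s src=%s %s", n$note, src, n$msg);

    # system() runs the command in the background; str_shell_escape keeps
    # notice text that may be influenced by the remote side from being
    # interpreted by the shell.
    system(fmt("logger -n %s -t zeek -- %s", syslog_host, str_shell_escape(msg)));
    }
```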
Hi all,
Over the past 2 years there have been many questions, speculations and
misunderstandings about Corelight and its role in the Zeek Project. Many
of your questions have been answered in direct conversations or at Zeek
Week, but we realize many in the Zeek community are new and may not know
the history and the commitment Corelight has to the project.
This week on Wednesday, 24 June, Greg Bell, CEO of Corelight will be giving
a presentation on Corelight's Role in The Zeek Project. Richard Bejtlich
will be hosting the discussion.
Zeek From Home is recorded and will be shared with the community. These
webinars are free and open to the public, but registration is required. You
can register to attend at:
https://corelight.zoom.us/webinar/register/WN_88w_WCX_TnOen7uUI_YckA
If you have any questions about Corelight and its relationship and
commitment to the Zeek Project and its community, please help me queue up
those questions so that Greg can make sure he includes the answers and
addresses each of them.
Sample questions include (have been asked over the past year):
* Does Corelight own the Zeek Project?
* Does Corelight drive the technical direction of the Zeek Project?
* What all does Corelight contribute in terms of time, resources and
financial support?
* The project uses a lot of Corelight resources; is information shared with
Corelight Sales or Marketing? How is it kept separate and
compartmentalized?
Please feel free to add your questions to this thread or to the webform
(link below):
https://forms.gle/mXbGWEXM5zfqwSEs7
You can also drop your questions into the Slack Webinars channel. You can
join the Slack space at: http://bit.ly/ZeekOrgSlackInvite
I'll send your questions to Greg and Richard before the call.
Thanks in advance everyone and we look forward to seeing you on the call!
With gratitude,
~Amber
Hello,
Given that this appears to be scanning originating from Google DNS, I
just want to make sure there is no chance this is in error or maybe I am
misunderstanding what I am reading here.
Lines like this are written to a custom log on the event
connection_state_remove:
ts orig_ip orig_port dest_ip dest_port conn_state orig_pkts dest_pkts proto
2020-06-21T01:19:55 8.8.8.8 22979 redacted 8080 S0 2 0 tcp
2020-06-21T01:19:59 8.8.8.8 53096 redacted 8080 S0 1 0 tcp
2020-06-21T01:22:02 8.8.8.8 53096 redacted 8080 S0 2 0 tcp
Thanks in advance for any insight.
Greg
Hi all,
Running Ubuntu 18.04, I downloaded zeek-3.1.4.
I ran ./configure && make with no issues, but when I ran make install:
CMake Error at src/cmake_install.cmake:47 (file):
file INSTALL cannot copy file "/home/mbaki/zeek-3.1.4/build/src/zeek" to
"/usr/local/zeek/bin/zeek".
Call Stack (most recent call first):
cmake_install.cmake:138 (include)
Makefile:85: recipe for target 'install' failed
make[1]: *** [install] Error 1
make[1]: Leaving directory '/home/mbaki/zeek-3.1.4/build'
Makefile:18: recipe for target 'install' failed
make: *** [install] Error 2
Thanks
Monah
Hi all,
Has anyone tried installing https://github.com/WqyJh/zeek-netmap under FreeBSD 12.1? In my installation it returns:
Scanning dependencies of target bro-plugin-Zeek_Netmap
[ 20%] Creating __bro_plugin__ for Zeek::Netmap
[ 20%] Built target bro-plugin-Zeek_Netmap
Scanning dependencies of target copy-scripts-Zeek_Netmap
[ 20%] Built target copy-scripts-Zeek_Netmap
Scanning dependencies of target generate_outputs
[ 20%] Built target generate_outputs
Scanning dependencies of target Zeek-Netmap.freebsd-amd64
[ 40%] Building CXX object CMakeFiles/Zeek-Netmap.freebsd-amd64.dir/src/Plugin.cc.o
In file included from /tmp/oo/zeek-netmap/src/Plugin.cc:3:
In file included from /tmp/oo/zeek-netmap/src/Netmap.h:10:
In file included from /usr/include/net/netmap_user.h:104:
In file included from /usr/include/net/netmap.h:816:
/usr/include/stdatomic.h:141:21: error: reference to 'memory_order' is ambiguous
atomic_thread_fence(memory_order __order __unused)
^
/usr/include/stdatomic.h:134:3: note: candidate found by name lookup is 'memory_order'
} memory_order;
^
/usr/include/c++/v1/atomic:628:3: note: candidate found by name lookup is 'std::__1::memory_order'
} memory_order;
^
In file included from /tmp/oo/zeek-netmap/src/Plugin.cc:3:
In file included from /tmp/oo/zeek-netmap/src/Netmap.h:10:
In file included from /usr/include/net/netmap_user.h:104:
In file included from /usr/include/net/netmap.h:816:
/usr/include/stdatomic.h:154:21: error: reference to 'memory_order' is ambiguous
atomic_signal_fence(memory_order __order __unused)
^
/usr/include/stdatomic.h:134:3: note: candidate found by name lookup is 'memory_order'
} memory_order;
^
/usr/include/c++/v1/atomic:628:3: note: candidate found by name lookup is 'std::__1::memory_order'
} memory_order;
^
In file included from /tmp/oo/zeek-netmap/src/Plugin.cc:3:
In file included from /tmp/oo/zeek-netmap/src/Netmap.h:10:
In file included from /usr/include/net/netmap_user.h:104:
In file included from /usr/include/net/netmap.h:816:
/usr/include/stdatomic.h:186:17: error: unknown type name '_Bool'
typedef _Atomic(_Bool) atomic_bool;
...
Regards,
C. L. Martinez