Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeating data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings, I get 800000
packets with 33 rings and 1200000 packets with 34 rings and so on.
I guess there is some rule that a pf_ring or a bro cluster can only
support fewer than 32 rings or worker threads on a server or some other
Any insight would be helpful.
Using the drawing from https://docs.zeek.org/en/current/cluster/ as
reference, I have some workers which are being used for other tasks. As
such, I would like to offload as much as I can to the proxies as I can
build them to fit my needs instead of just riding on an already running
server (the workers). How can I tune the analysis done at the worker vs. the
proxy to fit my needs?
I've been using Zeek for quite some time now and I must say that it is one of the
best IDSs out there today. Thanks a lot for all the hard work!!
I know and use Zeek's ability to extract mysql commands, users, rows count
and status from the network traffic. Is it possible to do the same for
PostgreSQL? If not, how complicated do you think it would be for me to
Thanks in advance,
If you would like to submit a talk for Virtual ZeekWeek 2020 you have until
6pm PDT today, 31 August.
NOTE: talks are only 20 mins for the day 2 user track this year - if you've
given a talk in the past, please consider submitting a talk.
More information can be found at:
Please let me know if you have any questions.
I would kindly like to create a simulation environment for Zeek's detection capability as an IDS and calculate the detection time.
The simulation environment will be on a Citrix XenCenter hypervisor. I want to install 2 virtual machines, one of them the Zeek IDS and the other one the attacker machine. I want to send traffic from the attacker machine, and the traffic is mirrored to the Zeek VM to detect the attack.
Any help with this setup?
Here are the idea submissions we received for the Ideas Phase of ZPC-3
* Package to detect known C2 frameworks such as Empire, Koadic, FactionC2,
Covenant, Merlin, etc. based on their unique traffic patterns.
* Package to generate a new ARP log, and to detect known attacks such as
ARP spoofing, flooding, scanning, etc.
* Package to generate NFS log, and detect anomalous NFS activity.
* Spicy parser for IGMP
If you're a developer and you'd like to help with one of the ideas that
were submitted, then take a look at the following blog post
https://zeek.org/2020/08/21/zpc-3-developers-phase-open/ for more
Hoping to understand the data in PacketFilter::Dropped_packets notices
better. What do each of the counts indicate?
Wondering because I have a small percentage of notices from a variety
of sensors that are logging the following in the notices, and the
counts end up being too large of integers for some post-processing
utilities to help compute some metrics on. I suspect that these come
from Bro 2.6 sensors. Examples:
18446744069482849436 packets dropped after filtering,
18446744069489230937 received, 6381501 on link
18446744069467467531 packets dropped after filtering,
18446744069467980684 received, 513153 on link
18446744069774533196 packets dropped after filtering,
18446744069778234931 received, 3701735 on link
18446744069437332601 packets dropped after filtering,
18446744069462690099 received, 25357498 on link
18446744069540779703 packets dropped after filtering,
18446744069561221983 received, 20442280 on link
18446744069457313223 packets dropped after filtering,
18446744069457748075 received, 434852 on link
18446744069561323156 packets dropped after filtering,
18446744069583649097 received, 22325941 on link
I was attempting to track percentage of dropped packets from this
notice by dividing the total received (2nd number) by the count
dropped after filtering (1st number) based on what seems like the more
common types of reports we see, like this one:
1 packets dropped after filtering, 2724370 received, 2724369 on link
(1/2724370 => 0.000000367057338). But I can't conceive that the
messages above are carrying realistic numbers to calculate on.
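An added example (not part of the post above, and not Zeek's own code): a Python script that parses messages of this shape, reinterprets each count as a signed 64-bit integer, and withholds the drop ratio for any record whose counts read as negative. The sample messages are constructed to match the two shapes quoted in the post. Arithmetically, 18446744069482849436 is 2**64 - 4226702180, so as an int64 it is -4226702180; whether these values are an unsigned rendering of a negative difference is an assumption made here, not something the post establishes. The script also checks that the third count equals the second minus the first (mod 2**64), which holds for every line quoted in the post, as a sanity check on the parse.

```python
import re

# Constructed sample notice messages. The first has the common shape the post
# describes; the second mirrors the oversized values it reports.
SAMPLE_NOTICES = [
    "1 packets dropped after filtering, 2724370 received, 2724369 on link",
    "18446744069482849436 packets dropped after filtering, "
    "18446744069489230937 received, 6381501 on link",
]

NOTICE_RE = re.compile(
    r"^(\d+) packets dropped after filtering, (\d+) received, (\d+) on link$"
)

U64 = 1 << 64
I64_MAX = (1 << 63) - 1


def parse_notice(msg):
    """Return (dropped, received, on_link) as Python ints, or raise ValueError."""
    m = NOTICE_RE.match(msg.strip())
    if m is None:
        raise ValueError(f"not a Dropped_packets message: {msg!r}")
    return tuple(int(g) for g in m.groups())


def as_signed64(n):
    """Reinterpret an unsigned 64-bit value as a two's-complement int64."""
    if not 0 <= n < U64:
        raise ValueError("value does not fit in 64 bits")
    return n - U64 if n > I64_MAX else n


def analyze_notice(msg):
    """Parse one message and decide whether its counters are safe to compute on.

    A count that reads as a negative int64 (i.e. sits just below 2**64) is
    flagged as wrapped (assumption: an unsigned rendering of a negative
    difference) and no drop fraction is reported for it.
    """
    dropped, received, on_link = parse_notice(msg)
    s_dropped, s_received = as_signed64(dropped), as_signed64(received)
    wrapped = s_dropped < 0 or s_received < 0
    # In every message quoted in the post, on_link == received - dropped
    # (taken mod 2**64); keep that as a sanity check on the parse.
    consistent = (received - dropped) % U64 == on_link
    drop_fraction = None
    if not wrapped and received > 0:
        drop_fraction = dropped / received
    return {
        "dropped": dropped,
        "received": received,
        "on_link": on_link,
        "signed_dropped": s_dropped,
        "signed_received": s_received,
        "wrapped": wrapped,
        "consistent": consistent,
        "drop_fraction": drop_fraction,
    }


def summarize(messages):
    """Aggregate a batch: wrapped records are counted, not averaged into the metric."""
    usable, skipped = [], 0
    for msg in messages:
        r = analyze_notice(msg)
        if r["drop_fraction"] is None:
            skipped += 1
        else:
            usable.append(r)
    total_dropped = sum(r["dropped"] for r in usable)
    total_received = sum(r["received"] for r in usable)
    overall = total_dropped / total_received if total_received else None
    return {
        "usable": len(usable),
        "skipped": skipped,
        "overall_drop_fraction": overall,
    }


if __name__ == "__main__":
    for msg in SAMPLE_NOTICES:
        print(analyze_notice(msg))
    print(summarize(SAMPLE_NOTICES))
```

The ratio computed is dropped divided by received (1/2724370 for the common case in the post), and the aggregate in `summarize` skips wrapped records rather than letting a value near 2**64 swamp the metric.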
A resource I keep going to with 3rd parties is an FAQ at
https://zeek.org/faq/. This page, in comparison with the old FAQ
(https://old.zeek.org/documentation/faq.html) does not currently
support anchors on the page to link directly to a specific entry.
Would it be possible to renovate the FAQ to make this possible?
(And/or: what about moving the FAQ into the better documentation
engine at https://docs.zeek.org/ and linking to it there)?