zeek January 2021

zeek@lists.zeek.org

15 participants
13 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

3 months, 3 weeks

Anyone using Intel X710 NICs?

by Vlad Grigorescu

We recently purchased some Intel XXV710 NICs for our Zeek systems. However, symmetric hashing does not seem to work on them, at least not completely. There was some discussion here regarding adding some functionality to the driver to make it work, however this never landed: https://sourceforge.net/p/e1000/mailman/message/35199068/ This post discusses how the X710 controller must be configured differently from the 82599 10G controller (used by the X520 cards): https://haryachyy.wordpress.com/2019/01/18/learning-dpdk-symmetric-rss/ The odd part is that following the SEPTun-MarkII guide[1] makes it *mostly* work, but we're consistently finding that ~1-2% of the traffic is not being symmetrically hashed. We're testing with can-i-use-afpacket-fanout[2] and Zeek 3.2. The most damning evidence is an Intel rep telling[3] a customer: > Unfortunately, we have been informed that the only support to setup symmetric RSS is via DPDK. Searching the mailing list archives, I found a couple of posts where people were encouraged to use X710-based cards, so I'm left wondering: Are there people using these? Are they also seeing this 1-2% asymmetry? Or am I missing a configuration tweak? Thanks, --Vlad [1] - < https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rst> [2] - <https://github.com/JustinAzoff/can-i-use-afpacket-fanout> [3] - < https://community.intel.com/t5/Ethernet-Products/X-L-710-supports-symmetric… >

6 months, 1 week

Short zeek.org email outage (Thursday 1/28, 9am pacific)

by Johanna Amann

Hi everyone, We will perform a change to the email setup of zeek.org on Thursday 1/28, 9am pacific. It is sadly not possible to perform this change without a service interruption. For up to an hour after 9am pacific, @zeek.org email addresses will not be able to receive emails. Mails sent to @zeek.org addresses during this time might bounce. The mailing lists are not impacted by this, as long as you use the @lists.zeek.org domain to send your emails (so e.g. zeek(a)lists.zeek.org). If you notice any email problems after the switch on Thursday, please contact me. I will post another email here when the migration is over. Thank you, Johanna

1 year, 3 months

Zeek 4.0.0 RC2 available

by Jon Siwek

Zeek 4.0.0 RC2 is now available: https://zeek.org/get-zeek/ Most differences from RC1 can be found in the CHANGES files: https://github.com/zeek/zeek/blob/release/4.0/CHANGES There is also a notable change in Broker that attempts to resolve a fundamental issue with its internal design/architecture that has potential to cause deadlocks in Zeek clusters, although that's never been reported in practice. General info about the upcoming Zeek 4.0.0 release can be found at these locations (unchanged since last RC1 announcement): https://zeek.org/2020/12/15/zeek-4-0-release-candidate/ https://github.com/zeek/zeek/releases/tag/v4.0.0-rc2

1 year, 3 months

CommunityID Install

by David Decker

Looking for assistance in getting CommunityID installed. I am using SecurityOnion 16.04, due to EOL on that system not much details are available. I wanted to see if anyone has been able to get it up and running. Looks like SO does not have the Package manager installed (Is it possible to install a plugin without having to install the package manager)? Thanks

1 year, 4 months

filtering out unwanted domains from bro dns.log

by Charles Dillard

Hello, my company is running Bro 2.5 on 300 CentOS 7 servers. How would we blacklist a set of domains that are being logged to dns.log? Have about 50 domains we want to ignore. Does this require any kind of re-compile of bro? Does bro require a restart afterwards? Documentation would be good (have searched around for this, no luck) There appears to be a ...postbody/postbody.bro but think that is for http. I see a "filter_dns_ssl_conn" directory on our serves, but files in it don't contain much. Any way, if you could advise, we would appreciate it.

1 year, 4 months

Problem adding a field from http.log to the xss.log

by Garcia Rodriguez, Jorge

Hi everyone! We have integrated the plugin to detect xss attacks. However we find useful to include some of the fields in the http.log in the xss.log. For example we want to add the field "referrer" existing in the http.log to the xss.log. I have been trying to include this field in the xss.log as following: export { redef enum Log::ID += {LOG}; type Info: record { referrer: string &log &optional; }; event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { local xss_payload = sanitize(unescaped_URI); if ( match_xss_reflected in xss_payload) { local rec: XSS::Info = [ $ts=network_time(), $id=c$id, $proto=get_port_transport_proto(c$id$resp_p), $method=method, $xss_payload=xss_payload, $referrer=c$http$referrer ]; Log::write(XSS::LOG, rec); } } This way "Zeekctl deploy" shows no errors, but the xss.zeek script doesn't print new events. Can someone help me with this problem? Thanks for your time. Best regards! [cid:image001.png@01D6EE49.E7A0D9B0] Jorge García Rodríguez Technical Consultant Cybersecurity Services and Solutions - Protect +34 902 480 580 | jgarciar(a)sia.es<mailto:jgarciar@sia.es> ________________________________ Este correo electrónico y, en su caso, cualquier fichero anexo al mismo, contiene información de carácter confidencial exclusivamente dirigida a su destinatario o destinatarios. Si no es vd. el destinatario indicado, queda notificado que la lectura, utilización, divulgación y/o copia sin autorización está prohibida en virtud de la legislación vigente. En el caso de haber recibido este correo electrónico por error, se ruega notificar inmediatamente esta circunstancia mediante reenvío a la dirección electrónica del remitente. Evite imprimir este mensaje si no es estrictamente necesario. This email and any file attached to it (when applicable) contain(s) confidential information that is exclusively addressed to its recipient(s). If you are not the indicated recipient, you are informed that reading, using, disseminating and/or copying it without authorisation is forbidden in accordance with the legislation in effect. If you have received this email by mistake, please immediately notify the sender of the situation by resending it to their email address. Avoid printing this message if it is not absolutely necessary.

1 year, 4 months

SQL injection on cookies and POST Method

by jgarciaro＠sia.es

Hello everyone! We have been testing the detect-sqli script from Zeek and seems to work fine. But we have notice that this script don’t detect SQL injection in cookies or injection through POST method. Is there a known script or plugin to detect this methods or anything that could help with this attacks? Thank you. Regards!

1 year, 4 months

zeek-3.2.2 build error, when '--enable-debug' mode is enabled; OS: macOS Catalina

by Brett D. Rasmussen

Hello. I've run into a problem, when trying to build the zeek-3.2.2 release under macOS Catalina, verion 10.15.6. The problem only occurs when compiling zeek in 'debug' mode. It successfully compiles in non-debug mode. Please see the attached build output file. (Side note: I was able to build the 'debug' version of zeek-3.2.2 under Ubuntu 18.04, without error.) Thanks, Brett Rasmussen Cyber Security Researcher Supporting the DHS CIOCC Advanced Analytical Lab Phone: (208) 526-5486 Fax: (208) 526-6173 Email: Brett.Rasmussen(a)inl.gov<mailto:Jan.Wright@inl.gov>

1 year, 4 months

Scanner and victim reverse condition in scan.zeek

by Eiji Yanagi

Hello, I frequently see a lot of scans from external hosts and some of them are with only TCP-Ack flag ("H" in history) set packets, but these packets appear to have been alerted as Port_Scan activities originated from internal hosts possibly due to the following code snippet in scan.zeek script. Is there any reason for this default code that reverses the network direction if "H" or "s" flag seen in the TCP flag ? event connection_attempt(c: connection) { local is_reverse_scan = F; if ( "H" in c$history ) is_reverse_scan = T; add_sumstats(c$id, is_reverse_scan); } Thank you

1 year, 4 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek January 2021