zeek January 2021

zeek@lists.zeek.org

15 participants
11 discussions

Short zeek.org email outage (Thursday 1/28, 9am pacific)

by Johanna Amann

Hi everyone, We will perform a change to the email setup of zeek.org on Thursday 1/28, 9am pacific. It is sadly not possible to perform this change without a service interruption. For up to an hour after 9am pacific, @zeek.org email addresses will not be able to receive emails. Mails sent to @zeek.org addresses during this time might bounce. The mailing lists are not impacted by this, as long as you use the @lists.zeek.org domain to send your emails (so e.g. zeek(a)lists.zeek.org). If you notice any email problems after the switch on Thursday, please contact me. I will post another email here when the migration is over. Thank you, Johanna

3 months, 2 weeks

Zeek 4.0.0 RC2 available

by Jon Siwek

Zeek 4.0.0 RC2 is now available: https://zeek.org/get-zeek/ Most differences from RC1 can be found in the CHANGES files: https://github.com/zeek/zeek/blob/release/4.0/CHANGES There is also a notable change in Broker that attempts to resolve a fundamental issue with its internal design/architecture that has potential to cause deadlocks in Zeek clusters, although that's never been reported in practice. General info about the upcoming Zeek 4.0.0 release can be found at these locations (unchanged since last RC1 announcement): https://zeek.org/2020/12/15/zeek-4-0-release-candidate/ https://github.com/zeek/zeek/releases/tag/v4.0.0-rc2

3 months, 3 weeks

CommunityID Install

by David Decker

Looking for assistance in getting CommunityID installed. I am using SecurityOnion 16.04, due to EOL on that system not much details are available. I wanted to see if anyone has been able to get it up and running. Looks like SO does not have the Package manager installed (Is it possible to install a plugin without having to install the package manager)? Thanks

3 months, 3 weeks

filtering out unwanted domains from bro dns.log

by Charles Dillard

Hello, my company is running Bro 2.5 on 300 CentOS 7 servers. How would we blacklist a set of domains that are being logged to dns.log? Have about 50 domains we want to ignore. Does this require any kind of re-compile of bro? Does bro require a restart afterwards? Documentation would be good (have searched around for this, no luck) There appears to be a ...postbody/postbody.bro but think that is for http. I see a "filter_dns_ssl_conn" directory on our serves, but files in it don't contain much. Any way, if you could advise, we would appreciate it.

3 months, 3 weeks

Problem adding a field from http.log to the xss.log

by Garcia Rodriguez, Jorge

Hi everyone! We have integrated the plugin to detect xss attacks. However we find useful to include some of the fields in the http.log in the xss.log. For example we want to add the field "referrer" existing in the http.log to the xss.log. I have been trying to include this field in the xss.log as following: export { redef enum Log::ID += {LOG}; type Info: record { referrer: string &log &optional; }; event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) { local xss_payload = sanitize(unescaped_URI); if ( match_xss_reflected in xss_payload) { local rec: XSS::Info = [ $ts=network_time(), $id=c$id, $proto=get_port_transport_proto(c$id$resp_p), $method=method, $xss_payload=xss_payload, $referrer=c$http$referrer ]; Log::write(XSS::LOG, rec); } } This way "Zeekctl deploy" shows no errors, but the xss.zeek script doesn't print new events. Can someone help me with this problem? Thanks for your time. Best regards! [cid:image001.png@01D6EE49.E7A0D9B0] Jorge García Rodríguez Technical Consultant Cybersecurity Services and Solutions - Protect +34 902 480 580 | jgarciar(a)sia.es<mailto:jgarciar@sia.es> ________________________________ Este correo electrónico y, en su caso, cualquier fichero anexo al mismo, contiene información de carácter confidencial exclusivamente dirigida a su destinatario o destinatarios. Si no es vd. el destinatario indicado, queda notificado que la lectura, utilización, divulgación y/o copia sin autorización está prohibida en virtud de la legislación vigente. En el caso de haber recibido este correo electrónico por error, se ruega notificar inmediatamente esta circunstancia mediante reenvío a la dirección electrónica del remitente. Evite imprimir este mensaje si no es estrictamente necesario. This email and any file attached to it (when applicable) contain(s) confidential information that is exclusively addressed to its recipient(s). If you are not the indicated recipient, you are informed that reading, using, disseminating and/or copying it without authorisation is forbidden in accordance with the legislation in effect. If you have received this email by mistake, please immediately notify the sender of the situation by resending it to their email address. Avoid printing this message if it is not absolutely necessary.

3 months, 3 weeks

SQL injection on cookies and POST Method

by jgarciaro＠sia.es

Hello everyone! We have been testing the detect-sqli script from Zeek and seems to work fine. But we have notice that this script don’t detect SQL injection in cookies or injection through POST method. Is there a known script or plugin to detect this methods or anything that could help with this attacks? Thank you. Regards!

4 months

zeek-3.2.2 build error, when '--enable-debug' mode is enabled; OS: macOS Catalina

by Brett D. Rasmussen

Hello. I've run into a problem, when trying to build the zeek-3.2.2 release under macOS Catalina, verion 10.15.6. The problem only occurs when compiling zeek in 'debug' mode. It successfully compiles in non-debug mode. Please see the attached build output file. (Side note: I was able to build the 'debug' version of zeek-3.2.2 under Ubuntu 18.04, without error.) Thanks, Brett Rasmussen Cyber Security Researcher Supporting the DHS CIOCC Advanced Analytical Lab Phone: (208) 526-5486 Fax: (208) 526-6173 Email: Brett.Rasmussen(a)inl.gov<mailto:Jan.Wright@inl.gov>

4 months, 1 week

Scanner and victim reverse condition in scan.zeek

by Eiji Yanagi

Hello, I frequently see a lot of scans from external hosts and some of them are with only TCP-Ack flag ("H" in history) set packets, but these packets appear to have been alerted as Port_Scan activities originated from internal hosts possibly due to the following code snippet in scan.zeek script. Is there any reason for this default code that reverses the network direction if "H" or "s" flag seen in the TCP flag ? event connection_attempt(c: connection) { local is_reverse_scan = F; if ( "H" in c$history ) is_reverse_scan = T; add_sumstats(c$id, is_reverse_scan); } Thank you

4 months, 1 week

Zeek-based Solution for detecting Sunburst/Dark Hallo

by Artemis User

The SolarWinds security breach was dominating the security headlines last month. Fireeye published some Snort and Yara rules along with IOCs to guide how to defend against the Sunburst malware (used in the SolarWinds attack). I was wondering if anyone in the Zeek community has done anything to develop a zeek-based solution for this? Thanks a lot in advance! Snort/Yara-based countermeasures: https://github.com/fireeye/sunburst_countermeasures -- ND

4 months, 1 week

Bro 2.5.5 source code

by Gary Huband

Is the Bro 2.5.5 source code still available on-line?

4 months, 1 week

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek January 2021