zeek March 2021

zeek@lists.zeek.org

13 participants
11 discussions

by Vlad Grigorescu

We recently purchased some Intel XXV710 NICs for our Zeek systems. However, symmetric hashing does not seem to work on them, at least not completely. There was some discussion here regarding adding some functionality to the driver to make it work, however this never landed: https://sourceforge.net/p/e1000/mailman/message/35199068/ This post discusses how the X710 controller must be configured differently from the 82599 10G controller (used by the X520 cards): https://haryachyy.wordpress.com/2019/01/18/learning-dpdk-symmetric-rss/ The odd part is that following the SEPTun-MarkII guide[1] makes it *mostly* work, but we're consistently finding that ~1-2% of the traffic is not being symmetrically hashed. We're testing with can-i-use-afpacket-fanout[2] and Zeek 3.2. The most damning evidence is an Intel rep telling[3] a customer: > Unfortunately, we have been informed that the only support to setup symmetric RSS is via DPDK. Searching the mailing list archives, I found a couple of posts where people were encouraged to use X710-based cards, so I'm left wondering: Are there people using these? Are they also seeing this 1-2% asymmetry? Or am I missing a configuration tweak? Thanks, --Vlad [1] - < https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rst> [2] - <https://github.com/JustinAzoff/can-i-use-afpacket-fanout> [3] - < https://community.intel.com/t5/Ethernet-Products/X-L-710-supports-symmetric… >

2 months

Questions about NICs, PF_RING, and AF_Packet

by Steve Edgar

I am new to Zeek and will be setting up a Zeek system which will use a 10G NIC. I am not sure what NIC/driver configuration to use, and have some questions about PF_RING and AF_Packet. At … https://docs.zeek.org/en/current/cluster-setup.html#using-pf-ring … it looks like PF_RING, also known as "Vanilla PF_RING" … https://www.ntop.org/guides/pf_ring/vanilla.html#vanilla-pf-ring … makes it possible to assign worker processes to CPU cores by using "packet clustering" … https://www.ntop.org/guides/pf_ring/vanilla.html#packet-clustering Is this essentially implementing symmetric Receive Side Scaling? If so, can Vanilla PF_RING take advantage of a NIC which does symmetric hashing in hardware? The Zeek docs reference PF_RING+DNA … https://docs.zeek.org/en/current/cluster-setup.html#using-pf-ring … although from looking at the ntop site, DNA/Libzero was replaced some time ago with PF_RING ZC (Zero Copy) … https://www.ntop.org/guides/pf_ring/zc.html Does Zeek support PF_RING ZC? If so, in Zeek's node.cfg, how does one know what options to use for … interface= lb_method= It looks like the AF_Packet plugin … https://github.com/J-Gras/zeek-af_packet-plugin … does what Vanilla PF_RING does, in that it allows Zeek to have multiple worker processes which use different CPU cores. Can AF_Packet take advantage of a NIC which does symmetric hashing in hardware? It looks like AF_Packet does not provide a "Zero Copy" type of functionality, found in PF_RING ZC. Is that correct? I know this is a lot of questions. Any guidance is appreciated. -- Steve.

9 months, 4 weeks

Deduplication of log entries from redundant clusters

by Chris Herdt

We run 2 redundant Zeek clusters, which provides some safeguards against individual host or process failure, and virtually eliminates downtime due to periodic maintenance. However, ingesting terabytes of logs daily into Splunk eats into our Splunk license. Has anyone tried deduplicating redundant Zeek logs before sending them to Splunk (or Elastic Stack, Humio, Graylog, etc.)? My other thought is to simply not send one redundant set to Splunk unless an outage has occurred, but I thought I'd check on deduplication. -- Chris Herdt Security Analyst | University Information Security (UIS) University of Minnesota | umn.edu he, him, his

10 months

Using Spicy to develop the analyzer in "middle layers"?

by Hugo

Hi, Transitioning from the previous experience of developing analyzer in Binpac, I find that Spicy provides some additional flexibility, independence, and portability, making zeek-side of the codes cleaner. I have already tried to develop an application layer analyzer for a custom protocol based on TCP that I used for the class that I am teaching right now. From Spicy documentation, I see that we can also use Spicy to develop analyzers on top of "RawLayer" as well as over TCP/UDP. *My question is that is it possible to use Spicy to develop analyzers for protocols in middle layers? For example, for protocol running directly on top of Ethernet or protocols running directly on top of IP layer?* Thank you and best regards, Hui Lin

10 months, 1 week

Zeek security advisories?

by Ambros Novak

Hello, Is there a page that tracks Zeek security advisories, or at least a page tracking known Zeek vulnerabilities and affected versions? Thank you AN ——

10 months, 1 week

Daily stats issue after upgrade to 4.

by James Lay

From the email inline: Traceback (most recent call last): File "/opt/zeek/lib/zeek/python/SubnetTree.py", line 14, in swig_import_helper return importlib.import_module(mname) File "/usr/lib/python3.6/importlib/__init__.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "<frozen importlib._bootstrap>", line 994, in _gcd_import File "<frozen importlib._bootstrap>", line 971, in _find_and_load File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 658, in _load_unlocked File "<frozen importlib._bootstrap>", line 571, in module_from_spec File "<frozen importlib._bootstrap_external>", line 922, in create_module File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed ImportError: dynamic module does not define module export function (PyInit__SubnetTree) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/opt/zeek/bin/trace-summary", line 30, in <module> import SubnetTree File "/opt/zeek/lib/zeek/python/SubnetTree.py", line 17, in <module> _SubnetTree = swig_import_helper() File "/opt/zeek/lib/zeek/python/SubnetTree.py", line 16, in swig_import_helper return importlib.import_module('_SubnetTree') File "/usr/lib/python3.6/importlib/__init__.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) ImportError: dynamic module does not define module export function (PyInit__SubnetTree) Command exited with non-zero status 1 0:00.27 real, 0.09 user, 0.00 sys, 0K total memory -- [Automatically generated.] James

10 months, 1 week

Zeek 4.0.0 released

by Jon Siwek

Zeek 4.0.0 is now available: https://zeek.org/get-zeek/ This is a Long-Term Support (LTS) release, receiving critical bug-fixes and security patches for the next year. The previous LTS branch of Zeek 3.0.x may still receive any important security patches for the next two months, but won't be maintained afterward. General info about this release can be found in the release notes as well as a previous blog post from the release-candidate phase: https://github.com/zeek/zeek/releases/tag/v4.0.0 https://zeek.org/2020/12/15/zeek-4-0-release-candidate/

10 months, 2 weeks

February ZeeK Webinar Links

by Amber Graner

Hi all, If you missed the February Zeek Webinars on the new Zeek Documentation below are the links. - 9 February - Book of Zeek Webinar - https://www.dropbox.com/s/j4kuqvflioiqztr/Book_of_Zeek_Webinar_9FEB2021_553… - 23 February - Book of Zeek Webinar - https://www.dropbox.com/s/qqowmnx8obf2pqy/Book_of_Zeek_Webinar_570042-18211… 0 Please let me know if you have any questions or if you have suggestions for webinars or content for the Zeek documentation <https://docs.zeek.org/en/master/>. Thanks, ~Amber

10 months, 2 weeks

Recordings for the February and March Monthly Zeek Community Calls

by Amber Graner

Hi all, In case you weren't able to attend the February or March Monthly Community Calls below are the links to the recordings. Agenda for the meetings are as follows: - Update from Zeek LT - Zeek Technical Update - Zeek Documentation - Other =========== FEBRUARY =========== * Audio - https://www.dropbox.com/s/vy6vdddurm7597b/GMT20210203-175522_Monthly-Ze.m4a… * Video - https://www.dropbox.com/s/f0bn2vq8rpk64k0/GMT20210203-175522_Monthly-Ze_640… <https://www.dropbox.com/s/f0bn2vq8rpk64k0/GMT20210203-175522_Monthly-Ze_640…> =========== MARCH 2021 =========== Audio - https://www.dropbox.com/s/cwtyh3nguzehqyf/Audio_Only_March_2021_Zeek_Commun… Video - https://www.dropbox.com/s/ce5zl5ml3oci70a/Video_March_Zeek_Monthly_Communit… With Gratitude, ~Amber

10 months, 2 weeks

Reminder - Zeek Community Monthly Call - Today - 3 March - 1pm Eastern

by Amber Graner

Reminder - Zeek Community Monthly Call - Today - 3 March - 1pm Eastern - Zeek LT Update - Zeek Technical Update - Zeek Docs Update - Other items Use the following link to register: https://corelight.zoom.us/meeting/register/tJAqdu6gqzgvG9LqPt_zpfGex7NtR_HW… Thanks, ~Amber

10 months, 2 weeks

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek March 2021