zeek March 2021

zeek@lists.zeek.org

13 participants
10 discussions

Questions about NICs, PF_RING, and AF_Packet

by Steve Edgar

I am new to Zeek and will be setting up a Zeek system which will use a 10G NIC. I am not sure what NIC/driver configuration to use, and have some questions about PF_RING and AF_Packet. At … https://docs.zeek.org/en/current/cluster-setup.html#using-pf-ring … it looks like PF_RING, also known as "Vanilla PF_RING" … https://www.ntop.org/guides/pf_ring/vanilla.html#vanilla-pf-ring … makes it possible to assign worker processes to CPU cores by using "packet clustering" … https://www.ntop.org/guides/pf_ring/vanilla.html#packet-clustering Is this essentially implementing symmetric Receive Side Scaling? If so, can Vanilla PF_RING take advantage of a NIC which does symmetric hashing in hardware? The Zeek docs reference PF_RING+DNA … https://docs.zeek.org/en/current/cluster-setup.html#using-pf-ring … although from looking at the ntop site, DNA/Libzero was replaced some time ago with PF_RING ZC (Zero Copy) … https://www.ntop.org/guides/pf_ring/zc.html Does Zeek support PF_RING ZC? If so, in Zeek's node.cfg, how does one know what options to use for … interface= lb_method= It looks like the AF_Packet plugin … https://github.com/J-Gras/zeek-af_packet-plugin … does what Vanilla PF_RING does, in that it allows Zeek to have multiple worker processes which use different CPU cores. Can AF_Packet take advantage of a NIC which does symmetric hashing in hardware? It looks like AF_Packet does not provide a "Zero Copy" type of functionality, found in PF_RING ZC. Is that correct? I know this is a lot of questions. Any guidance is appreciated. -- Steve.

6 months

Deduplication of log entries from redundant clusters

by Chris Herdt

We run 2 redundant Zeek clusters, which provides some safeguards against individual host or process failure, and virtually eliminates downtime due to periodic maintenance. However, ingesting terabytes of logs daily into Splunk eats into our Splunk license. Has anyone tried deduplicating redundant Zeek logs before sending them to Splunk (or Elastic Stack, Humio, Graylog, etc.)? My other thought is to simply not send one redundant set to Splunk unless an outage has occurred, but I thought I'd check on deduplication. -- Chris Herdt Security Analyst | University Information Security (UIS) University of Minnesota | umn.edu he, him, his

6 months, 1 week

Using Spicy to develop the analyzer in "middle layers"?

by Hugo

Hi, Transitioning from the previous experience of developing analyzer in Binpac, I find that Spicy provides some additional flexibility, independence, and portability, making zeek-side of the codes cleaner. I have already tried to develop an application layer analyzer for a custom protocol based on TCP that I used for the class that I am teaching right now. From Spicy documentation, I see that we can also use Spicy to develop analyzers on top of "RawLayer" as well as over TCP/UDP. *My question is that is it possible to use Spicy to develop analyzers for protocols in middle layers? For example, for protocol running directly on top of Ethernet or protocols running directly on top of IP layer?* Thank you and best regards, Hui Lin

6 months, 2 weeks

Zeek security advisories?

by Ambros Novak

Hello, Is there a page that tracks Zeek security advisories, or at least a page tracking known Zeek vulnerabilities and affected versions? Thank you AN ——

6 months, 2 weeks

Daily stats issue after upgrade to 4.

by James Lay

From the email inline: Traceback (most recent call last): File "/opt/zeek/lib/zeek/python/SubnetTree.py", line 14, in swig_import_helper return importlib.import_module(mname) File "/usr/lib/python3.6/importlib/__init__.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "<frozen importlib._bootstrap>", line 994, in _gcd_import File "<frozen importlib._bootstrap>", line 971, in _find_and_load File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 658, in _load_unlocked File "<frozen importlib._bootstrap>", line 571, in module_from_spec File "<frozen importlib._bootstrap_external>", line 922, in create_module File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed ImportError: dynamic module does not define module export function (PyInit__SubnetTree) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/opt/zeek/bin/trace-summary", line 30, in <module> import SubnetTree File "/opt/zeek/lib/zeek/python/SubnetTree.py", line 17, in <module> _SubnetTree = swig_import_helper() File "/opt/zeek/lib/zeek/python/SubnetTree.py", line 16, in swig_import_helper return importlib.import_module('_SubnetTree') File "/usr/lib/python3.6/importlib/__init__.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) ImportError: dynamic module does not define module export function (PyInit__SubnetTree) Command exited with non-zero status 1 0:00.27 real, 0.09 user, 0.00 sys, 0K total memory -- [Automatically generated.] James

6 months, 2 weeks

Zeek 4.0.0 released

by Jon Siwek

Zeek 4.0.0 is now available: https://zeek.org/get-zeek/ This is a Long-Term Support (LTS) release, receiving critical bug-fixes and security patches for the next year. The previous LTS branch of Zeek 3.0.x may still receive any important security patches for the next two months, but won't be maintained afterward. General info about this release can be found in the release notes as well as a previous blog post from the release-candidate phase: https://github.com/zeek/zeek/releases/tag/v4.0.0 https://zeek.org/2020/12/15/zeek-4-0-release-candidate/

6 months, 2 weeks

February ZeeK Webinar Links

by Amber Graner

Hi all, If you missed the February Zeek Webinars on the new Zeek Documentation below are the links. - 9 February - Book of Zeek Webinar - https://www.dropbox.com/s/j4kuqvflioiqztr/Book_of_Zeek_Webinar_9FEB2021_553… - 23 February - Book of Zeek Webinar - https://www.dropbox.com/s/qqowmnx8obf2pqy/Book_of_Zeek_Webinar_570042-18211… 0 Please let me know if you have any questions or if you have suggestions for webinars or content for the Zeek documentation <https://docs.zeek.org/en/master/>. Thanks, ~Amber

6 months, 3 weeks

Recordings for the February and March Monthly Zeek Community Calls

by Amber Graner

Hi all, In case you weren't able to attend the February or March Monthly Community Calls below are the links to the recordings. Agenda for the meetings are as follows: - Update from Zeek LT - Zeek Technical Update - Zeek Documentation - Other =========== FEBRUARY =========== * Audio - https://www.dropbox.com/s/vy6vdddurm7597b/GMT20210203-175522_Monthly-Ze.m4a… * Video - https://www.dropbox.com/s/f0bn2vq8rpk64k0/GMT20210203-175522_Monthly-Ze_640… <https://www.dropbox.com/s/f0bn2vq8rpk64k0/GMT20210203-175522_Monthly-Ze_640…> =========== MARCH 2021 =========== Audio - https://www.dropbox.com/s/cwtyh3nguzehqyf/Audio_Only_March_2021_Zeek_Commun… Video - https://www.dropbox.com/s/ce5zl5ml3oci70a/Video_March_Zeek_Monthly_Communit… With Gratitude, ~Amber

6 months, 3 weeks

Reminder - Zeek Community Monthly Call - Today - 3 March - 1pm Eastern

by Amber Graner

Reminder - Zeek Community Monthly Call - Today - 3 March - 1pm Eastern - Zeek LT Update - Zeek Technical Update - Zeek Docs Update - Other items Use the following link to register: https://corelight.zoom.us/meeting/register/tJAqdu6gqzgvG9LqPt_zpfGex7NtR_HW… Thanks, ~Amber

6 months, 3 weeks

zeek 4.0 packet analysis questions

by Brett D. Rasmussen

Hello. Please see the attached zeek 4.0 questions file. Thanks! Brett Rasmussen Cyber Security Researcher Supporting the DHS CIOCC Advanced Analytical Lab Phone: (208) 526-5486 Fax: (208) 526-6173 Email: Brett.Rasmussen(a)inl.gov<mailto:Jan.Wright@inl.gov>

6 months, 3 weeks

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek March 2021