Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings I get 800000
packets with 33 rings, 1200000 packets with 34 rings and so on.
I wonder whether there is some rule that a pf_ring or a Bro cluster can only
support fewer than 32 rings or worker threads on a server, or some other
reason?
Any insight would be helpful.
We recently purchased some Intel XXV710 NICs for our Zeek systems. However,
symmetric hashing does not seem to work on them, at least not completely.
There was some discussion here regarding adding some functionality to the
driver to make it work, however this never landed:
https://sourceforge.net/p/e1000/mailman/message/35199068/
This post discusses how the X710 controller must be configured differently
from the 82599 10G controller (used by the X520 cards):
https://haryachyy.wordpress.com/2019/01/18/learning-dpdk-symmetric-rss/
The odd part is that following the SEPTun-MarkII guide[1] makes it *mostly*
work, but we're consistently finding that ~1-2% of the traffic is not being
symmetrically hashed. We're testing with can-i-use-afpacket-fanout[2] and
Zeek 3.2.
The most damning evidence is an Intel rep telling[3] a customer:
> Unfortunately, we have been informed that the only support to setup
symmetric RSS is via DPDK.
Searching the mailing list archives, I found a couple of posts where people
were encouraged to use X710-based cards, so I'm left wondering: Are there
people using these? Are they also seeing this 1-2% asymmetry? Or am I
missing a configuration tweak?
Thanks,
--Vlad
[1] https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rst
[2] https://github.com/JustinAzoff/can-i-use-afpacket-fanout
[3] https://community.intel.com/t5/Ethernet-Products/X-L-710-supports-symmetric…
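To make the "symmetric RSS" question concrete, here is the Toeplitz hash that RSS-capable NICs use for queue selection, run over both directions of a few constructed IPv4 flows with the 0x6d5a-repeating key from the SEPTun guide and with the conventional default RSS key. This is an added example written for this thread; it is not code from the post, from Zeek, or from the SEPTun guide, and the sample flows are constructed. Because the symmetric key has a 16-bit period, swapping the 32-bit source and destination addresses (or the 16-bit ports) shifts every set input bit by a multiple of 16 and lands it on an identical key window, so the XOR of windows, and therefore the hash, is unchanged.

```python
# Toeplitz RSS hash, as used by RSS-capable NICs for queue selection, showing
# why the 0x6d5a-repeating key hashes both directions of an IPv4 flow to the
# same value while the conventional default key does not. Added example for
# this thread, not code from the post, Zeek or the SEPTun guide; the flows
# below are constructed.
import ipaddress
import struct
from typing import List, Tuple

# Symmetric key from the SEPTun/Suricata guides: 0x6d5a repeated. 52 bytes
# covers the i40e (X710) key length; ixgbe (82599/X520) uses the first 40.
SYMMETRIC_KEY = bytes.fromhex("6d5a" * 26)

# The well-known default RSS key from Microsoft's RSS specification (40 bytes).
DEFAULT_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0"
    "d0ca2bcbae7b30b477cb2da38030f20c"
    "6a42b73bbeac01fa"
)

Flow = Tuple[str, str, int, int]  # (src_ip, dst_ip, src_port, dst_port)


def toeplitz(key: bytes, data: bytes) -> int:
    """Toeplitz hash: for every set input bit i (MSB first), XOR in the
    32-bit window of the key that starts at key bit i."""
    key_bits, data_bits = len(key) * 8, len(data) * 8
    if key_bits < data_bits + 31:
        raise ValueError("key too short for this input")
    key_int = int.from_bytes(key, "big")
    data_int = int.from_bytes(data, "big")
    result = 0
    for i in range(data_bits):
        if (data_int >> (data_bits - 1 - i)) & 1:
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def rss_input_ipv4(flow: Flow) -> bytes:
    """RSS hash input for IPv4 TCP/UDP ('sdfn' in ethtool terms):
    src IP, dst IP, src port, dst port, in that order."""
    src, dst, sport, dport = flow
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HH", sport, dport))


def reverse(flow: Flow) -> Flow:
    """The same flow as seen from the server side."""
    src, dst, sport, dport = flow
    return (dst, src, dport, sport)


def is_symmetric(key: bytes, flow: Flow) -> bool:
    """True if both directions of the flow hash to the same 32-bit value."""
    return (toeplitz(key, rss_input_ipv4(flow))
            == toeplitz(key, rss_input_ipv4(reverse(flow))))


def asymmetric_flows(key: bytes, flows: List[Flow]) -> List[Flow]:
    """Return the flows whose two directions would land on different queues."""
    return [f for f in flows if not is_symmetric(key, f)]


# Constructed sample flows (client -> server direction).
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.15", "192.168.1.20", 51234, 443),
    ("10.0.0.16", "192.168.1.20", 40001, 53),
    ("172.16.4.9", "198.51.100.7", 33333, 22),
    ("128.0.0.0", "0.0.0.0", 0, 0),  # a single set bit: easy to check by hand
]

if __name__ == "__main__":
    for name, key in (("0x6d5a key", SYMMETRIC_KEY), ("default key", DEFAULT_KEY)):
        bad = asymmetric_flows(key, SAMPLE_FLOWS)
        print(f"{name}: {len(bad)}/{len(SAMPLE_FLOWS)} flows hash asymmetrically")
```

With the single-bit flow the two directions under the default key are simply the first and the second 32-bit words of the key (0x6d5a56da versus 0x255b0ec2), which is why they differ; under the 0x6d5a key both windows are 0x6d5a6d5a. On a live box, `ethtool -x <iface>` prints the key the NIC is actually using and `ethtool -n <iface> rx-flow-hash tcp4` (and `udp4`) prints which header fields feed the hash; a residual asymmetry with the right key loaded points at packets hashed over a different field set than the one modelled here, which this script cannot see.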
Hi everyone,
Zeek documentation states that one way to ignore bad packet checksums is to add the '-C' option to the zeek command. I use zeekctl to start the zeek process. Which configuration file and/or variable should I use to specify this option?
Regards,
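One way to do this with zeekctl, added here as an example and not taken from the post: zeekctl.cfg has a ZeekArgs option whose value is appended to the command line of every Zeek process that zeekctl launches (the file path below assumes the default /opt/zeek install prefix).

```ini
# /opt/zeek/etc/zeekctl.cfg (path assumed; adjust to your install prefix)
# Extra command-line arguments for every Zeek process that zeekctl starts.
# -C makes Zeek ignore invalid IP/TCP/UDP checksums.
ZeekArgs = -C
```

Run `zeekctl deploy` afterwards so the running nodes pick the argument up; `zeekctl config` prints the value in effect. The same effect without touching the command line is `redef ignore_checksums = T;` in local.zeek, since -C sets exactly that script-level variable.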
Hi,
I have been reading the Zeek Intel docs
(https://docs.zeek.org/en/master/frameworks/intel.html) and trying to get it
to work on my Zeek (4.0.0 on CentOS-7).
I have correctly formatted Intel files and a custom script to load them:
redef Intel::read_files += {
"/usr/share/feed/ip.txt",
"/usr/share/feed/domain.txt",
"/usr/share/feed/email.txt",
};
@load frameworks/intel/seen
@load frameworks/intel/do_notice
On trying to do a DNS query for a known bad domain, nothing gets logged in
intel.log or notice.log
However, I do get the following entry in reporter.log
xxxxxx.xxx Reporter::WARNING failed to convert remote event
'Intel::match_remote' arg #0, got vector, expected record (empty)
If anybody has any pointers on how to proceed, I will be grateful.
Thanks,
Dheeraj
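A check worth running on intel feed files before blaming the scripts: the Intel framework reads them through the input framework as tab-separated text with a `#fields` header line naming the columns, and a file that looks fine in an editor but uses spaces, CRLF endings or an unknown indicator type loads nothing and only leaves a line in reporter.log. The validator below is an added example written for this thread, not code from the post or from Zeek; the two feed files it checks are constructed and the indicators in them are placeholders.

```python
# Sanity checker for Zeek Intel framework input files: tab-separated text
# with a '#fields' header naming the columns. Added example for this thread,
# not from the post or from Zeek; the sample files are constructed.
from typing import List

# Indicator types the Intel framework understands (the Intel::Type enum).
VALID_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE",
    "Intel::EMAIL", "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH", "Intel::PUBKEY_HASH",
}
REQUIRED_COLUMNS = ("indicator", "indicator_type", "meta.source")


def validate_intel_file(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file should load."""
    problems: List[str] = []
    lines = text.split("\n")
    if not lines[0].startswith("#fields\t"):
        return ["line 1: missing '#fields<TAB>indicator<TAB>...' header"]
    columns = lines[0].rstrip("\r").split("\t")[1:]
    for col in REQUIRED_COLUMNS:
        if col not in columns:
            problems.append(f"header: required column {col!r} not present")
    if problems:
        return problems
    ind_col = columns.index("indicator")
    type_col = columns.index("indicator_type")
    for n, raw in enumerate(lines[1:], start=2):
        if raw.endswith("\r"):
            problems.append(f"line {n}: CRLF line ending, convert to LF")
            raw = raw[:-1]
        if raw == "" or raw.startswith("#"):
            continue  # blank lines and comments are fine
        cols = raw.split("\t")
        if len(cols) != len(columns):
            hint = ""
            if "\t" not in raw and " " in raw:
                hint = " (fields separated by spaces instead of tabs?)"
            problems.append(
                f"line {n}: {len(cols)} fields, header names {len(columns)}{hint}")
            continue
        if cols[type_col] not in VALID_TYPES:
            problems.append(f"line {n}: unknown indicator_type {cols[type_col]!r}")
        if cols[ind_col] != cols[ind_col].strip():
            problems.append(f"line {n}: indicator has leading/trailing whitespace")
    return problems


# Constructed feed that loads cleanly.
GOOD_FILE = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "evil.example\tIntel::DOMAIN\tfeed1\tconstructed test indicator\n"
    "198.51.100.7\tIntel::ADDR\tfeed1\t-\n"
)

# Constructed feed with three classic mistakes: spaces instead of tabs,
# a made-up indicator type, and a Windows line ending.
BAD_FILE = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "evil.example Intel::DOMAIN feed1\n"
    "198.51.100.7\tIntel::IP\tfeed1\n"
    "bad.example\tIntel::DOMAIN\tfeed1\r\n"
)

if __name__ == "__main__":
    for name, content in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(name, validate_intel_file(content) or "ok")
```

Input-framework parse errors for these files also show up in reporter.log, so it is the first log to read when intel.log stays empty. The warning quoted in the post is a different matter: "failed to convert remote event 'Intel::match_remote'" means that the node receiving the event declares its first argument as a record while the sending node sent a vector, which a feed-file check cannot explain; it is worth confirming that every node in the cluster loads the same Intel scripts.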
Good afternoon,
Has anyone used threatbus to integrate MISP IOCs into Zeek? Personally I have used DoveHawk in some installations and the result was satisfactory.
This time I have to integrate more than one CTI platform with Zeek and I was thinking of using ThreatBus.
Any experiences or problems encountered with ThreatBUS? Or is it better to keep Dovehawk?
Many thanks.
Hi all,
I have detected a behaviour in my Zeek cluster that I would like to avoid, if it is possible. I am using Zeek 4.0.1 under FreeBSD 13.
The problem comes because Zeek detects multiple duplicate packets, as reported to me by bro-doctor:
######################################################################
# Checking if any recent connections have been logged multiple times #
######################################################################
error: 98.80%, 1731 out of 1752 connections appear to be duplicate
As you can see, Zeek detects too many duplicated sessions. This is because I have workers monitoring three networks: net1, net2 and net3. On net1, I have services exposed to all my internal networks such as DNS, SMTP, HTTPS, etc. These services are consumed from all the networks and I understand that for that reason Zeek tells me that there are duplicate sessions.
My question is: is it possible to filter traffic (using BPF filters) per worker in a cluster environment? Or is it only possible to avoid this situation by deploying Zeek in standalone mode?
Best regards,
C. L. Martinez
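One way to cut the duplicates while keeping the cluster, added here as an example and not taken from the post or from Zeek: give each worker a BPF restrict filter so that a packet travelling between two monitored networks is kept by exactly one of the workers that can see it. The scheme below orders the networks and lets worker k keep everything touching its own network except packets that also touch a network owned by an earlier worker, which already has them. The worker names and subnets are constructed; the small evaluator mirrors BPF's `net` semantics (source or destination inside the prefix) so the filters can be checked offline.

```python
# Per-worker BPF "restrict" filters so that a connection between two monitored
# networks is captured by exactly one worker. Added example for this thread,
# not from the post or from Zeek; worker names and subnets are constructed.
import ipaddress
from typing import Dict, List, Tuple

# Constructed mapping: worker name -> the network whose span it receives.
NETS: Dict[str, str] = {
    "worker-net1": "10.1.0.0/16",
    "worker-net2": "10.2.0.0/16",
    "worker-net3": "10.3.0.0/16",
}


def build_filters(nets: Dict[str, str]) -> Dict[str, str]:
    """Worker k keeps packets touching its own net, minus packets that also
    touch a net owned by an earlier worker (that worker already has them)."""
    filters: Dict[str, str] = {}
    earlier: List[str] = []
    for worker, cidr in nets.items():
        expr = f"net {cidr}"
        if earlier:
            expr += " and not (" + " or ".join(f"net {c}" for c in earlier) + ")"
        filters[worker] = expr
        earlier.append(cidr)
    return filters


def _touches(cidr: str, src: str, dst: str) -> bool:
    """Same semantics as BPF 'net X': source or destination address is in X."""
    network = ipaddress.ip_network(cidr)
    return (ipaddress.ip_address(src) in network
            or ipaddress.ip_address(dst) in network)


def capturing_workers(nets: Dict[str, str], src: str, dst: str) -> List[str]:
    """Evaluate the generated filters on one packet; mirrors build_filters."""
    seen: List[str] = []
    earlier: List[str] = []
    for worker, cidr in nets.items():
        if _touches(cidr, src, dst) and not any(_touches(c, src, dst) for c in earlier):
            seen.append(worker)
        earlier.append(cidr)
    return seen


# Constructed packets: (src, dst, comment)
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("10.2.5.5", "10.1.0.53", "net2 client -> DNS server on net1"),
    ("10.3.1.1", "10.2.1.1", "net3 -> net2"),
    ("10.3.1.1", "10.3.2.2", "inside net3"),
    ("10.3.1.1", "203.0.113.9", "net3 -> Internet"),
]

if __name__ == "__main__":
    for worker, expr in build_filters(NETS).items():
        print(f"{worker}: {expr}")
    for src, dst, note in SAMPLE_PACKETS:
        print(f"{src} -> {dst} ({note}): {capturing_workers(NETS, src, dst)}")
```

In Zeek the generated string for a node goes into `restrict_filters` (the packet-filter framework ANDs it with the capture filter), guarded by `@if ( Cluster::node == "worker-net2" )` in local.zeek so each worker gets its own entry; packet_filter.log records the filter every node actually applied, which is the place to confirm it took effect. The trade-off is load: the first network in the order keeps all of its cross-network traffic, so with a shared-services network like net1 that worker carries the most, and reordering the networks moves that load to a different worker.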
Hi, everyone. When I use zeek-agent, I have some problems.
This is my environment:
CentOS Linux release 7.8.2003
OSquery 4.2.0
zeek 3.0.12
zeek-agent 1.0.2
zeek-agent-framework 0.4
My work:
- installed zeek, OSquery, zeek-agent, zeek-agent-framework successfully
- config zeek-agent
{
"server_address": "127.0.0.1",
"server_port": 9999,
"log_folder": "/var/log/zeek",
"max_queued_row_count": 5000,
"osquery_extensions_socket": "/var/osquery/osquery.em",
"group_list": []
}
- config /opt/zeek/share/zeek/site/local.zeek, add this at the end:
@load zeek-agent
- config /opt/zeek/share/zeek/site/zeek-agent/__load__.zeek, add this at the end:
@load ./examples/auditd
- start auditd service, start osqueryd
- start zeek-agent
sudo zeek-agent
- start zeekctl
zeekctl deploy
zeekctl
[ZeekControl] > start
Everything is right. I could find logs in /opt/zeek/logs/current:
broker.log conn.log dns.log ntp.log stats.log stdout.log zeek-agent.log
capture_loss.log dhcp.log loaded_scripts.log packet_filter.log stderr.log weird.log
but I can't see any log name starting with "agent_", such as agent_socket_events.log or agent_process_events.log (from vZW20 - Day 2 - Zeek Agent: Correlating Host & Network Logs for Better Forensics - Wajih Ul Hassan).
My questions:
1. Was anything wrong in my actions?
2. Where are agent_socket_events.log agent_process_events.log?
3. What is the relation between virtual tables and "agent_*.log" ?
4. Virtual tables are stored in sqlite or osquery?
Thank you very much!
Forgot a subject...
On Wed, May 5, 2021, 8:25 PM craig bowser <reswob10(a)gmail.com> wrote:
>
> I have a VM running in VMware Workstation that I've installed Splunk and
> Zeek on. Splunk is not running while I troubleshoot this problem.
> The VM has 4 sockets with 2 cores and 8GB ram. There is only one NIC.
> And the vm is configured to do NAT
>
> I've disabled syslog, ssh, shop, ssl, x509, and weird streams.
>
> The goal is to build a simple environment for testing and teaching.
> So I'm focused on the conn.log, the dns.log, and the http.log
>
> To test, I'm using curl -L, wget, and python requests.
>
> The dns.log is capturing queries. And the conn.log is showing connections.
> However, the http log is not capturing the host.
>
> Am I missing something?
> Tips for troubleshooting?
>
> Thanks