zeek January 2022

zeek@lists.zeek.org

13 participants
9 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

3 months, 2 weeks

Working with tsv and json log files at the same time

by Carlos Lopez

Hi all, Just a quick question: is it possible to store Zeek’s log files in TSV and JSON formats at the same time, and storing in separate directories for each format? Many thanks.

3 months, 2 weeks

Zeek bugfix release: 4.0.5

by Tim Wojtulewicz

Downloads for Zeek 4.0.5 are available: https://zeek.org/get-zeek https://download.zeek.org/zeek-4.0.5.tar.gz See the release notes for details of the addressed bugs and security issues: https://github.com/zeek/zeek/releases/tag/v4.0.5 Binary packages for the new releases will also be available shortly: https://github.com/zeek/zeek/wiki/Binary-Packages

3 months, 3 weeks

Zeek feature release: 4.2.0

by Tim Wojtulewicz

Downloads for Zeek 4.2.0 are available: https://zeek.org/get-zeek https://download.zeek.org/zeek-4.2.0.tar.gz See the release notes for details of the addressed bugs and security issues: https://github.com/zeek/zeek/releases/tag/v4.2.0 Binary packages for the new releases will also be available shortly: https://github.com/zeek/zeek/wiki/Binary-Packages

3 months, 3 weeks

Zeek LT election process for the 2022 and future elections

by Johanna Amann

Hello Everyone, As you probably know, the next LT elections are coming up in a bit less than a year – the plan is to hold elections around August 2021. Half the current LT seats will be up for re-election. The current election process is documented in our wiki at https://github.com/zeek/zeek/wiki/Zeek-Project--Leadership-Team----Process-…. It was first used in the 2020 election. In a nutshell, the current process allows community members to nominate themselves (or someone else) for a seat on the LT. After contacting all the nominees, the LT publishes the list of nominations and encourages the community to provide testimonials for the nominees. The current LT then votes on the candidates. For the 2022 election the LT wants to update the above mentioned LT Process and Description document. As described in the document, we are hereby seeking community input. Specifically, the LT Process and Description currently states that we want to have an open community election starting with the 2022 election. The LT discussed this in the last few meetings. It is the opinion of the LT that at the current time there is not yet a sufficient number of community-led groups to have a meaningful broader voting process. Hence, we propose to remove the sentences that refer to changing the election process for the 2022 and following elections, keeping the current voting process. A future LT can revisit this topic, once there are more active members in community-led groups. If you have any feedback about this change, please let us know within the next four weeks (by 2021-12-15), either by responding to this message, by mailing the LT at lt(a)lists.zeek.org, or by mailing me directly. Thank you, Johanna Amann (for the Zeek LT)

3 months, 4 weeks

Cron job intermittently reports that hosts are down

by ravi48＠purdue.edu

Hi, We've set up a Zeek cluster (version 4.1.1) with 8 worker nodes and a manager node (which is also the logger and the proxy). All nodes are on the same physical rack and configured to be on the same subnet. We have an issue where the zeek cron job intermittently reports that one (or a few) hosts are down. Within 5 minutes when the cron job runs again, we get a mail saying that the hosts are back up. There doesn't seem to be any notable reasons for this behavior. We've checked all settings from the firewall rules to increasing the connection timeout. The CPU and memory usage seems fine too. Whenever 'zeekctl status' is run manually, the output shows all nodes to be working and the logs are indeed being generated. The exact same hardware (and network architecture) had been running Bro (version 2.5.4) for 2+ years without any issues. While we used to see such alert emails once a month, we now see them as frequently as 5 times a day. It would be great if someone can help us diagnose this issue. Thanks and Regards

4 months, 1 week

I've learned a lot and appreciate you all - Thank you all for the last 3 years!

by Amber Graner

Hi all, I’ve been presented with an amazing career growth opportunity that I have decided to accept, somewhat unexpectedly. I’ve decided to take a position as Vice President of Community for a new ‘MLOps’ startup, where I’ll have the opportunity to build a product-oriented community as well as a community of practice. I am incredibly grateful for these last 3 years in the Zeek Community. Together with the support of Corelight and collaboration with the Zeek Project Leadership team, we have grown the Zeek community significantly, added systems and processes, and hopefully made it easier for you, the users and developers of Zeek to interact and contribute. “THANK YOU,” doesn’t begin to cover the gratitude I feel for this experience. Corelight is recruiting for my replacement already, and I’ll be working with the Zeek Project Leadership Team and Corelight to ensure a smooth transition. If you would like to stay connected my LinkedIn profile is: https://www.linkedin.com/in/akgraner/ Again, thank you all so much for being an amazing community to collaborate with and serve. With gratitude and deepest appreciation, ~Amber

4 months, 1 week

Warning: ignoring unrecognized node config option 'af_packet_fanout_id'

by Kayode Enwerem

Hello, Can someone assist me with this. Just upgrade zeek to 4.1.1 on Centos 7 (kernel: 3.10.0-1160.49.1.el7.x86_64). I am using AF_packet in my node.cfg and I have in installed via zkg [worker-1] type=worker host=localhost interface=af_packet::ensXX lb_method=custom lb_procs=30 pin_cpus=6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35 af_packet_fanout_id=10 af_packet_fanout_mode=AF_Packet::FANOUT_HASH zeek/j-gras/zeek-af_packet-plugin (installed: 3.0.1) - This plugin provides native AF_Packet support for Zeek. But I get the following error when I try to start zeek and the workers terminate right away. zeekctl deploy Warning: ignoring unrecognized node config option 'af_packet_fanout_id' given for node 'worker-1' Warning: ignoring unrecognized node config option 'af_packet_fanout_mode' given for node 'worker-1'

4 months, 1 week

Zeek feature release: 4.2.0-rc1

by Tim Wojtulewicz

Downloads for the first release candidate of Zeek 4.2.0 are available: https://zeek.org/get-zeek <https://zeek.org/get-zeek> https://download.zeek.org/zeek-4.2.0-rc1.tar.gz <https://download.zeek.org/zeek-4.2.0-rc1.tar.gz> See the release notes for details of the addressed bugs and security issues: https://github.com/zeek/zeek/releases/tag/v4.2.0-rc1 <https://github.com/zeek/zeek/releases/tag/v4.2.0-rc1> Binary packages for the new releases will also be available shortly: https://github.com/zeek/zeek/wiki/Binary-Packages <https://github.com/zeek/zeek/wiki/Binary-Packages>

4 months, 1 week

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek January 2022