Hi everyone,
as previously announced
(https://lists.zeek.org/archives/list/zeek-announce@lists.zeek.org/thread/33…),
we will move all our mailing lists to Discourse.
All mailing lists will be switched into read-only mode on Tuesday, May
24th 2022. The current state of the mailing lists will then be imported
into Discourse. We will expect this to take up to two days.
Thus, on or before Thursday, May 26th, the Zeek Discourse server will be
available at https://community.zeek.org. We will send one last posting
on this mailing list when the Discourse server is operational. Please
note that you will have to manually re-subscribe to the lists that you
are interested in.
If you have any questions or concerns about this, either email me
directly, or email the Zeek Leadership team at lt(a)zeek.org.
Johanna Amann (for the Zeek LT)
I'm currently using the Seiso/Kafka plugin to stream each unique Zeek log type to a different topic in Kafka and it works great https://github.com/SeisoLLC/zeek-kafka#example-4---send-each-zeek-log-to-a-…. I've been using SSL configurations to specify the directory path + filename for my .crt, .key and .pem files so in the $config variable, my table looks like this:
$config = table(
    ["metadata.broker.list"] = "broker1:9092",
    ["ssl.ca.location"] = "/path/to/ca/file.pem",
    ["ssl.certificate.location"] = "/path/to/certificate/file.crt",
    ["ssl.key.location"] = "/path/to/key/file.key",
    ["security.protocol"] = "ssl"
);
Instead of manually entering the "/path/to/certificate/file.crt" along with ca and key, I'd like to use either a bif (but I can't find one specifically for this use case) or create a function to parse the file names. I only need to be able to grab the file names, not the full directory path.
Here's what I have so far:
@load base/utils/exec

redef exit_only_after_terminate=T;

global command: string = "ls -A";

function get_certificate(): string
    {
    local cmd = Exec::Command($cmd=command);

    when ( local res = Exec::run(cmd) )
        {
        local results = res$stdout;

        for ( i in results )
            {
            if ( ends_with(results[i], ".crt") )
                {
                local match = match_pattern(results[i], /^([^.]+)\.crt/);
                return match$str;
                }
            }
        }
    }

event zeek_init()
    {
    local certificate: string = get_certificate();
    print certificate;
    }
I'm attempting to assign the return of the function (match$str) because that gives me the file name I'm looking for. Once I have the string in a variable, I think I should be able to insert that into the Kafka $config table for ssl.certificate.location. This script currently fails though with this error.
warning: non-void function returning without a value: get_certificate
expression error in ./get_certs.zeek, line 28: value used but not set (certificate)
fatal error: errors occurred while initializing
If I change return match$str to print match$str, then simply call get_certificate() in zeek_init(), it successfully prints the file name I want. How can I get this function to return match$str so I can save it into a variable for later use?
Thanks!
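The failure above comes from the "when" block: Exec::run completes asynchronously, so the surrounding function falls off its end before the body ever runs, and the "return match$str" inside the block never becomes the function's return value. Zeek's way to return a value from an asynchronous statement is "return when", which turns the function itself into an asynchronous one that callers must invoke from their own "when". The script below is an added example written for this thread, not code from the original poster or from the zeek-kafka project; it assumes a fixed directory named by the constant cert_dir (a placeholder path) and Zeek 4.x "when" syntax with implicit captures. Keeping the directory a constant also matters from a security standpoint, because Exec::run passes the command string to a shell and should never be built from network-derived data.

```zeek
@load base/utils/exec

redef exit_only_after_terminate = T;

# Assumption (not in the original post): the TLS material lives in one
# fixed directory. Keep this a constant; Exec::run hands the string to a
# shell, so it must never be assembled from packet or log contents.
const cert_dir = "/path/to/certificate" &redef;

# Asynchronous function: "return when" suspends until Exec::run finishes
# and then yields the first *.crt file name ("" if none is found or the
# command fails). Because of "return when", callers must use "when" too.
function get_certificate(): string
    {
    local cmd = Exec::Command($cmd=fmt("ls -A %s", cert_dir));

    return when ( local res = Exec::run(cmd) )
        {
        # Exec::Result carries exit_code and an optional stdout vector.
        if ( res$exit_code != 0 || ! res?$stdout )
            return "";

        for ( i in res$stdout )
            {
            local name = res$stdout[i];
            if ( ends_with(name, ".crt") )
                return name;    # bare file name, no directory prefix
            }

        return "";
        }
    timeout 5sec
        {
        return "";
        }
    }

event zeek_init()
    {
    # The caller must itself wait: the value only exists once the
    # asynchronous function has produced it.
    when ( local certificate = get_certificate() )
        {
        if ( certificate == "" )
            Reporter::warning(fmt("no .crt file found in %s", cert_dir));
        else
            # Rebuild the full path that the Kafka ssl.certificate.location
            # setting expects, from the constant directory plus the name.
            print fmt("ssl.certificate.location = %s/%s", cert_dir, certificate);

        terminate();
        }
    timeout 10sec
        {
        Reporter::error("get_certificate() did not complete in time");
        terminate();
        }
    }
```

Run it as "zeek get_certs.zeek" after pointing cert_dir at the real directory; it prints the discovered path once and then terminates. The same "when" is where the value would be inserted into the Kafka $config table, since nothing outside that block can see it earlier. Both timeouts are deliberate: without them a hung or missing "ls" would leave the script waiting forever, which under exit_only_after_terminate=T means Zeek never exits.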
Hi all,
I am trying to install zeek-long-connections in Zeek 4.0.6 under
FreeBSD 13 and it returns the following errors:
root@fbsdmgmt:~ # zpkg install zeek/corelight/zeek-long-connections
The following packages will be INSTALLED:
zeek/corelight/zeek-long-connections (v1.3.0)
Proceed? [Y/n]
Running unit tests for "zeek/corelight/zeek-long-connections"
error: "zeek/corelight/zeek-long-connections" tests failed, inspect
contents of /opt/zeek/var/lib/zkg/testing/zeek-long-connections for
details, especially any "zkg.test_command.{stderr,stdout}" files within
/opt/zeek/var/lib/zkg/testing/zeek-long-connections/clones/zeek-long-connections
Proceed to install anyway? [N/y]
Abort.
With Zeek 4.0.5 it works perfectly ... Any idea why it fails under Zeek 4.0.6?
--
Best regards,
C. L. Martinez
Hi Everyone,
You might remember our post about the state of the mailing lists in
November 2021 (see
https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/VLAAMGVG3NW…),
where we proposed to migrate our mailing lists to Discourse. The
feedback on this has been universally positive.
As a result of this, we are going to migrate all Zeek project mailing
lists to Discourse. We expect this migration process to be finished
around mid-May.
We are going to copy the entire history of all our mailing lists to
Discourse – so there will be no loss of information; all posts will
still be available. For technical reasons, we are not going to migrate
subscription information to Discourse. This means that you will have to
sign up to our Discourse server once it is available, and manually
enable notifications for posts if you wish to receive them. We will post
an announcement here once the Discourse server is publicly available,
and you can sign up to it. At that time we will also put the mailing
lists into read-only mode.
If you have any questions or concerns about this, either email me
directly, or email the Zeek Leadership team at lt(a)zeek.org.
Johanna Amann (for the Zeek LT)
Hi All
I need assistance with the Spicy plugin. The btest failed with the error
"can't find base/init-bare.zeek". I did not install Zeek because I'm using
the Corelight platform, but should I install Zeek? I did install
Spicy shortly after the Corelight installation.
I'm still new in the world of Zeek. I'm ready to create my first plugin,
but I realized that my environment and btest are not working with the freshly
downloaded plugins provided by the Spicy team. These 3 projects give the same
error: zeek_spicy_openvpn/ zeek-spicy-radius/ csv_naive/. Those projects
compile fine but btest fails. I also had some issues when I installed the
plugin:
zkg create (failed)
zkg test . ( failed)
cmake install . ( work)
make install . ( work) created .hlto / and copy in corelight modules
btest -->
[ 0%] analyzer.availability ... failed
% 'zeek -NN | grep -qi ANALYZER_SPICY_OpenVPN' failed unexpectedly (exit
code 1)
% cat .stderr
fatal error: can't find base/init-bare.zeek
[ 16%] analyzer.openvpn ... failed
% 'zeek -C -r ${TRACES}/openvpn.pcap
/home/jl/zeek-spicy-openvpn/tests/.tmp/analyzer.openvpn/openvpn.zeek
>openvpn.out' failed unexpectedly (exit code 1)
% cat .stderr
fatal error: can't find base/init-bare.zeek
[ 33%] analyzer.openvpnhmac ... failed
% 'zeek -C -r ${TRACES}/openvpn_udp_tls-auth.pcap
/home/jl/zeek-spicy-openvpn/tests/.tmp/analyzer.openvpnhmac/openvpnhmac.zeek
>openvpn.out' failed unexpectedly (exit code 1)
% cat .stderr
fatal error: can't find base/init-bare.zeek
[ 50%] analyzer.openvpnhmac256 ... failed
% 'zeek -C -r ${TRACES}/openvpn_udp_hmac_256.pcap
/home/jl/zeek-spicy-openvpn/tests/.tmp/analyzer.openvpnhmac256/openvpnhmac256.zeek
>openvpn.out' failed unexpectedly (exit code 1)
% cat .stderr
fatal error: can't find base/init-bare.zeek
[ 66%] analyzer.openvpntcp ... failed
% 'zeek -C -r ${TRACES}/openvpn_tcp_nontlsauth.pcap
/home/jl/zeek-spicy-openvpn/tests/.tmp/analyzer.openvpntcp/openvpntcp.zeek
>openvpn.out' failed unexpectedly (exit code 1)
% cat .stderr
fatal error: can't find base/init-bare.zeek
[ 83%] analyzer.openvpntcphmac ... failed
% 'zeek -C -r ${TRACES}/openvpn-tcp-tls-auth.pcap
/home/jl/zeek-spicy-openvpn/tests/.tmp/analyzer.openvpntcphmac/openvpntcphmac.zeek
>openvpn.out' failed unexpectedly (exit code 1)
% cat .stderr
fatal error: can't find base/init-bare.zeek
Thanks
*JeanLuc*
Software Engineer
MedSec
+1 305 396 6900
JeanlucCouillard(a)medsec.com <YourEmail(a)medsec.com>
Hey Zeekers,
I've been running several production instances of Zeek version 3.0.11 with
the Kafka library (version 1.4.2) and the older Metron Kafka Plugin. No
problems and it is very stable, but it is time to upgrade to LTS and I've
been having serious issues getting a good build of 4.0.5 with a functional
Zeek plugin.
I have tried the newer (supported?) version of the plugin (
https://github.com/SeisoLLC/zeek-kafka), following the instructions (zkg
install seisollc/zeek-kafka --version 1.0.0), and it fails because the
1.0.0 branch is no longer there. The compile and install works if I leave
the version off or specify --main, but it just never tries to send to
Kafka. I've tried Kafka library version 1.4.2, which is called out in the
docs, and I've even tried the newer stable version 1.6.2.
I even tried using the older Metron plugin on Zeek 4.0.5, which compiles
but doesn't pass the zeekctl check.
I've tried clean installs from scratch, and upgrades.
Does anyone have Zeek 4.0.5 working with the Kafka plugin? My OS is Ubuntu
18.0.4.
Kurtis Lawson
OK, maybe it's because it's the end of the week and my brain is fried, but I
can't find the documentation to uninstall Zeek.
Basically, I need to remove an old version from one server so I can install
a new version somewhere else...
a link to the documentation would be great....
thanks
zeek version 4.0.1
Craig L Bowser
____________________________
This email is measured by size. Bits and bytes may have settled during
transport.