zeek

zeek@lists.zeek.org

6 participants
5548 discussions

Cron job intermittently reports that hosts are down

by ravi48＠purdue.edu

Hi, We've set up a Zeek cluster (version 4.1.1) with 8 worker nodes and a manager node (which is also the logger and the proxy). All nodes are on the same physical rack and configured to be on the same subnet. We have an issue where the zeek cron job intermittently reports that one (or a few) hosts are down. Within 5 minutes when the cron job runs again, we get a mail saying that the hosts are back up. There doesn't seem to be any notable reasons for this behavior. We've checked all settings from the firewall rules to increasing the connection timeout. The CPU and memory usage seems fine too. Whenever 'zeekctl status' is run manually, the output shows all nodes to be working and the logs are indeed being generated. The exact same hardware (and network architecture) had been running Bro (version 2.5.4) for 2+ years without any issues. While we used to see such alert emails once a month, we now see them as frequently as 5 times a day. It would be great if someone can help us diagnose this issue. Thanks and Regards

1 week

I've learned a lot and appreciate you all - Thank you all for the last 3 years!

by Amber Graner

Hi all, I’ve been presented with an amazing career growth opportunity that I have decided to accept, somewhat unexpectedly. I’ve decided to take a position as Vice President of Community for a new ‘MLOps’ startup, where I’ll have the opportunity to build a product-oriented community as well as a community of practice. I am incredibly grateful for these last 3 years in the Zeek Community. Together with the support of Corelight and collaboration with the Zeek Project Leadership team, we have grown the Zeek community significantly, added systems and processes, and hopefully made it easier for you, the users and developers of Zeek to interact and contribute. “THANK YOU,” doesn’t begin to cover the gratitude I feel for this experience. Corelight is recruiting for my replacement already, and I’ll be working with the Zeek Project Leadership Team and Corelight to ensure a smooth transition. If you would like to stay connected my LinkedIn profile is: https://www.linkedin.com/in/akgraner/ Again, thank you all so much for being an amazing community to collaborate with and serve. With gratitude and deepest appreciation, ~Amber

1 week

Warning: ignoring unrecognized node config option 'af_packet_fanout_id'

by Kayode Enwerem

Hello, Can someone assist me with this. Just upgrade zeek to 4.1.1 on Centos 7 (kernel: 3.10.0-1160.49.1.el7.x86_64). I am using AF_packet in my node.cfg and I have in installed via zkg [worker-1] type=worker host=localhost interface=af_packet::ensXX lb_method=custom lb_procs=30 pin_cpus=6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35 af_packet_fanout_id=10 af_packet_fanout_mode=AF_Packet::FANOUT_HASH zeek/j-gras/zeek-af_packet-plugin (installed: 3.0.1) - This plugin provides native AF_Packet support for Zeek. But I get the following error when I try to start zeek and the workers terminate right away. zeekctl deploy Warning: ignoring unrecognized node config option 'af_packet_fanout_id' given for node 'worker-1' Warning: ignoring unrecognized node config option 'af_packet_fanout_mode' given for node 'worker-1'

1 week

Zeek feature release: 4.2.0-rc1

by Tim Wojtulewicz

Downloads for the first release candidate of Zeek 4.2.0 are available: https://zeek.org/get-zeek <https://zeek.org/get-zeek> https://download.zeek.org/zeek-4.2.0-rc1.tar.gz <https://download.zeek.org/zeek-4.2.0-rc1.tar.gz> See the release notes for details of the addressed bugs and security issues: https://github.com/zeek/zeek/releases/tag/v4.2.0-rc1 <https://github.com/zeek/zeek/releases/tag/v4.2.0-rc1> Binary packages for the new releases will also be available shortly: https://github.com/zeek/zeek/wiki/Binary-Packages <https://github.com/zeek/zeek/wiki/Binary-Packages>

1 week, 5 days

Re: display zeek logs to arkime

by Seth Grover

This is one of the primary aims of the project I work on at the Idaho National Lab called Malcolm. - https://github.com/idaholab/Malcolm - https://www.youtube.com/channel/UCFPhxEhTxyC5xVsIHh0vsSg It's open source, so you're welcome to use or adapt the project as would fit your needs. Or, if you just want to see the code where we're parsing the Zeek logs (in logstash) and making them correspond to the Arkime schema: - https://github.com/idaholab/Malcolm/blob/main/logstash/pipelines/zeek/11_ze… - https://github.com/idaholab/Malcolm/blob/main/arkime/etc/config.ini -SG -- Seth Grover Be kind to all of your neighbors Because they're just like you. And you're nothing special Unless they are too.

3 weeks, 3 days

Re: [Bro] xml / json parsers

by Jean Luc Couillard

Hello Zeek world I'm still very new with the Zeek thing, I want to create a new analyser for the Poct1a protocol, this protocol is base or looks like a XML format. I got most of the analyzer structure in place in my plugin, but I hit the wall with the PDU parsing. Do you have some examples where I could learn how to parse a XML frame. I have to get multiple fields and then populate in the Log file. 1 305 396 6900 JeanlucCouillard(a)medsec.com <YourEmail(a)medsec.com> -- CONFIDENTIALITY NOTICE: This message (including any attachments) may contain proprietary, business-confidential, and/or privileged material intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

3 weeks, 4 days

display zeek logs to arkime

by sami＠cirt.gov.bd

Hi, How can we display the zeek logs in ARKIME dashboard as individual field value? I need to know how to map the zeek logs to ARKIME sessions through elasticsearch. Thanks, Sami

3 weeks, 5 days

Testing only spicy analyzers

by Carlos Lopez

Good morning, Maybe this is a stupid question, but is it possible to test only spicy analyzers in a standalone zeek installation? I would like to test these analyzers before to deploy them in our zeek cluster and use a Zeek standalone instance with minimal default Zeek analyzers. Regards.

3 weeks, 5 days

Disable dns.log

by Gary Huband

My company runs Zeek on an Arm embedded device and we would like to minimize the CPU load from Zeek. Is there any way to disable the dns.log, we do not use it. Thanks Gary Gary Huband Sr. Software and Systems Engineer Office: 434.284.8071 x720 Direct: 434.260.4995 Gary(a)MissionSecure.com Follow Us! LinkedIn<https://www.linkedin.com/company/mission-secure-inc-> | Blog<https://www.missionsecure.com/blog?utm_source=email-signature&utm_medium=em…> | Website<https://www.missionsecure.com/?utm_source=email-signature&utm_medium=email&…> : : : : : : : : : : : : : : : : : : : : : : : : : : : [MSi] This email and any files transmitted with it are confidential and proprietary and intended solely for the use of the individual or entity to whom they are addressed. Any dissemination, distribution or copying of this communication is strictly prohibited without our prior permission. If you received this in error, please contact the sender and delete the material from any computer.

3 weeks, 6 days

Report SumStat$epoch_result with no observations

by Pedro Magalhães

Hey guys, I've written this small Zeek script to count and print the number of ICMP requests seen every specific time interval. Unfortunately, it does not report the value if there are no observations in that time interval... Any suggestion on how I could make it so it still reports 0 if there are no observations? Best regards, Pedro @load base/frameworks/sumstats module METRIC_TRACK; export { const icmp_request_epoch_interval = 5secs &redef; } event zeek_init() { local icmp_request_r = SumStats::Reducer($stream="metric.icmp.request", $apply=set(SumStats::SUM)); SumStats::create([$name = "metric.icmp.request.count", $reducers = set(icmp_request_r), $epoch = icmp_request_epoch_interval, $epoch_result(s: time, key: SumStats::Key, result: SumStats::Result) = { print(fmt("Found %d icmp requests in the last interval", double_to_count(result["metric.icmp.request"]$sum))); } ]); } event icmp_echo_request(c: connection, info: icmp_info, id: count, seq: count, payload: string) { SumStats::observe("metric.icmp.request", SumStats::Key(), SumStats::Observation($num=1)); }

1 month

Jump to page:

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek