Hi Rainer,
If you are running Zeek on the same machine as your server, Zeek
probably sees the packets that your server generates as having incorrect
checksums - and drops them.
This would fit with your log file, which only contains the client-side
information (like the hostname) and not the server-side information. You
can tell Zeek to ignore checksum mismatches by calling it with the -C
flag.
If you are not running Zeek on the same machine as your server, it looks
like your monitoring machine might only see one side of the traffic -
for that, conn.log would be the first place to start an investigation -
see if the history field of the connection looks ok, and if there are
any missed bytes.
I hope this helps,
Johanna
On 27 Nov 2020, at 20:52, Rainer Duffner wrote:
> Hi,
>
> I installed zeek 3.2.2 on CentOS 7 (amd64)
>
> I want to be able to log the ssl ciphers and protocols used on a host
> so we can get an overview of how many old clients are connecting
>
> However, in the ssl.log, it does not log that information.
>
>
> [root@zeek current]# ll
> insgesamt 68
> -rw-r--r--. 1 root zeek 2316 27. Nov 21:44 conn.log
> -rw-r--r--. 1 root zeek 581 27. Nov 21:44 dns.log
> -rw-r--r--. 1 root zeek 26221 27. Nov 21:43 loaded_scripts.log
> -rw-r--r--. 1 root zeek 600 27. Nov 21:44 ntp.log
> -rw-r--r--. 1 root zeek 227 27. Nov 21:43 packet_filter.log
> -rw-r--r--. 1 root zeek 666 27. Nov 21:44 reporter.log
> -rw-r--r--. 1 root zeek 497 27. Nov 21:44 ssl.log
> -rw-r--r--. 1 root zeek 686 27. Nov 21:43 stats.log
> -rw-r--r--. 1 root zeek 20 27. Nov 21:43 stderr.log
> -rw-r--r--. 1 root zeek 188 27. Nov 21:43 stdout.log
> -rw-r--r--. 1 root zeek 983 27. Nov 21:44 weird.log
> [root@zeek current]# cat ssl.log
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path ssl
> #open 2020-11-27-21-44-28
>
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher curve server_name resumed last_alert next_protocol established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer validation_status
> #types time string addr port addr port string string string string bool string string bool vector[string] vector[string] string string string string string
> 1606509862.986251 CCB2e543osaLm9T38 192.168.1.238 52108 aaa.bb.ccc.68 443 - - - server68.domain.org F - - F - - - - - - -
>
>
> In share/zeek/site/local.zeek
>
> I’ve added
>
> @load protocols/ssl/weak-keys
>
> In
> share/zeek/policy/protocols/ssl/weak-keys.zeek
>
> I’ve set
> option tls_minimum_version = TLSv12;
>
>
> Is there anything else to do?
>
> I run this in a local VMWare Fusion VM.
>
> I connected to the host above via curl -v --tlsv1.0
>
>
>
> Rainer
>
> --
> zeek mailing list -- zeek(a)lists.zeek.org
> To unsubscribe send an email to zeek-leave(a)lists.zeek.org
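As an added illustration of the conn.log check Johanna describes (not code from the thread or from Zeek itself): a small Python script that parses a conn.log and flags connections whose history shows only one side of the traffic, responder packets with bad checksums, or missed bytes. The column names follow the standard conn.log header; the sample records are constructed for the example.

```python
"""Scan a Zeek conn.log for connections Zeek saw only one side of.
history: upper-case letters = packets from the originator, lower-case =
packets from the responder, 'c' = responder packet with a bad checksum.
missed_bytes counts gaps in the stream. The sample log is constructed."""
import io

SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tproto\tmissed_bytes\thistory\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tstring\n"
    "1606509862.986251\tC1\t192.168.1.238\t52108\t10.0.0.68\t443\ttcp\t0\tShADadFf\n"
    "1606509863.100000\tC2\t192.168.1.238\t52110\t10.0.0.68\t443\ttcp\t0\tSADc\n"
    "1606509864.200000\tC3\t192.168.1.238\t52112\t10.0.0.68\t443\ttcp\t1448\tShADadGf\n"
    "1606509865.300000\tC4\t192.168.1.238\t52114\t10.0.0.68\t443\ttcp\t0\t-\n"
)

def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def visibility_problems(text):
    """Return (uid, reason) pairs for connections that look one-sided."""
    problems = []
    for rec in parse_conn_log(text):
        uid, hist = rec["uid"], rec["history"]
        if "c" in hist:
            problems.append((uid, "responder packets with bad checksums"))
        # Direction check ignores bad-checksum markers: those packets were dropped.
        direction = [ch for ch in hist if ch.isalpha() and ch not in "cC"]
        if not direction:
            problems.append((uid, "no history recorded"))
        elif all(ch.isupper() for ch in direction):
            problems.append((uid, "originator traffic only"))
        elif all(ch.islower() for ch in direction):
            problems.append((uid, "responder traffic only"))
        if rec["missed_bytes"] not in ("-", "0"):
            problems.append((uid, rec["missed_bytes"] + " missed bytes"))
    return problems

if __name__ == "__main__":
    for uid, reason in visibility_problems(SAMPLE_CONN_LOG):
        print(uid, reason)
```

Connections listed as "originator traffic only" next to a bare ssl.log row like the one above point at the monitoring position or at checksum drops rather than at the SSL analyzer.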