[Zeek] Noticing "SumStat key request for the.." in reporter.log Zeek 3.0

fatema bannatwala fatema.bannatwala at gmail.com
Sat Dec 7 16:24:49 PST 2019


Hi Jon,

Thanks for the insights.
I don't have the misc/scan enabled in local.zeek, actually using Justin's
simple scan detection script.

Also, checked the local scripts that are currently enabled in local.zeek
and found two scripts - detect-ms15-034.bro and
http-basic-auth-bruteforce.bro that use SumStat framework. I have disabled
them to see if the SumStat warnings are reduced in the reporter.log.

Thanks!
Fatema

On Fri, Dec 6, 2019 at 8:26 PM Jon Siwek <jsiwek at corelight.com> wrote:

> On Fri, Dec 6, 2019 at 2:06 PM fatema bannatwala
> <fatema.bannatwala at gmail.com> wrote:
>
> > I upgraded our external zeek cluster right before Thanksgiving to zeek
> 3.0, and have started noticing a fair amount of following warnings in
> reporter.log file:
> >
> > "SumStat key request for the 7PJNSqZOUs8 SumStat uid took longer than 1
> minute and was automatically cancelled."
>
> Did you happen to copy over a previous local.bro that still has "@load
> misc/scan" in it?  The new local.zeek has that commented out due to it
> being a frequent cause of performance issues.
>
> > Also, an interesting thing is that after the upgrade, generation of
> software.log file has become pretty sporadic (no software.log file for the
> last one week).
>
> One reason for that may be if you don't have any proxy nodes in your
> cluster config (or they aren't reachable for some reason).
>
> - Jon
>
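An added check, not part of the thread, for the audit Fatema describes (which @load lines in local.zeek are still active, and which of those site scripts use the SumStats framework). It assumes site scripts live in one directory (Zeek itself searches ZEEKPATH) and uses constructed sample files and script contents.

```shell
#!/bin/sh
# Added example, not from the thread: list @load directives in a local.zeek
# that are not commented out, then report which of the loaded site scripts
# reference SumStats::. All file names and contents below are constructed.

# list_active_loads FILE: print the argument of every @load line whose
# leading character is not '#' (the stock Zeek 3.0 local.zeek disables
# misc/scan this way, so a commented line must not count as loaded).
list_active_loads() {
    sed -n 's/^[[:space:]]*@load[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# sumstat_users FILE SITEDIR: for each active @load in FILE, look for the
# script under SITEDIR (assumption: one site directory, no ZEEKPATH search)
# and print the module name when the script references SumStats::.
sumstat_users() {
    list_active_loads "$1" | while read -r mod; do
        for cand in "$2/$mod" "$2/$mod.zeek" "$2/$mod.bro"; do
            if [ -f "$cand" ] && grep -q 'SumStats::' "$cand"; then
                echo "$mod"
                break
            fi
        done
    done
}

# demo: build a constructed site directory resembling the one in the thread
# and return the SumStats users as one space-separated line.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/local.zeek" <<'EOF'
@load misc/loaded-scripts
#@load misc/scan
@load detect-ms15-034
@load http-basic-auth-bruteforce
@load simple-scan
EOF
    printf 'event zeek_init() { SumStats::create([$name="ms15-034"]); }\n' > "$d/detect-ms15-034.bro"
    printf 'SumStats::observe("auth.fail", [$host=c$id$orig_h], [$num=1]);\n' > "$d/http-basic-auth-bruteforce.bro"
    printf 'event connection_attempt(c: connection) { }\n' > "$d/simple-scan.zeek"
    echo $(sumstat_users "$d/local.zeek" "$d")   # unquoted on purpose: joins lines
    rm -rf "$d"
}

demo
```

Running it prints `detect-ms15-034 http-basic-auth-bruteforce`; the commented-out misc/scan and the scan script without SumStats:: are not reported.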