From rodrigokroll at gmail.com Sun Feb 3 09:26:05 2019
From: rodrigokroll at gmail.com (-- Rodrigo Kroll --)
Date: Sun, 3 Feb 2019 12:26:05 -0500
Subject: [Zeek] Bro IDS IP-based global whitelist for bro scripts

Hello guys,

I've been working on a project where we have multiple bro rules and it is challenging to manage whitelists for each rule. I've created a bro module that helps manage whitelists for bro scripts in a single file.

More info: https://github.com/rodrigokroll/zeek_globalwhitelist

I intend to improve capabilities adding CIDR and domain names. Feedback is welcome.

From neyens.s at gmail.com Mon Feb 4 18:03:55 2019
From: neyens.s at gmail.com (Stephen Neyens)
Date: Mon, 4 Feb 2019 21:03:55 -0500
Subject: [Zeek] Bro 2.5/2.6 on FIPS-enabled Host

I have tried my Google-fu far and wide, but I have not found a solution yet to operate Bro on a FIPS-enabled host. When FIPS is enabled via the kernel, Bro refuses to start because of its use of MD5. Any assistance in the matter would be appreciated.

- Stephen

From johanna at icir.org Tue Feb 5 02:01:31 2019
From: johanna at icir.org (Johanna Amann)
Date: Tue, 05 Feb 2019 19:01:31 +0900
Subject: [Zeek] Bro 2.5/2.6 on FIPS-enabled Host
Message-ID: <96BA696A-E605-431C-A7DA-C3489F74F7E9@icir.org>

Hi Stephen,

a pull request about this was actually just merged; see https://github.com/zeek/zeek/pull/232 and https://github.com/zeek/zeek/pull/255.

This will be in the 2.7 version once it is released. For 2.6 and earlier, the easiest is probably to set the magic "MD5 is allowed" environment variable that most distributions that I know offer, and to note in your security policy that this is ok because Zeek does not use MD5 for security, only to output hash information.
Johanna

On 5 Feb 2019, at 11:03, Stephen Neyens wrote:
> I have tried my Google-fu far and wide, but I have not found a
> solution yet to operate Bro on a FIPS-enabled host. When FIPS is
> enabled via the kernel, Bro refuses to start because of its use of
> MD5. Any assistance in the matter would be appreciated.
>
> - Stephen
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From neyens.s at gmail.com Tue Feb 5 04:46:02 2019
From: neyens.s at gmail.com (Stephen Neyens)
Date: Tue, 5 Feb 2019 07:46:02 -0500
Subject: [Zeek] Bro 2.5/2.6 on FIPS-enabled Host
In-Reply-To: <96BA696A-E605-431C-A7DA-C3489F74F7E9@icir.org>
Message-ID: <1180282E-8229-4633-BB36-188B35C30E43@gmail.com>

Johanna,

Thank you. This has put me in the right direction.

- Stephen
From krasinski at cines.fr Tue Feb 5 06:34:35 2019
From: krasinski at cines.fr (Nicolas KRASINSKI)
Date: Tue, 5 Feb 2019 15:34:35 +0100 (CET)
Subject: [Zeek] Multiple email recipients
Message-ID: <1622563208.101056039.1549377275402.JavaMail.zimbra@cines.fr>

Hello,

Is there a way to have multiple recipients of the Bro alerts? I have a script that sends emails for 5 alerts. I would like to send some alerts to some different recipients...

Could I define this directly in my script or in broctl.cfg or others?

Thanks in advance for your help

Nicolas

From rdownie at mitre.org Wed Feb 6 07:19:37 2019
From: rdownie at mitre.org (Downie, Bob)
Date: Wed, 6 Feb 2019 15:19:37 +0000
Subject: [Zeek] ftp filesize

Bro ftp log only seems to record file_size for files that are pulled down from the interwebs. It does not record file size for files that are uploaded. Is this the expected behavior? We are running bro-2.5.3. Any help would be appreciated.

Thanks,

-Bob
From pssunu6 at gmail.com Thu Feb 7 02:26:46 2019
From: pssunu6 at gmail.com (ps sunu)
Date: Thu, 7 Feb 2019 15:56:46 +0530
Subject: [Zeek] bro-osquery

Hi,

I am using bro version 2.5 and I tried to enable bro-osquery and I got the below error:

broctl deploy
/osquery/./framework/./hosts_send.bro, line 76: unknown identifier Broker::subscribe, at or near "Broker::subscribe"

From krasinski at cines.fr Thu Feb 7 08:08:47 2019
From: krasinski at cines.fr (Nicolas KRASINSKI)
Date: Thu, 7 Feb 2019 17:08:47 +0100 (CET)
Subject: [Zeek] Multiple email recipients
In-Reply-To: <1622563208.101056039.1549377275402.JavaMail.zimbra@cines.fr>
Message-ID: <507627059.4041973.1549555727810.JavaMail.zimbra@cines.fr>

Hello,

I found "Notice::mail_dest", so I define this in my script:

    redef Notice::mail_dest = "user@domain.com";

    redef Notice::emailed_types += {
        SSH::Password_Guessing,
    };

    hook Notice::policy(n: Notice::Info)
        {
        if ( n$note == SSH::Password_Guessing )
            add n$actions[Notice::ACTION_EMAIL];
        }

It doesn't work... the alert is always sent to the default email in broctl.cfg.

I see in the documentation: "Note this is overridden by the BroControl MailTo option."

Do you know how I can use the 'mail_dest' option correctly?

Thanks

Nicolas.
From daniel.guerra69 at gmail.com Thu Feb 7 15:25:30 2019
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Fri, 8 Feb 2019 00:25:30 +0100
Subject: [Zeek] [zeek] udp/tcp nat hole punching

Hi All,

Has anybody experience on detecting nat hole punching methods? It is used by several chat programs that use stun, or could be used to intrude. The purpose is creating a peer to peer connection through multiple NAT firewalls. It produces lots of connections with connection_state S0 and history S, e.g. syn only packets. This rfc explains it: https://tools.ietf.org/html/rfc5128.

From daniel.guerra69 at gmail.com Fri Feb 8 04:08:53 2019
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Fri, 8 Feb 2019 13:08:53 +0100
Subject: [Zeek] ftp filesize
Message-ID: <183e642e-db93-7a42-ed46-efa8fccc2bf6@gmail.com>

Hi Bob,

Files live in the file log. The uid from the ftp log leads to the file in the file log. In the file log you can find the size of the file.

Regards,

Daniel
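An added example, not code from the thread or from Zeek itself: joining a Bro/Zeek ftp.log with files.log to recover the size of uploads, using constructed sample logs (column subsets of the real logs; every uid, fuid, host and byte count is made up). The join key is the fuid column of ftp.log, because files.log's conn_uids names the FTP data connection, not the control connection that ftp.log records.

```python
"""Recover FTP upload sizes by joining Zeek ftp.log with files.log.

ftp.log fills file_size only when the server reports it (a RETR after a
SIZE reply), so uploads (STOR/STOU/APPE) usually show "-".  Each ftp.log
entry carries a fuid pointing at the files.log record for the transferred
file, and files.log records seen_bytes / total_bytes for both directions.
"""
from typing import Dict, List, Optional

# Zeek's unset marker and its empty-container marker.
UNSET = {"-", "(empty)"}
# FTP commands that move a file from client to server.
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}


def _tsv(rows: List[List[str]]) -> str:
    return "\n".join("\t".join(r) for r in rows) + "\n"


# Constructed sample logs (a subset of the real column set; the parser is
# driven by the #fields header, so the full column set parses the same way).
FTP_LOG = "#separator \\x09\n#path\tftp\n" + _tsv([
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "user", "command", "arg", "file_size", "reply_code", "fuid"],
    # Download: the server answered SIZE, so file_size is populated.
    ["1549468800.100000", "CHhAvVGS1DHFjwGM9", "10.0.0.5", "50321", "10.0.0.9", "21",
     "bob", "RETR", "ftp://10.0.0.9/pub/tool.tgz", "1048576", "226", "Fkq3Zd2bRg9HJmP5"],
    # Upload: file_size unset, but the fuid is present.
    ["1549468860.200000", "C4J4Th3PJpwUYZZ6gc", "10.0.0.5", "50340", "10.0.0.9", "21",
     "bob", "STOR", "ftp://10.0.0.9/incoming/report.pdf", "-", "226", "F8sTnf4H9Gh2cRkL1"],
    # Upload still in progress: no reply code yet, files.log total_bytes unset.
    ["1549468920.300000", "CmES5u32sYpV7JYN", "10.0.0.7", "50410", "10.0.0.9", "21",
     "alice", "STOR", "ftp://10.0.0.9/incoming/big.iso", "-", "-", "FzKb1m3RpQs7Wn4t"],
    # Upload whose data channel was never captured (no fuid at all).
    ["1549468980.400000", "CbNoFuid1111111111", "10.0.0.8", "50500", "10.0.0.9", "21",
     "carol", "STOR", "ftp://10.0.0.9/incoming/lost.bin", "-", "426", "-"],
])

FILES_LOG = "#separator \\x09\n#path\tfiles\n" + _tsv([
    ["#fields", "ts", "fuid", "tx_hosts", "rx_hosts", "conn_uids", "source",
     "is_orig", "seen_bytes", "total_bytes", "missing_bytes"],
    # conn_uids differ from the ftp.log uids: they are the data connections.
    ["1549468800.150000", "Fkq3Zd2bRg9HJmP5", "10.0.0.9", "10.0.0.5", "Cd1DataChan1111111",
     "FTP_DATA", "F", "1048576", "1048576", "0"],
    ["1549468860.250000", "F8sTnf4H9Gh2cRkL1", "10.0.0.5", "10.0.0.9", "Cd2DataChan2222222",
     "FTP_DATA", "T", "204800", "204800", "0"],
    ["1549468920.350000", "FzKb1m3RpQs7Wn4t", "10.0.0.7", "10.0.0.9", "Cd3DataChan3333333",
     "FTP_DATA", "T", "5242880", "-", "0"],
])


def parse_zeek_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse a Zeek ASCII (TSV) log into dicts keyed by the #fields header.

    Unset values ("-") and empty containers ("(empty)") become None so that
    callers cannot mistake them for real data."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #path, #types, #close ...
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append({k: (None if v in UNSET else v) for k, v in zip(fields, values)})
    return records


def upload_sizes(ftp_text: str, files_text: str) -> Dict[str, Optional[int]]:
    """Map each FTP upload's control-connection uid to its size in bytes.

    total_bytes is preferred; when it is unset, seen_bytes (what actually
    crossed the wire so far) is used.  An upload with no matching files.log
    record maps to None rather than raising: an uncaptured data channel is
    normal on a live sensor and should be reported, not hidden."""
    files_by_fuid = {r["fuid"]: r for r in parse_zeek_log(files_text) if r["fuid"]}
    sizes: Dict[str, Optional[int]] = {}
    for rec in parse_zeek_log(ftp_text):
        if rec["command"] not in UPLOAD_COMMANDS:
            continue
        if rec["file_size"] is not None:   # server reported it; keep the log's value
            sizes[rec["uid"]] = int(rec["file_size"])
            continue
        f = files_by_fuid.get(rec["fuid"]) if rec["fuid"] else None
        size: Optional[int] = None
        if f is not None:
            raw = f["total_bytes"] if f["total_bytes"] is not None else f["seen_bytes"]
            size = int(raw) if raw is not None else None
        sizes[rec["uid"]] = size
    return sizes
```

On real logs, read ftp.log and files.log from the same rotation window, since a file record may land in a later files.log than its control connection.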
From ejmartin2 at wpi.edu Sat Feb 9 03:39:44 2019
From: ejmartin2 at wpi.edu (Martin, Eric J)
Date: Sat, 9 Feb 2019 11:39:44 +0000
Subject: [Zeek] PFRING support on RPM packages

I'm overhauling some East / West sensors, and one thought is to deploy Zeek to minimize what we need to manage (as opposed to individual Snort / Argus sensors). Since these machines are using Intel 525 cards, I will be using PFRing as a load balancer. Does the bro RPM support this? I looked and don't think so, though I wanted to ask here before rolling my own RPM.

Please excuse any typos / brevity, I'm on my mobile.

Thank you,
--
Eric Martin
Information Security Engineer
Worcester Polytechnic Institute

From ericooi at gmail.com Sat Feb 9 06:51:19 2019
From: ericooi at gmail.com (Eric Ooi)
Date: Sat, 9 Feb 2019 08:51:19 -0600
Subject: [Zeek] PFRING support on RPM packages

Don't think they do either, especially since the official Zeek documentation includes a step on compiling from source to do it.

https://www.zeek.org/documentation/load-balancing.html

Just in case it helps, I wrote an article on installing Zeek from source with PF_RING on CentOS.

https://www.ericooi.com/zeekurity-zen-part-i-how-to-install-zeek-bro-on-centos-7/

I'm eventually going to change it to use AF_PACKET instead, as that's what seems to be recommended in past threads from the Zeek folks. I've also been using AF_PACKET in my own production system at work without issues.
From thushjandan.ponnudurai at id.unibe.ch Mon Feb 11 01:13:04 2019
From: thushjandan.ponnudurai at id.unibe.ch (thushjandan.ponnudurai at id.unibe.ch)
Date: Mon, 11 Feb 2019 09:13:04 +0000
Subject: [Zeek] Mirror the first N packets of a flow to Zeek
Message-ID: <135ee90ffebc4150b02fc4014e843e01@id.unibe.ch>

Hi guys,

I am considering evaluating Zeek for my organization. To reduce the data, which could accumulate if we start mirroring the traffic, my team is considering not mirroring the full traffic. To achieve this goal we have found on our Extreme Networks K- and S-Series Switches a very interesting feature. They are able to mirror the first few packets of a flow. It is possible to adjust this value, for example to the first 15 packets of a flow.

Can Zeek also work well with the first 15 packets of a flow?

Best regards,

Thushjandan
From jan.grashoefer at gmail.com Mon Feb 11 08:10:57 2019
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Mon, 11 Feb 2019 17:10:57 +0100
Subject: [Zeek] PFRING support on RPM packages
Message-ID: <30909ef6-62f7-da46-f577-b350e606ea55@gmail.com>

On 09/02/2019 15:51, Eric Ooi wrote:
> I'm eventually going to change it to use AF_PACKET instead, as that's what
> seems to be recommended in past threads from the Zeek folks. I've also
> been using AF_PACKET in my own production system at work without issues.

Note that the AF_Packet plugin does not need Bro/Zeek sources anymore to build, as Bro/Zeek 2.6 comes with the necessary include files.

Jan

From ssakai at sdsc.edu Mon Feb 11 10:42:16 2019
From: ssakai at sdsc.edu (Scott Sakai)
Date: Mon, 11 Feb 2019 10:42:16 -0800
Subject: [Zeek] Mirror the first N packets of a flow to Zeek
In-Reply-To: <135ee90ffebc4150b02fc4014e843e01@id.unibe.ch>
Message-ID: <9cd5ec4c-1bdf-7a5b-6399-4e9cb611cbd5@sdsc.edu>

That largely depends on what you want to get out of Zeek, and the size of the packets. As an example, the packets may vary in size from 576 bytes to 1500 or 9000+ bytes. If your mirror only counts packets, not payload bytes, that's the difference between somewhat usable data from the protocol analyzers and garbage.

You may also want the -last- packets in the flow, in particular the fin, fin+ack, and rst; otherwise the conn log won't have accurate information about the flow's duration or size.

If you just need a "there was an attempted connection that probably succeeded", then yeah, 15 packets will do. Deeper analysis requires more data, though not necessarily all of the flow.

It seems like your switches may be able to track flows.
If this is the case, maybe see if they can also drop flows from the mirror on demand. Zeek has the capability to say "Stop sending me this flow, I am done with it." (implementing the flow shunting on an uncommon switch may be an exercise for the student). In such a case, you'll still want to get Zeek the packet headers with ack, fin, rst, so the connection tracking still works.

--
Scott Sakai
Security Analyst
San Diego Supercomputer Center
ssakai at sdsc.edu
+1-858-822-0851

From mnmblair at hotmail.com Tue Feb 12 11:38:03 2019
From: mnmblair at hotmail.com (COLIN BLAIR)
Date: Tue, 12 Feb 2019 19:38:03 +0000
Subject: [Zeek] Unusual broctl netstats reporting with pf_ring

Hi All,

Our Bro is reporting very strange netstats statistics. The drop number is more than twice the link number. Any ideas on what is happening here?
broctl netstats:

Average packet loss as percent across all Bro workers: 251.835667
worker-1-1: 1550022753.774609 recvd=35689158 dropped=86096548 link=35689158
worker-1-2: 1550022753.788585 recvd=34277909 dropped=87669653 link=34277909
worker-1-3: 1550022753.789779 recvd=34412791 dropped=87326521 link=34412791
worker-1-4: 1550022753.794761 recvd=34869235 dropped=86902007 link=34869235
worker-1-5: 1550022753.799623 recvd=34265107 dropped=87488621 link=34265107
worker-1-6: 1550022753.804947 recvd=34060558 dropped=87602513 link=34060558
worker-1-7: 1550022753.814827 recvd=34218781 dropped=87558368 link=34218781
worker-1-8: 1550022753.820166 recvd=34766455 dropped=86960847 link=34766455
worker-1-9: 1550022753.834761 recvd=34332784 dropped=87497148 link=34332784
worker-1-10: 1550022753.835729 recvd=35214323 dropped=86518901 link=35214323

capture_loss.log:

1550021287.104721 900.000010 worker-1-10 272473 425817 63.988286
1550021287.109046 900.000035 worker-1-3 270351 423410 63.850877
1550021287.107021 900.000046 worker-1-7 259620 400463 64.829959
1550021287.114122 900.000029 worker-1-6 245851 376472 65.303927
1550021287.112851 900.000041 worker-1-9 248946 382272 65.12274
1550021287.115733 900.000003 worker-1-1 282999 446957 63.316829
1550021287.234103 900.000051 worker-1-2 265041 413733 64.06088
1550021293.032640 905.925803 worker-1-4 261831 403461 64.896235
1550021296.088983 908.982076 worker-1-8 259122 398183 65.076108
1550021306.079690 918.960314 worker-1-5 251744 384902 65.4047

I have verified Bro is linked to pfring libpcap and pfringclusterid = 21 is in broctl.cfg.
=========================================================================
Capture Interface
=========================================================================

eth0: flags=4547 mtu 1500
        ether 0c:c4:7a:cf:66:b8 txqueuelen 1000 (Ethernet)
        RX packets 1220292429 bytes 283890695229 (264.3 GiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 0 bytes 0 (0.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

=========================================================================
PF_RING
=========================================================================

PF_RING Version : 7.5.0 (unknown)
Total rings : 13

Standard (non ZC) Options
Ring slots : 65536
Slot version : 17
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0

Name: eth0
Index: 14
Address: 0C:C4:7A:CF:66:B8
Polling Mode: NAPI
Type: Ethernet
Family: Standard NIC
# Bound Sockets: 13
TX Queues: 32
RX Queues: 32

node.cfg:

[manager]
type=manager
host=localhost

[logger]
type=logger
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=10
pin_cpus=1,2,3,4,5,6,7,8,9,10

Thank you in advance.

CB

From thushjandan.ponnudurai at id.unibe.ch Tue Feb 12 23:13:15 2019
From: thushjandan.ponnudurai at id.unibe.ch (thushjandan.ponnudurai at id.unibe.ch)
Date: Wed, 13 Feb 2019 07:13:15 +0000
Subject: [Zeek] Mirror the first N packets of a flow to Zeek
In-Reply-To: <9cd5ec4c-1bdf-7a5b-6399-4e9cb611cbd5@sdsc.edu>

Hi Scott,

Thank you for your detailed explanation!
The switches we mentioned are actually configured such that they export netflow-v9 information about all flows and additionally the first 15 payload packets of each flow. So we think that with those two information sources each flow should be fully identified.

We'll contact the switch vendor - Extreme Networks - to ask about the possibility to stop sending flow information and partial mirror packets on demand.

Best regards,

Thushjandan
From seth at corelight.com Wed Feb 13 07:38:06 2019
From: seth at corelight.com (Seth Hall)
Date: Wed, 13 Feb 2019 07:38:06 -0800
Subject: [Zeek] ftp filesize

File sizes for FTP are a bit tricky. The scripts are just watching for the server to indicate the file size in a reply message. I'm not sure if the file size is transmitted by the client when a file is being uploaded, I'd have to refer to some pcaps. If it is indicated by the client then I think we could view that as a missing implementation though.

.Seth
--
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com

From johanna at icir.org Wed Feb 13 15:55:10 2019
From: johanna at icir.org (Johanna Amann)
Date: Wed, 13 Feb 2019 15:55:10 -0800
Subject: [Zeek] Zeek workshop Europe @ CERN - call for presentations
In-Reply-To: <20190122190857.wmetbuyskniat5by@Trafalgar.local>
Message-ID: <20190213235505.hdo7aijzlccqlzaj@Trafalgar.local>

Hello everyone,

this is a reminder that the deadline for presentation submissions is the 25th. If you have something that you want to talk about at the Zeek Workshop at CERN, please drop an email to info at zeek.org.

Thanks a lot,
Johanna

On Tue, Jan 22, 2019 at 11:08:57AM -0800, Johanna Amann wrote:
> Hi,
>
> this email is a short reminder of the upcoming Zeek Workshop Europe 2019
> (April 9-11 @CERN, Geneva, Switzerland).
>
> The program will consist of talks by the Bro development team and external
> contributors. As in our last event, a large part of the development team
> will be attending the workshop.
>
> There are still a bunch of open spots - you can register at
> https://indico.cern.ch/event/762505/ (also linked from https://zeek.org).
>
> We also are still looking for presenters - if you have a topic that you
> might want to give a talk about, please submit a talk abstract to
> info at zeek.org. The deadline for this submission is February 25th, 2019.
>
> Please note that there is a MISP training/workshop hosted at CERN right
> after the Zeek workshop - you can find more information linked from the
> event page.
>
> Johanna

From krasinski at cines.fr Thu Feb 14 06:18:40 2019
From: krasinski at cines.fr (Nicolas KRASINSKI)
Date: Thu, 14 Feb 2019 15:18:40 +0100 (CET)
Subject: [Zeek] Multiple email recipients
In-Reply-To: <507627059.4041973.1549555727810.JavaMail.zimbra@cines.fr>
Message-ID: <1308016171.13741200.1550153920307.JavaMail.zimbra@cines.fr>

Can somebody help me?

I tried to put

    const mail_dest = "user@domain.com" &redef;

in /framework/notice/main.bro or my local.bro but nothing works.

I tried also to put in my script

    redef Notice::mail_dest = "user@domain.com";

but nothing works.

How can I send ACTION_ALARM to the email of "mail_dest"?

I'm really lost...

Thanks in advance,

Nicolas.
From rdownie at mitre.org Thu Feb 14 14:00:06 2019
From: rdownie at mitre.org (Downie, Bob)
Date: Thu, 14 Feb 2019 22:00:06 +0000
Subject: [Zeek] corelight/bro-community-id seed
Message-ID: <84629DE1-03F3-4A84-A8B6-D0CE81C21111@mitre.org>

Can someone tell me how to set the bro community id seed value? Redef?

Thanks,

-Bob

From jsiwek at corelight.com Thu Feb 14 14:40:07 2019
From: jsiwek at corelight.com (Jon Siwek)
Date: Thu, 14 Feb 2019 16:40:07 -0600
Subject: [Zeek] Multiple email recipients
In-Reply-To: <1308016171.13741200.1550153920307.JavaMail.zimbra@cines.fr>

On Thu, Feb 14, 2019 at 8:21 AM Nicolas KRASINSKI wrote:
> I tried also to put in my script
> redef Notice::mail_dest = "user@domain.com";
> but nothing works.
>
> How can I send ACTION_ALARM to the email of "mail_dest"?

If you are using BroControl, have you tried setting the MailTo option and/or MailAlarmsTo option in broctl.cfg?
As you saw from the documentation, those take precedence over values defined in scripts.

- Jon

From jsiwek at corelight.com Thu Feb 14 14:46:50 2019
From: jsiwek at corelight.com (Jon Siwek)
Date: Thu, 14 Feb 2019 16:46:50 -0600
Subject: [Zeek] corelight/bro-community-id seed
In-Reply-To: <84629DE1-03F3-4A84-A8B6-D0CE81C21111@mitre.org>

On Thu, Feb 14, 2019 at 4:04 PM Downie, Bob wrote:
>
> Can someone tell me how to set the bro community id seed value? Redef?

Yeah, judging from [1], looks like you want something like:

    redef CommunityID::seed = 123;

- Jon

[1] https://github.com/corelight/bro-community-id/blob/ff1d566982591da846f76d4c4d4b595cb6d9ce41/scripts/Corelight/CommunityID/__load__.bro#L8

From nafisa.mandliwala at gmail.com Thu Feb 14 17:04:57 2019
From: nafisa.mandliwala at gmail.com (Nafisa Mandliwala)
Date: Thu, 14 Feb 2019 17:04:57 -0800
Subject: [Zeek] Compilation without linux-vdso

Hi all,

I've been trying to get Zeek to work on a platform that does not support linux-vdso.

I see that vdso has 4 syscalls, of which the first 3 are used in the code:
1. gettimeofday
2. clock_gettime
3. time
4. getcpu

A few things that I already tried doing:
1. For the time being, removing all usages of "gettimeofday" and "clock_gettime"
2. Commenting out the following from cmake files and bro-config:
   check_include_files(HAV_SYS_TIME_H)
   check_include_files("time.h;sys/time.h", TIME_WITH_SYS_TIME)

I'm not sure I'm doing everything to replace/remove the occurrences of the syscalls, because ldd still shows that the bro executable is linking to linux-vdso.so and the LD logs show that symbols for those syscalls are being fetched (segfaults at this point).

Please let me know if I'm missing something?

Thanks,
Nafisa
From jsiwek at corelight.com Fri Feb 15 09:17:27 2019
From: jsiwek at corelight.com (Jon Siwek)
Date: Fri, 15 Feb 2019 11:17:27 -0600
Subject: [Zeek] Compilation without linux-vdso

Bro shouldn't depend on vDSO directly, it's libc that optionally depends on vDSO, so I don't think you want to patch the Bro source code to remove those syscalls -- it's just using standard library functionality.

I haven't looked much into how to disable vDSO, you can maybe search that out more on your own if that's really what you need, but I'd guess there's some kernel/boot option for it. It also was not clear why you say the platform doesn't support vDSO, but the kernel goes ahead and maps/links linux-vdso.so anyway -- seems weird, so you may have to give more specifics on the particular platform.
- Jon

From nafisa.mandliwala at gmail.com Fri Feb 15 19:02:20 2019
From: nafisa.mandliwala at gmail.com (Nafisa Mandliwala)
Date: Fri, 15 Feb 2019 19:02:20 -0800
Subject: [Zeek] Compilation without linux-vdso

Thanks a lot for the response. I did a little bit of debugging myself and
the problem is now reduced to using a custom (with some modifications for
the platform) version of gcc.

To make this happen, I tried set(CMAKE_C_COMPILER) but ./configure goes
into an infinite loop, which I think is a bug:
https://public.kitware.com/pipermail/cmake/2009-November/033133.html

I then tried to run configure like this:

    CC= CXX= CFLAGS= CXXFLAGS= ./configure

This picks the right compiler but runs into issues with openssl (header not
found). I tried adding root and include paths for openssl by calling
append_cache_entry() but it doesn't work.

Was just wondering if I'm missing something here? Are there more changes
required to safely replace the default compiler?

Thanks,
Nafisa

On Fri, Feb 15, 2019 at 9:17 AM Jon Siwek wrote:
> On Thu, Feb 14, 2019 at 7:13 PM Nafisa Mandliwala wrote:
>
> > I've been trying to get Zeek to work on a platform that does not
> > support linux-vdso.
> >
> > I see that vdso has 4 syscalls, of which the first 3 are used in the
> > code:
> > 1. gettimeofday
> > 2. clock_gettime
> > 3. time
> > 4. getcpu
> >
> > A few things that I already tried doing:
> > 1. For the time being, removing all usages of "gettimeofday" and
> > "clock_gettime"
> > 2. Commenting out the following from the cmake files and bro-config:
> >        check_include_files(HAV_SYS_TIME_H)
> >        check_include_files("time.h;sys/time.h", TIME_WITH_SYS_TIME)
> >
> > I'm not sure I'm doing everything to replace/remove the occurrences of
> > the syscalls because ldd still shows that the bro executable is linking to
> > linux-vdso.so and the LD logs show that symbols for those syscalls are
> > being fetched (segfaults at this point)
>
> Bro shouldn't depend on vDSO directly, it's libc that optionally
> depends on vDSO, so I don't think you want to patch the Bro source
> code to remove those syscalls -- it's just using standard library
> functionality.
>
> I haven't looked much into how to disable vDSO, you can maybe search
> that out more on your own if that's really what you need, but I'd
> guess there's some kernel/boot option for it. It also was not clear
> why you say the platform doesn't support vDSO, but the kernel goes
> ahead and maps/links linux-vdso.so anyway -- seems weird, so you may
> have to give more specifics on the particular platform.
>
> - Jon

From krasinski at cines.fr Mon Feb 18 01:54:16 2019
From: krasinski at cines.fr (Nicolas KRASINSKI)
Date: Mon, 18 Feb 2019 10:54:16 +0100 (CET)
Subject: [Zeek] Multiple email recipients
References: <96BA696A-E605-431C-A7DA-C3489F74F7E9@icir.org> <1180282E-8229-4633-BB36-188B35C30E43@gmail.com> <1622563208.101056039.1549377275402.JavaMail.zimbra@cines.fr> <507627059.4041973.1549555727810.JavaMail.zimbra@cines.fr> <1308016171.13741200.1550153920307.JavaMail.zimbra@cines.fr>
Message-ID: <771325385.19828190.1550483656599.JavaMail.zimbra@cines.fr>

Thanks, it works fine with MailAlarmsTo in broctl.cfg.

But MailAlarmsTo works with ACTION_ALARM and sends only alarm summary
mails, not directly the alarm...

Thank you,
Nicolas.
From: "Jon Siwek"
To: "krasinski"
Cc: "zeek"
Sent: Thursday 14 February 2019 23:40:07
Subject: Re: [Zeek] Multiple email recipients

On Thu, Feb 14, 2019 at 8:21 AM Nicolas KRASINSKI wrote:
> I tried also to put in my script
> redef Notice::mail_dest = "user at domain.com";
> but nothing works.
>
> How can I send ACTION_ALARM to the email of "mail_dest"?

If you are using BroControl, have you tried setting the MailTo option
and/or MailAlarmsTo option in broctl.cfg? As you saw from the
documentation, those take precedence over values defined in scripts.

- Jon

From jsiwek at corelight.com Mon Feb 18 08:13:31 2019
From: jsiwek at corelight.com (Jon Siwek)
Date: Mon, 18 Feb 2019 10:13:31 -0600
Subject: [Zeek] Compilation without linux-vdso

On Fri, Feb 15, 2019 at 9:02 PM Nafisa Mandliwala wrote:
> I then tried to run configure like this:
> CC= CXX= CFLAGS= CXXFLAGS= ./configure
>
> This picks the right compiler but runs into issues with openssl (header not found). I tried adding root and include paths for openssl by calling append_cache_entry() but it doesn't work.

I'd first try using the --with-openssl= configure option before manually
patching in workarounds. Or if you must patch, I'd probably hack in custom
paths just before "FindRequiredPackage(OpenSSL)" in CMakeLists.txt rather
than the configure script. If you're patching source code directly and
still have problems, it's hard to help further unless you give the exact
patch you are using.

> Was just wondering if I'm missing something here? Are there more changes required to safely replace the default compiler?

I think you were setting the compiler fine, but sounds like now the
OpenSSL headers not being found is likely a separate/unrelated issue to
figure out.
- Jon

From nothinrandom at gmail.com Mon Feb 18 22:52:06 2019
From: nothinrandom at gmail.com (TQ)
Date: Mon, 18 Feb 2019 22:52:06 -0800
Subject: [Zeek] MAC Address In Logs

Is there a way to include MAC address in all of the logs or custom written
logs? I saw the documentation
(https://docs.zeek.org/en/latest/scripts/policy/protocols/conn/mac-logging.bro.html),
but didn't see any MAC addresses even though I could see them in Wireshark.

Thanks,

From shirkdog.bsd at gmail.com Tue Feb 19 06:29:46 2019
From: shirkdog.bsd at gmail.com (Michael Shirk)
Date: Tue, 19 Feb 2019 09:29:46 -0500
Subject: [Zeek] MAC Address In Logs

You need to add the following to your local.bro script to enable it, as it
is not on by default:

    @load policy/protocols/conn/mac-logging

On Tue, Feb 19, 2019 at 2:07 AM TQ wrote:
>
> Is there a way to include MAC address in all of the logs or custom written logs? I saw the documentation (https://docs.zeek.org/en/latest/scripts/policy/protocols/conn/mac-logging.bro.html), but didn't see any MAC addresses even though I could see them in Wireshark.
>
> Thanks,
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

--
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com

From nothinrandom at gmail.com Tue Feb 19 15:38:39 2019
From: nothinrandom at gmail.com (TQ)
Date: Tue, 19 Feb 2019 15:38:39 -0800
Subject: [Zeek] MAC Address In Logs

Thanks for the reply, Michael. So I went into
/usr/local/bro/share/bro/site/local.bro and uncommented this line:
@load policy/protocols/conn/mac-logging. I reran bro and checked all log
files, but none contain the MAC address. This is running on Zeek 2.6.1.
I'm not sure what to expect (i.e. two columns for source/destination
MAC?). Maybe I'm missing another step?

Thanks,

On Tue, Feb 19, 2019 at 6:30 AM Michael Shirk wrote:
> You need to add the following to your local.bro script to enable it,
> as it is not on by default:
>
> @load policy/protocols/conn/mac-logging
>
> On Tue, Feb 19, 2019 at 2:07 AM TQ wrote:
> >
> > Is there a way to include MAC address in all of the logs or custom
> > written logs? I saw the documentation (
> > https://docs.zeek.org/en/latest/scripts/policy/protocols/conn/mac-logging.bro.html),
> > but didn't see any MAC addresses even though I could see them in Wireshark.
> >
> > Thanks,
>
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com

From chris at cwalsh.org Tue Feb 19 17:02:45 2019
From: chris at cwalsh.org (Chris Walsh)
Date: Tue, 19 Feb 2019 19:02:45 -0600
Subject: [Zeek] MAC Address In Logs

In my 2.5.3 installation, the comment above the line in question says that
the MAC addrs will be logged to the conn.log file. This is what happens
for me. From there, they can be linked to other logs via the uid field.

Are you sure that your conn.log does not have the orig_l2_addr and
resp_l2_addr fields?

Chris

> On Feb 19, 2019, at 5:38 PM, TQ wrote:
>
> Thanks for the reply, Michael. So I went into /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load policy/protocols/conn/mac-logging. I reran bro and checked all log files, but none contain the MAC address. This is running on Zeek 2.6.1. I'm not sure what to expect (i.e. two columns for source/destination MAC?). Maybe I'm missing another step?
>
> Thanks,

From nothinrandom at gmail.com Tue Feb 19 17:40:38 2019
From: nothinrandom at gmail.com (TQ)
Date: Tue, 19 Feb 2019 17:40:38 -0800
Subject: [Zeek] MAC Address In Logs

Hi Chris,

I only see these headers for conn.log:

    #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents

Using the same commands I always use:

    sudo ./bro -C -r ~/Desktop/pcap/test.pcap

Wireshark shows MAC just fine. I don't need to rebuild bro again, right?
Just need to edit the /usr/local/bro/share/bro/site/local.bro file. The
only file that shows a column for mac is the dhcp.log

Thanks,

On Tue, Feb 19, 2019 at 5:02 PM Chris Walsh wrote:
> In my 2.5.3 installation, the comment above the line in question says that
> the MAC addrs will be logged to the conn.log file. This is what happens
> for me. From there, they can be linked to other logs via the uid field.
>
> Are you sure that your conn.log does not have the orig_l2_addr and
> resp_l2_addr fields?
>
> Chris
>
> > On Feb 19, 2019, at 5:38 PM, TQ wrote:
> >
> > Thanks for the reply, Michael. So I went into
> > /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load
> > policy/protocols/conn/mac-logging. I reran bro and checked all log files,
> > but none contain the MAC address. This is running on Zeek 2.6.1. I'm not
> > sure what to expect (i.e. two columns for source/destination MAC?). Maybe
> > I'm missing another step?
> >
> > Thanks,
>
From michalpurzynski1 at gmail.com Tue Feb 19 18:21:56 2019
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Tue, 19 Feb 2019 18:21:56 -0800
Subject: [Zeek] MAC Address In Logs

If testing with a cluster - have you re-deployed your Zeek?

"broctl deploy" needs to be run after each change to scripts and
configuration. You can see what scripts are loaded with the "broctl
scripts" command, so just run

    broctl scripts | grep mac

If testing with a pcap - some scripts are not loaded by default when you
just run zeek from the command line. You can try with

    bro -C -r policy/protocols/conn/mac-logging

to explicitly load this script.

On Tue, Feb 19, 2019 at 5:46 PM TQ wrote:
> Hi Chris,
>
> I only see these headers for conn.log:
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
>
> Using the same commands I always use: sudo ./bro -C -r
> ~/Desktop/pcap/test.pcap
>
> Wireshark shows MAC just fine. I don't need to rebuild bro again, right?
> Just need to edit the /usr/local/bro/share/bro/site/local.bro file. The
> only file that shows a column for mac is the dhcp.log
>
> Thanks,
>
> On Tue, Feb 19, 2019 at 5:02 PM Chris Walsh wrote:
>
>> In my 2.5.3 installation, the comment above the line in question says
>> that the MAC addrs will be logged to the conn.log file. This is what
>> happens for me. From there, they can be linked to other logs via the uid
>> field.
>>
>> Are you sure that your conn.log does not have the orig_l2_addr and
>> resp_l2_addr fields?
>>
>> Chris
>>
>> > On Feb 19, 2019, at 5:38 PM, TQ wrote:
>> >
>> > Thanks for the reply, Michael.
>> > So I went into /usr/local/bro/share/bro/site/local.bro and uncommented
>> > this line: @load policy/protocols/conn/mac-logging. I reran bro and
>> > checked all log files, but none contain the MAC address. This is running
>> > on Zeek 2.6.1. I'm not sure what to expect (i.e. two columns for
>> > source/destination MAC?). Maybe I'm missing another step?
>> >
>> > Thanks,
>>

From nothinrandom at gmail.com Tue Feb 19 20:29:04 2019
From: nothinrandom at gmail.com (TQ)
Date: Tue, 19 Feb 2019 20:29:04 -0800
Subject: [Zeek] MAC Address In Logs

Hi Michal,

This is strange. I went into the source folder bro-2.6.1/scripts/site/ and
changed local.bro and even rebuilt again. No MAC address in log. However,
running your suggestion of "bro -C -r policy/protocols/conn/mac-logging"
allows me to see MAC address in conn.log now. So do you know what exactly
is the issue here? Is there a way to include MAC address in other logs
such as http.log, dns.log, etc? Thanks for your help!

Thanks,

On Tue, Feb 19, 2019 at 6:22 PM Michał Purzyński wrote:
> If testing with a cluster - have you re-deployed your Zeek?
>
> "broctl deploy" needs to be run after each change to scripts and
> configuration. You can see what scripts are loaded with the "broctl
> scripts" command, so just run
>
> broctl scripts | grep mac
>
> If testing with a pcap - some scripts are not loaded by default when you
> just run zeek from the command line. You can try with
>
> bro -C -r policy/protocols/conn/mac-logging
>
> to explicitly load this script.
>
> On Tue, Feb 19, 2019 at 5:46 PM TQ wrote:
>
>> Hi Chris,
>>
>> I only see these headers for conn.log:
>> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
>>
>> Using the same commands I always use: sudo ./bro -C -r
>> ~/Desktop/pcap/test.pcap
>>
>> Wireshark shows MAC just fine. I don't need to rebuild bro again,
>> right? Just need to edit the /usr/local/bro/share/bro/site/local.bro
>> file. The only file that shows a column for mac is the dhcp.log
>>
>> Thanks,
>>
>> On Tue, Feb 19, 2019 at 5:02 PM Chris Walsh wrote:
>>
>>> In my 2.5.3 installation, the comment above the line in question says
>>> that the MAC addrs will be logged to the conn.log file. This is what
>>> happens for me. From there, they can be linked to other logs via the uid
>>> field.
>>>
>>> Are you sure that your conn.log does not have the orig_l2_addr and
>>> resp_l2_addr fields?
>>>
>>> Chris
>>>
>>> > On Feb 19, 2019, at 5:38 PM, TQ wrote:
>>> >
>>> > Thanks for the reply, Michael. So I went into
>>> /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load
>>> policy/protocols/conn/mac-logging. I reran bro and checked all log files,
>>> but none contain the MAC address. This is running on Zeek 2.6.1. I'm not
>>> sure what to expect (i.e. two columns for source/destination MAC?). Maybe
>>> I'm missing another step?
>>> >
>>> > Thanks,
>>>
From michalpurzynski1 at gmail.com Tue Feb 19 20:45:20 2019
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Tue, 19 Feb 2019 20:45:20 -0800
Subject: [Zeek] MAC Address In Logs

It's what I said already.

Running Bro without installation, from the command line, does not load the
local.bro. The mac-addr script, when loaded manually, will add your MAC
address to the conn.log and nowhere else. Frankly, there is no need for
that as you usually pivot between various log files.

On Tue, Feb 19, 2019 at 8:29 PM TQ wrote:
> Hi Michal,
>
> This is strange. I went into the source folder bro-2.6.1/scripts/site/
> and changed local.bro and even rebuilt again. No MAC address in log.
> However, running your suggestion of "bro -C -r
> policy/protocols/conn/mac-logging" allows me to see MAC address in conn.log
> now. So do you know what exactly is the issue here? Is there a way to
> include MAC address in other logs such as http.log, dns.log, etc? Thanks
> for your help!
>
> Thanks,
>
> On Tue, Feb 19, 2019 at 6:22 PM Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>
>> If testing with a cluster - have you re-deployed your Zeek?
>>
>> "broctl deploy" needs to be run after each change to scripts and
>> configuration. You can see what scripts are loaded with the "broctl
>> scripts" command, so just run
>>
>> broctl scripts | grep mac
>>
>> If testing with a pcap - some scripts are not loaded by default when you
>> just run zeek from the command line. You can try with
>>
>> bro -C -r policy/protocols/conn/mac-logging
>>
>> to explicitly load this script.
>>
>> On Tue, Feb 19, 2019 at 5:46 PM TQ wrote:
>>
>>> Hi Chris,
>>>
>>> I only see these headers for conn.log:
>>> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
>>>
>>> Using the same commands I always use: sudo ./bro -C -r
>>> ~/Desktop/pcap/test.pcap
>>>
>>> Wireshark shows MAC just fine. I don't need to rebuild bro again,
>>> right? Just need to edit the /usr/local/bro/share/bro/site/local.bro
>>> file. The only file that shows a column for mac is the dhcp.log
>>>
>>> Thanks,
>>>
>>> On Tue, Feb 19, 2019 at 5:02 PM Chris Walsh wrote:
>>>
>>>> In my 2.5.3 installation, the comment above the line in question says
>>>> that the MAC addrs will be logged to the conn.log file. This is what
>>>> happens for me. From there, they can be linked to other logs via the uid
>>>> field.
>>>>
>>>> Are you sure that your conn.log does not have the orig_l2_addr and
>>>> resp_l2_addr fields?
>>>>
>>>> Chris
>>>>
>>>> > On Feb 19, 2019, at 5:38 PM, TQ wrote:
>>>> >
>>>> > Thanks for the reply, Michael. So I went into
>>>> /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load
>>>> policy/protocols/conn/mac-logging. I reran bro and checked all log files,
>>>> but none contain the MAC address. This is running on Zeek 2.6.1. I'm not
>>>> sure what to expect (i.e. two columns for source/destination MAC?). Maybe
>>>> I'm missing another step?
>>>> >
>>>> > Thanks,
>>>>
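The mac-logging script only adds the two link-layer fields to conn.log, so getting them into a per-protocol log such as http.log means extending that log's own Info record and copying the same endpoint fields (c$orig$l2_addr, c$resp$l2_addr) that mac-logging.bro reads. The script below is an added example for this thread, not code from the thread or from the Zeek distribution; it assumes Zeek 2.6 script syntax and the base HTTP scripts, and the module name HTTPL2 is invented for the example:

```zeek
##! Added example (not from the thread or the Zeek project): carry the
##! link-layer addresses into http.log, the way mac-logging does for conn.log.
##! Assumes Zeek 2.6 and the base HTTP analyzer scripts.

@load base/frameworks/notice
@load base/protocols/http

module HTTPL2;

# Add two optional, logged columns to the record behind http.log.
redef record HTTP::Info += {
	## Link-layer address of the originator, if available.
	orig_l2_addr: string &log &optional;
	## Link-layer address of the responder, if available.
	resp_l2_addr: string &log &optional;
};

# The endpoint records only carry l2_addr when the packet source had an
# Ethernet header (a raw-IP pcap or some tunnels will not), hence the ?$ checks.
function copy_l2(c: connection)
	{
	if ( ! c?$http )
		return;

	if ( c$orig?$l2_addr && ! c$http?$orig_l2_addr )
		c$http$orig_l2_addr = c$orig$l2_addr;

	if ( c$resp?$l2_addr && ! c$http?$resp_l2_addr )
		c$http$resp_l2_addr = c$resp$l2_addr;
	}

# The base HTTP scripts create c$http in these events at priority 5,
# so a lower priority guarantees the record exists when we fill it.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=3
	{
	copy_l2(c);
	}

event http_reply(c: connection, version: string, code: count, reason: string) &priority=3
	{
	copy_l2(c);
	}
```

The same pattern (redef the Info record, copy from c$orig / c$resp in an event that runs after the base script has created the per-connection record) applies to dns.log or any custom log; for a log your own script defines, set the fields directly where you build the record. As with conn.log, remember that a deployed cluster only picks this up after broctl deploy, and a command-line run only when the script is passed explicitly or loaded from local.bro.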
From nothinrandom at gmail.com Tue Feb 19 21:14:45 2019
From: nothinrandom at gmail.com (TQ)
Date: Tue, 19 Feb 2019 21:14:45 -0800
Subject: [Zeek] MAC Address In Logs

I did install bro using "sudo ./configure && sudo make && sudo make
install", but still no MAC address unless I force loading like you
suggested. I have a special use case where I need MAC address on every
single custom script log, so I peeked into
/usr/local/bro/share/bro/policy/protocols/conn/mac-logging.bro and noticed
that I just needed to add these into the record:

    ## Link-layer address of the originator, if available.
    orig_l2_addr: string &log &optional;
    ## Link-layer address of the responder, if available.
    resp_l2_addr: string &log &optional;

and these into the events:

    if ( c$orig?$l2_addr )
        c$conn$orig_l2_addr = c$orig$l2_addr;
    if ( c$resp?$l2_addr )
        c$conn$resp_l2_addr = c$resp$l2_addr;

Everything is working great now. Thanks all for the help!

On Tue, Feb 19, 2019 at 8:45 PM Michał Purzyński wrote:
> It's what I said already.
>
> Running Bro without installation, from the command line, does not load the
> local.bro. The mac-addr script, when loaded manually, will add your MAC
> address to the conn.log and nowhere else. Frankly, there is no need for
> that as you usually pivot between various log files.
>
>
> On Tue, Feb 19, 2019 at 8:29 PM TQ wrote:
>
>> Hi Michal,
>>
>> This is strange. I went into the source folder bro-2.6.1/scripts/site/
>> and changed local.bro and even rebuilt again. No MAC address in log.
>> However, running your suggestion of "bro -C -r
>> policy/protocols/conn/mac-logging" allows me to see MAC address in conn.log
>> now. So do you know what exactly is the issue here? Is there a way to
>> include MAC address in other logs such as http.log, dns.log, etc? Thanks
>> for your help!
>>
>> Thanks,
>>
>> On Tue, Feb 19, 2019 at 6:22 PM Michał
>> Purzyński <michalpurzynski1 at gmail.com> wrote:
>>
>>> If testing with a cluster - have you re-deployed your Zeek?
>>>
>>> "broctl deploy" needs to be run after each change to scripts and
>>> configuration. You can see what scripts are loaded with the "broctl
>>> scripts" command, so just run
>>>
>>> broctl scripts | grep mac
>>>
>>> If testing with a pcap - some scripts are not loaded by default when you
>>> just run zeek from the command line. You can try with
>>>
>>> bro -C -r policy/protocols/conn/mac-logging
>>>
>>> to explicitly load this script.
>>>
>>>
>>> On Tue, Feb 19, 2019 at 5:46 PM TQ wrote:
>>>
>>>> Hi Chris,
>>>>
>>>> I only see these headers for conn.log:
>>>> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
>>>>
>>>> Using the same commands I always use: sudo ./bro -C -r
>>>> ~/Desktop/pcap/test.pcap
>>>>
>>>> Wireshark shows MAC just fine. I don't need to rebuild bro again,
>>>> right? Just need to edit the /usr/local/bro/share/bro/site/local.bro
>>>> file. The only file that shows a column for mac is the dhcp.log
>>>>
>>>> Thanks,
>>>>
>>>> On Tue, Feb 19, 2019 at 5:02 PM Chris Walsh wrote:
>>>>
>>>>> In my 2.5.3 installation, the comment above the line in question says
>>>>> that the MAC addrs will be logged to the conn.log file. This is what
>>>>> happens for me. From there, they can be linked to other logs via the uid
>>>>> field.
>>>>>
>>>>> Are you sure that your conn.log does not have the orig_l2_addr and
>>>>> resp_l2_addr fields?
>>>>>
>>>>> Chris
>>>>>
>>>>> > On Feb 19, 2019, at 5:38 PM, TQ wrote:
>>>>> >
>>>>> > Thanks for the reply, Michael. So I went into
>>>>> /usr/local/bro/share/bro/site/local.bro and uncommented this line: @load
>>>>> policy/protocols/conn/mac-logging.
>>>>> > I reran bro and checked all log files,
>>>>> but none contain the MAC address. This is running on Zeek 2.6.1. I'm not
>>>>> sure what to expect (i.e. two columns for source/destination MAC?). Maybe
>>>>> I'm missing another step?
>>>>> >
>>>>> > Thanks,
>>>>>

From christian at corelight.com Wed Feb 20 16:43:37 2019
From: christian at corelight.com (Christian Kreibich)
Date: Wed, 20 Feb 2019 16:43:37 -0800
Subject: [Zeek] ftp filesize

On 2/13/19 7:38 AM, Seth Hall wrote:
> I'm not sure if the file size is transmitted by the client when a
> file is being uploaded, I'd have to refer to some pcaps. If it is
> indicated by the client then I think we could view that as a missing
> implementation though.

Fwiw, from the examples I have I don't see a size indication -- not in
the STORs, nor in commands/responses surrounding it.

Best,
-C.

From johanna at icir.org Mon Feb 25 09:07:08 2019
From: johanna at icir.org (Johanna Amann)
Date: Mon, 25 Feb 2019 09:07:08 -0800
Subject: [Zeek] Zeek workshop Europe @ CERN - call for presentations
In-Reply-To: <20190213235505.hdo7aijzlccqlzaj@Trafalgar.local>
References: <20190122190857.wmetbuyskniat5by@Trafalgar.local> <20190213235505.hdo7aijzlccqlzaj@Trafalgar.local>
Message-ID: <20190225170708.5meceiyajfdpstd4@Trafalgar.local>

And another reminder - the deadline for presentation submissions at the
Zeek workshop at CERN on April 9 - 11 is today. If you are interested in
giving a talk, please send an email to info at zeek.org.
Johanna

On Wed, Feb 13, 2019 at 03:55:10PM -0800, Johanna Amann wrote:
> Hello everyone,
>
> this is a reminder that the deadline for presentation submissions is the
> 25th. If you have something that you want to talk about at the Zeek
> Workshop at CERN, please drop an email to info at zeek.org.
>
> Thanks a lot,
> Johanna
>
> On Tue, Jan 22, 2019 at 11:08:57AM -0800, Johanna Amann wrote:
> > Hi,
> >
> > this email is a short reminder of the upcoming Zeek Workshop Europe 2019
> > (April 9-11 @CERN, Geneva, Switzerland).
> >
> > The program will consist of talks by the Bro development team and external
> > contributors. As in our last event, a large part of the development team
> > will be attending the workshop.
> >
> > There are still a bunch of open spots - you can register at
> > https://indico.cern.ch/event/762505/ (also linked from https://zeek.org).
> >
> > We also are still looking for presenters - if you have a topic that you
> > might want to give a talk about, please submit a talk abstract to
> > info at zeek.org. The deadline for this submission is February 25th, 2019.
> >
> > Please note that there is a MISP training/workshop hosted at CERN right
> > after the Zeek workshop - you can find more information linked from the
> > event page.
> >
> > Johanna
>

From phatbuckett at gmail.com Tue Feb 26 17:14:37 2019
From: phatbuckett at gmail.com (Darren S.)
Date: Tue, 26 Feb 2019 18:14:37 -0700
Subject: [Zeek] File detection signature - ISO

ISO files (ISO 9660 media images) - magic bytes 43 44 30 30 31 (CD001) at
offset(s). Is this omitted intentionally for any reason (confidence or
similar), or is it sensible to add a signature for this?
Just noting delivery of malicious ISO files as malware containers over
recent years. I notice recent libmagic having a couple of entries for this.

How would an update or addition typically happen?

https://github.com/zeek/zeek/tree/master/scripts/base/frameworks/files/magic

--
Darren Spruell
phatbuckett at gmail.com

From jsiwek at corelight.com Wed Feb 27 08:21:39 2019
From: jsiwek at corelight.com (Jon Siwek)
Date: Wed, 27 Feb 2019 10:21:39 -0600
Subject: [Zeek] File detection signature - ISO

On Tue, Feb 26, 2019 at 7:17 PM Darren S. wrote:
>
> ISO files (ISO 9660 media images) - magic bytes 43 44 30 30 31 (CD001)
> at offset(s). Is this omitted intentionally for any reason (confidence
> or similar),

Maybe omitted because of the way the matching works -- it buffers up to a
certain number of bytes (default is 4096) at the beginning of the file and
then checks for matches once upon the buffer becoming full. Seems the
offset needed to check for the magic 'CD001' identifier is 32k+ ? That may
be a bit much to do generally.

> or is it sensible to add a signature for this?

You can try extending the signatures with your own for it, but may also
need to increase the `default_file_bof_buffer_size` option and test that
doesn't have undesired performance effects.

> How would an update or addition typically happen?
>
> https://github.com/zeek/zeek/tree/master/scripts/base/frameworks/files/magic

Typically, a simple pull request to add a signature would be considered,
but here I'm not sure how likely it would be to include one for ISO 9660
by default since it also means an increase in the default buffer sizes
used for all file type matching. That requires more cautious performance
and resource utilization testing/review.
Though maybe an alternate route would be if there's changes to the file
matching engine to make it sophisticated enough to better match this case
with minimal resources -- that would be something to consider, but also
more involved/effortful.

- Jon

From eshelton at butler.net Wed Feb 27 19:47:57 2019
From: eshelton at butler.net (eshelton)
Date: Wed, 27 Feb 2019 20:47:57 -0700
Subject: [Zeek] Detection of packets with no TCP flags set

Good evening,

My Google-fu is failing me right now, so I wanted to reach out to the list
to see if anyone has ever attempted to use Zeek to detect packets with no
TCP flags set?

In Snort land, a signature would look something like this:

    alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Port 443 and no TCP flags set"; flags:0; classtype:misc-activity; sid:7;)

Before anyone asks, I'll just go ahead and state that "yes Virginia, these
packets do really exist in the real world..." (though rare).

Thanks in advance,

-E

From jawren at cisco.com Thu Feb 28 08:15:41 2019
From: jawren at cisco.com (Jay Wren (jawren))
Date: Thu, 28 Feb 2019 16:15:41 +0000
Subject: [Zeek] Access the encrypted TLS payload

Hello,

Apologies for my ignorant question, my C++ is worse than rusty and I'm
completely new to binpac.

I'm trying to access the CiphertextRecord restofdata here:
https://github.com/zeek/zeek/blob/master/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac#L59

I'm expecting SSLRecord to have the data in the rec vector, based on how
SSLRecord is defined. I must be misunderstanding something:
https://github.com/jrwren/zeek/blob/6f7b2973bd23690b6cac65b4d8c0f8fa64e72758/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac#L61

The RecordText vector is always empty. How can I get at the encrypted data?
Thanks,
--
Jay

From anthony.kasza at gmail.com Thu Feb 28 08:43:51 2019
From: anthony.kasza at gmail.com (anthony kasza)
Date: Thu, 28 Feb 2019 09:43:51 -0700
Subject: [Zeek] Detection of packets with no TCP flags set

I tried feeding Zeek two pcap files.

The first was a single TCP SYN packet with the flags nulled out. Zeek
complained that the pcap only contained TCP control packets. The single
entry in the conn.log file had a conn_state of OTH.

The second was a single TLS connection over TCP. I nulled out the TCP
flags of a single encrypted data packet (after the TCP and TLS handshakes
had completed) and ran it through Zeek. Zeek processed the stream normally,
with correct files, conn, x509, and ssl log entries, as if the packet I
changed had the appropriate flags.

Could you say more about the null-flag packets you are referring to? Do
you know what they are generated from?

-AK

On Wed, Feb 27, 2019, 20:51 eshelton wrote:
> Good evening,
>
> My Google-fu is failing me right now, so I wanted to reach out to the list
> to see if anyone has ever attempted to use Zeek to detect packets with no
> TCP flags set?
>
> In Snort land, a signature would look something like this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Port 443 and no
> TCP flags set"; flags:0; classtype:misc-activity; sid:7;)
>
> Before anyone asks, I'll just go ahead and state that "yes Virginia, these
> packets do really exist in the real world..." (though rare).
>
> Thanks in advance,
>
> -E
From bill.de.ping at gmail.com Thu Feb 28 13:54:13 2019
From: bill.de.ping at gmail.com (william de ping)
Date: Thu, 28 Feb 2019 23:54:13 +0200
Subject: [Zeek] - Writer for FIFO files
Message-ID:

Hi everyone,

I was wondering if anyone knows any way for the Bro ASCII writer to output directly to a FIFO file?

I wish to output logs to a FIFO file and have a reader app listening to it, without the need for file postprocessor actions.

Thanks
B

From jmellander at lbl.gov Thu Feb 28 10:57:18 2019
From: jmellander at lbl.gov (Jim Mellander)
Date: Thu, 28 Feb 2019 10:57:18 -0800
Subject: [Zeek] Detection of packets with no TCP flags set
In-Reply-To:
References:
Message-ID:

Zeek is mainly connection oriented, rather than packet oriented. However, you *could* write a policy that allows for detection of these packets using the raw_packet, new_packet, or tcp_packet events, bearing in mind the caveats in the documentation, particularly the expense of triggering events at the packet level.

If there is a particular concern about these packets (covert communication channel, perhaps?), it would be of interest.

Hope this helps,

Jim

On Thu, Feb 28, 2019 at 9:02 AM anthony kasza wrote:
> I tried feeding Zeek two pcap files.
>
> The first was a single TCP SYN packet with the flags nulled out. Zeek
> complained that the pcap only contained TCP control packets. The single
> entry in the conn.log file had a conn_state of OTH.
>
> The second was a single TLS connection over TCP. I nulled out the TCP
> flags of a single encrypted data packet (after the TCP and TLS handshakes
> had completed) and ran it through Zeek. Zeek processed the stream normally,
> with correct files, conn, x509, and ssl log entries, as if the packet I
> changed had the appropriate flags.
>
> Could you say more about the null-flag packets you are referring to? Do
> you know what they are generated from?
>
> -AK
>
> On Wed, Feb 27, 2019, 20:51 eshelton wrote:
>> Good evening,
>>
>> My Google-fu is failing me right now, so I wanted to reach out to the
>> list to see if anyone has ever attempted to use Zeek to detect packets with
>> no TCP flags set?
>>
>> In Snort land, a signature would look something like this:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Port 443 and no
>> TCP flags set"; flags:0; classtype:misc-activity; sid:7;)
>>
>> Before anyone asks, I'll just go ahead and state that "yes Virginia, these
>> packets do really exist in the real world..." (though rare).
>>
>> Thanks in advance,
>>
>> -E
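A Zeek script along the lines Jim describes, added here as an illustration and not code from the thread or from the Zeek project. It handles raw_packet, which Zeek generates once per packet before the TCP reassembler runs, and raises a notice when the TCP flag byte is zero, which is what the Snort rule earlier in the thread tests with flags:0. Working at the packet level matters here because, as Anthony found, a null-flag segment in the middle of an established stream is reassembled as if its flags were normal, so conn.log and ssl.log never single it out. The module name, the notice type and the watched_ports knob are my own choices for the example; pkt_hdr, tcp_hdr$flags, raw_packet and the Notice framework are standard Zeek.

```zeek
# Added example, not part of the mailing-list thread or of Zeek itself.
# Flag TCP segments whose flag byte is zero (the Snort "flags:0" case).
# raw_packet fires once per IP packet before TCP reassembly, so a
# null-flag data segment inside an otherwise normal stream is still seen.

@load base/frameworks/notice

module NullTCPFlags;

export {
	redef enum Notice::Type += {
		## A TCP segment arrived with no flags set at all.
		Null_Flags
	};

	## Destination ports to watch; leave the set empty to watch every port.
	## (A knob chosen for this example, not a Zeek built-in.)
	const watched_ports: set[port] = { 443/tcp } &redef;
}

# raw_packet is generated for every packet Zeek processes, which is
# expensive on a busy link (Jim's caveat), so do the cheap tests first
# and return as early as possible.
event raw_packet(p: pkt_hdr)
	{
	# Not TCP: nothing to look at.
	if ( ! p?$tcp )
		return;

	# tcp_hdr$flags is the raw 8-bit flag field
	# (FIN, SYN, RST, PSH, ACK, URG, ECE, CWR). Zero means none is set.
	if ( p$tcp$flags != 0 )
		return;

	if ( |watched_ports| > 0 && p$tcp$dport !in watched_ports )
		return;

	# Addresses live in either the IPv4 or the IPv6 header record.
	local src: addr = p?$ip ? p$ip$src : p$ip6$src;
	local dst: addr = p?$ip ? p$ip$dst : p$ip6$dst;

	NOTICE([$note=Null_Flags,
	        $msg=fmt("TCP segment with no flags set: %s:%s -> %s:%s",
	                 src, p$tcp$sport, dst, p$tcp$dport),
	        $src=src, $dst=dst, $p=p$tcp$dport,
	        # Collapse repeats: one notice per (src, dst, dport) within
	        # Notice::default_suppression_interval.
	        $identifier=cat(src, dst, p$tcp$dport)]);
	}
```

Run it as `zeek -r capture.pcap null_flags.zeek` (`bro -r ...` on 2.6 and earlier) and look in notice.log. The test is on the whole flag byte, so a segment with only ECE or CWR set is not reported; drop those bits with a mask first if that is the behaviour wanted. Because raw_packet runs for every packet, keep watched_ports narrow on a live tap, or use the script only against pcaps, as Jim's cost warning suggests.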
