From jlay at slave-tothe-box.net Fri Jan 4 08:13:39 2019
From: jlay at slave-tothe-box.net (James Lay)
Date: Fri, 04 Jan 2019 09:13:39 -0700
Subject: [Zeek] Bro package question
Message-ID: <76c5e15688e799877221db7a2fa33b28@slave-tothe-box.net>

So...who do we go to when a package has issues? Thank you.

James

From dopheide at gmail.com Fri Jan 4 08:50:37 2019
From: dopheide at gmail.com (Mike Dopheide)
Date: Fri, 4 Jan 2019 10:50:37 -0600
Subject: [Zeek] Bro package question
In-Reply-To: <76c5e15688e799877221db7a2fa33b28@slave-tothe-box.net>
References: <76c5e15688e799877221db7a2fa33b28@slave-tothe-box.net>

Generally, I would say the package author. Unless it was a collaborative effort, they may be the only one that knows how it works. If they don't respond or it's no longer maintained, then you can always fork the repo and use bro-pkg to install that directly.

-Dop

On Fri, Jan 4, 2019 at 10:29 AM James Lay wrote:
> So...who do we go to when a package has issues? Thank you.
>
> James
> _______________________________________________
> Zeek mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From fatema.bannatwala at gmail.com Fri Jan 4 09:17:15 2019
From: fatema.bannatwala at gmail.com (fatema bannatwala)
Date: Fri, 4 Jan 2019 12:17:15 -0500
Subject: [Zeek] Known_services detection for MODBUS

Hi All,

I had a recent case where MODBUS was reported in the known_services.log file for the scanning attempts on port 502, and no connection being set up. I always thought that a known_service is logged when the complete handshake is seen in the connection:

$ zcat known_services.22:00:00-23:00:00.log.gz | grep "128.175.10.187" | grep "MODBUS" | more
1544756649.284460  128.175.10.187  502  tcp  MODBUS
1544756677.105590  128.175.10.187  502  tcp  MODBUS

$ zcat conn.22:00:00-23:00:00.log.gz | grep "modbus" | awk -F'\t' '{if ($5 ~ /128.175.10.187/) print;}' | more
1544756649.284460  Coix4i2Hvzy3fHMFH5  118.26.141.219  3901  128.175.10.187  502  tcp  modbus  -  -  -  S0  F  T  0  S  1  60  0  0  (empty)  worker-2-10
1544756677.105590  C1wLrc4pJoc30fJvL   118.26.141.219  1471  128.175.10.187  502  tcp  modbus  -  -  -  S0  F  T  0  S  1  60  0  0  (empty)  worker-4-5

Usually the number of entries logged in the known_services.log file ranges between 900-2000 for an hour, but that day for a single hour it was completely swamped by the MODBUS service logs for the heavy scanning on port 502.

$ zcat known_services.22:00:00-23:00:00.log.gz | grep "MODBUS" | wc -l
96949

I am looking into the issue, but just wanted to share here if someone already knows about this and can provide any inputs, don't want to re-invent the wheel :)

Thanks!
Fatema.
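The conn.log rows above carry conn_state S0 (SYN seen, no reply) while known_services.log still lists MODBUS on that host. A quick way to measure how much of a known_services hour came from connections that never completed the handshake is to join the two logs on the responder host, port, protocol and timestamp. The following Python is an added example, not code from the thread or from Zeek: the conn.log rows are constructed from the two lines quoted above plus one made-up established session, the column order is the Zeek 2.6 TSV layout shown in the post, and it assumes the known_services timestamp equals the matching conn.log timestamp (as it does in the quoted output).

```python
"""Cross-check known_services.log against conn.log: which "known" services
were learned from connections whose TCP handshake never completed?

Added example, not from the thread or from Zeek. Sample rows are constructed.
"""
from collections import Counter

# Zeek conn_state values that imply the three-way handshake completed
# (S1/S2/S3/SF: established; RSTO/RSTR: established, then reset by one side).
ESTABLISHED_STATES = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}

# conn.log columns in the order quoted in the thread (tab-separated, no header)
CONN_COLUMNS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
    "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]
KNOWN_COLUMNS = ["ts", "host", "port_num", "port_proto", "service"]

# Constructed sample: the two S0 scan attempts from the thread and one
# hypothetical completed MODBUS session from an internal host (uid made up).
CONN_LOG = """\
1544756649.284460\tCoix4i2Hvzy3fHMFH5\t118.26.141.219\t3901\t128.175.10.187\t502\ttcp\tmodbus\t-\t-\t-\tS0\tF\tT\t0\tS\t1\t60\t0\t0\t(empty)
1544756677.105590\tC1wLrc4pJoc30fJvL\t118.26.141.219\t1471\t128.175.10.187\t502\ttcp\tmodbus\t-\t-\t-\tS0\tF\tT\t0\tS\t1\t60\t0\t0\t(empty)
1544756700.000000\tCxxxxxConstructed1\t10.20.30.40\t40001\t128.175.10.187\t502\ttcp\tmodbus\t1.2\t96\t120\tSF\tT\tT\t0\tShADadFf\t6\t420\t5\t390\t(empty)
"""

KNOWN_SERVICES_LOG = """\
1544756649.284460\t128.175.10.187\t502\ttcp\tMODBUS
1544756677.105590\t128.175.10.187\t502\ttcp\tMODBUS
1544756700.000000\t128.175.10.187\t502\ttcp\tMODBUS
"""


def parse_tsv(text, columns):
    """Turn Zeek TSV rows into dicts; '#' header/comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(columns, line.split("\t"))))
    return rows


def index_conns(conn_text):
    """Key each connection by (ts, resp host, resp port, proto); assumption:
    known_services.log carries the same ts as the conn it was learned from."""
    index = {}
    for row in parse_tsv(conn_text, CONN_COLUMNS):
        index[(row["ts"], row["id.resp_h"], row["id.resp_p"], row["proto"])] = row
    return index


def unestablished_known_services(known_text, conn_text):
    """Return (host, port, service, conn_state) for known_services rows whose
    connection never reached an established state, or has no conn row at all."""
    conns = index_conns(conn_text)
    flagged = []
    for row in parse_tsv(known_text, KNOWN_COLUMNS):
        conn = conns.get((row["ts"], row["host"], row["port_num"], row["port_proto"]))
        state = conn["conn_state"] if conn else "no-conn"
        if state not in ESTABLISHED_STATES:
            flagged.append((row["host"], row["port_num"], row["service"], state))
    return flagged


def state_histogram(known_text, conn_text):
    """Count known_services entries per conn_state: a cheap way to spot an
    hour in which S0 scan noise swamped the log."""
    conns = index_conns(conn_text)
    counts = Counter()
    for row in parse_tsv(known_text, KNOWN_COLUMNS):
        conn = conns.get((row["ts"], row["host"], row["port_num"], row["port_proto"]))
        counts[conn["conn_state"] if conn else "no-conn"] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, port, service, state in unestablished_known_services(KNOWN_SERVICES_LOG, CONN_LOG):
        print(f"{host}:{port} {service} learned from conn_state={state}")
    print(state_histogram(KNOWN_SERVICES_LOG, CONN_LOG))
```

On the constructed data the two S0 rows are flagged and the SF row is not; run against a real hour's logs, a histogram dominated by S0 is the signature of the scan-driven flood described above.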
From zander.work at oregonstate.edu Mon Jan 7 15:18:07 2019
From: zander.work at oregonstate.edu (Zander Work)
Date: Mon, 7 Jan 2019 15:18:07 -0800
Subject: [Zeek] Question about reporter log entries
Message-ID: <01b3c1fa-596f-6eda-d66c-259e64a2265d@oregonstate.edu>

There are a couple different entries in the Zeek reporter.log that I'm not sure how to resolve (my Google-fu has failed me on these):

* {"ts":"2019-01-07T08:21:04.323061Z","level":"Reporter::ERROR","message":"string with embedded NUL: \u0022\u005cx00\u005cx00\u005cx00\u005cx00\u005cx00\u005cx00\u005cx00\u005cx00NOTIFY\u0022","location":""}
* {"ts":"2019-01-07T15:42:30.457678Z","level":"Reporter::ERROR","message":"software/Log::WRITER_ASCII: count value too large for JSON: 10427193035649126500","location":""}

Could someone point me in the right direction on what could be causing these, and how I can resolve the errors?

Thank you!

--
Zander Work | Security Analyst | Office of Information Security | Oregon State University
A008 Kerr Admin Bldg | Corvallis, OR 97331 | Phone: 541-737-9800

From neslog at gmail.com Tue Jan 8 16:39:29 2019
From: neslog at gmail.com (Neslog)
Date: Tue, 8 Jan 2019 19:39:29 -0500
Subject: [Zeek] QUIC HTTP 3 support?

Hello Zeekers,

Does Zeek support Quic HTTP 3?

https://tools.ietf.org/html/draft-ietf-quic-http-17

From anthony.kasza at gmail.com Tue Jan 8 19:58:34 2019
From: anthony.kasza at gmail.com (anthony kasza)
Date: Tue, 8 Jan 2019 20:58:34 -0700
Subject: [Zeek] QUIC HTTP 3 support?

I am confident that once the HTTP/3 specification is completed Zeek will support it.

-AK

On Tue, Jan 8, 2019, 17:48 Neslog wrote:
> Hello Zeekers,
>
> Does Zeek support Quic HTTP 3?
>
> https://tools.ietf.org/html/draft-ietf-quic-http-17
>
> _______________________________________________
> Zeek mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From dopheide at gmail.com Tue Jan 8 20:22:31 2019
From: dopheide at gmail.com (Mike Dopheide)
Date: Tue, 8 Jan 2019 22:22:31 -0600
Subject: [Zeek] QUIC HTTP 3 support?

There are two packages you might want to check out. The first one I wrote as a sample which does a very basic job of trying to identify a connection as being Google QUIC or IETF draft. (In practice, I saw zero traffic actually adhering to the IETF draft; all QUIC traffic was Google's version.) The second is a Corelight re-write that does a much more in-depth analysis of Google QUIC.

https://github.com/dopheide-esnet/bro-quic
https://github.com/corelight/bro-quic

-Dop

On Tue, Jan 8, 2019 at 10:11 PM anthony kasza wrote:
> I am confident that once the HTTP/3 specification is completed Zeek will support it.
>
> -AK
>
> On Tue, Jan 8, 2019, 17:48 Neslog wrote:
>> Hello Zeekers,
>>
>> Does Zeek support Quic HTTP 3?
>>
>> https://tools.ietf.org/html/draft-ietf-quic-http-17
>>
>> _______________________________________________
>> Zeek mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
> _______________________________________________
> Zeek mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From daniel.guerra69 at gmail.com Thu Jan 10 04:59:08 2019
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Thu, 10 Jan 2019 13:59:08 +0100
Subject: [Zeek] [zeek] TLS version unknown-64282

Hi All,

I'm using the latest zeek on alpine 3.8. In recent instagram tls traffic, I see tls version unknown-64282. The resumed flag is set to true.

What is tls version unknown-64282?

Regards,
Daniel

From daniel.guerra69 at gmail.com Thu Jan 10 05:02:57 2019
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Thu, 10 Jan 2019 14:02:57 +0100
Subject: [Zeek] ja3 & ja3s with resumed tls
Message-ID: <3c20ff30-4c02-c42f-0a99-094fb61c9269@gmail.com>

Hi,

I'm researching ja3 and ja3s tls signatures. With resumed tls connections there is no complete handshake etc. Does it make sense to calculate a ja3 on resumed tls?

Regards,
Daniel

From johanna at icir.org Thu Jan 10 06:40:21 2019
From: johanna at icir.org (Johanna Amann)
Date: Thu, 10 Jan 2019 06:40:21 -0800
Subject: [Zeek] [zeek] TLS version unknown-64282

Hi Daniel,

this means that Zeek saw a TLS connection that specified 64282 as the version number. Translating that to hex helps in that case - this is 0xFB1A. Which is (as far as I know) a Facebook variant of TLS 1.3. Which has no official IANA assigned name.

I hope this helps,
Johanna

On 10 Jan 2019, at 4:59, Daniel Guerra wrote:
> Hi All,
>
> I'm using the latest zeek on alpine 3.8. In recent instagram tls traffic,
> I see tls version unknown-64282. The resumed flag is set to true.
>
> What is tls version unknown-64282.
>
> Regards,
>
> Daniel
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From johanna at icir.org Thu Jan 10 06:40:35 2019
From: johanna at icir.org (Johanna Amann)
Date: Thu, 10 Jan 2019 06:40:35 -0800
Subject: [Zeek] ja3 & ja3s with resumed tls
In-Reply-To: <3c20ff30-4c02-c42f-0a99-094fb61c9269@gmail.com>
References: <3c20ff30-4c02-c42f-0a99-094fb61c9269@gmail.com>

Hi Daniel,

unless I am missing something, there should be no difference in the signature of a resumed and a new connection for JA3. I don't remember them hashing anything in that has to do with session resumption.

Johanna

On 10 Jan 2019, at 5:02, Daniel Guerra wrote:
> Hi,
>
> I'm researching ja3 and ja3s tls signatures.
> With resumed tls connections there is no complete
> handshake etc. Does it make sense to calculate a ja3
> on resumed tls ?
>
> Regards,
> Daniel
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From brucekao at heliosdata.com Thu Jan 10 15:43:07 2019
From: brucekao at heliosdata.com (Bruce Kao)
Date: Thu, 10 Jan 2019 23:43:07 +0000
Subject: [Zeek] Bro file extraction & out of order packets behavior

Hi

I am currently investigating an issue with http file extraction with the file analyzer: very frequently I see missing_bytes in the file log, which causes the file to be incomplete and fails to extract the file or generate a hash.

I am running bro in a virtual machine sniffing on an interface in promiscuous mode that is on a virtual switch.

After examining a bunch of packet captures, I tracked the problem down to this: when Bro sees out of order ACKs before the actual packet, the problem with missing_bytes is observed.

This seems to me that there is no TCP reassembler (Bro's documents indicated that the TCP analyzer) for the HTTP analyzer (or file analyzer?), since reassembled TCP payloads are only delivered via a tcp_content event.

Does anyone have any information on how to make this work? Is it a configuration problem or...

Appreciate any tips that you may have, thanks!

From daniel.guerra69 at gmail.com Thu Jan 10 16:19:58 2019
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Fri, 11 Jan 2019 01:19:58 +0100
Subject: [Zeek] ja3 & ja3s with resumed tls
In-Reply-To: <3c20ff30-4c02-c42f-0a99-094fb61c9269@gmail.com>

Hi Johanna

I was thinking the same but after the results I became insecure about this. I have attached 2 examples.

Daniel

Example 1

resumed false

{
  "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "established": true,
  "client_cert_chain_fuids": "[]",
  "curve": "secp256r1",
  "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
  "ja3s": "7d3eb4120cd50e889bcd3f3783be0f82",
  "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
  "cert_chain_fuids": [
    "FwvSeKet5kqNoujSf",
    "FNxask2v3HjNVTB5ff"
  ],
  "dest_asname": "AppNexus, Inc",
  "next_protocol": "http/1.1",
  "type": "tls",
  "version": "TLSv12",
  "sni": "ib.adnxs.com",
  "src_ip": "192.168.1.93",
  "src_port": 58443,
  "uid": "Cfc50Q1EnIW0GAYWch",
  "dest_ip": "37.252.172.40",
  "validation_status": "ok",
  "resumed": false,
  "ja3": "b20b44b18b853ef29ab773e921b03422",
  "dest_port": 443,
  "timestamp": "2018-12-16T17:16:44.801Z"
}

next resumed true

{
  "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "established": true,
  "ja3s": "02bdc318d9f618eea3e10d0a7ba25ba0",
  "dest_asname": "AppNexus, Inc",
  "next_protocol": "http/1.1",
  "type": "tls",
  "version": "TLSv12",
  "sni": "ib.adnxs.com",
  "src_ip": "192.168.1.93",
  "src_port": 58446,
  "uid": "CyYQVc1FuxLDABqxpj",
  "dest_ip": "37.252.172.40",
  "resumed": true,
  "ja3": "334da95730484a993c6063e36bc90a47",
  "dest_port": 443,
  "timestamp": "2018-12-16T17:16:45.071Z"
}

Example 2

resumed false

{
  "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "established": true,
  "client_cert_chain_fuids": "[]",
  "curve": "secp256r1",
  "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
  "ja3s": "cabc8aadc20a64fa7156022319d177c0",
  "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
  "cert_chain_fuids": [
    "FCxxdLhSpJHRDMYv4",
    "FYW4Fs3VrkciMfUhc6"
  ],
  "dest_asname": "AppNexus, Inc",
  "next_protocol": "http/1.1",
  "type": "tls",
  "version": "TLSv12",
  "sni": "secure.adnxs.com",
  "src_ip": "192.168.1.93",
  "src_port": 55912,
  "uid": "CvUDsF40fhpESTJlLd",
  "dest_ip": "37.252.172.40",
  "validation_status": "ok",
  "resumed": false,
  "ja3": "5c118da645babe52f060d0754256a73c",
  "dest_port": 443,
  "timestamp": "2018-12-27T15:43:45.898Z"
}

resumed true

{
  "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "established": true,
  "ja3s": "93174bff9e6f484d06ff9552fe757554",
  "dest_asname": "AppNexus, Inc",
  "type": "tls",
  "version": "TLSv12",
  "sni": "secure.adnxs.com",
  "src_ip": "192.168.1.93",
  "src_port": 55927,
  "uid": "Ctr8MRZepl9Z0r6E6",
  "dest_ip": "37.252.172.40",
  "resumed": true,
  "ja3": "7b1ac424884b798ca987e3e27b99d1a8",
  "dest_port": 443,
  "timestamp": "2018-12-27T15:43:46.019Z"
}

On 10-01-19 at 15:40, Johanna Amann wrote:
> Hi Daniel,
>
> unless I am missing something, there should be no difference in the
> signature of a resumed and a new connection for JA3. I don't remember
> them hashing anything in that has to do with session resumption.
>
> Johanna
>
> On 10 Jan 2019, at 5:02, Daniel Guerra wrote:
>
>> Hi,
>>
>> I'm researching ja3 and ja3s tls signatures.
>> With resumed tls connections there is no complete
>> handshake etc. Does it make sense to calculate a ja3
>> on resumed tls ?
>>
>> Regards,
>> Daniel
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From shirkdog.bsd at gmail.com Thu Jan 10 16:22:56 2019
From: shirkdog.bsd at gmail.com (Michael Shirk)
Date: Thu, 10 Jan 2019 19:22:56 -0500
Subject: [Zeek] Bro file extraction & out of order packets behavior

Take a look at capture_loss.log to see if you are in fact not seeing complete connections. Missed bytes is telling you that there may be a problem in the acquisition of packets. Have you verified with a packet capture in Wireshark that you can reassemble the connection to get a complete file?

I would also create a clean pcap of the file transfer and then test you are getting your hits on the hash, and then figure out the issue with the packet acquisition. Sometimes you have to disable checksum verification on the NIC to get things working.

--
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com

On Thu, Jan 10, 2019, 18:51 Bruce Kao wrote:
> Hi
>
> I am currently investigating an issue with http file extraction with file
> analyzer that very frequently I see missing_bytes in the file log which
> causes the file to be incomplete and fails extract the file nor generate a
> hash.
>
> I am running bro in a virtual machine sniffing on a interface in
> promiscuous mode that's is on a virtual switch.
>
> After examining a bunch of packet captures, I tracked the problem down to
> that when Bro sees out of order ACKs before actual packet, the problem with
> missing_bytes is observed.
>
> This seems to me that there is no TCP reassembler Bro's documents
> indicated that the TCP analyzer for the HTTP analyzer (or file analyzer?),
> since reassembled TCP payloads are only delivered via a tcp_content event.
>
> Does anyone have any information on how to make this work? Is it a
> configuration problem or...
>
> Appreciate any tips that you may have thanks!
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From brucekao at heliosdata.com Thu Jan 10 16:33:52 2019
From: brucekao at heliosdata.com (Bruce Kao)
Date: Fri, 11 Jan 2019 00:33:52 +0000
Subject: [Zeek] Bro file extraction & out of order packets behavior

Hi Michael

Thanks for the reply. I understand that based on documentation, missing_bytes is supposed to indicate missing packets. I previously researched that problem and ended up disabling the interface tcp optimization options including checksum as shown in another Bro related thread. The disabling did work, as I don't see any missing packets when I capture packets on the virtual machine's interface.

However, this problem here seems different to me. Based on packet capture, all the packets do arrive. The difference here is that the ACK arrives prior to the packets themselves. In wireshark, it would show ACK'ing an unseen packet, and immediately shows that those packets arrive immediately after (wireshark marks those as retransmissions).

I have a http capture that is linked below which shows this sequence.

https://file.io/kBIkJr

________________________________
From: Michael Shirk
Sent: Thursday, January 10, 2019 4:22:56 PM
To: Bruce Kao
Cc: bro
Subject: Re: [Zeek] Bro file extraction & out of order packets behavior

Take a look at capture_loss.log to see if you are in fact not seeing complete connections. Missed bytes is telling you that there may be a problem in the acquisition of packets. Have you verified with a packet capture in Wireshark that you can reassemble the connection to get a complete file?

I would also create a clean pcap of the file transfer and then test you are getting your hits on the hash, and then figure out the issue with the packet acquisition. Sometimes you have to disable checksum verification on the NIC to get things working.

--
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com

On Thu, Jan 10, 2019, 18:51 Bruce Kao wrote:

Hi

I am currently investigating an issue with http file extraction with file analyzer that very frequently I see missing_bytes in the file log which causes the file to be incomplete and fails extract the file nor generate a hash.

I am running bro in a virtual machine sniffing on a interface in promiscuous mode that's is on a virtual switch.

After examining a bunch of packet captures, I tracked the problem down to that when Bro sees out of order ACKs before actual packet, the problem with missing_bytes is observed.

This seems to me that there is no TCP reassembler Bro's documents indicated that the TCP analyzer for the HTTP analyzer (or file analyzer?), since reassembled TCP payloads are only delivered via a tcp_content event.

Does anyone have any information on how to make this work? Is it a configuration problem or...

Appreciate any tips that you may have thanks!

_______________________________________________
Zeek mailing list
zeek at zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From john.b.althouse at gmail.com Thu Jan 10 17:39:49 2019
From: john.b.althouse at gmail.com (John B. Althouse)
Date: Thu, 10 Jan 2019 20:39:49 -0500
Subject: [Zeek] ja3 & ja3s with resumed tls
In-Reply-To: <3c20ff30-4c02-c42f-0a99-094fb61c9269@gmail.com>

Hey Daniel! I can help here.
So when a TLS session resumes there is still a Client Hello packet, however the details can be different in the resuming hello packet vs the original, producing a different JA3, which will produce a different response from the server and therefore a different JA3S. Capturing this with JA3 is by design. There could be interesting unique qualities to the resumed negotiations vs the original that could assist in building more complex detections. The fact that Zeek is able to differentiate between new and resumed connections makes it so you can use this data however you want, or ignore it completely. The power of networking metadata is in your hands.

John Althouse

On Thu, Jan 10, 2019 at 7:28 PM Daniel Guerra wrote:
> Hi Johanna
>
> I was thinking the same but after the results i became insecure about this.
> I have attached 2 examples.
>
> Daniel
>
> Example 1
>
> resumed false
>
> {
>   "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>   "established": true,
>   "client_cert_chain_fuids": "[]",
>   "curve": "secp256r1",
>   "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
>   "ja3s": "7d3eb4120cd50e889bcd3f3783be0f82",
>   "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
>   "cert_chain_fuids": [
>     "FwvSeKet5kqNoujSf",
>     "FNxask2v3HjNVTB5ff"
>   ],
>   "dest_asname": "AppNexus, Inc",
>   "next_protocol": "http/1.1",
>   "type": "tls",
>   "version": "TLSv12",
>   "sni": "ib.adnxs.com",
>   "src_ip": "192.168.1.93",
>   "src_port": 58443,
>   "uid": "Cfc50Q1EnIW0GAYWch",
>   "dest_ip": "37.252.172.40",
>   "validation_status": "ok",
>   "resumed": false,
>   "ja3": "b20b44b18b853ef29ab773e921b03422",
>   "dest_port": 443,
>   "timestamp": "2018-12-16T17:16:44.801Z"
> }
>
> next resumed true
>
> {
>   "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>   "established": true,
>   "ja3s": "02bdc318d9f618eea3e10d0a7ba25ba0",
>   "dest_asname": "AppNexus, Inc",
>   "next_protocol": "http/1.1",
>   "type": "tls",
>   "version": "TLSv12",
>   "sni": "ib.adnxs.com",
>   "src_ip": "192.168.1.93",
>   "src_port": 58446,
>   "uid": "CyYQVc1FuxLDABqxpj",
>   "dest_ip": "37.252.172.40",
>   "resumed": true,
>   "ja3": "334da95730484a993c6063e36bc90a47",
>   "dest_port": 443,
>   "timestamp": "2018-12-16T17:16:45.071Z"
> }
>
> Example 2
>
> resumed false
>
> {
>   "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>   "established": true,
>   "client_cert_chain_fuids": "[]",
>   "curve": "secp256r1",
>   "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
>   "ja3s": "cabc8aadc20a64fa7156022319d177c0",
>   "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
>   "cert_chain_fuids": [
>     "FCxxdLhSpJHRDMYv4",
>     "FYW4Fs3VrkciMfUhc6"
>   ],
>   "dest_asname": "AppNexus, Inc",
>   "next_protocol": "http/1.1",
>   "type": "tls",
>   "version": "TLSv12",
>   "sni": "secure.adnxs.com",
>   "src_ip": "192.168.1.93",
>   "src_port": 55912,
>   "uid": "CvUDsF40fhpESTJlLd",
>   "dest_ip": "37.252.172.40",
>   "validation_status": "ok",
>   "resumed": false,
>   "ja3": "5c118da645babe52f060d0754256a73c",
>   "dest_port": 443,
>   "timestamp": "2018-12-27T15:43:45.898Z"
> }
>
> resumed true
>
> {
>   "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
>   "established": true,
>   "ja3s": "93174bff9e6f484d06ff9552fe757554",
>   "dest_asname": "AppNexus, Inc",
>   "type": "tls",
>   "version": "TLSv12",
>   "sni": "secure.adnxs.com",
>   "src_ip": "192.168.1.93",
>   "src_port": 55927,
>   "uid": "Ctr8MRZepl9Z0r6E6",
>   "dest_ip": "37.252.172.40",
>   "resumed": true,
>   "ja3": "7b1ac424884b798ca987e3e27b99d1a8",
>   "dest_port": 443,
>   "timestamp": "2018-12-27T15:43:46.019Z"
> }
>
> On 10-01-19 at 15:40, Johanna Amann wrote:
> > Hi Daniel,
> >
> > unless I am missing something, there should be no difference in the
> > signature of a resumed and a new connection for JA3. I don't remember
> > them hashing anything in that has to do with session resumption.
> >
> > Johanna
> >
> > On 10 Jan 2019, at 5:02, Daniel Guerra wrote:
> >
> >> Hi,
> >>
> >> I'm researching ja3 and ja3s tls signatures.
> >> With resumed tls connections there is no complete
> >> handshake etc. Does it make sense to calculate a ja3
> >> on resumed tls ?
> >>
> >> Regards,
> >> Daniel
> >>
> >> _______________________________________________
> >> Zeek mailing list
> >> zeek at zeek.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From daniel.guerra69 at gmail.com Thu Jan 10 18:04:08 2019
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Fri, 11 Jan 2019 03:04:08 +0100
Subject: [Zeek] ja3 & ja3s with resumed tls
In-Reply-To: <3c20ff30-4c02-c42f-0a99-094fb61c9269@gmail.com>

So far ..

First I use a mac with firefox to generate pcap (could be something).

The hashing uses the ssl extensions, cipher and version. The server extensions at the first connection contain all options the server can use, but on a resumed connection it uses only the negotiated extensions. For this reason the ja3s for a resumed false is different from a ja3s with resumed true. This is the same for clients.

If the extensions are stored when the tls connection resumed flag is false, they could be used for a resumed connection, after a check if one of the offered extensions is used..., to calculate the ja3s.

On 10-01-19 at 15:40, Johanna Amann wrote:
> Hi Daniel,
>
> unless I am missing something, there should be no difference in the
> signature of a resumed and a new connection for JA3. I don't remember
> them hashing anything in that has to do with session resumption.
>
> Johanna
>
> On 10 Jan 2019, at 5:02, Daniel Guerra wrote:
>
>> Hi,
>>
>> I'm researching ja3 and ja3s tls signatures.
>> With resumed tls connections there is no complete
>> handshake etc. Does it make sense to calculate a ja3
>> on resumed tls ?
>>
>> Regards,
>> Daniel
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From roberixion at gmail.com Fri Jan 11 04:37:01 2019
From: roberixion at gmail.com (Rober Fernández)
Date: Fri, 11 Jan 2019 13:37:01 +0100
Subject: [Zeek] ssl handshake data

Is there a way to extract exclusively this payload generated in each packet of the ssl handshake?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: example.png
Type: image/png
Size: 21233 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190111/73ce9c35/attachment-0001.bin

From pssunu6 at gmail.com Fri Jan 11 09:04:23 2019
From: pssunu6 at gmail.com (ps sunu)
Date: Fri, 11 Jan 2019 22:34:23 +0530
Subject: [Zeek] port-Knocking bro script error

Hi

I am using the below script for port-knocking and I am getting an error:

https://github.com/initconf/scan-NG/blob/master/scripts/check-port-knock.bro
http://try.bro.org/#/trybro/saved/292398

The below part is getting the error:

if (orig !in Scan::known_scanners)
{
    if (|likely_port_scanner[orig,resp]| == HIGH_THRESHOLD_LIMIT && high_threshold_flag )
    {
        result = T ;
    }
    else if (|likely_port_scanner[orig,resp]| == MED_THRESHOLD_LIMIT && medium_threshold_flag )
    {
        result = T ;

error in ././trybro.bro, line 115: unknown identifier Scan::known_scanners, at or near "Scan::known_scanners"

Regards
Sunu
From dopheide at gmail.com Fri Jan 11 09:24:30 2019
From: dopheide at gmail.com (Mike Dopheide)
Date: Fri, 11 Jan 2019 11:24:30 -0600
Subject: [Zeek] port-Knocking bro script error

My guess is you don't have scan.bro loaded ahead of that script.

On Fri, Jan 11, 2019 at 11:06 AM ps sunu wrote:
> Hi
> I am using below script for port-knocking i am getting error
>
> https://github.com/initconf/scan-NG/blob/master/scripts/check-port-knock.bro
> http://try.bro.org/#/trybro/saved/292398
>
> below part is getting error
>
> if (orig !in Scan::known_scanners)
> {
>     if (|likely_port_scanner[orig,resp]| == HIGH_THRESHOLD_LIMIT && high_threshold_flag )
>     {
>         result = T ;
>     }
>     else if (|likely_port_scanner[orig,resp]| == MED_THRESHOLD_LIMIT && medium_threshold_flag )
>     {
>         result = T ;
>
> error in ././trybro.bro, line 115: unknown identifier
> Scan::known_scanners, at or near "Scan::known_scanners"
>
> Regards
> Sunu
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From asharma at lbl.gov Fri Jan 11 09:50:00 2019
From: asharma at lbl.gov (Aashish Sharma)
Date: Fri, 11 Jan 2019 09:50:00 -0800
Subject: [Zeek] port-Knocking bro script error
Message-ID: <20190111174959.GI6058@MacPro-2331.local>

hello Sunu,

Actually, I never finished writing the check-port-knock.bro -

Don't use it :) I think it should have been commented out in #__load__.bro

I'll make sure github doesn't include the unfinished version.

Sorry about that.

Aashish

On Fri, Jan 11, 2019 at 10:34:23PM +0530, ps sunu wrote:
> Hi
> I am using below script for port-knocking i am getting error
>
> https://github.com/initconf/scan-NG/blob/master/scripts/check-port-knock.bro
> http://try.bro.org/#/trybro/saved/292398
>
> below part is getting error
>
> if (orig !in Scan::known_scanners)
> {
>     if (|likely_port_scanner[orig,resp]| == HIGH_THRESHOLD_LIMIT && high_threshold_flag )
>     {
>         result = T ;
>     }
>     else if (|likely_port_scanner[orig,resp]| == MED_THRESHOLD_LIMIT && medium_threshold_flag )
>     {
>         result = T ;
>
> error in ././trybro.bro, line 115: unknown identifier Scan::known_scanners,
> at or near "Scan::known_scanners"
>
> Regards
> Sunu S
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From pssunu6 at gmail.com Fri Jan 11 10:05:17 2019
From: pssunu6 at gmail.com (ps sunu)
Date: Fri, 11 Jan 2019 23:35:17 +0530
Subject: [Zeek] port-Knocking bro script error
In-Reply-To: <20190111174959.GI6058@MacPro-2331.local>
References: <20190111174959.GI6058@MacPro-2331.local>

thanks for the update!

On Fri, Jan 11, 2019 at 11:20 PM Aashish Sharma wrote:
> hello Sunu,
>
> Actually, I never finished writing the check-port-knock.bro -
>
> Don't use it :) I think it should have been commented out in #__load__.bro
>
> I'll make sure github doesn't include the unfinished version.
>
> Sorry about that.
> > Aashish > > On Fri, Jan 11, 2019 at 10:34:23PM +0530, ps sunu wrote: > > Hi > > I am using below script for port-knocking i am getting > error > > > > > https://github.com/initconf/scan-NG/blob/master/scripts/check-port-knock.bro > > http://try.bro.org/#/trybro/saved/292398 > > > > below part is getting error > > > > if (orig !in Scan::known_scanners) > > { > > if (|likely_port_scanner[orig,resp]| == > > HIGH_THRESHOLD_LIMIT && high_threshold_flag ) > > { > > result = T ; > > } > > else if (|likely_port_scanner[orig,resp]| == > > MED_THRESHOLD_LIMIT && medium_threshold_flag ) > > { > > result = T ; > > > > > > error in ././trybro.bro, line 115: unknown identifier > Scan::known_scanners, > > at or near "Scan::known_scanners" > > > > > > Regards > > Sunu > > S > > _______________________________________________ > > Zeek mailing list > > zeek at zeek.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190111/8b8a834c/attachment.html From daniel.guerra69 at gmail.com Sat Jan 12 03:58:06 2019 From: daniel.guerra69 at gmail.com (Daniel Guerra) Date: Sat, 12 Jan 2019 12:58:06 +0100 Subject: [Zeek] ja3 & ja3s with resumed tls In-Reply-To: References: <3c20ff30-4c02-c42f-0a99-094fb61c9269@gmail.com> Message-ID: <9abd4f8e-fe3f-9cb6-4cb2-9ae852156329@gmail.com> Hi, I have made a change to the j3s script. It stores the server extensions in a table with the server_name. When a tls connection is resumed it uses the stored extensions. Result, resumed tls has the same ja3s as none resumed. Regards, Daniel ja3s.bro: # This Bro script appends JA3S (JA3 Server) to ssl.log # Version 1.0 (August 2018) # This builds a fingerprint for the SSL Server Hello packet based on SSL/TLS version, cipher picked, and extensions used. # Designed to be used in conjunction with JA3 to fingerprint SSL communication between clients and servers. 
#
# Authors: John B. Althouse (jalthouse at salesforce.com) Jeff Atkinson (jatkinson at salesforce.com)
# Copyright (c) 2018, salesforce.com, inc.
# All rights reserved.
# Licensed under the BSD 3-Clause license.
# For full license text, see LICENSE.txt file in the repo root or https://opensource.org/licenses/BSD-3-Clause
#

module JA3_Server;

export {
    redef enum Log::ID += { LOG };
}

type JA3SExtension: record {
    extensions: string &default="" &log;
};

# Server extension list seen in a full handshake, keyed by the client-supplied SNI.
# Note: the key is chosen by the client and entries are never removed; on a busy
# sensor give this table an expiry (e.g. &create_expire) so it cannot grow without bound.
global ja3s_extension: table[string] of JA3SExtension;

type JA3Sstorage: record {
    server_version:    count  &default=0  &log;
    server_cipher:     count  &default=0  &log;
    server_extensions: string &default="" &log;
    server_name:       string &default="" &log;
};

redef record connection += {
    ja3sfp: JA3Sstorage &optional;
};

redef record SSL::Info += {
    ja3s:            string &optional &log;
    # LOG FIELD VALUES #
    ja3s_version:    string &optional &log;
    ja3s_cipher:     string &optional &log;
    ja3s_extensions: string &optional &log;
};

const sep = "-";

event bro_init()
{
    Log::create_stream(JA3_Server::LOG, [$columns=JA3Sstorage, $path="ja3sfp"]);
}

# Collect the server-side extension codes, in wire order, as a "-"-separated list.
event ssl_extension(c: connection, is_orig: bool, code: count, val: string)
{
    if ( ! c?$ja3sfp )
        c$ja3sfp = JA3Sstorage();

    if ( is_orig == F ) {
        if ( c$ja3sfp$server_extensions == "" ) {
            c$ja3sfp$server_extensions = cat(code);
        }
        else {
            c$ja3sfp$server_extensions = string_cat(c$ja3sfp$server_extensions, sep, cat(code));
        }
    }
}

# Remember the SNI the client asked for and make sure it has a slot in the table.
event ssl_extension_server_name(c: connection, is_orig: bool, names: string_vec) &priority=5
{
    if ( ! c?$ja3sfp )
        c$ja3sfp = JA3Sstorage();

    if ( is_orig && |names| > 0 ) {
        c$ja3sfp$server_name = names[0];
        if ( c$ja3sfp$server_name !in ja3s_extension )
            ja3s_extension[c$ja3sfp$server_name] = JA3SExtension();
    }
}

@if ( Version::at_least("2.6") || ( Version::number == 20500 && Version::info$commit >= 944 ) )
event ssl_server_hello(c: connection, version: count, record_version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=1
@else
event ssl_server_hello(c: connection, version: count, possible_ts: time, server_random: string, session_id: string, cipher: count, comp_method: count) &priority=1
@endif
{
    if ( ! c?$ja3sfp )
        c$ja3sfp = JA3Sstorage();

    c$ja3sfp$server_version = version;
    c$ja3sfp$server_cipher = cipher;

    # check if the connection is resumed: the server echoed the client's session id
    if ( c$ssl?$session_id && c$ssl$session_id == bytestring_to_hexstr(session_id) ) {
        if ( c$ja3sfp$server_name != "" )
            if ( c$ja3sfp$server_name in ja3s_extension )
                # use a non resumed extension list for this host; resumed connections only carry the negotiated extensions
                if ( ja3s_extension[c$ja3sfp$server_name]$extensions != "" )
                    c$ja3sfp$server_extensions = ja3s_extension[c$ja3sfp$server_name]$extensions;
    }
    else {
        if ( c$ja3sfp$server_name != "" )
            # store the extensions for this host if the list is not empty
            if ( c$ja3sfp$server_extensions != "" )
                ja3s_extension[c$ja3sfp$server_name]$extensions = c$ja3sfp$server_extensions;
    }

    local sep2 = ",";
    local ja3s_string = string_cat(cat(c$ja3sfp$server_version), sep2, cat(c$ja3sfp$server_cipher), sep2, c$ja3sfp$server_extensions);
    local ja3sfp_1 = md5_hash(ja3s_string);
    c$ssl$ja3s = ja3sfp_1;

    # LOG FIELD VALUES #
    c$ssl$ja3s_version = cat(c$ja3sfp$server_version);
    c$ssl$ja3s_cipher = cat(c$ja3sfp$server_cipher);
    c$ssl$ja3s_extensions = c$ja3sfp$server_extensions;

    # FOR DEBUGGING #
    #print "JA3S: "+ja3sfp_1+" Fingerprint String: "+ja3s_string;
}

On 11-01-19 at 02:39 John B. Althouse wrote:
> Hey Daniel! I can help here.
> So when a TLS session resumes there is still a Client Hello packet, however the details can be different in the resuming hello packet vs the original, producing a different JA3, which will produce a different response from the server and therefore a different JA3S.
>
> Capturing this with JA3 is by design. There could be interesting unique qualities to the resumed negotiations vs the original that could assist in building more complex detections. The fact that Zeek is able to differentiate between new and resumed connections makes it so you can use this data however you want, or ignore it completely. The power of networking metadata is in your hands.
>
> John Althouse
>
> On Thu, Jan 10, 2019 at 7:28 PM Daniel Guerra wrote:
>
> > Hi Johanna
> >
> > I was thinking the same but after the results I became insecure about this.
> > I have attached 2 examples.
> >
> > Daniel
> >
> > Example 1
> >
> > resumed false
> >
> > {
> >     "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
> >     "established": true,
> >     "client_cert_chain_fuids": "[]",
> >     "curve": "secp256r1",
> >     "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
> >     "ja3s": "7d3eb4120cd50e889bcd3f3783be0f82",
> >     "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
> >     "cert_chain_fuids": [
> >       "FwvSeKet5kqNoujSf",
> >       "FNxask2v3HjNVTB5ff"
> >     ],
> >     "dest_asname": "AppNexus, Inc",
> >     "next_protocol": "http/1.1",
> >     "type": "tls",
> >     "version": "TLSv12",
> >     "sni": "ib.adnxs.com",
> >     "src_ip": "192.168.1.93",
> >     "src_port": 58443,
> >     "uid": "Cfc50Q1EnIW0GAYWch",
> >     "dest_ip": "37.252.172.40",
> >     "validation_status": "ok",
> >     "resumed": false,
> >     "ja3": "b20b44b18b853ef29ab773e921b03422",
> >     "dest_port": 443,
> >     "timestamp": "2018-12-16T17:16:44.801Z"
> >   }
> >
> > next resumed true
> >
> > {
> >     "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
> >     "established": true,
> >     "ja3s": "02bdc318d9f618eea3e10d0a7ba25ba0",
> >     "dest_asname": "AppNexus, Inc",
> >     "next_protocol": "http/1.1",
> >     "type": "tls",
> >     "version": "TLSv12",
> >     "sni": "ib.adnxs.com",
> >     "src_ip": "192.168.1.93",
> >     "src_port": 58446,
> >     "uid": "CyYQVc1FuxLDABqxpj",
> >     "dest_ip": "37.252.172.40",
> >     "resumed": true,
> >     "ja3": "334da95730484a993c6063e36bc90a47",
> >     "dest_port": 443,
> >     "timestamp": "2018-12-16T17:16:45.071Z"
> >   }
> >
> > Example 2
> >
> > resumed false
> >
> > {
> >     "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
> >     "established": true,
> >     "client_cert_chain_fuids": "[]",
> >     "curve": "secp256r1",
> >     "issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
> >     "ja3s": "cabc8aadc20a64fa7156022319d177c0",
> >     "subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
> >     "cert_chain_fuids": [
> >       "FCxxdLhSpJHRDMYv4",
> >       "FYW4Fs3VrkciMfUhc6"
> >     ],
> >     "dest_asname": "AppNexus, Inc",
> >     "next_protocol": "http/1.1",
> >     "type": "tls",
> >     "version": "TLSv12",
> >     "sni": "secure.adnxs.com",
> >     "src_ip": "192.168.1.93",
> >     "src_port": 55912,
> >     "uid": "CvUDsF40fhpESTJlLd",
> >     "dest_ip": "37.252.172.40",
> >     "validation_status": "ok",
> >     "resumed": false,
> >     "ja3": "5c118da645babe52f060d0754256a73c",
> >     "dest_port": 443,
> >     "timestamp": "2018-12-27T15:43:45.898Z"
> >   }
> >
> > resumed true
> > {
> >     "cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
> >     "established": true,
> >     "ja3s": "93174bff9e6f484d06ff9552fe757554",
> >     "dest_asname": "AppNexus, Inc",
> >     "type": "tls",
> >     "version": "TLSv12",
> >     "sni": "secure.adnxs.com",
> >     "src_ip": "192.168.1.93",
> >     "src_port": 55927,
> >     "uid": "Ctr8MRZepl9Z0r6E6",
> >     "dest_ip": "37.252.172.40",
> >     "resumed": true,
> >     "ja3": "7b1ac424884b798ca987e3e27b99d1a8",
> >     "dest_port": 443,
> >     "timestamp": "2018-12-27T15:43:46.019Z"
> >   }
> >
> > On 10-01-19 at 15:40 Johanna Amann wrote:
> > > Hi Daniel,
> > >
> > > unless I am missing something, there should be no difference in the signature of a resumed and a new connection for JA3. I don't remember them hashing anything in that has to do with session resumption.
> > >
> > > Johanna
> > >
> > > On 10 Jan 2019, at 5:02, Daniel Guerra wrote:
> > >
> > > > Hi,
> > > >
> > > > I'm researching ja3 and ja3s tls signatures.
> > > >
> > > > With resumed tls connections there is no complete handshake etc. Does it make sense to calculate a ja3 on resumed tls ?
> > > >
> > > > Regards,
> > > >
> > > > Daniel
> > > >
> > > > _______________________________________________
> > > > Zeek mailing list
> > > > zeek at zeek.org
> > > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From kayavila at illinois.edu Mon Jan 14 06:59:07 2019
From: kayavila at illinois.edu (Avila, Kay)
Date: Mon, 14 Jan 2019 14:59:07 +0000
Subject: [Zeek] Issue with Arista symmetric hashing in 4.20
Message-ID: 

I'd like to share an issue that could impact anyone using tool ports on an Arista in a port-channel to a Bro cluster. Upgrading to 4.20.x from 4.19 broke our symmetric hashing (fixable with a config change), creating a lot of half-duplex connections in Bro.

In 4.19, the hashing algorithm for output port selection in a port-channel could use either a layer 2 mode (MAC) or a layer 3 and 4 mode (IP and TCP/UDP). In 4.20, both modes can be used simultaneously, and both are enabled by default. During our upgrade, our layer 3 and 4 load-balancing policy was converted to use both modes.
That broke symmetric hashing, leading to many of the connections having the two sides of their flows sent to different Bro nodes. I haven't established yet with Arista whether the problem is the MAC hashing or having both enabled simultaneously, but layer 2 mode is fairly useless for us anyway as we tap the link between routers. Changing the hashing algorithm back to layer 3/4 only solved the issue for us.

Kay Avila
Senior Security Engineer, Cybersecurity and Networking Division
National Center for Supercomputing Applications (NCSA)
University of Illinois, Urbana-Champaign
P: (217) 300-1754 F: (217) 244-1987

From wren3 at illinois.edu Mon Jan 14 15:21:17 2019
From: wren3 at illinois.edu (Ren, Wenyu)
Date: Mon, 14 Jan 2019 23:21:17 +0000
Subject: [Zeek] Question regarding installing python binding for Broker
Message-ID: 

Dear all,

Do I need to do "./configure" with any parameter for installing python binding for Broker? I tried no parameter but the broker module cannot be found in python. Thanks a lot.

Best,
Wenyu

Wenyu Ren
Ph.D. Candidate
Department of Computer Science
University of Illinois at Urbana-Champaign

From jsiwek at corelight.com Tue Jan 15 07:49:56 2019
From: jsiwek at corelight.com (Jon Siwek)
Date: Tue, 15 Jan 2019 09:49:56 -0600
Subject: [Zeek] Question regarding installing python binding for Broker
In-Reply-To: 
References: 
Message-ID: 

On Mon, Jan 14, 2019 at 5:30 PM Ren, Wenyu wrote:
> Do I need to do "./configure" with any parameter for installing python binding for Broker? I tried no parameter but the broker module cannot be found in python.

If you have python development headers/libs installed at a standard path, `./configure` usually finds them without extra flags. i.e.
typically you'd just install "python-dev" or "python-devel" packages (depending on OS) before doing `./configure`.

- Jon

From roberixion at gmail.com Thu Jan 17 03:03:16 2019
From: roberixion at gmail.com (Rober Fernández)
Date: Thu, 17 Jan 2019 12:03:16 +0100
Subject: [Zeek] handshake ssl
Message-ID: 

1. Question

I would like to obtain the bytes related with the field certificates, but I don't see any event to get it.

Attach a wireshark image with the field underlined.

2. Question

Is there a way to extract exclusively the payload generated in each packet of the ssl handshake?

for example

    struct {
        ProtocolVersion client_version;
        Random random;
        SessionID session_id;
        CipherSuite cipher_suites<2..2^16-2>;
        CompressionMethod compression_methods<1..2^8-1>;
        select (extensions_present) {
            case false:
                struct {};
            case true:
                Extension extensions<0..2^16-1>;
        };
    } ClientHello;

all bytes of this struct of Client Hello.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: certificate.png
Type: image/png
Size: 29504 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190117/3be58b4b/attachment-0001.bin

From roberixion at gmail.com Thu Jan 17 03:04:07 2019
From: roberixion at gmail.com (Rober Fernández)
Date: Thu, 17 Jan 2019 12:04:07 +0100
Subject: [Zeek] Fwd: handshake ssl
In-Reply-To: 
References: 
Message-ID: 

---------- Forwarded message ---------
From: Rober Fernández
Date: Thu, 17 Jan 2019 at 12:03
Subject: handshake ssl
To: 

From leejia1989 at 126.com Thu Jan 17 03:23:16 2019
From: leejia1989 at 126.com (佳)
Date: Thu, 17 Jan 2019 19:23:16 +0800 (CST)
Subject: [Zeek] handle 100Tbps of traffic
Message-ID: <171c179.86ed.1685b8d0bd4.Coremail.leejia1989@126.com>

Can Bro handle 100Tbps of traffic?

From alajal at gmail.com Thu Jan 17 04:45:39 2019
From: alajal at gmail.com (Mustafa Qasim)
Date: Thu, 17 Jan 2019 23:45:39 +1100
Subject: [Zeek] handle 100Tbps of traffic
In-Reply-To: <171c179.86ed.1685b8d0bd4.Coremail.leejia1989@126.com>
References: <171c179.86ed.1685b8d0bd4.Coremail.leejia1989@126.com>
Message-ID: 

Zeek can work in cluster mode. Provided the right hardware I don't know of any software limitations. Even if there is one you can always have multiple clusters.

You aren't gonna do bro-cut 100Tbps anyway. So the logs can be pulled into whatever big data factory and put to use as needed.

------
*Mustafa Qasim*
PGP: C57E0A7C

On Thu, Jan 17, 2019 at 10:26 PM 佳 wrote:
> Can Bro handle 100Tbps of traffic?
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From johanna at icir.org Thu Jan 17 07:35:21 2019
From: johanna at icir.org (Johanna Amann)
Date: Thu, 17 Jan 2019 07:35:21 -0800
Subject: [Zeek] handshake ssl
In-Reply-To: 
References: 
Message-ID: <59668963-3443-476F-9792-5D5FA1948739@icir.org>

Hi Rober,

> 1. Question
> I would like to obtain the bytes related with the field certificates, but I don't see any event to get it.
>
> Attach a wireshark image with the field underlined.

You cannot get at the data for the field certificates directly; however you can get all of the individual certificates. The easiest way to get to them is through the event x509_certificate - https://www.zeek.org/sphinx/scripts/base/bif/plugins/Bro_X509.events.bif.bro.html#id-x509_certificate. That event gets the parsed out certificate data + an opaque of type x509. You can use the x509_get_certificate_string function to get the ASN.1 representation of the individual certificates out of that.

> 2. Question
> Is there a way to extract exclusively the payload generated in each packet of the ssl handshake?
> for example
>
>     struct {
>         ProtocolVersion client_version;
>         Random random;
>         SessionID session_id;
>         CipherSuite cipher_suites<2..2^16-2>;
>         CompressionMethod compression_methods<1..2^8-1>;
>         select (extensions_present) {
>             case false:
>                 struct {};
>             case true:
>                 Extension extensions<0..2^16-1>;
>         };
>     } ClientHello;
>
> all bytes of this struct of Client Hello.

No, there is no way to get the payload for each packet in the handshake. That being said, there is a different event for I think every single event in the handshake that gets the parsed out information; in this case it would be ssl_client_hello and the different extension events.

Is there a reason why you want the raw data and not access to the parsed information?

Johanna

From tom at rubica.com Thu Jan 17 13:33:40 2019
From: tom at rubica.com (Tom Donnelly)
Date: Thu, 17 Jan 2019 21:33:40 +0000
Subject: [Zeek] Does Zeek support capture from nflog link type?
Message-ID: 

Hi,

I'm looking to capture from nflog (netfilter integration), but Zeek doesn't seem to like `BroArgs = -i nflog:4`

Do I need to integrate a plugin for this to work?

Tom Donnelly

CONFIDENTIALITY NOTICE: This message is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender by replying to this message and then delete it from your system. Thank You.

From waa at cs.umd.edu Mon Jan 21 13:48:18 2019
From: waa at cs.umd.edu (William Arbaugh)
Date: Mon, 21 Jan 2019 16:48:18 -0500
Subject: [Zeek] Using the Corelight Splunk App with Zeek?
Message-ID: 

Can anyone point me to how to set-up the corelight Splunk app with a zeek sensor?
I initially followed these instructions: https://www.ericooi.com/zeekurity-zen-part-ii-how-to-send-zeek-bro-logs-to-splunk/ the JSON coming into Splunk wasn't going into the corelight index though and looked malformed. I then found this message from Seth: http://mailman.icsi.berkeley.edu/pipermail/zeek/2018-June/013364.html and I changed to using Json streaming logs, but still no joy. Hints, pointers, etc appreciated. Thanks, Bill -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190121/f63eaab3/attachment.html From dmiller at stc-ntc-lsu.org Tue Jan 22 06:52:55 2019 From: dmiller at stc-ntc-lsu.org (Darrell Miller) Date: Tue, 22 Jan 2019 14:52:55 +0000 Subject: [Zeek] Zeek install monitoring multiple interfaces, need interface in logs Message-ID: Hi, I've been running bro for a few years, a simple straightforward install. I recently have a need for my bro instance to monitor two interfaces (internal network and external network) I've gotten this working, it was straight forward. My issue is in most of the logs there is no tag or field indicating which interface the log entry is referring to. Some logs like weird.log do have a field called "peer" That indicates what seems to be the interface. DNS.log, and CONN.log do not. Is there an easy way to add this field, or add a field saying which node of the cluster the log entry originated from? I hope that makes sense Thank you, Darrell Miller The information transmitted in this e-mail message and any attachments is strictly confidential and is exclusively addressed to the recipient indicated above. If you are not the intended recipient, please be aware that any use, copying or disclosure of information contained in this e-mail message is strictly prohibited. If you have received this e-mail message in error, please notify us immediately by reply and then delete it from your system. 
From ericooi at gmail.com Tue Jan 22 07:56:05 2019
From: ericooi at gmail.com (Eric Ooi)
Date: Tue, 22 Jan 2019 09:56:05 -0600
Subject: [Zeek] Zeek install monitoring multiple interfaces, need interface in logs
In-Reply-To: 
References: 
Message-ID: 

Hi Darrell,

This might help -- https://blog.zeek.org/2012/02/filtering-logs-with-bro.html

Thanks,
Eric

On Tue, Jan 22, 2019 at 9:03 AM Darrell Miller wrote:
> Hi,
>
> I've been running bro for a few years, a simple straightforward install. I recently have a need for my bro instance to monitor two interfaces (internal network and external network)
>
> I've gotten this working, it was straight forward. My issue is in most of the logs there is no tag or field indicating which interface the log entry is referring to. Some logs like weird.log do have a field called "peer"
>
> That indicates what seems to be the interface. DNS.log, and CONN.log do not. Is there an easy way to add this field, or add a field saying which node of the cluster the log entry originated from? I hope that makes sense
>
> Thank you,
>
> Darrell Miller
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
From dmiller at stc-ntc-lsu.org Tue Jan 22 08:02:17 2019
From: dmiller at stc-ntc-lsu.org (Darrell Miller)
Date: Tue, 22 Jan 2019 16:02:17 +0000
Subject: [Zeek] Zeek install monitoring multiple interfaces, need interface in logs
In-Reply-To: 
References: 
Message-ID: 

Thanks, I found this right after I hit "send" on my mail. Here is what I came up with to save anyone else a little bit of time: if there is a better way of doing it, please let me know. So far these are the logs I've been able to add the interface to. Communications.log did not work using the same pattern.

## ---====================================================================================================================
# add interface name to log filename:
event bro_init()
{
    if ( reading_live_traffic() )
    {
        # Each filter replaces the default one for its stream and picks the output
        # file name from the interface of the cluster node that produced the record.
        Log::remove_default_filter(HTTP::LOG);
        Log::add_filter(HTTP::LOG, [$name = "http-interfaces",
            $path_func(id: Log::ID, path: string, rec: HTTP::Info) = {
                local peer = get_event_peer()$descr;
                if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
                    return cat("http_", Cluster::nodes[peer]$interface);
                else
                    return "http";
            } ]);

        Log::remove_default_filter(Conn::LOG);
        Log::add_filter(Conn::LOG, [$name = "conn-interfaces",
            $path_func(id: Log::ID, path: string, rec: Conn::Info) = {
                local peer = get_event_peer()$descr;
                if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
                    return cat("conn_", Cluster::nodes[peer]$interface);
                else
                    return "conn";
            } ]);

        Log::remove_default_filter(Weird::LOG);
        Log::add_filter(Weird::LOG, [$name = "weird-interfaces",
            $path_func(id: Log::ID, path: string, rec: Weird::Info) = {
                local peer = get_event_peer()$descr;
                if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
                    return cat("weird_", Cluster::nodes[peer]$interface);
                else
                    return "weird";
            } ]);

        Log::remove_default_filter(DNS::LOG);
        Log::add_filter(DNS::LOG, [$name = "DNS-interfaces",
            $path_func(id: Log::ID, path: string, rec: DNS::Info) = {
                local peer = get_event_peer()$descr;
                if ( peer in Cluster::nodes && Cluster::nodes[peer]?$interface )
                    return cat("DNS_", Cluster::nodes[peer]$interface);
                else
                    return "dns";
            } ]);
    } #end if
} #end event
## ---====================================================================================================================

In your logs folder, each logfile will be split up by the interface:

DNS_eth01.log
DNS_eth02.log
weird_eth01.log
weird_eth02.log

From: Eric Ooi
Sent: Tuesday, January 22, 2019 9:56 AM
To: Darrell Miller
Cc: zeek at zeek.org
Subject: Re: [Zeek] Zeek install monitoring multiple interfaces, need interface in logs

Hi Darrell,

This might help -- https://blog.zeek.org/2012/02/filtering-logs-with-bro.html

Thanks,
Eric

On Tue, Jan 22, 2019 at 9:03 AM Darrell Miller wrote:

Hi,

I've been running bro for a few years, a simple straightforward install. I recently have a need for my bro instance to monitor two interfaces (internal network and external network)

I've gotten this working, it was straight forward. My issue is in most of the logs there is no tag or field indicating which interface the log entry is referring to. Some logs like weird.log do have a field called "peer"

That indicates what seems to be the interface. DNS.log, and CONN.log do not. Is there an easy way to add this field, or add a field saying which node of the cluster the log entry originated from? I hope that makes sense

Thank you,

Darrell Miller
_______________________________________________ Zeek mailing list zeek at zeek.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek The information transmitted in this e-mail message and any attachments is strictly confidential and is exclusively addressed to the recipient indicated above. If you are not the intended recipient, please be aware that any use, copying or disclosure of information contained in this e-mail message is strictly prohibited. If you have received this e-mail message in error, please notify us immediately by reply and then delete it from your system. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190122/6276cbf4/attachment-0001.html From ericooi at gmail.com Tue Jan 22 08:27:03 2019 From: ericooi at gmail.com (Eric Ooi) Date: Tue, 22 Jan 2019 10:27:03 -0600 Subject: [Zeek] Using the Corelight Splunk App with Zeek? In-Reply-To: References: Message-ID: Hey Bill, Ha, that's my blog! Can you qualify what you mean by "not going into the corelight index and looked malformed"? The instructions I outlined are what I use in my own setup and I haven't noticed this same behavior. Sorry to hear it's not working for your setup. A couple things to check -- * Is Zeek successfully generating JSON logs into the "current" folder? * Did you update the inputs.conf file on the forwarder that's installed on the sensor itself? Thanks, Eric On Mon, Jan 21, 2019 at 3:58 PM William Arbaugh wrote: > Can anyone point me to how to set-up the corelight Splunk app with a zeek > sensor? > > I initially followed these instructions: > https://www.ericooi.com/zeekurity-zen-part-ii-how-to-send-zeek-bro-logs-to-splunk/ > the JSON coming into Splunk wasn't going into the corelight index though > and looked malformed. 
> > I then found this message from Seth: > http://mailman.icsi.berkeley.edu/pipermail/zeek/2018-June/013364.html and > I changed to using Json streaming logs, but still no joy. > > Hints, pointers, etc appreciated. > > Thanks, Bill > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190122/e67b6a7c/attachment.html From waa at cs.umd.edu Tue Jan 22 08:49:53 2019 From: waa at cs.umd.edu (William Arbaugh) Date: Tue, 22 Jan 2019 11:49:53 -0500 Subject: [Zeek] Using the Corelight Splunk App with Zeek? In-Reply-To: References: Message-ID: Eric, Thanks for the blog! It definitely helped me. I'm a novice with Splunk. My issue was mostly on the splunk end, and a few things with Zeek. I changed the following from your blog on my Zeek instance: 1. I changed the index to main from corelight. I could have created the corelight index I suppose and it still would have worked. 2. I used the JSON streaming package from Seth which required changing the file names to be forwarded. That change cleaned up the JSON that I was seeing on Splunk. On the splunk instance, I just issued 'splunk enable listen 9997' on the command line. Previously, I had set-up a more complicated receiver using the GUI which I deleted which also contributed (likely) to cleaning up the JSON. All is well now - the overview page doesn't populate since I can't figure out which log file has those metrics to forward. The remaining tabs are working like a charm now. Thanks for the blog! Best, Bill On Tue, Jan 22, 2019 at 11:27 AM Eric Ooi wrote: > Hey Bill, > > Ha, that's my blog! > > Can you qualify what you mean by "not going into the corelight index and > looked malformed"? The instructions I outlined are what I use in my own > setup and I haven't noticed this same behavior. 
Sorry to hear it's not > working for your setup. > > A couple things to check -- > > * Is Zeek successfully generating JSON logs into the "current" folder? > * Did you update the inputs.conf file on the forwarder that's installed on > the sensor itself? > > Thanks, > Eric > > On Mon, Jan 21, 2019 at 3:58 PM William Arbaugh wrote: > >> Can anyone point me to how to set-up the corelight Splunk app with a zeek >> sensor? >> >> I initially followed these instructions: >> https://www.ericooi.com/zeekurity-zen-part-ii-how-to-send-zeek-bro-logs-to-splunk/ >> the JSON coming into Splunk wasn't going into the corelight index though >> and looked malformed. >> >> I then found this message from Seth: >> http://mailman.icsi.berkeley.edu/pipermail/zeek/2018-June/013364.html >> and I changed to using Json streaming logs, but still no joy. >> >> Hints, pointers, etc appreciated. >> >> Thanks, Bill >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190122/956d05a9/attachment.html From fatema.bannatwala at gmail.com Tue Jan 22 09:03:01 2019 From: fatema.bannatwala at gmail.com (fatema bannatwala) Date: Tue, 22 Jan 2019 12:03:01 -0500 Subject: [Zeek] Question regarding distributed clustering with Zeek! Message-ID: Hi All, Currently we are monitoring the north-south traffic using Zeek cluster (with a manager/logger system and 4 dedicated systems running as workers), and recently we managed to get approval of monitoring some of the east-west traffic with Zeek as well (Yay). And we want the logs corresponding to the internal (east-west) traffic monitoring to be logged separately than the logs of north-south traffic (current Zeek deployment). 
Therefore wanted to ask if multiple managers (two potentially) can be setup on a single system for two separate Zeek clusters (internal and external)? Or does Zeek yet support distributed clustering? Any thoughts? or better way to achieve the same? Thanks, Fatema. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190122/7a34bf48/attachment.html From ericooi at gmail.com Tue Jan 22 09:07:57 2019 From: ericooi at gmail.com (Eric Ooi) Date: Tue, 22 Jan 2019 11:07:57 -0600 Subject: [Zeek] Using the Corelight Splunk App with Zeek? In-Reply-To: References: Message-ID: Great! Glad to hear. I'll make a note to add that the corelight index should be created first as that is what the app is expecting. Ah yes, I believe the overview page is only useful if you have an actual enterprise Corelight sensor. For us Zeekers, the other tabs will be more relevant. Any feedback on what else you'd like to see in the series? I'm planning on changing the first article to leverage af_packet instead of pf_ring and go over some useful queries in the next article. But I'm curious to hear what you and others would be interested in seeing. On Tue, Jan 22, 2019 at 10:50 AM William Arbaugh wrote: > Eric, > > Thanks for the blog! It definitely helped me. I'm a novice with Splunk. > > My issue was mostly on the splunk end, and a few things with Zeek. I > changed the following from your blog on my Zeek instance: > > 1. I changed the index to main from corelight. I could have created the > corelight index I suppose and it still would have worked. > 2. I used the JSON streaming package from Seth which required changing the > file names to be forwarded. That change cleaned up the JSON that I was > seeing on Splunk. > > On the splunk instance, I just issued 'splunk enable listen 9997' on the > command line. 
Previously, I had set-up a more complicated receiver using > the GUI which I deleted which also contributed (likely) to cleaning up the > JSON. > > All is well now - the overview page doesn't populate since I can't figure > out which log file has those metrics to forward. The remaining tabs are > working like a charm now. > > Thanks for the blog! > > Best, Bill > > On Tue, Jan 22, 2019 at 11:27 AM Eric Ooi wrote: > >> Hey Bill, >> >> Ha, that's my blog! >> >> Can you qualify what you mean by "not going into the corelight index and >> looked malformed"? The instructions I outlined are what I use in my own >> setup and I haven't noticed this same behavior. Sorry to hear it's not >> working for your setup. >> >> A couple things to check -- >> >> * Is Zeek successfully generating JSON logs into the "current" folder? >> * Did you update the inputs.conf file on the forwarder that's installed >> on the sensor itself? >> >> Thanks, >> Eric >> >> On Mon, Jan 21, 2019 at 3:58 PM William Arbaugh wrote: >> >>> Can anyone point me to how to set-up the corelight Splunk app with a >>> zeek sensor? >>> >>> I initially followed these instructions: >>> https://www.ericooi.com/zeekurity-zen-part-ii-how-to-send-zeek-bro-logs-to-splunk/ >>> the JSON coming into Splunk wasn't going into the corelight index though >>> and looked malformed. >>> >>> I then found this message from Seth: >>> http://mailman.icsi.berkeley.edu/pipermail/zeek/2018-June/013364.html >>> and I changed to using Json streaming logs, but still no joy. >>> >>> Hints, pointers, etc appreciated. >>> >>> Thanks, Bill >>> _______________________________________________ >>> Zeek mailing list >>> zeek at zeek.org >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >> >> -------------- next part -------------- An HTML attachment was scrubbed... 
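Eric's checklist above (is Zeek actually writing JSON into current/, and does the forwarder's inputs.conf point at the right files) can be turned into a quick check run on the sensor before touching Splunk. The script below is an added example, not code from this thread, from Zeek, from the json-streaming-logs package or from the Corelight app. It assumes that Zeek's JSON writer emits one object per line carrying a ts field and that the json-streaming-logs package adds _path and _write_ts to each object; the sample lines are constructed. A file that starts with a TSV #separator header means JSON output was never enabled for that log, and a line cut mid-write is one way a forwarder ends up with events that look malformed.

```python
"""Sanity-check a Zeek log before pointing a Splunk forwarder at it.

Added example; not code from the thread, from Zeek, from the json-streaming-logs
package or from the Corelight app. Assumptions (labelled here and in the
lead-in): Zeek's JSON writer emits one JSON object per line carrying a "ts"
field, and the json-streaming-logs package adds "_path" and "_write_ts" to
every object so a forwarder can route events without looking at filenames.
"""
import json
import sys
from dataclasses import dataclass, field


@dataclass
class LogCheck:
    fmt: str                                   # "json", "tsv" or "empty"
    total: int = 0                             # non-blank lines examined
    bad_json: list = field(default_factory=list)   # (line_no, error) pairs
    paths: dict = field(default_factory=dict)      # _path -> number of events
    missing_path: int = 0                      # objects without a _path field
    missing_ts: int = 0                        # objects without a ts field


def check_zeek_log_lines(lines):
    """Classify a log's lines and collect the problems a forwarder would hit."""
    rows = [l.rstrip("\n") for l in lines if l.strip()]
    if not rows:
        return LogCheck(fmt="empty")
    # Zeek's ASCII (TSV) writer starts every file with "#separator". Seeing it
    # means JSON output was never enabled for this log, whatever the filename.
    if rows[0].startswith("#separator"):
        return LogCheck(fmt="tsv", total=len(rows))
    result = LogCheck(fmt="json", total=len(rows))
    for no, row in enumerate(rows, 1):
        try:
            obj = json.loads(row)
        except json.JSONDecodeError as e:
            # A partial line is what a forwarder sees when it reads a file
            # that Zeek is still writing, or one cut during rotation.
            result.bad_json.append((no, str(e)))
            continue
        if not isinstance(obj, dict):
            result.bad_json.append((no, "not a JSON object"))
            continue
        if "ts" not in obj:
            result.missing_ts += 1
        path = obj.get("_path")
        if path is None:
            result.missing_path += 1
        else:
            result.paths[path] = result.paths.get(path, 0) + 1
    return result


def summarize(check):
    """One-line verdict for a quick shell check or a cron job."""
    if check.fmt == "tsv":
        return "TSV header found: JSON output is not enabled for this log"
    if check.fmt == "empty":
        return "no log lines: is Zeek writing into the current/ directory?"
    parts = [f"{check.total} JSON lines", f"{len(check.bad_json)} unparsable",
             f"{check.missing_ts} without ts"]
    if check.missing_path:
        parts.append(f"{check.missing_path} without _path "
                     "(json-streaming-logs not loaded?)")
    parts.append("paths=" + ",".join(sorted(check.paths)))
    return ", ".join(parts)


# Constructed sample input (not real traffic): two json-streaming-logs style
# events, one line cut mid-write, and a blank line.
SAMPLE_JSON = [
    '{"_path":"conn","_write_ts":"2019-01-22T15:58:01.000000Z","ts":1548172681.0,'
    '"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.9"}\n',
    '{"_path":"dns","_write_ts":"2019-01-22T15:58:01.100000Z","ts":1548172681.1,'
    '"query":"zeek.org"}\n',
    '{"_path":"conn","_write_ts":"2019-01-22T15:58:02.000000Z","ts":15481\n',
    '\n',
]
# What the same file looks like when the ASCII writer is still in TSV mode.
SAMPLE_TSV = ["#separator \\x09\n", "#set_separator\t,\n", "#path\tconn\n"]

if __name__ == "__main__":
    if sys.argv[1:]:
        for name in sys.argv[1:]:
            with open(name, encoding="utf-8", errors="replace") as fh:
                print(f"{name}: {summarize(check_zeek_log_lines(fh))}")
    else:
        print("sample json:", summarize(check_zeek_log_lines(SAMPLE_JSON)))
        print("sample tsv: ", summarize(check_zeek_log_lines(SAMPLE_TSV)))
```

Run it with the paths of the files the forwarder is configured to read (for example everything under /opt/bro/logs/current/); a "TSV header found" verdict or a growing count of unparsable lines points at the Zeek side, anything else points at the inputs.conf or index configuration on the Splunk side.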
From johanna at icir.org Tue Jan 22 11:08:57 2019
From: johanna at icir.org (Johanna Amann)
Date: Tue, 22 Jan 2019 11:08:57 -0800
Subject: [Zeek] Zeek workshop Europe @ CERN - call for presentations
Message-ID: <20190122190857.wmetbuyskniat5by@Trafalgar.local>

Hi,

this email is a short reminder of the upcoming Zeek Workshop Europe 2019 (April 9-11 @CERN, Geneva, Switzerland). The program will consist of talks by the Bro development team and external contributors. As in our last event, a large part of the development team will be attending the workshop.

There are still a bunch of open spots - you can register at https://indico.cern.ch/event/762505/ (also linked from https://zeek.org).

We also are still looking for presenters - if you have a topic that you might want to give a talk about, please submit a talk abstract to info at zeek.org. The deadline for this submission is February 25th, 2019.

Please note that there is a MISP training/workshop hosted at CERN right after the Zeek workshop - you can find more information linked from the event page.

Johanna

From jsiwek at corelight.com Tue Jan 22 11:49:06 2019
From: jsiwek at corelight.com (Jon Siwek)
Date: Tue, 22 Jan 2019 13:49:06 -0600
Subject: [Zeek] Question regarding distributed clustering with Zeek!
In-Reply-To: References: Message-ID:

On Tue, Jan 22, 2019 at 11:20 AM fatema bannatwala wrote:
> Therefore wanted to ask if multiple managers (two potentially) can be setup on a single system for two separate Zeek clusters (internal and external)?
>
> Or does Zeek yet support distributed clustering?

Don't think it's that sophisticated at the moment.
You might get what you want if a single Bro/BroControl install had the ability to let a user dynamically choose which config file to use and then you can set up two different cluster configs on the same system (it's probably not too difficult to patch/hack in if you are desperate). Otherwise, I imagine a crude, but working solution is to have two installations on the same system using a different --prefix: they'd then have different config files and log dirs by default. There's also the matter of setting BroPort in each broctl.cfg far enough away from each other such that there's no port conflicts. - Jon From hovsep.sanjay.levi at gmail.com Tue Jan 22 12:42:26 2019 From: hovsep.sanjay.levi at gmail.com (Hovsep Levi) Date: Tue, 22 Jan 2019 20:42:26 +0000 Subject: [Zeek] Question regarding distributed clustering with Zeek! In-Reply-To: References: Message-ID: I'd approach it by modifying the logging system. With a little work you could tag workers in node.cfg with "logging=north-south" or "logging=east-west" and then modify the bro logging script to decide where incoming logs should go based on that tag. -L On Tue, Jan 22, 2019 at 5:20 PM fatema bannatwala < fatema.bannatwala at gmail.com> wrote: > Hi All, > > Currently we are monitoring the north-south traffic using Zeek cluster > (with a manager/logger system and 4 dedicated systems running as workers), > and recently we managed to get approval of monitoring some of the east-west > traffic with Zeek as well (Yay). > And we want the logs corresponding to the internal (east-west) traffic > monitoring to be logged separately than the logs of north-south traffic > (current Zeek deployment). > Therefore wanted to ask if multiple managers (two potentially) can be > setup on a single system for two separate Zeek clusters (internal and > external)? > > Or does Zeek yet support distributed clustering? > > Any thoughts? or better way to achieve the same? > > Thanks, > Fatema. 
> _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190122/3cf975e8/attachment.html From fatema.bannatwala at gmail.com Tue Jan 22 13:19:28 2019 From: fatema.bannatwala at gmail.com (fatema bannatwala) Date: Tue, 22 Jan 2019 16:19:28 -0500 Subject: [Zeek] Question regarding distributed clustering with Zeek! In-Reply-To: References: Message-ID: Hey Jon, Thanks for the insights! Makes sense, that's what I was wondering, that I can run a second manager from another install with a different prefix on the same server, have done that before but only for testing purposes, and just wanted to make sure to ask the experts, if there's any other way, before moving with that idea for production. :) Also, for the same purpose, I was checking the ports currently in use on manager and looks like it is using two ports currently to communicate with the worker systems: On manager: $ netstat | grep bro | cut -d':' -f2 | cut -d' ' -f1 | sort | uniq -c | sort -rn 92 47762 92 47761 And top showing two manager and logger processes running, hmm that's why using two ports? $ top top - 12:40:10 up 5 days, 20:37, 2 users, load average: 1.72, 1.78, 1.90 Tasks: 453 total, 5 running, 448 sleeping, 0 stopped, 0 zombie %Cpu(s): 5.4 us, 2.7 sy, 1.0 ni, 90.6 id, 0.2 wa, 0.0 hi, 0.1 si, 0.0 st KiB Mem : 10697342+total, 1324448 free, 16529272 used, 89119696 buff/cache KiB Swap: 8388600 total, 8388600 free, 0 used. 
89549296 avail Mem PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 26511 bro 20 0 366.9g 13.1g 7668 R 75.6 12.8 5710:39 /usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto 26552 bro 25 5 2671796 455148 1288 R 72.9 0.4 7010:04 /usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto 26465 bro 20 0 1092876 316760 7364 R 54.5 0.3 3294:08 /usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local -p logger local.bro broctl base/frameworks/cluster local-logger.bro broctl/auto 26484 bro 25 5 543848 433868 1260 S 19.1 0.4 1058:57 /usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local -p logger local.bro broctl base/frameworks/cluster local-logger.bro broctl/auto On Tue, Jan 22, 2019 at 2:49 PM Jon Siwek wrote: > On Tue, Jan 22, 2019 at 11:20 AM fatema bannatwala > wrote: > > > Therefore wanted to ask if multiple managers (two potentially) can be > setup on a single system for two separate Zeek clusters (internal and > external)? > > > > Or does Zeek yet support distributed clustering? > > Don't think it's that sophisticated at the moment. You might get what > you want if a single Bro/BroControl install had the ability to let a > user dynamically choose which config file to use and then you can set > up two different cluster configs on the same system (it's probably not > too difficult to patch/hack in if you are desperate). Otherwise, I > imagine a crude, but working solution is to have two installations on > the same system using a different --prefix: they'd then have different > config files and log dirs by default. There's also the matter of > setting BroPort in each broctl.cfg far enough away from each other > such that there's no port conflicts. 
> > - Jon > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190122/339dc136/attachment.html From clopmz at outlook.com Wed Jan 23 04:23:19 2019 From: clopmz at outlook.com (Carlos Lopez) Date: Wed, 23 Jan 2019 12:23:19 +0000 Subject: [Zeek] Netmap support in Bro 2.6.1 Message-ID: Hi all, What is the status of netmap's support in Bro 2.6.X under FreeBSD? Do I need to install via bro-pkg? Regards, C. L. Martinez From shirkdog.bsd at gmail.com Wed Jan 23 04:49:17 2019 From: shirkdog.bsd at gmail.com (Michael Shirk) Date: Wed, 23 Jan 2019 07:49:17 -0500 Subject: [Zeek] Netmap support in Bro 2.6.1 In-Reply-To: References: Message-ID: That is all you should need to do. The load balancing app "lb" will make it's way into FreeBSD 13 as an add-on tool, but standard netmap should work. Raise an issue if that is not the case. -- Michael Shirk Daemon Security, Inc. https://www.daemon-security.com On Wed, Jan 23, 2019, 07:33 Carlos Lopez Hi all, > > What is the status of netmap's support in Bro 2.6.X under FreeBSD? Do I > need to install via bro-pkg? > > Regards, > C. L. Martinez > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190123/7cf98124/attachment.html From clopmz at outlook.com Wed Jan 23 05:35:13 2019 From: clopmz at outlook.com (Carlos Lopez) Date: Wed, 23 Jan 2019 13:35:13 +0000 Subject: [Zeek] Netmap support in Bro 2.6.1 In-Reply-To: References: , Message-ID: Thanks Michael for your answer. I have done a simple test installing Bro from pkgs, and it doesn't see any traffic: root at broserver01:/nsm/bro/logs/current # broctl capstats Error: No network interfaces suitable for use with capstats were found. 
root at broserver01:/nsm/bro/logs/current # broctl netstats worker-1-1: worker-1-2: worker-1-3: worker-1-4: worker-1-5: worker-1-6: worker-1-7: worker-1-8: worker-2-1: worker-2-2: worker-2-3: worker-2-4: worker-2-5: worker-2-6: worker-2-7: worker-2-8: And capture_loss.log: #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path capture_loss #open 2019-01-23-13-07-46 #fields ts ts_delta peer gaps acks percent_lost #types time interval string count count double 1548248866.685834 900.000060 worker-1-5 0 0 0.0 1548248866.689995 900.000024 worker-1-2 0 0 0.0 1548248866.695771 900.000226 worker-1-8 0 0 0.0 1548248866.700932 900.000009 worker-1-1 0 0 0.0 1548248866.709488 900.000045 worker-1-4 0 0 0.0 1548248866.714722 900.000015 worker-1-6 0 0 0.0 1548248866.750419 900.000134 worker-2-5 0 0 0.0 1548248866.761479 900.000238 worker-2-7 0 0 0.0 1548248866.795894 900.000048 worker-2-8 0 0 0.0 1548248866.804847 900.000026 worker-1-3 0 0 0.0 1548248866.834338 900.000073 worker-2-6 0 0 0.0 1548248866.885618 900.000056 worker-2-1 0 0 0.0 1548248866.890991 900.000224 worker-2-4 0 0 0.0 1548248866.894688 900.000009 worker-2-2 0 0 0.0 1548248866.908410 900.000005 worker-1-7 0 0 0.0 1548248866.910493 900.000029 worker-2-3 0 0 0.0 1548249766.685856 900.000022 worker-1-5 0 0 0.0 1548249766.690121 900.000126 worker-1-2 0 0 0.0 1548249766.695893 900.000122 worker-1-8 0 0 0.0 1548249766.702236 900.001304 worker-1-1 0 0 0.0 1548249766.709525 900.000037 worker-1-4 0 0 0.0 1548249766.714733 900.000011 worker-1-6 0 0 0.0 1548249766.750422 900.000003 worker-2-5 0 0 0.0 1548249766.761513 900.000034 worker-2-7 0 0 0.0 1548249766.795917 900.000023 worker-2-8 0 0 0.0 1548249766.804874 900.000027 worker-1-3 0 0 0.0 1548249766.834462 900.000124 worker-2-6 0 0 0.0 1548249766.885620 900.000002 worker-2-1 0 0 0.0 1548249766.891140 900.000149 worker-2-4 0 0 0.0 1548249766.894759 900.000071 worker-2-2 0 0 0.0 1548249766.908413 900.000003 worker-1-7 0 0 0.0 1548249766.910495 900.000002 
worker-2-3 0 0 0.0 My actual node.cfg config is: [logger] type=logger host=localhost # [manager] type=manager host=localhost # [proxy-1] type=proxy host=localhost # [worker-1] type=worker host=localhost interface=netmap::ix1 lb_method=custom lb_procs=8 # [worker-2] type=worker host=localhost interface=netmap::ix2 lb_method=custom lb_procs=8 Maybe am I doing something wrong? Regards, C. L. Martinez ________________________________________ From: Michael Shirk Sent: 23 January 2019 13:49 To: Carlos Lopez Cc: zeek at zeek.org Subject: Re: [Zeek] Netmap support in Bro 2.6.1 That is all you should need to do. The load balancing app "lb" will make it's way into FreeBSD 13 as an add-on tool, but standard netmap should work. Raise an issue if that is not the case. -- Michael Shirk Daemon Security, Inc. https://www.daemon-security.com On Wed, Jan 23, 2019, 07:33 Carlos Lopez wrote: Hi all, What is the status of netmap's support in Bro 2.6.X under FreeBSD? Do I need to install via bro-pkg? Regards, C. L. Martinez _______________________________________________ Zeek mailing list zeek at zeek.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek From clopmz at outlook.com Wed Jan 23 05:38:53 2019 From: clopmz at outlook.com (Carlos Lopez) Date: Wed, 23 Jan 2019 13:38:53 +0000 Subject: [Zeek] Netmap support in Bro 2.6.1 In-Reply-To: References: , , Message-ID: Yep, solved ... My fault ... I have removed "lb" options from config file and all it is working now ... Sorry for the noise .,.. Regards, C. L. Martinez ________________________________________ From: Carlos Lopez Sent: 23 January 2019 14:35 To: Michael Shirk Cc: zeek at zeek.org Subject: Re: [Zeek] Netmap support in Bro 2.6.1 Thanks Michael for your answer. I have done a simple test installing Bro from pkgs, and it doesn't see any traffic: root at broserver01:/nsm/bro/logs/current # broctl capstats Error: No network interfaces suitable for use with capstats were found. 
root at broserver01:/nsm/bro/logs/current # broctl netstats worker-1-1: worker-1-2: worker-1-3: worker-1-4: worker-1-5: worker-1-6: worker-1-7: worker-1-8: worker-2-1: worker-2-2: worker-2-3: worker-2-4: worker-2-5: worker-2-6: worker-2-7: worker-2-8: And capture_loss.log: #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path capture_loss #open 2019-01-23-13-07-46 #fields ts ts_delta peer gaps acks percent_lost #types time interval string count count double 1548248866.685834 900.000060 worker-1-5 0 0 0.0 1548248866.689995 900.000024 worker-1-2 0 0 0.0 1548248866.695771 900.000226 worker-1-8 0 0 0.0 1548248866.700932 900.000009 worker-1-1 0 0 0.0 1548248866.709488 900.000045 worker-1-4 0 0 0.0 1548248866.714722 900.000015 worker-1-6 0 0 0.0 1548248866.750419 900.000134 worker-2-5 0 0 0.0 1548248866.761479 900.000238 worker-2-7 0 0 0.0 1548248866.795894 900.000048 worker-2-8 0 0 0.0 1548248866.804847 900.000026 worker-1-3 0 0 0.0 1548248866.834338 900.000073 worker-2-6 0 0 0.0 1548248866.885618 900.000056 worker-2-1 0 0 0.0 1548248866.890991 900.000224 worker-2-4 0 0 0.0 1548248866.894688 900.000009 worker-2-2 0 0 0.0 1548248866.908410 900.000005 worker-1-7 0 0 0.0 1548248866.910493 900.000029 worker-2-3 0 0 0.0 1548249766.685856 900.000022 worker-1-5 0 0 0.0 1548249766.690121 900.000126 worker-1-2 0 0 0.0 1548249766.695893 900.000122 worker-1-8 0 0 0.0 1548249766.702236 900.001304 worker-1-1 0 0 0.0 1548249766.709525 900.000037 worker-1-4 0 0 0.0 1548249766.714733 900.000011 worker-1-6 0 0 0.0 1548249766.750422 900.000003 worker-2-5 0 0 0.0 1548249766.761513 900.000034 worker-2-7 0 0 0.0 1548249766.795917 900.000023 worker-2-8 0 0 0.0 1548249766.804874 900.000027 worker-1-3 0 0 0.0 1548249766.834462 900.000124 worker-2-6 0 0 0.0 1548249766.885620 900.000002 worker-2-1 0 0 0.0 1548249766.891140 900.000149 worker-2-4 0 0 0.0 1548249766.894759 900.000071 worker-2-2 0 0 0.0 1548249766.908413 900.000003 worker-1-7 0 0 0.0 1548249766.910495 900.000002 
worker-2-3 0 0 0.0 My actual node.cfg config is: [logger] type=logger host=localhost # [manager] type=manager host=localhost # [proxy-1] type=proxy host=localhost # [worker-1] type=worker host=localhost interface=netmap::ix1 lb_method=custom lb_procs=8 # [worker-2] type=worker host=localhost interface=netmap::ix2 lb_method=custom lb_procs=8 Maybe am I doing something wrong? Regards, C. L. Martinez ________________________________________ From: Michael Shirk Sent: 23 January 2019 13:49 To: Carlos Lopez Cc: zeek at zeek.org Subject: Re: [Zeek] Netmap support in Bro 2.6.1 That is all you should need to do. The load balancing app "lb" will make it's way into FreeBSD 13 as an add-on tool, but standard netmap should work. Raise an issue if that is not the case. -- Michael Shirk Daemon Security, Inc. https://www.daemon-security.com On Wed, Jan 23, 2019, 07:33 Carlos Lopez wrote: Hi all, What is the status of netmap's support in Bro 2.6.X under FreeBSD? Do I need to install via bro-pkg? Regards, C. L. Martinez _______________________________________________ Zeek mailing list zeek at zeek.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek From shirkdog.bsd at gmail.com Wed Jan 23 05:40:27 2019 From: shirkdog.bsd at gmail.com (Michael Shirk) Date: Wed, 23 Jan 2019 08:40:27 -0500 Subject: [Zeek] Netmap support in Bro 2.6.1 In-Reply-To: References: Message-ID: Yes, there were changes to how you setup the netmap plugin from the 2.4.X days, so also raise an issue if that is not documented correctly. On Wed, Jan 23, 2019 at 8:38 AM Carlos Lopez wrote: > > Yep, solved ... My fault ... I have removed "lb" options from config file and all it is working now ... Sorry for the noise .,.. > > > > Regards, > C. L. Martinez > > > ________________________________________ > From: Carlos Lopez > Sent: 23 January 2019 14:35 > To: Michael Shirk > Cc: zeek at zeek.org > Subject: Re: [Zeek] Netmap support in Bro 2.6.1 > > Thanks Michael for your answer. 
I have done a simple test installing Bro from pkgs, and it doesn't see any traffic: > > root at broserver01:/nsm/bro/logs/current # broctl capstats > Error: No network interfaces suitable for use with capstats were found. > > root at broserver01:/nsm/bro/logs/current # broctl netstats > worker-1-1: > worker-1-2: > worker-1-3: > worker-1-4: > worker-1-5: > worker-1-6: > worker-1-7: > worker-1-8: > worker-2-1: > worker-2-2: > worker-2-3: > worker-2-4: > worker-2-5: > worker-2-6: > worker-2-7: > worker-2-8: > > And capture_loss.log: > #separator \x09 > #set_separator , > #empty_field (empty) > #unset_field - > #path capture_loss > #open 2019-01-23-13-07-46 > #fields ts ts_delta peer gaps acks percent_lost > #types time interval string count count double > 1548248866.685834 900.000060 worker-1-5 0 0 0.0 > 1548248866.689995 900.000024 worker-1-2 0 0 0.0 > 1548248866.695771 900.000226 worker-1-8 0 0 0.0 > 1548248866.700932 900.000009 worker-1-1 0 0 0.0 > 1548248866.709488 900.000045 worker-1-4 0 0 0.0 > 1548248866.714722 900.000015 worker-1-6 0 0 0.0 > 1548248866.750419 900.000134 worker-2-5 0 0 0.0 > 1548248866.761479 900.000238 worker-2-7 0 0 0.0 > 1548248866.795894 900.000048 worker-2-8 0 0 0.0 > 1548248866.804847 900.000026 worker-1-3 0 0 0.0 > 1548248866.834338 900.000073 worker-2-6 0 0 0.0 > 1548248866.885618 900.000056 worker-2-1 0 0 0.0 > 1548248866.890991 900.000224 worker-2-4 0 0 0.0 > 1548248866.894688 900.000009 worker-2-2 0 0 0.0 > 1548248866.908410 900.000005 worker-1-7 0 0 0.0 > 1548248866.910493 900.000029 worker-2-3 0 0 0.0 > 1548249766.685856 900.000022 worker-1-5 0 0 0.0 > 1548249766.690121 900.000126 worker-1-2 0 0 0.0 > 1548249766.695893 900.000122 worker-1-8 0 0 0.0 > 1548249766.702236 900.001304 worker-1-1 0 0 0.0 > 1548249766.709525 900.000037 worker-1-4 0 0 0.0 > 1548249766.714733 900.000011 worker-1-6 0 0 0.0 > 1548249766.750422 900.000003 worker-2-5 0 0 0.0 > 1548249766.761513 900.000034 worker-2-7 0 0 0.0 > 1548249766.795917 900.000023 
worker-2-8 0 0 0.0 > 1548249766.804874 900.000027 worker-1-3 0 0 0.0 > 1548249766.834462 900.000124 worker-2-6 0 0 0.0 > 1548249766.885620 900.000002 worker-2-1 0 0 0.0 > 1548249766.891140 900.000149 worker-2-4 0 0 0.0 > 1548249766.894759 900.000071 worker-2-2 0 0 0.0 > 1548249766.908413 900.000003 worker-1-7 0 0 0.0 > 1548249766.910495 900.000002 worker-2-3 0 0 0.0 > > My actual node.cfg config is: > [logger] > type=logger > host=localhost > # > [manager] > type=manager > host=localhost > # > [proxy-1] > type=proxy > host=localhost > # > [worker-1] > type=worker > host=localhost > interface=netmap::ix1 > lb_method=custom > lb_procs=8 > # > [worker-2] > type=worker > host=localhost > interface=netmap::ix2 > lb_method=custom > lb_procs=8 > > Maybe am I doing something wrong? > > > > > Regards, > C. L. Martinez > > > ________________________________________ > From: Michael Shirk > Sent: 23 January 2019 13:49 > To: Carlos Lopez > Cc: zeek at zeek.org > Subject: Re: [Zeek] Netmap support in Bro 2.6.1 > > That is all you should need to do. The load balancing app "lb" will make it's way into FreeBSD 13 as an add-on tool, but standard netmap should work. Raise an issue if that is not the case. > > > > -- > Michael Shirk > Daemon Security, Inc. > https://www.daemon-security.com > > On Wed, Jan 23, 2019, 07:33 Carlos Lopez wrote: > Hi all, > > What is the status of netmap's support in Bro 2.6.X under FreeBSD? Do I need to install via bro-pkg? > > Regards, > C. L. Martinez > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -- Michael Shirk Daemon Security, Inc. https://www.daemon-security.com From clopmz at outlook.com Wed Jan 23 06:06:03 2019 From: clopmz at outlook.com (Carlos Lopez) Date: Wed, 23 Jan 2019 14:06:03 +0000 Subject: [Zeek] Write in realtime packets captured by Bro Message-ID: Hi all, I am reading Bro's docs about how to write pcap file by Bro. 
According to docs, passing "-w" switch to bro via BroArgs options, will write a tcpdump file. That is perfect for what I am looking for, but: is it possible to rotate this tcpdump's file and remove it based on disk space and number of files? Regards, C. L. Martinez From seth at corelight.com Wed Jan 23 10:03:05 2019 From: seth at corelight.com (Seth Hall) Date: Wed, 23 Jan 2019 13:03:05 -0500 Subject: [Zeek] Write in realtime packets captured by Bro In-Reply-To: References: Message-ID: <23A81377-4BE2-4316-A4C7-1F3E48F1D74C@corelight.com> On 23 Jan 2019, at 9:06, Carlos Lopez wrote: > I am reading Bro's docs about how to write pcap file by Bro. > According to docs, passing "-w" switch to bro via BroArgs options, > will write a tcpdump file. That is perfect for what I am looking for, > but: is it possible to rotate this tcpdump's file and remove it based > on disk space and number of files? Unfortunately that hasn't been implemented yet. .Seth -- Seth Hall * Corelight, Inc * www.corelight.com From mnmblair at hotmail.com Wed Jan 23 10:03:47 2019 From: mnmblair at hotmail.com (COLIN BLAIR) Date: Wed, 23 Jan 2019 18:03:47 +0000 Subject: [Zeek] Bro 2.6.1 packet loss Message-ID: We are testing the latest release on our sensors and are seeing larger packet drops than the previous 2.5.5. We are running a local cluster with the following node.cfg: [manager] localhost [logger] localhost [proxy-1] localhost [worker-1] localhost lb_method = pf_ring lb_procs = 20 pin_cpus = 0-19 System: Xeon D-1587 16 cores, 32 logical, 1.7 Ghz 128GB DDR4 2133Mhz 8TB SSD Intel 10GBase-T X557 We are dropping traffic @ 250 Mb/s with this config. We have already tuned the BIOS, NIC and sysctl.d. Did the netstats command get updated in the latest release? We did not see this poor performance with bro 2.5.5. Can you provide any other suggestions? Also, did the pf_ring plugin get removed? R, CB -------------- next part -------------- An HTML attachment was scrubbed... 
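Both the netmap thread above (a capture_loss.log where every worker reports 0 gaps and 0 acks) and Colin's packet drops are read off the same log, and the two cases are easy to confuse because both show up as "no errors" at first glance. The script below is an added example, not code from this thread or from Zeek. It parses capture_loss.log using the file's own #fields header rather than fixed column positions, aggregates gaps and acks per worker, and separates "no TCP traffic reached the workers at all" (every peer reporting zero acks, which is what the all-zero output in the netmap thread looked like before the lb options were removed) from real loss above a threshold. Zeek derives percent_lost from TCP sequence gaps relative to the ACKs it saw, so a 0.0 with zero acks is not a healthy sensor. The sample rows are constructed; only the log format is copied from the thread.

```python
"""Read Zeek's capture_loss.log and tell "no traffic" apart from "real loss".

Added example, not code from the thread or from Zeek. It parses the ASCII
writer's own #separator/#fields header instead of hard-coding columns, so it
keeps working if the column set changes. Assumption: the input is unmodified
Zeek ASCII output (tab separated, header lines prefixed with '#').
"""
from dataclasses import dataclass


@dataclass
class PeerLoss:
    peer: str
    intervals: int      # reporting intervals seen for this worker
    gaps: int           # TCP sequence gaps (data Zeek never saw)
    acks: int           # ACKs seen, Zeek's proxy for "how much TCP traffic"

    @property
    def percent_lost(self):
        # Same ratio Zeek writes into the percent_lost column.
        return 0.0 if self.acks == 0 else 100.0 * self.gaps / self.acks


def parse_zeek_tsv(text):
    """Yield one dict per data row of a Zeek ASCII log, keyed by #fields."""
    fields = None
    sep = "\t"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Written as an escape sequence, e.g. "#separator \x09".
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, *values = line[1:].split(sep)
            if key == "fields":
                fields = values
            continue                      # #set_separator, #types, #open, ...
        if fields is None:
            raise ValueError("data row before #fields header")
        yield dict(zip(fields, line.split(sep)))


def capture_loss_by_peer(text):
    """Aggregate capture_loss.log rows per worker over all intervals."""
    peers = {}
    for row in parse_zeek_tsv(text):
        p = peers.setdefault(row["peer"], PeerLoss(row["peer"], 0, 0, 0))
        p.intervals += 1
        p.gaps += int(row["gaps"])
        p.acks += int(row["acks"])
    return peers


def diagnose(peers, loss_threshold=1.0):
    """Return (verdict, peers): 'no-traffic', 'loss' or 'ok'."""
    if peers and all(p.acks == 0 for p in peers.values()):
        # Zero ACKs on every worker: nothing reached the capture interfaces
        # (wrong interface, load balancer or plugin setup), not "0% loss".
        return "no-traffic", sorted(peers)
    lossy = sorted(p.peer for p in peers.values()
                   if p.percent_lost >= loss_threshold)
    return ("loss" if lossy else "ok"), lossy


# Constructed sample (format from the thread, values made up): two intervals
# for three workers; worker-1-2 is dropping about 5% of its traffic and
# worker-1-3 sees nothing at all.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tcapture_loss",
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost",
    "#types\ttime\tinterval\tstring\tcount\tcount\tdouble",
    "1548248866.685834\t900.000060\tworker-1-1\t12\t240000\t0.005",
    "1548248866.689995\t900.000024\tworker-1-2\t6000\t120000\t5.0",
    "1548248866.695771\t900.000226\tworker-1-3\t0\t0\t0.0",
    "1548249766.685856\t900.000022\tworker-1-1\t10\t250000\t0.004",
    "1548249766.690121\t900.000126\tworker-1-2\t6500\t130000\t5.0",
    "1548249766.695893\t900.000122\tworker-1-3\t0\t0\t0.0",
])

# Same shape as the all-zero log posted in the netmap thread (constructed).
IDLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost",
    "#types\ttime\tinterval\tstring\tcount\tcount\tdouble",
    "1548248866.685834\t900.000060\tworker-1-5\t0\t0\t0.0",
    "1548248866.689995\t900.000024\tworker-1-2\t0\t0\t0.0",
])

if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("idle", IDLE_LOG)):
        verdict, peers = diagnose(capture_loss_by_peer(log))
        print(f"{name}: {verdict} {peers}")
```

Feed it the current capture_loss.log (or a gzipped rotated one via gzip.open) from the logger; a "no-traffic" verdict across all workers means the first thing to check is broctl netstats and the interface/lb settings in node.cfg, while a "loss" verdict on a subset of workers is the packet-drop case and is the point at which pinning, ring sizes and the load balancer are worth looking at.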
From craig.edgmand at okstate.edu Wed Jan 23 10:16:25 2019
From: craig.edgmand at okstate.edu (Edgmand, Craig)
Date: Wed, 23 Jan 2019 18:16:25 +0000
Subject: [Zeek] Bro 2.6.1 packet loss
In-Reply-To: References: Message-ID:

You have to use bro-pkg manager to get the pf_ring plugin now.

From: zeek-bounces at zeek.org On Behalf Of COLIN BLAIR
Sent: Wednesday, January 23, 2019 12:04 PM
To: zeek at zeek.org
Subject: [Zeek] Bro 2.6.1 packet loss

We are testing the latest release on our sensors and are seeing larger packet drops than the previous 2.5.5. We are running a local cluster with the following node.cfg:

[manager]
localhost

[logger]
localhost

[proxy-1]
localhost

[worker-1]
localhost
lb_method = pf_ring
lb_procs = 20
pin_cpus = 0-19

System: Xeon D-1587 16 cores, 32 logical, 1.7 Ghz 128GB DDR4 2133Mhz 8TB SSD Intel 10GBase-T X557

We are dropping traffic @ 250 Mb/s with this config. We have already tuned the BIOS, NIC and sysctl.d. Did the netstats command get updated in the latest release? We did not see this poor performance with bro 2.5.5. Can you provide any other suggestions? Also, did the pf_ring plugin get removed?

R, CB

From ambros.novak.89 at gmail.com Wed Jan 23 21:01:12 2019
From: ambros.novak.89 at gmail.com (Ambros Novak)
Date: Thu, 24 Jan 2019 00:01:12 -0500
Subject: [Zeek] configuring base option default values and ftp log
Message-ID:

Hello! Two separate questions:

1) How do you configure an option in ./base/ in site/local.bro? For example "base/protocols/ftp/info.bro:11: option default_capture_password = F;" would like that to be set to T but don't want to change it in a ./base/ file.
2) I see FTP traffic in connection log but there is no ftp.log generated. Must this be turned on. 3) Lastly (and sneaky third question), I am extracting all files types. I can extract the file via HTTP but am unable to extract the same over FTP. Must this be turned on for FTP and IRC? Thank you very much for the help. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190124/bd365f05/attachment.html From seth at corelight.com Thu Jan 24 06:34:55 2019 From: seth at corelight.com (Seth Hall) Date: Thu, 24 Jan 2019 09:34:55 -0500 Subject: [Zeek] configuring base option default values and ftp log In-Reply-To: References: Message-ID: On 24 Jan 2019, at 0:01, Ambros Novak wrote: > 1) How do you configure an option in ./base/ in site/local.bro? For > example > "base/protocols/ftp/info.bro:11: option default_capture_password = F;" > would like that to be set to T but don't want to change it in a > ./base/ > file. You have two options since you seem to be using 2.6. You can use the old "redef" style in local.bro like this... redef FTP::default_capture_password = T; or you can use the new configuration framework which Johanna has described here: https://corelight.blog/2018/02/13/runtime-options-the-bro-configuration-framework/ > 2) I see FTP traffic in connection log but there is no ftp.log > generated. > Must this be turned on. Hm, no. It should be turned on by default. Feel free to paste a conn log line where you'd expect to see an FTP log but don't. > 3) Lastly (and sneaky third question), I am extracting all files > types. I > can extract the file via HTTP but am unable to extract the same over > FTP. > Must this be turned on for FTP and IRC? How are you doing the extraction for HTTP? If you'd coming at it from the Files framework then it's a very easy change. 
(there are several ways you could approach it) .Seth -- Seth Hall * Corelight, Inc * www.corelight.com From seth at corelight.com Thu Jan 24 06:37:25 2019 From: seth at corelight.com (Seth Hall) Date: Thu, 24 Jan 2019 09:37:25 -0500 Subject: [Zeek] Bro 2.6.1 packet loss In-Reply-To: References: Message-ID: <9DA37424-0242-4F4E-BCFD-99CA1034CC58@corelight.com> On 23 Jan 2019, at 13:03, COLIN BLAIR wrote: > [worker-1] > localhost > lb_method = pf_ring > lb_procs = 20 > pin_cpus = 0-19 Is this your actual configuration? I don't even see an interface to sniff, and where you've specified "localhost" seems to not have the associated configuration key. Based on your question about pf_ring too, it sounsd like you might not actually be load balancing your traffic. Are you having duplicate logs? .Seth -- Seth Hall * Corelight, Inc * www.corelight.com From dheeraj.gupta4 at gmail.com Fri Jan 25 00:27:08 2019 From: dheeraj.gupta4 at gmail.com (Dheeraj Gupta) Date: Fri, 25 Jan 2019 13:57:08 +0530 Subject: [Zeek] Fwd: DNS log records do not have total_answers, total_queries, saw_reply and saw_query fields In-Reply-To: References: Message-ID: Hi, I am running Bro/Zeek v 2.6.1. The fields logged in DNS logs are different from the ones shown in official docs (DNS::Info seen at https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.bro.html#type-DNS::Info). Concretely, the last four fields (total_answers, total_queries, saw_query and saw_reply) fields are never part of the logs. This behaviour was seen in previous versions of Bro/Zeek as well (atleast from v.2.4). I looked at the dns/main.bro script and can't figure out why this is happening. Any ideas are greatly appreciated. Regards, Dheeraj -------------- next part -------------- An HTML attachment was scrubbed... 
From jsiwek at corelight.com Fri Jan 25 08:44:59 2019
From: jsiwek at corelight.com (Jon Siwek)
Date: Fri, 25 Jan 2019 10:44:59 -0600
Subject: [Zeek] Fwd: DNS log records do not have total_answers, total_queries, saw_reply and saw_query fields

On Fri, Jan 25, 2019 at 2:36 AM Dheeraj Gupta wrote:

> The fields logged in DNS logs are different from the ones shown in official docs (DNS::Info seen at https://docs.zeek.org/en/stable/scripts/base/protocols/dns/main.bro.html#type-DNS::Info). Concretely, the last four fields (total_answers, total_queries, saw_query and saw_reply) are never part of the logs.

The logs contain only fields with the &log attribute. Those fields do not have &log, so they are not in the logs.

- Jon

From dheeraj.gupta4 at gmail.com Fri Jan 25 08:47:22 2019
From: dheeraj.gupta4 at gmail.com (Dheeraj Gupta)
Date: Fri, 25 Jan 2019 22:17:22 +0530
Subject: [Zeek] DNS log records do not have total_answers, total_queries, saw_reply and saw_query fields

Ah, thanks for pointing it out. I didn't know about the &log attribute.

On Fri 25 Jan, 2019, 22:15 Jon Siwek, wrote:

> The logs contain only fields with the &log attribute. Those fields do
> not have &log, so they are not in the logs.
>
> - Jon
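An added example (not from the thread or the Zeek distribution) of what Jon's point means in practice, assuming Zeek 2.6: DNS::Info keeps total_answers, saw_query and saw_reply without &log, so Log::write() skips them; a redef can add &log fields of your own and fill them from a dns_end handler that runs before the base DNS script logs and deletes the record (that the base script does so from dns_end at a negative priority is an assumption about the 2.6 scripts). The field names n_answers and complete are made up for this example.

```zeek
# Added example, not from the thread or the Zeek distribution.
# Only record fields carrying &log are emitted by Log::write(); the DNS
# bookkeeping fields total_answers / saw_query / saw_reply have no &log,
# which is why they never appear in dns.log. Rather than editing the
# base script, extend DNS::Info with logged copies of those values.
@load base/protocols/dns

redef record DNS::Info += {
	## Logged copy of the unlogged total_answers counter.
	n_answers: count &log &optional;
	## T once both the query and its reply have been seen (saw_query && saw_reply).
	complete:  bool  &log &default=F;
};

# Assumption about Zeek 2.6: base/protocols/dns writes and deletes c$dns
# from a dns_end handler at &priority=-5, so a handler at a higher
# priority still sees the fully populated record before it is logged.
event dns_end(c: connection, msg: dns_msg) &priority=5
	{
	if ( ! c?$dns )
		return;

	# total_answers is not guaranteed to be set for every message.
	if ( c$dns?$total_answers )
		c$dns$n_answers = c$dns$total_answers;

	c$dns$complete = c$dns$saw_query && c$dns$saw_reply;
	}
```

Running this alongside the default scripts (e.g. bro -r some.pcap this-script.bro) appends the two new columns to dns.log, while total_answers itself still does not appear because it still has no &log.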
From clopmz at outlook.com Sat Jan 26 05:01:05 2019
From: clopmz at outlook.com (Carlos Lopez)
Date: Sat, 26 Jan 2019 13:01:05 +0000
Subject: [Zeek] Segmentation fault in one node of the cluster
Message-ID: <9F679C76-3757-44AE-A3A2-D2D224725A5D@outlook.com>

Hi all,

As a test lab I have installed a Zeek cluster with one manager and two workers. All works ok for the manager and one node, but in the other node the following error appears every time I try to start it:

    /opt/bro/share/broctl/scripts/run-bro: line 110: 52802 Segmentation fault      nohup "$mybro" "$@"

Commands like "bro -b -i lo0" or "bro -I em0" don't return any error ... Any idea?

Regards,
C. L. Martinez

From clopmz at outlook.com Sat Jan 26 05:37:08 2019
From: clopmz at outlook.com (Carlos Lopez)
Date: Sat, 26 Jan 2019 13:37:08 +0000
Subject: [Zeek] Segmentation fault in one node of the cluster (SOLVED)
Message-ID: <57E531B7-C190-4C2D-8150-925EB8A827BF@outlook.com>

Solved, my mistake ... the /etc/bro dir, where I store all configuration, doesn't exist in this worker node ...

Regards,
C. L. Martinez

From lalithab.work at gmail.com Sat Jan 26 22:39:59 2019
From: lalithab.work at gmail.com (Lalitha B)
Date: Sun, 27 Jan 2019 00:39:59 -0600
Subject: [Zeek] Help with Docker Bro
Message-ID: <24BC5E08-5975-4522-97E0-3FD2F08C7AF0@gmail.com>

Hello all,

Has anyone worked with this Docker Bro? I have installed the dpisano/docker-bro image and run the image using the docker run command. Broctl shows the status of the bro node as crashed. The broctl diag does not give any error indication (except "core not found, install gdb for backtrace"). Any pointers on where help can be found on docker bros, maybe any other docker bro image?

Thanks,
Lalitha

From clopmz at outlook.com Mon Jan 28 11:16:54 2019
From: clopmz at outlook.com (Carlos Lopez)
Date: Mon, 28 Jan 2019 19:16:54 +0000
Subject: [Zeek] Using af_packet in a host with two nics
Message-ID: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com>

Hi all,

Is it not possible to start a Zeek worker with two network interfaces using AF_Packet for data acquisition? I have tried using the following config:

    [prod-ids]
    type=worker
    host=172.22.58.2
    interface=af_packet::eth2
    #
    [dmz-ids]
    type=worker
    host=172.22.58.2
    interface=af_packet::eth3

... But it fails. And I have tried using interface='af_packet::eth2 -i af_packet::eth3' and it doesn't work either ... So, is it not possible to use af_packet to sniff two nics?

I am using Zeek 2.6.1 with the af_packet plugin installed.

Regards,
C. L. Martinez

From michalpurzynski1 at gmail.com Mon Jan 28 12:48:38 2019
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Mon, 28 Jan 2019 12:48:38 -0800
Subject: [Zeek] Using af_packet in a host with two nics
In-Reply-To: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com>
References: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com>

It is, unfortunately, impossible to tell without you telling us how it failed and what the error messages were. I will take a wild guess - you need to specify a different cluster ID for each card.

The original code is here:

https://github.com/J-Gras/bro-af_packet-plugin

And it tells how to do that with

    af_packet_fanout_id=23

From clopmz at outlook.com Mon Jan 28 23:33:10 2019
From: clopmz at outlook.com (Carlos Lopez)
Date: Tue, 29 Jan 2019 07:33:10 +0000
Subject: [Zeek] Using af_packet in a host with two nics
References: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com>

Thanks Michal. The error is "Invalid argument" ... But what is "af_packet_fanout_id"? Is it a random value?

Regards,
C. L. Martinez

From jan.grashoefer at gmail.com Tue Jan 29 02:11:39 2019
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Tue, 29 Jan 2019 11:11:39 +0100
Subject: [Zeek] Using af_packet in a host with two nics
References: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com>

On 29/01/2019 08:33, Carlos Lopez wrote:
> Thanks Michal. The error is "Invalid argument" ... But what is "af_packet_fanout_id"? Is it a random value?

From the man page (http://man7.org/linux/man-pages/man7/packet.7.html):

> To scale processing across threads, packet sockets can form a
> fanout group. In this mode, each matching packet is enqueued
> onto only one socket in the group. A socket joins a fanout
> group by calling setsockopt(2) with level SOL_PACKET and
> option PACKET_FANOUT. Each network namespace can have up to
> 65536 independent groups. A socket selects a group by encoding
> the ID in the first 16 bits of the integer option value.
> The first packet socket to join a group implicitly creates it.
> To successfully join an existing group, subsequent packet
> sockets must have the same protocol, device settings, fanout
> mode and flags (see below). Packet sockets can leave a fanout
> group only by closing the socket. The group is deleted when
> the last socket is closed.

So as Michal suggested, you want to configure different fanout IDs for both workers to support different NICs.

Jan

From michalpurzynski1 at gmail.com Tue Jan 29 02:18:54 2019
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Tue, 29 Jan 2019 02:18:54 -0800
Subject: [Zeek] Using af_packet in a host with two nics
References: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com>
Message-ID: <5199CF0B-6D24-42BC-8322-6EBF66E51016@gmail.com>

That looks like a cluster ID collision, fairly typical for a multi NIC setup.

Cluster ID is the common identifier of all sockets that the stream is load balanced across. If two processes read packets from the same NIC and traffic is load balanced between them, they share the cluster ID. Simplification, but a proper explanation needs a diagram.

Basically traffic is sent to each cluster and shared between all processes in the cluster. Two NICs - two cluster IDs.

Do you happen to have other NSM running as well, like Suricata, on the same host? The ID would have to be different.

Also - does your bro have CAP_NET_RAW?

From clopmz at outlook.com Tue Jan 29 02:58:25 2019
From: clopmz at outlook.com (Carlos Lopez)
Date: Tue, 29 Jan 2019 10:58:25 +0000
Subject: [Zeek] Using af_packet in a host with two nics
References: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com>

Perfect, many thanks Jan.

Regards,
C. L. Martinez

From hosom at battelle.org Tue Jan 29 05:32:13 2019
From: hosom at battelle.org (Hosom, Stephen M)
Date: Tue, 29 Jan 2019 13:32:13 +0000
Subject: [Zeek] Help with Docker Bro
In-Reply-To: <24BC5E08-5975-4522-97E0-3FD2F08C7AF0@gmail.com>
References: <24BC5E08-5975-4522-97E0-3FD2F08C7AF0@gmail.com>

This Docker image looks like it was built before some patches went in to fix some bugs that Zeek had in Alpine. You'll probably have to build your own Docker image, since I'm not aware of one that includes those fixes.

From mnmblair at hotmail.com Tue Jan 29 08:10:00 2019
From: mnmblair at hotmail.com (COLIN BLAIR)
Date: Tue, 29 Jan 2019 16:10:00 +0000
Subject: [Zeek] Bro 2.6.1 packet loss

Hi Seth,

Thank you for the response. It is my configuration. eth0 is the capture interface. I figured out the issue based on your duplicate log question. In node.cfg, when using lb_method=pf_ring, I believe the cluster ID is supposed to be automatically assigned. If you look at the output of "broctl config" it shows pfringclusterid = 21, however, that is not the case. I had to explicitly assign the cluster ID in broctl.cfg like this:

    pfringclusterid = 21

This might be good to include in the documentation here:
https://www.zeek.org/documentation/load-balancing.html

Thanks again,
CB

________________________________
From: COLIN BLAIR
Sent: Wednesday, January 23, 2019 1:03 PM
To: zeek at zeek.org
Subject: Bro 2.6.1 packet loss

We are testing the latest release on our sensors and are seeing larger packet drops than the previous 2.5.5. We are running a local cluster with the following node.cfg:

    [manager]
    localhost

    [logger]
    localhost

    [proxy-1]
    localhost

    [worker-1]
    localhost
    lb_method = pf_ring
    lb_procs = 20
    pin_cpus = 0-19

System:
Xeon D-1587 16 cores, 32 logical, 1.7 Ghz
128GB DDR4 2133Mhz
8TB SSD
Intel 10GBase-T X557

We are dropping traffic @ 250 Mb/s with this config. We have already tuned the BIOS, NIC and sysctl.d.
Did the netstats command get updated in the latest release? We did not see this poor performance with bro 2.5.5. Can you provide any other suggestions? Also, did the pf_ring plugin get removed?

R,
CB

From clopmz at outlook.com Tue Jan 29 10:18:03 2019
From: clopmz at outlook.com (Carlos Lopez)
Date: Tue, 29 Jan 2019 18:18:03 +0000
Subject: [Zeek] Using af_packet in a host with two nics
References: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com>
Message-ID: <870F3913-E55A-4C92-8F28-9DD9C7A7AC7F@outlook.com>

Uhmm ... I have changed my config to:

    [prod-ids]
    type=worker
    host=172.22.58.2
    interface=af_packet::eth2
    af_packet_fanout_id=5
    #
    [dmz-ids]
    type=worker
    host=172.22.58.2
    interface=af_packet::eth3
    af_packet_fanout_id=10

But it doesn't work. The error is:

    fatal error: problem with interface af_packet::eth2 (Invalid argument)

Regards,
C. L. Martinez

From pmurphy+bro at nrao.edu Tue Jan 29 10:44:59 2019
From: pmurphy+bro at nrao.edu (Patrick P Murphy)
Date: Tue, 29 Jan 2019 13:44:59 -0500
Subject: [Zeek] Using af_packet in a host with two nics
References: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com> <870F3913-E55A-4C92-8F28-9DD9C7A7AC7F@outlook.com>

Carlos Lopez writes:

CL> Uhmm ... I have changed my config to:
CL> [prod-ids]
CL> type=worker
CL> host=172.22.58.2
CL> interface=af_packet::eth2
CL> af_packet_fanout_id=5
CL> #
CL> [dmz-ids]
CL> type=worker
CL> host=172.22.58.2
CL> interface=af_packet::eth3
CL> af_packet_fanout_id=10

This may be a totally dumb/naive question, but... why do the interfaces have the same IP address?

- Pat

--
Patrick P. Murphy, Ph.D.   https://www.nrao.edu/~pmurphy/
Info Services Site Manager NRAO Information Security Officer

From clopmz at outlook.com Tue Jan 29 11:09:41 2019
From: clopmz at outlook.com (Carlos Lopez)
Date: Tue, 29 Jan 2019 19:09:41 +0000
Subject: [Zeek] Using af_packet in a host with two nics
In-Reply-To: <23632.40209.560085.15826@lunasa.cv.nrao.edu>
References: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com> <870F3913-E55A-4C92-8F28-9DD9C7A7AC7F@outlook.com> <23632.40209.560085.15826@lunasa.cv.nrao.edu>

On 29/01/2019, 19:37, "Patrick P Murphy" wrote:

    This may be a totally dumb/naive question, but... why do the interfaces have the same IP address?

Because this host has two network interfaces ....

From pmurphy+bro at nrao.edu Tue Jan 29 12:36:27 2019
From: pmurphy+bro at nrao.edu (Patrick P Murphy)
Date: Tue, 29 Jan 2019 15:36:27 -0500
Subject: [Zeek] Using af_packet in a host with two nics
References: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com> <870F3913-E55A-4C92-8F28-9DD9C7A7AC7F@outlook.com> <23632.40209.560085.15826@lunasa.cv.nrao.edu>
Message-ID: <23632.47435.30867.226904@lunasa.cv.nrao.edu>

On Tue, 29 Jan 2019 19:09:41 +0000, Carlos Lopez said:

PM> This may be a totally dumb/naive question, but... why do the
PM> interfaces have the same IP address?

CL> Because this host has two network interfaces ....

I have many such boxes (for other purposes). Each interface has a unique IP address, and associated hostnames, e.g.,

    polaris      for XXX.XXX.115.101 on interface em1
    polaris-10g  for YYY.YYY.3.13    on interface p5p1

Even if the two interfaces are on the same VLAN (they are not in my example) I would think you want separate IP addresses for them.

- Pat

--
Patrick P. Murphy, Ph.D.   https://www.nrao.edu/~pmurphy/
Info Services Site Manager NRAO Information Security Officer

From michalpurzynski1 at gmail.com Tue Jan 29 18:48:10 2019
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Tue, 29 Jan 2019 18:48:10 -0800
Subject: [Zeek] Using af_packet in a host with two nics
In-Reply-To: <23632.47435.30867.226904@lunasa.cv.nrao.edu>
References: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com> <870F3913-E55A-4C92-8F28-9DD9C7A7AC7F@outlook.com> <23632.40209.560085.15826@lunasa.cv.nrao.edu> <23632.47435.30867.226904@lunasa.cv.nrao.edu>
Message-ID: <0A8CB9E7-30C6-4733-9BAE-4EE37B1C6E76@gmail.com>

The IP layer has nothing to do with it. Capture takes place way lower.

Are you running as root or a user? Is there something else capturing packets? Have you tried with one card?

From kazanbarbaros8 at gmail.com Tue Jan 29 23:20:15 2019
From: kazanbarbaros8 at gmail.com (Barbaros Kazan)
Date: Wed, 30 Jan 2019 10:20:15 +0300
Subject: [Zeek] Compiling bro scripts

Hello all

How to compile bro scripts? Hilti? Can we use hilti compiled llvm bitcode?

From ipninichuck at gmail.com Tue Jan 29 23:50:20 2019
From: ipninichuck at gmail.com (ivan ninichuck)
Date: Tue, 29 Jan 2019 23:50:20 -0800
Subject: [Zeek] Help with Docker Bro
References: <24BC5E08-5975-4522-97E0-3FD2F08C7AF0@gmail.com>

Has anyone used https://github.com/blacktop/docker-bro? I am also looking at a project that will require a zeek docker image. Wasn't sure if the blacktop one would work well enough, or might also be quite out of date. Any opinions would help.

From daniel.guerra69 at gmail.com Wed Jan 30 00:10:25 2019
From: daniel.guerra69 at gmail.com (Daniel Guerra)
Date: Wed, 30 Jan 2019 09:10:25 +0100
Subject: [Zeek] Help with Docker Bro
References: <24BC5E08-5975-4522-97E0-3FD2F08C7AF0@gmail.com>
Message-ID: <4c31b1e2-8436-0c24-4b11-46a3a2ba35a9@gmail.com>

Hi,

The blacktop images work very well. For zeek check
https://github.com/blacktop/docker-zeek

Regards,
Daniel

From clopmz at outlook.com Wed Jan 30 02:12:01 2019
From: clopmz at outlook.com (Carlos Lopez)
Date: Wed, 30 Jan 2019 10:12:01 +0000
Subject: [Zeek] Using af_packet in a host with two nics
In-Reply-To: <0A8CB9E7-30C6-4733-9BAE-4EE37B1C6E76@gmail.com>
References: <656A869F-BBB9-478A-8D4F-152EA1382D78@outlook.com> <870F3913-E55A-4C92-8F28-9DD9C7A7AC7F@outlook.com> <23632.40209.560085.15826@lunasa.cv.nrao.edu> <23632.47435.30867.226904@lunasa.cv.nrao.edu> <0A8CB9E7-30C6-4733-9BAE-4EE37B1C6E76@gmail.com>

Hi all,

I don't think I've made myself clear. This host has three network interfaces: an interface for management with an assigned IP address and two interfaces for sniffing ..

Regards,
C. L. Martinez

From robin at corelight.com Wed Jan 30 07:44:43 2019
From: robin at corelight.com (Robin Sommer)
Date: Wed, 30 Jan 2019 07:44:43 -0800
Subject: [Zeek] Compiling bro scripts
Message-ID: <20190130154443.GB2910@corelight.com>

On Wed, Jan 30, 2019 at 10:20 +0300, Barbaros Kazan wrote:

> How to compile bro scripts?
> Hilti? Can we use hilti compiled llvm bitcode?

There's a proof-of-concept for script compilation to LLVM via HILTI. It works (!), however it's nothing for production, and no longer maintained. We might bring this back as HILTI matures, but hard to say right now. HILTI is going through a redesign currently, and getting Spicy ready on top of it is the immediate focus.

Robin

--
Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com