[Zeek] New Analyzer

TQ nothinrandom at gmail.com
Wed Jul 10 15:51:27 PDT 2019


Hi Aaron,

Silly question, but did you tell it to listen to port 47808 in your
main.zeek script?  Probably something like this:

## define listening ports
const ports = { 47808/udp };
redef likely_server_ports += { ports };

I do have a working analyzer and could walk you through if you could share
what you have so far.

Thanks,

On Wed, Jul 10, 2019 at 12:00 PM <zeek-request at zeek.org> wrote:

>
> Today's Topics:
>
>    1. New Analyzer (Aaron Heller)
>    2. R:  New Analyzer (Palumbo Mauro)
>    3. Re: Issues with Intel::FILE_NAME not working. (Jan Grashöfer)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 9 Jul 2019 21:44:35 -0400
> From: Aaron Heller <deltah24 at gmail.com>
> Subject: [Zeek] New Analyzer
> To: zeek at zeek.org
> Message-ID: <CABepR1fBc3SXZ9FjRc3n4HZy=w+bgHsVk9oKG8qk7QC9s+h6Dg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi everyone,
> I'm working on a BACnet protocol analyzer for Zeek and am having problems
> getting the analyzer to fire.  I've been working with Zeek version 2.6.2
> and the analyzer was created using binpac_quickstart.
>
> BACnet is a UDP based building automation and control protocol (think
> furnaces, security/access systems, lighting, etc.).
>
> Not sure what info would be most helpful, if anyone is willing to lend some
> insight as to why the analyzer isn't firing off? The analyzer is supposed to
> be signature based and bro -N shows it as built-in and active.  If bro -s
> option is used to specify the signature file then the analyzer will fire
> off appropriately, but I'm looking for it to auto-magically be included in
> the UDP analyzer tree.
>
> Greatly appreciate any help or thought for where to look first,
> Aaron
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 10 Jul 2019 07:30:18 +0000
> From: Palumbo Mauro <mauro.palumbo at aizoon.it>
> Subject: [Zeek] R:  New Analyzer
> To: Aaron Heller <deltah24 at gmail.com>, "zeek at zeek.org" <zeek at zeek.org>
> Message-ID: <4f87e95ceddc4eee8b2951225fb61a86 at SRVEX03.aizoon.local>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Aaron,
>    not sure what you have done so far, but maybe you are missing something
> on the script side?
>
> To activate signature recognition for analyzers, you must write a script
> with the proper signature (usually called dpd.sig) and load it (usually
> with @load-sigs ./dpd.sig in the main.zeek script for the analyzer).
>
> Have a look at the script side of some other analyzers to see some
> examples.
>
> Mauro
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 10 Jul 2019 12:03:36 +0200
> From: Jan Grashöfer <jan.grashoefer at gmail.com>
> Subject: Re: [Zeek] Issues with Intel::FILE_NAME not working.
> To: zeek at zeek.org
> Message-ID: <29e7d9b3-c68f-f959-0485-85f952532183 at gmail.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> Hi William,
>
> the script seen/file-names.zeek [1] defines how file names are reported
> to the intel framework. To match, the indicator has to be identical to
> f$info$filename.
>
> Jan
>
> [1] https://github.com/zeek/zeek/blob/master/scripts/policy/frameworks/intel/seen/file-names.zeek
>
> On 09/07/2019 20:27, William Dieterich wrote:
> > Using the Intel Framework I cannot get Intel::FILE_NAME to fire.  It
> > is working with any other type so my script and read file is good.
> >
> > I am loading the following scripts
> >
> > Policy/frameworks/intel/seen
> > policy/frameworks/intel/do_notice
> > frameworks/file/hash-all-files.bro
> > base/frameworks/intel/files.bro
> >
> > Loading hash-all-files.bro is there so that Intel::FILE_HASH works, is
> > there a better way?
> >
> > I am taking filenames from both my files.log and http.log files so I
> > know the files exist.  I am getting no errors in recorder.log and am
> > running from the command line and no errors are there.  Any ideas on
> > what I am doing wrong?
>
>
> ------------------------------
>
>
>
> End of Zeek Digest, Vol 159, Issue 8
> ************************************
>

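Putting TQ's port registration and Mauro's dpd.sig advice together, here is an added example of the complete script side for such an analyzer; it is not code from the thread or from binpac_quickstart. It assumes the analyzer is named BACNET (so its tag is Analyzer::ANALYZER_BACNET), that main.zeek and dpd.sig sit in the same scripts directory, and Zeek 3.x event naming (zeek_init; on 2.6 the event is bro_init). The signature keys on the BVLC type byte 0x81 that begins every BACnet/IP datagram.

```zeek
# --- scripts/main.zeek (assumed analyzer name: BACNET) ---
module BACnet;

# Load the DPD signature that sits next to this script. Without this line
# the analyzer is built and shows as active in -N, but it is only attached
# to connections when the signature file is passed explicitly with -s.
@load-sigs ./dpd.sig

export {
    ## Well-known BACnet/IP port; other ports are still covered by the signature.
    const ports = { 47808/udp } &redef;
}

# Marking the port as a likely server port helps direction guessing, but it
# does not by itself bind the analyzer; register_for_ports does that.
redef likely_server_ports += { ports };

event zeek_init() &priority=5
    {
    # Analyzer::ANALYZER_BACNET is the tag binpac_quickstart would generate
    # for an analyzer named BACNET (assumption, not taken from the thread).
    Analyzer::register_for_ports(Analyzer::ANALYZER_BACNET, ports);
    }

# --- scripts/dpd.sig ---
# Matches BACnet/IP on any UDP port: every BVLC header starts with 0x81.
# The "enable" name is the analyzer name in lower case, so "bacnet" here.
signature dpd_bacnet_udp {
    ip-proto == udp
    payload /^\x81/
    enable "bacnet"
}
```

With both files in place, traffic on 47808/udp is handed to the analyzer directly and BACnet/IP on any other UDP port is picked up by the signature, so no -s option is needed.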

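For Jan's point about Intel::FILE_NAME, an added example (not from the thread) that inserts a constructed indicator from script and reports matches; the indicator string must equal f$info$filename exactly, which is what seen/file-names.zeek hands to the framework.

```zeek
# Added example; the indicator value and source are constructed.
@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice

event zeek_init()
    {
    # Inserted in script so the example is self-contained; in production
    # the same line would live in a file listed in Intel::read_files.
    # "invoice.exe" must match f$info$filename byte for byte.
    Intel::insert([$indicator="invoice.exe",
                   $indicator_type=Intel::FILE_NAME,
                   $meta=[$source="constructed-example",
                          $desc="file name from a constructed sample",
                          $do_notice=T]]);
    }

# Raised by the framework for every indicator hit; filter to file names
# so the handler shows exactly which filename seen/file-names.zeek reported.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    if ( s?$indicator_type && s$indicator_type == Intel::FILE_NAME )
        print fmt("FILE_NAME hit on %s (where=%s)", s$indicator, s$where);
    }
```

If a name from files.log never matches, compare it against the indicator with the same whitespace and case; a trailing path component or differing case in the intel file is enough to miss.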