[Zeek] Zeek Digest, Vol 159, Issue 9

Aaron Heller deltah24 at gmail.com
Wed Jul 10 17:46:56 PDT 2019


Hi TQ,
Thanks for the thoughts.

I tried as you suggested, but nothing changed when specifying 47808/udp.
Below is what's in the main.bro file - any thoughts are welcome and
appreciated.

Also - what's best practice for this mailing list when a conversation gets
multiple threads going (you, Mauro, and Justin have all offered help)?
Keep everyone's thoughts/replies in one thread or break out into direct
emails?

Aaron
---------------------------------------------------------------------------------------------------------------------

##! Implements base functionality for bacnet analysis.
##! Generates the Bacnet.log file.

# Generated by binpac_quickstart

module Bacnet;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ## Timestamp for when the event happened.
        ts:     time    &log;
        ## Unique ID for the connection.
        uid:    string  &log;
        ## The connection's 4-tuple of endpoint addresses/ports.
        id:     conn_id &log;

        # ## TODO: Add other fields here that you'd like to log.
    };

    ## Event that can be handled to access the bacnet record as it is sent on
    ## to the logging framework.
    global log_bacnet: event(rec: Info);
}

# Debug print moved out of the export block: only declarations (type, global,
# const, redef, ...) may appear inside export {}; a statement there is a parse
# error. At file scope it runs once when the script is loaded.
print "Export statement!";

# TODO: The recommended method to do dynamic protocol detection
# (DPD) is with the signatures in dpd.sig. If you can't come up
# with any signatures, then you can do port-based detection by
# uncommenting the following and specifying the port(s):

#################################################################################################################
#
# Per your suggestion, I modified and uncommented the following 2 lines and
# tried running again, along with uncommenting the
# "Analyzer::register_for_ports(Analyzer::ANALYZER_BACNET, ports);" line.
# No joy. :(
#
#################################################################################################################

# const ports = { 47808/udp };
# redef likely_server_ports += { ports };

event bro_init() &priority=5
    {
    Log::create_stream(Bacnet::LOG, [$columns=Info, $ev=log_bacnet, $path="bacnet"]);

    print "Init Statement";

    # TODO: If you're using port-based DPD, uncomment this.
    # Analyzer::register_for_ports(Analyzer::ANALYZER_BACNET, ports);
    }

event bacnet_ethernet_BVLC_Result(c: connection, BVLC_Type: count, BVLC_Function: count)
    {
    local info: Info;
    info$ts  = network_time();
    info$uid = c$uid;
    info$id  = c$id;

    print "Result seen! ", BVLC_Function;

    Log::write(Bacnet::LOG, info);
    }

On Wed, Jul 10, 2019 at 8:08 PM <zeek-request at zeek.org> wrote:

> Send Zeek mailing list submissions to
>         zeek at zeek.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> or, via email, send a message with subject or body 'help' to
>         zeek-request at zeek.org
>
> You can reach the person managing the list at
>         zeek-owner at zeek.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Zeek digest..."
>
>
> Today's Topics:
>
>    1. Re: New Analyzer (TQ)
>    2. Re: New Analyzer (Aaron Heller)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 10 Jul 2019 15:51:27 -0700
> From: TQ <nothinrandom at gmail.com>
> Subject: Re: [Zeek] New Analyzer
> To: zeek <zeek at zeek.org>
> Message-ID:
>         <CAM2MKSr+g27Cu56UPea+4g0Cz5PbiUPc1Fd=
> YGhp0mcnTB3oBg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Aaron,
>
> Silly question, but did you tell it to listen to port 47808 in your
> main.zeek script?  Probably something like this:
>
> ## define listening ports
> const ports = { 47808/udp };
> redef likely_server_ports += { ports };
>
> I do have a working analyzer and could walk you through if you could share
> what you have so far.
>
> Thanks,
>
> On Wed, Jul 10, 2019 at 12:00 PM <zeek-request at zeek.org> wrote:
>
> > Send Zeek mailing list submissions to
> >         zeek at zeek.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >         http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> > or, via email, send a message with subject or body 'help' to
> >         zeek-request at zeek.org
> >
> > You can reach the person managing the list at
> >         zeek-owner at zeek.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Zeek digest..."
> >
> >
> > Today's Topics:
> >
> >    1. New Analyzer (Aaron Heller)
> >    2. R:  New Analyzer (Palumbo Mauro)
> >    3. Re: Issues with Intel::FILE_NAME not working. (Jan Grashöfer)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Tue, 9 Jul 2019 21:44:35 -0400
> > From: Aaron Heller <deltah24 at gmail.com>
> > Subject: [Zeek] New Analyzer
> > To: zeek at zeek.org
> > Message-ID:
> >         <CABepR1fBc3SXZ9FjRc3n4HZy=
> > w+bgHsVk9oKG8qk7QC9s+h6Dg at mail.gmail.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> >  Hi everyone,
> > I'm working on a BACnet protocol analyzer for Zeek and am having problems
> > getting the analyzer to fire.  I've been working with Zeek version 2.6.2
> > and the analyzer was created using binpac_quickstart.
> >
> > BACnet is a UDP based building automation and control protocol (think
> > furnaces, security/access systems, lighting, etc.).
> >
> > Not sure what info would be most helpful, if anyone is willing to lend some
> > insight as to why the analyzer isn't firing off? The analyzer is supposed to
> > be signature based and bro -N shows it as built-in and active.  If bro -s
> > option is used to specify the signature file then the analyzer will fire
> > off appropriately, but I'm looking for it to auto-magically be included in
> > the UDP analyzer tree.
> >
> > Greatly appreciate any help or thought for where to look first,
> > Aaron
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Wed, 10 Jul 2019 07:30:18 +0000
> > From: Palumbo Mauro <mauro.palumbo at aizoon.it>
> > Subject: [Zeek] R:  New Analyzer
> > To: Aaron Heller <deltah24 at gmail.com>, "zeek at zeek.org" <zeek at zeek.org>
> > Message-ID: <4f87e95ceddc4eee8b2951225fb61a86 at SRVEX03.aizoon.local>
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi Aaron,
> >    not sure what you have done so far, but maybe you are missing
> something
> > on the script side?
> >
> > To activate signature recognition for analyzers, you must write a script
> > with the proper signature (usually called dpd.sig) and load it (usually
> > with @load-sigs ./dpd.sig in the main.zeek script for the analyzer).
> >
> > Have a look at the script side of some other analyzers to see some
> > examples.
> >
> > Mauro
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Wed, 10 Jul 2019 12:03:36 +0200
> > From: Jan Grashöfer <jan.grashoefer at gmail.com>
> > Subject: Re: [Zeek] Issues with Intel::FILE_NAME not working.
> > To: zeek at zeek.org
> > Message-ID: <29e7d9b3-c68f-f959-0485-85f952532183 at gmail.com>
> > Content-Type: text/plain; charset=utf-8; format=flowed
> >
> > Hi William,
> >
> > the script seen/file-names.zeek [1] defines how file names are reported
> > to the intel framework. To match, the indicator has to be identical to
> > f$info$filename.
> >
> > Jan
> >
> > [1]
> >
> >
> https://github.com/zeek/zeek/blob/master/scripts/policy/frameworks/intel/seen/file-names.zeek
> >
> > On 09/07/2019 20:27, William Dieterich wrote:
> > > Using the Intel Framework I cannot get Intel::FILE_NAME to fire.  It
> > > is working with any other type so my script and read file is good.
> > >
> > > I am loading the following scripts
> > >
> > > Policy/frameworks/intel/seen
> > > policy/frameworks/intel/do_notice
> > > frameworks/file/hash-all-files.bro
> > > base/frameworks/intel/files.bro
> > >
> > > Loading hash-all-files.bro is there so that Intel::FILE_HASH works, is
> > > there a better way?
> > >
> > > I am taking filenames from both my files.log and http.log files so I
> > > know the files exist.  I am getting no errors in recorder.log and am
> > > running from the command line and no errors are there.  Any ideas on
> > > what I am doing wrong?
> > > _______________________________________________
> > > Zeek mailing list
> > > zeek at zeek.org
> > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> > >
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > Zeek mailing list
> > Zeek at zeek.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> >
> >
> > End of Zeek Digest, Vol 159, Issue 8
> > ************************************
> >
>
> ------------------------------
>
> Message: 2
> Date: Wed, 10 Jul 2019 20:07:45 -0400
> From: Aaron Heller <deltah24 at gmail.com>
> Subject: Re: [Zeek] New Analyzer
> To: Palumbo Mauro <mauro.palumbo at aizoon.it>
> Cc: "zeek at zeek.org" <zeek at zeek.org>
> Message-ID:
>         <CABepR1c1Nfyx7xOETHChGUmjqHKAGrYVHu1wPObKVA=
> a9MWjOQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Mauro,
> Thanks much for the idea/insight.
>
> I didn't have a @load-sigs line in the main.bro script, but there is one in
> the __load__.bro file.  It looks consistent with the other protocols that
> appear to be signature based (dnp3, ftp, pop3, etc.).  I tried adding the
> @load-sigs ./dpd.sig line to the main.bro script but still no joy.  Any
> other thoughts?
>
> I didn't think to include it in the original email, but when zeek is run
> with the -s option and a signature file is specified, the 'C' portion of
> the analyzer fires off (i.e., the
> ../zeek/src/analyzers/protocol/bacnet/bacnet.cc, Plugin.cc, and
> events.bif), but the script side that should generate a log file does not
> (../zeek/scripts/base/protocols/bacnet/main.bro, __load__.bro, and
> dpd.sig).  Maybe that and the analyzer not automatically firing off
> indicates an issue with the bacnet script not being called appropriately?
> I'm grasping at straws, so any thoughts are greatly appreciated!
>
>
> Thanks again,
> Aaron
>
> On Wed, Jul 10, 2019 at 3:30 AM Palumbo Mauro <mauro.palumbo at aizoon.it>
> wrote:
>
> > Hi Aaron,
> >
> >    not sure what you have done so far, but maybe you are missing something
> > on the script side?
> >
> >
> >
> > To activate signature recognition for analyzers, you must write a script
> > with the proper signature (usually called dpd.sig) and load it (usually
> > with @load-sigs ./dpd.sig in the main.zeek script for the analyzer).
> >
> >
> >
> > Have a look at the script side of some other analyzers to see some
> > examples.
> >
> >
> >
> > Mauro
> >
>
> ------------------------------
>
> _______________________________________________
> Zeek mailing list
> Zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
> End of Zeek Digest, Vol 159, Issue 9
> ************************************
>
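The three pieces the thread keeps circling around (TQ's port registration, Mauro's @load-sigs, and the __load__ file Aaron mentions), wired together the way the stock base/protocols/* analyzers do it. This is an added example, not Aaron's posted files and not code from the Zeek project. Names taken from the page: Analyzer::ANALYZER_BACNET, the event bacnet_ethernet_BVLC_Result with its two count arguments, Bacnet::LOG, and 47808/udp. Assumptions not on the page: the plugin registered its analyzer component under the name "bacnet" (the enable target in a signature has to match that component name), the signature keys on the first payload byte being 0x81 (the BVLC type value of BACnet/IP), and the two extra log fields are mine. Zeek 2.6 spellings (bro_init, .bro) are kept as in the thread.

```zeek
# ---- scripts/base/protocols/bacnet/__load__.bro ----
# Main script first, so the module, log stream and ports exist; then the
# signatures that hand matching flows to the analyzer.
@load ./main
@load-sigs ./dpd.sig

# ---- scripts/base/protocols/bacnet/dpd.sig ----
# Signature-based DPD: a UDP flow whose payload starts with 0x81 (assumed
# discriminator: the BVLC type byte of BACnet/IP) gets the analyzer attached
# on any port. "bacnet" is the assumed analyzer component name.
signature dpd_bacnet {
    ip-proto == udp
    payload /^\x81/
    enable "bacnet"
}

# ---- scripts/base/protocols/bacnet/main.bro ----
##! BACnet/IP analysis; generates bacnet.log.
module Bacnet;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ## Timestamp for when the event happened.
        ts:            time    &log;
        ## Unique ID for the connection.
        uid:           string  &log;
        ## The connection's 4-tuple of endpoint addresses/ports.
        id:            conn_id &log;
        ## BVLC type and function as delivered by the event (added fields).
        bvlc_type:     count   &log &optional;
        bvlc_function: count   &log &optional;
    };

    ## Port-based fallback: 47808/udp (0xBAC0) is the registered BACnet/IP port.
    const ports: set[port] = { 47808/udp } &redef;

    ## Event that can be handled to access the record before it is logged.
    global log_bacnet: event(rec: Info);
}

# Lets the connection logic treat 47808/udp as the server side.
redef likely_server_ports += { ports };

event bro_init() &priority=5
    {
    Log::create_stream(Bacnet::LOG, [$columns=Info, $ev=log_bacnet, $path="bacnet"]);

    # Attach the analyzer to every flow on the well-known port, independently
    # of whether the dpd.sig signature matched.
    Analyzer::register_for_ports(Analyzer::ANALYZER_BACNET, ports);
    }

event bacnet_ethernet_BVLC_Result(c: connection, BVLC_Type: count, BVLC_Function: count)
    {
    local info: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
                        $bvlc_type=BVLC_Type, $bvlc_function=BVLC_Function];
    Log::write(Bacnet::LOG, info);
    }
```

One check worth doing before touching the analyzer itself: bro -N only proves the C++ component was compiled in. The script directory is not picked up on its own; scripts/base/init-default.bro names every base/protocols/* directory it loads, so a new analyzer needs an @load base/protocols/bacnet line there, or the path on the command line (bro -r bacnet.pcap base/protocols/bacnet). With policy/misc/loaded-scripts loaded (the stock local.bro does this), loaded_scripts.log shows whether main.bro actually came in. An event raised by the C++ side with no script handler is silently dropped, which is what "the analyzer fires under -s but nothing is logged" looks like when the script side was never loaded.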

