[Zeek] Zeek Digest, Vol 159, Issue 9
Aaron Heller
deltah24 at gmail.com
Wed Jul 10 17:46:56 PDT 2019
Hi TQ,
Thanks for the thoughts.
I tried as you suggested, but nothing changed when specifying 47808/udp.
Below is what's in the main.bro file - any thoughts are welcome and
appreciated.
Also - what's best practice for this mailing list when a conversation gets
multiple threads going (you, Mauro, and Justin have all offered help)?
Keep everyone's thoughts/replies in one thread or break out into direct
emails?
Aaron
---------------------------------------------------------------------------------------------------------------------
##! Implements base functionality for bacnet analysis.
##! Generates the Bacnet.log file.
# Generated by binpac_quickstart
module Bacnet;
export {
    redef enum Log::ID += { LOG };
    type Info: record {
        ## Timestamp for when the event happened.
        ts: time &log;
        ## Unique ID for the connection.
        uid: string &log;
        ## The connection's 4-tuple of endpoint addresses/ports.
        id: conn_id &log;
        # ## TODO: Add other fields here that you'd like to log.
    };
    ## Event that can be handled to access the bacnet record as it is sent on
    ## to the logging framework.
    global log_bacnet: event(rec: Info);
}
# TODO: The recommended method to do dynamic protocol detection
# (DPD) is with the signatures in dpd.sig. If you can't come up
# with any signatures, then you can do port-based detection by
# uncommenting the following and specifying the port(s):
#################################################################################################################
#
# Per your suggestion, I modified and uncommented the following 2 lines and
# tried running again, along with uncommenting the
# "Analyzer::register_for_ports(Analyzer::ANALYZER_BACNET, ports);" line. No
# joy. :(
#
#################################################################################################################
# const ports = { 47808/udp };
# redef likely_server_ports += { ports };
event bro_init() &priority=5
    {
    # Debug print moved here from inside export {}: an export block only
    # holds declarations, so a bare print statement there is a parse error.
    print "Export statement!";
    Log::create_stream(Bacnet::LOG, [$columns=Info, $ev=log_bacnet,
        $path="bacnet"]);
    print "Init Statement";
    # TODO: If you're using port-based DPD, uncomment this.
    # Analyzer::register_for_ports(Analyzer::ANALYZER_BACNET, ports);
    }
event bacnet_ethernet_BVLC_Result(c: connection, BVLC_Type : count,
    BVLC_Function : count)
    {
    local info: Info;
    info$ts = network_time();
    info$uid = c$uid;
    info$id = c$id;
    print "Result seen! ", BVLC_Function;
    Log::write(Bacnet::LOG, info);
    }
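For reference, a script-side layout that wires up both detection paths the replies in this thread discuss (signature DPD through a dpd.sig loaded by @load-sigs, and port-based registration with Analyzer::register_for_ports), as an added example rather than code from the thread or from Zeek itself. The file layout, the analyzer tag Analyzer::ANALYZER_BACNET and the event name follow the posted script; the signature's payload pattern and the bvlc_func field are assumptions.

```zeek
# --- __load__.bro (assumed layout for scripts/base/protocols/bacnet/) ---
# @load ./main
# @load-sigs ./dpd.sig    # loads the signature without needing "bro -s"
#
# --- dpd.sig (signature syntax, shown as comments because it is a separate file) ---
# signature dpd_bacnet_udp {
#     ip-proto == udp
#     payload /^\x81[\x00-\x0b]/   # BVLC type 0x81 (BACnet/IP), function 0x00..0x0b (assumed pattern)
#     enable "bacnet"              # must equal the name the analyzer plugin registers
# }
#
# --- main.bro ---
# A built-in analyzer's scripts are only loaded if init-default.bro carries an
# "@load base/protocols/bacnet" line; without it, none of the handlers below run.
module Bacnet;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:        time    &log;
        uid:       string  &log;
        id:        conn_id &log;
        bvlc_func: count   &log &optional;   # assumed extra field: BVLC function code
    };

    ## Port-based fallback for traffic the signature does not match.
    const ports = { 47808/udp } &redef;

    global log_bacnet: event(rec: Info);
}

redef likely_server_ports += { ports };

# Zeek 2.6 name; from 3.0 on this handler is zeek_init.
event bro_init() &priority=5
    {
    Log::create_stream(Bacnet::LOG, [$columns=Info, $ev=log_bacnet, $path="bacnet"]);
    # Attach the analyzer on the well-known port even when no signature fires.
    Analyzer::register_for_ports(Analyzer::ANALYZER_BACNET, ports);
    }

# Event name and parameters taken from the posted script (generated from events.bif).
event bacnet_ethernet_BVLC_Result(c: connection, BVLC_Type: count, BVLC_Function: count)
    {
    local info = Info($ts=network_time(), $uid=c$uid, $id=c$id,
                      $bvlc_func=BVLC_Function);
    Log::write(Bacnet::LOG, info);
    }
```

With both paths in place, a connection on 47808/udp gets the analyzer attached by port, and traffic on any other port is still picked up when the signature matches.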
On Wed, Jul 10, 2019 at 8:08 PM <zeek-request at zeek.org> wrote:
>
> Message: 1
> Date: Wed, 10 Jul 2019 15:51:27 -0700
> From: TQ <nothinrandom at gmail.com>
> Subject: Re: [Zeek] New Analyzer
> To: zeek <zeek at zeek.org>
>
> Hi Aaron,
>
> Silly question, but did you tell it to listen to port 47808 in your
> main.zeek script? Probably something like this:
>
> ## define listening ports
> const ports = { 47808/udp };
> redef likely_server_ports += { ports };
>
> I do have a working analyzer and could walk you through if you could share
> what you have so far.
>
> Thanks,
>
> On Wed, Jul 10, 2019 at 12:00 PM <zeek-request at zeek.org> wrote:
>
> > Send Zeek mailing list submissions to
> > zeek at zeek.org
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> > or, via email, send a message with subject or body 'help' to
> > zeek-request at zeek.org
> >
> > You can reach the person managing the list at
> > zeek-owner at zeek.org
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Zeek digest..."
> >
> >
> > Today's Topics:
> >
> > 1. New Analyzer (Aaron Heller)
> > 2. R: New Analyzer (Palumbo Mauro)
> > 3. Re: Issues with Intel::FILE_NAME not working. (Jan Grash?fer)
> >
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Tue, 9 Jul 2019 21:44:35 -0400
> > From: Aaron Heller <deltah24 at gmail.com>
> > Subject: [Zeek] New Analyzer
> > To: zeek at zeek.org
> >
> > Hi everyone,
> > I'm working on a BACnet protocol analyzer for Zeek and am having problems
> > getting the analyzer to fire. I've been working with Zeek version 2.6.2
> > and the analyzer was created using binpac_quickstart.
> >
> > BACnet is a UDP based building automation and control protocol (think
> > furnaces, security/access systems, lighting, etc.).
> >
> > Not sure what info would be most helpful; is anyone willing to lend some
> > insight as to why the analyzer isn't firing off? The analyzer is supposed to
> > be signature based and bro -N shows it as built-in and active. If the bro -s
> > option is used to specify the signature file then the analyzer will fire
> > off appropriately, but I'm looking for it to auto-magically be included in
> > the UDP analyzer tree.
> >
> > Greatly appreciate any help or thought for where to look first,
> > Aaron
> >
> >
> > Message: 2
> > Date: Wed, 10 Jul 2019 07:30:18 +0000
> > From: Palumbo Mauro <mauro.palumbo at aizoon.it>
> > Subject: [Zeek] R: New Analyzer
> > To: Aaron Heller <deltah24 at gmail.com>, "zeek at zeek.org" <zeek at zeek.org>
> >
> > Hi Aaron,
> > not sure what you have done so far, but maybe you are missing something
> > on the script side?
> >
> > To activate signature recognition for analyzers, you must write a script
> > with the proper signature (usually called dpd.sig) and load it (usually
> > with @load-sigs ./dpd.sig in the main.zeek script for the analyzer).
> >
> > Have a look at the script side of some other analyzers to see some
> > examples.
> >
> > Mauro
> >
> > Message: 3
> > Date: Wed, 10 Jul 2019 12:03:36 +0200
> > From: Jan Grashöfer <jan.grashoefer at gmail.com>
> > Subject: Re: [Zeek] Issues with Intel::FILE_NAME not working.
> > To: zeek at zeek.org
> >
> > Hi William,
> >
> > the script seen/file-names.zeek [1] defines how file names are reported
> > to the intel framework. To match, the indicator has to be identical to
> > f$info$filename.
> >
> > Jan
> >
> > [1]
> > https://github.com/zeek/zeek/blob/master/scripts/policy/frameworks/intel/seen/file-names.zeek
> >
> > On 09/07/2019 20:27, William Dieterich wrote:
> > > Using the Intel Framework I cannot get Intel::FILE_NAME to fire. It
> > > is working with any other type so my script and read file is good.
> > >
> > > I am loading the following scripts
> > >
> > > policy/frameworks/intel/seen
> > > policy/frameworks/intel/do_notice
> > > frameworks/file/hash-all-files.bro
> > > base/frameworks/intel/files.bro
> > >
> > > Loading hash-all-files.bro is there so that Intel::FILE_HASH works, is
> > > there a better way?
> > >
> > > I am taking filenames from both my files.log and http.log files so I
> > > know the files exist. I am getting no errors in recorder.log and am
> > > running from the command line and no errors are there. Any ideas on
> > > what I am doing wrong?
>
> Message: 2
> Date: Wed, 10 Jul 2019 20:07:45 -0400
> From: Aaron Heller <deltah24 at gmail.com>
> Subject: Re: [Zeek] New Analyzer
> To: Palumbo Mauro <mauro.palumbo at aizoon.it>
> Cc: "zeek at zeek.org" <zeek at zeek.org>
>
> Hi Mauro,
> Thanks much for the idea/insight.
>
> I didn't have a @load-sigs line in the main.bro script, but there is one in
> the __load__.bro file. It looks consistent with the other protocols that
> appear to be signature based (dnp3, ftp, pop3, etc.). I tried adding the
> @load-sigs ./dpd.sig line to the main.bro script but still no joy. Any
> other thoughts?
>
> I didn't think to include it in the original email, but when zeek is run
> with the -s option and a signature file is specified, the 'C' portion of
> the analyzer fires off (i.e., the
> ../zeek/src/analyzers/protocol/bacnet/bacnet.cc, Plugin.cc, and
> events.bif), but the script side that should generate a log file does not
> (../zeek/scripts/base/protocols/bacnet/main.bro, __load__.bro, and
> dpd.sig). Maybe that and the analyzer not automatically firing off
> indicates an issue with the bacnet script not being called appropriately?
> I'm grasping at straws, so any thoughts are greatly appreciated!
>
>
> Thanks again,
> Aaron
>