[Zeek] Query regarding Bro IDS

Aashish Sharma asharma at lbl.gov
Wed Jul 17 13:02:18 PDT 2019


Manoj, 

(Apologies for the delayed reply!) 

> we do not have taps/sensors as of now. if we have taps placed at right
> places , may you elaborate what kind of difficulty we may face?

That is generally the most difficult part - to put the taps in the right places to be
able to sniff the bytes - gain visibility. 

You might have issues with encryption - in which case you'd still see connection
info but not the contents. I know some sites have workarounds where the taps are
'beyond encryption' - i.e. you might want to tap behind load balancers where SSL
terminates etc. 

If you are able to do that, you should be able to get zeek running and seeing
the traffic and also reporting tcp flags/states etc. 

> Also let me know if we can filter and send the traffic (without payload)
> according to our requirement e.g. flags only like syn, synack,ack, timeout
> etc to zeek for troubleshooting.

Yes, you can do that - as long as control packets are sent, zeek is able to
handle most, if not all, of the connection info. We at Berkeley Lab do this for one
of our deployments. 

> May you please share some data/charts depicting the information we are
> looking for (as per the trail mail ) so that we may proceed further.

I am afraid I don't have data/charts for the information you are looking for handy
with me. I'd advise you to run zeek on a laptop/linux box - feed it some
data and see if you are seeing what you desire. If so, you can scale up to your
needs. 

Roughly 4 years ago we did write a document which shows how you'd deploy zeek:
go.lbl.gov/100g - may be useful.

But as far as what you seek, you should look at conn.log and try to understand
it: read this page -- it has pretty detailed info on the connection record:

https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.bro.html

Hope this helps. 

Aashish 
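As an added illustration (not part of the original thread), here is a small Python script that reads conn.log in Zeek's TSV format and turns conn_state plus the history string into a per-connection timeout/reset diagnosis of the kind this reply points to. The records are constructed samples, and the field names follow the conn.log documentation linked above; the conn_state/history interpretations are the documented ones, paraphrased.

```python
"""Triage Zeek conn.log records (constructed sample data, not a real capture)."""
from collections import Counter

# Subset of documented conn_state meanings from Zeek's conn.log
CONN_STATE = {
    "S0": "SYN seen, no reply",
    "SF": "normal establishment and termination",
    "REJ": "connection attempt rejected",
    "RSTO": "established, originator aborted with RST",
    "RSTR": "established, responder aborted with RST",
}

# Constructed conn.log excerpt in Zeek's TSV layout (#fields header, tab separated).
SAMPLE_CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1563000001.0\tCabc1\t10.0.1.5\t50001\t10.0.2.10\t443\ttcp\tssl\t0.12\t300\t4000\tSF\tT\tT\t0\tShADadFf\t8\t700\t9\t4500\t-
1563000002.0\tCabc2\t10.0.1.5\t50002\t10.0.2.11\t443\ttcp\t-\t-\t-\t-\tS0\tT\tT\t0\tS\t3\t180\t0\t0\t-
1563000003.0\tCabc3\t10.0.1.6\t50003\t10.0.2.10\t8080\ttcp\t-\t0.01\t0\t0\tREJ\tT\tT\t0\tSr\t1\t60\t1\t40\t-
1563000004.0\tCabc4\t10.0.1.7\t50004\t10.0.2.12\t443\ttcp\tssl\t30.5\t500\t0\tRSTR\tT\tT\t0\tShADr\t5\t600\t3\t200\t-
#close\t2019-07-13-00-00-00
"""

def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        else:
            yield dict(zip(fields, line.split("\t")))

def explain(rec):
    # history: uppercase letters come from the originator, lowercase from the
    # responder; S SYN, h SYN-ACK, A ACK, d payload, f FIN, r RST.
    state, hist = rec["conn_state"], rec["history"]
    base = CONN_STATE.get(state, "conn_state " + state)
    if state == "S0":
        return base + "; handshake never answered (filtered or unreachable?)"
    if state in ("RSTO", "RSTR"):
        if "d" in hist.lower():
            return base + " after payload was exchanged (application abort)"
        return base + " before any payload was exchanged"
    return base

def summarize(text):
    """Return {uid: diagnosis} and a Counter keyed by (resp_h, resp_p, state)."""
    diagnoses, by_target = {}, Counter()
    for rec in parse_conn_log(text):
        diagnoses[rec["uid"]] = explain(rec)
        by_target[(rec["id.resp_h"], rec["id.resp_p"], rec["conn_state"])] += 1
    return diagnoses, by_target
```

Feeding a real conn.log through `summarize()` groups failures by responder host and port, which is the first cut at the "where did it time out" question raised in this thread.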



On Sat, Jul 13, 2019 at 01:37:04PM +0530, Manoj Petshali wrote:
> Hi Aashish,
> 
> Thanks a lot for your response.
> We do not have taps/sensors as of now. If we have taps placed at the right
> places, may you elaborate what kind of difficulty we may face?
> Also let me know if we can filter and send the traffic (without payload)
> according to our requirement, e.g. flags only like syn, synack, ack, timeout
> etc., to zeek for troubleshooting.
> May you please share some data/charts depicting the information we are
> looking for (as per the trail mail) so that we may proceed further.
> 
> 
> Thanks
> Manoj Petshali
> Sr. Manager - Payments Engineering
> Mobile +91-9891066456
> 
> www.paytm.com
> 
> 
> 
> On Sat, Jul 13, 2019 at 2:04 AM Aashish Sharma <asharma at lbl.gov> wrote:
> 
> > Hello Manoj,
> >
> > You can surely use zeek to get more visibility into your traffic and
> > connections. It has a pretty good and powerful tcp analysis engine built in.
> > I am sure zeek can get you a lot of diagnostic data - I say that from our
> > experience at Berkeley Lab where we do a lot of proactive blocking and always
> > rely on zeek's conn.log (and similar) to look into connectivity issues. So to
> > me what you seek is not too difficult.
> >
> > The difficult part for you is going to be getting this traffic into zeek,
> > or putting taps/sensors at the right places.
> >
> > Do you have taps on the points you want to monitor ?
> >
> > Aashish
> >
> > On Fri, Jul 12, 2019 at 01:54:43PM +0530, Manoj Petshali wrote:
> > > Hi Team,
> > >
> > > Please respond as we need to implement the same at the earliest.
> > >
> > > Thanks
> > > Manoj Petshali
> > > Sr. Manager - Payments Engineering
> > > Mobile +91-9891066456
> > >
> > > www.paytm.com
> > >
> > >
> > >
> > > On Fri, Jul 12, 2019 at 10:21 AM Manoj Petshali <manoj.petshali at paytm.com>
> > > wrote:
> > >
> > > > Hi Team,
> > > >
> > > > I am very eager about Bro and need to know the below information:
> > > >
> > > > - We are working in India's biggest transactional system and facing many
> > > > issues, e.g.:
> > > >
> > > > : if some user request is coming from a public or private network (internal
> > > > request) and traverses across many servers, and if the user receives a
> > > > timeout (e.g. connection time out, read time out, rst etc.), then we need
> > > > to know the deep analysis of the same, meaning:
> > > >
> > > > : Why/where did the request time out?
> > > > : Up to which hop did the request travel?
> > > > : Network latency between these hops, to know if the latency is the issue?
> > > > : tcp handshake and ssl handshake latency and the reason for the same?
> > > > : Application latency? means if the network latency is fine
> > > >
> > > > We searched on the web and got the feeling that Bro is more oriented toward
> > > > security and does deep packet inspection. But we have many problems like
> > > > the above to resolve. May you please let us know how Bro can help us to
> > > > resolve the above issues?
> > > >
> > > > Thanks
> > > > Manoj Petshali
> > > > Sr. Manager - Payments Engineering
> > > > Mobile +91-9891066456
> > > >
> > > > www.paytm.com
> > > >