[Zeek] Query regarding Bro IDS

Manoj Petshali manoj.petshali at paytm.com
Wed Jul 17 21:15:31 PDT 2019


Hi Aashish,

Thanks for the knowledge sharing.
We will check the docs and will contact you as and when required.


Thanks
Manoj Petshali
Sr. Manager - Payments Engineering
Mobile +91-9891066456

www.paytm.com



On Thu, Jul 18, 2019 at 1:32 AM Aashish Sharma <asharma at lbl.gov> wrote:

> Manoj,
>
> (Apologies for the delayed reply!)
>
> > We do not have taps/sensors as of now. If we have taps placed at the
> > right places, may you elaborate what kind of difficulty we may face?
>
> That is generally the most difficult part - to put the taps in the right
> places to be able to sniff the bytes and gain visibility.
>
> You might have issues with encryption - in which case you'd still see
> connection info but not the contents. I know some sites have a workaround
> where the taps are 'beyond encryption' - i.e. you might want to tap behind
> load balancers where SSL terminates, etc.
>
> If you are able to do that, you should be able to get zeek running and
> seeing the traffic and also reporting tcp flags/states etc.
>
> > Also let me know if we can filter and send the traffic (without payload)
> > according to our requirement e.g. flags only like syn, synack, ack,
> > timeout etc to zeek for troubleshooting.
>
> Yes, you can do that - as long as control packets are sent, zeek is able to
> handle most, if not all, of the connection info. We at Berkeley Lab do this
> for one of our deployments.
>
> > May you please share some data/charts depicting the information we are
> > looking for (as per the trail mail) so that we may proceed further.
>
> I am afraid I don't have data/charts for the information you are looking
> for handy with me. I'd advise you to run zeek on a laptop/linux box - feed
> it some data and see if you are seeing what you desire. If so, you can
> scale up to your needs.
>
> Roughly 4 years ago we did write a document which shows how you'd deploy
> zeek: go.lbl.gov/100g - may be useful.
>
> But as far as what you seek, you should look at conn.log and try to
> understand it: read this page -- it has pretty detailed info on the
> connection record:
>
> https://docs.zeek.org/en/stable/scripts/base/protocols/conn/main.bro.html
>
> Hope this helps.
>
> Aashish
>
>
>
> On Sat, Jul 13, 2019 at 01:37:04PM +0530, Manoj Petshali wrote:
> > Hi Aashish,
> >
> > Thanks a lot for your response.
> > We do not have taps/sensors as of now. If we have taps placed at the
> > right places, may you elaborate what kind of difficulty we may face?
> > Also let me know if we can filter and send the traffic (without payload)
> > according to our requirement e.g. flags only like syn, synack, ack,
> > timeout etc to zeek for troubleshooting.
> > May you please share some data/charts depicting the information we are
> > looking for (as per the trail mail) so that we may proceed further.
> >
> >
> > Thanks
> > Manoj Petshali
> > Sr. Manager - Payments Engineering
> > Mobile +91-9891066456
> >
> > www.paytm.com
> >
> >
> >
> > On Sat, Jul 13, 2019 at 2:04 AM Aashish Sharma <asharma at lbl.gov> wrote:
> >
> > > Hello Manoj,
> > >
> > > You can sure use zeek to get more visibility into your traffic and
> > > connections. It has a pretty good and powerful tcp analysis engine
> > > built in. I am sure zeek can get you a lot of diagnostic data - I say
> > > that from our experience at Berkeley Lab where we do a lot of proactive
> > > blocking and always rely on zeek's conn.log (and similar) to look into
> > > connectivity issues. So to me what you seek is not too difficult.
> > >
> > > The difficult part for you is going to be getting this traffic into
> > > zeek, or putting taps/sensors at the right places.
> > >
> > > Do you have taps on the points you want to monitor?
> > >
> > > Aashish
> > >
> > > On Fri, Jul 12, 2019 at 01:54:43PM +0530, Manoj Petshali wrote:
> > > > Hi Team,
> > > >
> > > > Please respond as we need to implement the same at the earliest.
> > > >
> > > > Thanks
> > > > Manoj Petshali
> > > > Sr. Manager - Payments Engineering
> > > > Mobile +91-9891066456
> > > >
> > > > www.paytm.com
> > > >
> > > >
> > > >
> > > > On Fri, Jul 12, 2019 at 10:21 AM Manoj Petshali <manoj.petshali at paytm.com>
> > > > wrote:
> > > >
> > > > > Hi Team,
> > > > >
> > > > > I am very eager about Bro and need to know the below information:
> > > > >
> > > > > - We are working in India's biggest transactional system and facing
> > > > > many issues, e.g.:
> > > > >
> > > > > : If some user request is coming from a public or private network
> > > > > (internal request) and traverses across many servers, and if the user
> > > > > receives a timeout (e.g. connection time out, read time out, rst etc.),
> > > > > then we need to know the deep analysis of the same, meaning:
> > > > >
> > > > > : Why/where did the request time out?
> > > > > : Up to which hop did the request travel?
> > > > > : Network latency between these hops, to know if the latency is the
> > > > > issue?
> > > > > : TCP handshake and SSL handshake latency and the reason for the same?
> > > > > : Application latency? Meaning if the network latency is fine
> > > > >
> > > > > We searched on the web and got the feeling that Bro is more oriented
> > > > > toward security and does deep packet inspection. But we have many
> > > > > problems like the above to resolve. May you please let us know how Bro
> > > > > can help us to resolve the above issues?
> > > > >
> > > > > Thanks
> > > > > Manoj Petshali
> > > > > Sr. Manager - Payments Engineering
> > > > > Mobile +91-9891066456
> > > > >
> > > > > www.paytm.com
> > > > >
> > > > >
> > >
> > >
> > >
> > > > _______________________________________________
> > > > Zeek mailing list
> > > > zeek at zeek.org
> > > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> > >
> > >
>
>
>
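The conn.log fields Aashish points at (conn_state and history) answer most of the timeout/RST questions raised in this thread. The following is an added Python example, not code from the thread or from the Zeek project: it parses a constructed conn.log excerpt (hosts, UIDs and timings are made up) and maps each connection's recorded state to a plain-language diagnosis.

```python
# Constructed conn.log excerpt (Zeek default TSV, reduced #fields set); hosts,
# UIDs and timings are made up for this example.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\tconn_state\thistory",
    "1563400000.1\tCx1\t10.0.0.5\t51000\t10.0.1.20\t443\ttcp\t0.012\tSF\tShADadFf",
    "1563400001.2\tCx2\t10.0.0.5\t51001\t10.0.1.21\t443\ttcp\t-\tS0\tS",
    "1563400002.3\tCx3\t10.0.0.5\t51002\t10.0.1.22\t8080\ttcp\t0.001\tREJ\tSr",
    "1563400003.4\tCx4\t10.0.0.6\t51003\t10.0.1.20\t443\ttcp\t30.2\tRSTO\tShADadR",
    "1563400004.5\tCx5\t10.0.0.7\t51004\t10.0.1.23\t443\ttcp\t-\tOTH\tD",
])

# conn_state meanings as documented for conn.log, phrased for timeout/RST triage.
CONN_STATE_MEANING = {
    "S0": "SYN sent, no SYN-ACK seen: responder unreachable or silently dropped",
    "S1": "handshake completed, connection still open (no FIN/RST seen)",
    "SF": "normal establishment and termination",
    "REJ": "SYN answered with RST: port closed or actively refused",
    "RSTO": "established, then reset by the originator",
    "RSTR": "established, then reset by the responder",
    "RSTOS0": "originator sent SYN then RST; no SYN-ACK from responder",
    "SH": "originator sent SYN then FIN; no SYN-ACK from responder",
    "OTH": "no SYN seen, only mid-stream traffic (tap missed the handshake)",
}

def parse_conn_log(text):
    """Parse Zeek TSV: '#fields' names the columns, '#unset_field' marks nulls."""
    fields, unset, rows = None, "-", []
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "unset_field":
                unset = rest
        elif line and fields:
            vals = line.split("\t")
            rows.append({f: (None if v == unset else v) for f, v in zip(fields, vals)})
    return rows

def handshake_completed(history):
    """history: uppercase = originator, lowercase = responder; S/h/A = SYN, SYN-ACK, ACK."""
    return bool(history) and all(c in history for c in "ShA")

def diagnose(rows):
    """Per uid: (conn_state, handshake finished?, plain-language meaning)."""
    return {r["uid"]: (r["conn_state"], handshake_completed(r["history"]),
                       CONN_STATE_MEANING.get(r["conn_state"], "unknown state"))
            for r in rows}
```

Running `diagnose(parse_conn_log(SAMPLE_CONN_LOG))` separates connections that never got a SYN-ACK (S0) from those refused (REJ) or reset after establishment (RSTO/RSTR), which is the first split needed before looking at per-hop latency.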