From: tscheponik at gmail.com (Woot4moo)
Date: Sat, 1 Jun 2019 21:24:32 -0400
Subject: [Zeek] Communication channels

Are there any plans to use another communication platform besides IRC? To the best of my knowledge the IRC channel does not record history, so any new member is unaware of prior chats / discoveries.

Is there a desire in the community to move to something along the lines of Discord or Slack? Granted Slack would come at a premium.


From: anthony.kasza at gmail.com (anthony kasza)
Date: Sun, 2 Jun 2019 09:43:25 -0600
Subject: [Zeek] Communication channels

I don't use the IRC channel but I would lurk in a Zeek Slack channel.

-AK


From: zeolla at gmail.com (Zeolla@GMail.com)
Date: Sun, 2 Jun 2019 13:32:06 -0400
Subject: [Zeek] Communication channels

I would also be interested in a slack workspace, even if it's the free tier.
Jon Zeolla


From: dopheide at gmail.com (Mike Dopheide)
Date: Sun, 2 Jun 2019 16:07:40 -0500
Subject: [Zeek] Communication channels

+1
From: akgraner at corelight.com (Amber Graner)
Date: Sun, 2 Jun 2019 18:35:37 -0500
Subject: [Zeek] Communication channels

Great feedback! Thank you all.

What else would be helpful and encourage your or others' participation and contribution?

Please feel free to reach out to me here or via email.

With gratitude,
~Amber
--
Amber Graner
Director of Community
Corelight, Inc
828.582.9469

* Ask me about how you can participate in the Zeek (formerly Bro) community.
* Remember - ZEEK AND YOU SHALL FIND!!


From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Mon, 3 Jun 2019 10:40:52 +0200
Subject: [Zeek] Communication channels

I would like to add Matrix (https://matrix.org) to the list.

Jan
From: mkg at vt.edu (Mark Gardner)
Date: Mon, 3 Jun 2019 08:24:02 -0400
Subject: [Zeek] Communication channels

On Sun, Jun 2, 2019 at 11:45 AM anthony kasza wrote:

> I don't use the IRC channel but I would lurk in a Zeek Slack channel.

Please choose an open standard rather than a walled garden. Someone above suggested Matrix as a possibility.
From: tscheponik at gmail.com (Woot4moo)
Date: Mon, 3 Jun 2019 08:31:44 -0400
Subject: [Zeek] Communication channels

Agree. While giphy integration is a good time killer, I am far more interested in modern amenities such as threads and history. I presume Matrix would get us there or could be close with some pull requests.


From: akgraner at corelight.com (Amber Graner)
Date: Mon, 3 Jun 2019 08:25:57 -0500
Subject: [Zeek] Communication channels

I'll research some options and ask for the LT to review at the next meeting. Please continue to add your thoughts.

Thanks,
~Amber
From: merril.mathew at baby2body.com (Merril Mathew)
Date: Tue, 4 Jun 2019 16:47:30 +0100
Subject: [Zeek] Creating a module and accessing an event in another script

Hi all,

I am new to Zeek and would like some help with writing a module and accessing the events in another script.

I created a module called SSHAttempt under /usr/local/bro/share/bro/site and set up the module with __local__.zeek and main.zeek.

I created a custom log stream based on the result derived from ssh_auth_result in SSHAttempt/main.zeek. I also exported the SSH::Info record as log_sshattempt from main.zeek.

I can see the notice.log when running with sshquess.pcap. However, if I try to access the event that has been exported from SSHAttempt/main.zeek inside another script (test.zeek) then I am getting the error that the record values are not initialised. I was expecting the auth_fail variable inside the SSHAttempt::Info record to be initialised when running the .pcap.

Please find all the necessary files for reference. Any help would be much appreciated. :)

Kind regards,
Merril
Attachments: __local__.zeek (12 bytes), main.zeek (1994 bytes), test.zeek (205 bytes)


From: merril.mathew at baby2body.com (Merril Mathew)
Date: Tue, 4 Jun 2019 17:32:06 +0100
Subject: [Zeek] Creating a module and accessing an event in another script

Hi all,

I figured out why it wasn't working. I was trying to print rec. Newbie mistake. :)

But the notice email action does not work though. It generates notice.log but does not email. Any silly mistakes anyone can see?

Kind regards,
Merril.
From: jsiwek at corelight.com (Jon Siwek)
Date: Tue, 4 Jun 2019 09:37:46 -0700
Subject: [Zeek] Creating a module and accessing an event in another script

On Tue, Jun 4, 2019 at 8:56 AM Merril Mathew wrote:

> I created a module called SSHAttempt under /usr/local/bro/share/bro/site and set up the module with __local__.zeek and main.zeek.

The magic filename for loading directories is "__load__.zeek", not "__local__.zeek".

> However if I try to access the event that has been exported from SSHAttempt/main.zeek inside another script (test.zeek) then I am getting the error that the record values are not initialised. I was expecting auth_fail variable inside SSHAttempt::Info record to be initialised when running .pcap.

The event handler in test.zeek was creating an uninitialized record and printing it instead of printing the one given as an argument, like:

    event log_sshattempt(rec: Info) &priority=5
        {
        print rec;
        }

- Jon


From: justin at corelight.com (Justin Azoff)
Date: Tue, 4 Jun 2019 12:37:26 -0400
Subject: [Zeek] Creating a module and accessing an event in another script

On Tue, Jun 4, 2019 at 12:34 PM Merril Mathew wrote:

> But the notice email action does not work though. It generates notice.log but does not email. Any silly mistakes anyone can see?

Are you running against a pcap? Emails are not sent when reading pcap files.
You should still see ACTION_EMAIL in the actions field in the notice.log.

--
Justin


From: jsiwek at corelight.com (Jon Siwek)
Date: Tue, 4 Jun 2019 09:43:43 -0700
Subject: [Zeek] Creating a module and accessing an event in another script

On Tue, Jun 4, 2019 at 9:34 AM Merril Mathew wrote:

> But the notice email action does not work though. It generates notice.log but does not email. Any silly mistakes anyone can see?

Do you also have "Notice::mail_dest" set to the email address that should receive them? Or if you're using ZeekControl / BroControl, you'd instead edit zeekctl.cfg/broctl.cfg to set the "MailTo" option.

- Jon


From: merril.mathew at baby2body.com (Merril Mathew)
Date: Tue, 4 Jun 2019 17:54:43 +0100
Subject: [Zeek] Creating a module and accessing an event in another script

Hi Justin,

I can see ACTION_EMAIL in notice.log when running the .pcap. But I included the SSHAttempt module with the local.zeek file, and if I try to call the notice type defined in the module inside test.zeek then it doesn't work when I ssh into the box. Please find attached the files.

Kind regards,
Merril
Attachments: local.zeek (4020 bytes), test.zeek (308 bytes)


From: blake_moss at byu.edu (Blake Moss)
Date: Tue, 4 Jun 2019 16:58:25 +0000
Subject: [Zeek] ActiveHTTP Module Error

Hi all,

I'm having difficulty using the ActiveHTTP module to make an HTTP request in my zeek script. Here is a snippet of the code and output:

Script:

    print("MAKING A REQUEST");
    when (local response = ActiveHTTP::request([$url="https://google.com", $method="GET"]))
        {
        print(response$msg);
        }
    print ("AFTER WHEN BLOCK");

Output:

    MAKING A REQUEST
    AFTER WHEN BLOCK
    rm: cannot remove '/tmp/bro-activehttp-9gbMHtTs8u_headers': No such file or directory
    rm: cannot remove '/tmp/bro-activehttp-9gbMHtTs8u_body': No such file or directory

Does anyone have an example of using this in a script they would be willing to share? I've looked at the curl command that the active http module generates and that looks good; however, from looking at the exec module, I'm a little unclear on how this actually gets executed.

Thanks!
- Blake
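The output Blake shows is the symptom of a script that exits before the asynchronous request completes: "AFTER WHEN BLOCK" prints, Zeek runs out of input and shuts down, and the ActiveHTTP cleanup finds no temp files because curl never finished. The following is an added example, not code from this thread or from the Zeek project, that rewrites the snippet as a complete script applying the fix given in Jon Siwek's reply that follows (`redef exit_only_after_terminate = T;`) and then calling `terminate()` once the response has been handled so the run still ends. The URL, the 30 second timeout and the `zeek_init` naming (Zeek 3.x; older releases spell it `bro_init`) are assumptions of the example.

```zeek
@load base/utils/active-http

# Without this, a command-line run (or a pcap) has no further input once the
# script is loaded, so Zeek exits before curl returns and the "when" body
# never runs. With it, the process stays up until terminate() is called.
redef exit_only_after_terminate = T;

event zeek_init()
    {
    # Placeholder URL for the example.
    local req: ActiveHTTP::Request = [$url="https://example.com/", $method="GET"];

    print "MAKING A REQUEST";

    # ActiveHTTP::request runs curl through the Exec module; the "when"
    # condition is satisfied only when the result becomes available, and
    # the body then runs from the event loop, not inline here.
    when ( local response = ActiveHTTP::request(req) )
        {
        print fmt("HTTP status %d (%s)", response$code, response$msg);
        if ( response?$body )
            print response$body;

        # Nothing left to wait for: end the run ourselves.
        terminate();
        }
    timeout 30 sec
        {
        print "request timed out";
        terminate();
        }

    # Reached immediately, before the response exists.
    print "AFTER WHEN BLOCK";
    }
```

Run it with `zeek` and the script name alone (no interface or pcap); the two print lines appear in the order Blake saw, and the status line follows once curl returns. Leaving out `terminate()` with `exit_only_after_terminate` set would keep the process alive indefinitely, which is the intended behaviour on a live interface but not for a one-off command-line run.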
From: jsiwek at corelight.com (Jon Siwek)
Date: Tue, 4 Jun 2019 10:19:49 -0700
Subject: [Zeek] ActiveHTTP Module Error

On Tue, Jun 4, 2019 at 10:06 AM Blake Moss wrote:

> Does anyone have an example of using this in a script they would be willing to share?

There's an example in testing/btest/scripts/base/utils/active-http.test.

In your example, if you're running from the command line and/or reading a pcap, you need to add this:

    redef exit_only_after_terminate = T;

That is, "when" statements and the ActiveHTTP module are executed asynchronously. The block of code within the "when" gets executed whenever the results are ready, and if you're on the command line without an indefinite source of input, the process exits before the results are obtained.

- Jon


From: blake_moss at byu.edu (Blake Moss)
Date: Tue, 4 Jun 2019 17:23:12 +0000
Subject: [Zeek] ActiveHTTP Module Error

Great, that is what I was missing! Thank you!
From: merril.mathew at baby2body.com (Merril Mathew)
Date: Wed, 5 Jun 2019 09:03:17 +0100
Subject: [Zeek] Creating a module and accessing an event in another script

Hi Jon,

Yes, I have the MailTo option set to my email address in zeekcontrol.

Kind regards,
Merril.


From: merril.mathew at baby2body.com (Merril Mathew)
Date: Wed, 5 Jun 2019 09:41:24 +0100
Subject: [Zeek] Creating a module and accessing an event in another script

Do you think it might be because I am relying on ssh_auth_result, which is exported in module GLOBAL as seen in SSH/main.zeek, rather than the log_ssh event? My understanding was that if exported globally it is available for all scripts, which is true when I use it in my own module. But maybe it's not triggered when I try to ssh into the box, since log_ssh is the only event exported from module SSH? If so, how can I export ssh_auth_result to module SSH as well? Also, how can I pass two events to a log stream?
I.e. how to edit this line:

    Log::create_stream(SSHAttempt::LOG, [$columns=Info, $ev=log_sshattempt, $path="SSHAttempt"]);

Kind regards,
Merril.


From: justin at corelight.com (Justin Azoff)
Date: Wed, 5 Jun 2019 11:03:19 -0400
Subject: [Zeek] Creating a module and accessing an event in another script

On Tue, Jun 4, 2019 at 12:54 PM Merril Mathew wrote:

> I can see ACTION_EMAIL on notice.log when running .pcap. But I included the SSHAttempt module with local.zeek file and if I try to call the notice type defined in the module inside test.zeek then it doesn't work when I ssh into the box. Please find attached the files.

If your notice.log shows ACTION_EMAIL then it's working properly. It will not send emails when reading a .pcap file.

--
Justin
From: merril.mathew at baby2body.com (Merril Mathew)
Date: Wed, 5 Jun 2019 16:45:19 +0100
Subject: [Zeek] Creating a module and accessing an event in another script

Hi Justin,

I think I figured it out. I don't think seeing EMAIL_ACTION in notice.log necessarily sends out email, or at least that was the case in my scenario.

So what I changed was to not directly declare the notice variable in the module/main.zeek I created, but instead redefine and export it in another script and then notify the variable using the module I created. After that I had to set the ACTION_EMAIL from another script when the defined notice variable is available.

I may be completely wrong here, as I also found that this code (found in SSH/main.zeek)

    event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
        {
        if ( atype == Analyzer::ANALYZER_SSH )
            {
            set_session(c);
            }
        }

is needed for the Log to work and perhaps for Notice as well.

Now I am struggling to pass the right information to this event (protocol_confirmation). How does one return a record from a function? I can see examples of string and count etc. but not record.

Kind regards,
Merril.
From: justin at corelight.com (Justin Azoff)
Date: Wed, 5 Jun 2019 11:55:03 -0400
Subject: [Zeek] Creating a module and accessing an event in another script

On Wed, Jun 5, 2019 at 11:45 AM Merril Mathew wrote:

> I think I figured it out. I don't think seeing EMAIL_ACTION in notice.log necessarily sends out email or at least was the case in my scenario.

If notice.log contains ACTION_EMAIL under actions then it would have sent the email when reading live traffic. If you were not getting the email then you had smtp issues, not zeek issues...

> So what I changed was to not directly declare notice variable in the module/main.zeek I created but instead redefine and export it in another script and then notify the variable using the module I created. After that I had to set the ACTION_EMAIL from another script when the defined notice variable is available.

You did not need to make any of those changes, the previously shared files were all perfect.

> I maybe completely wrong here as I also found that this code (found from SSH.main.zeek)
>
>     event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
>         {
>         if ( atype == Analyzer::ANALYZER_SSH )
>             {
>             set_session(c);
>             }
>         }
>
> Is needed for the Log to work and perhaps for Notice as well.

It is not needed. That is code specific to the existing ssh policy to start tracking the ssh session as soon as it is detected. This is not relevant to what you are doing since you only care about authentication attempts.

> Now I am struggling to pass the right information to this event (protocol_confirmation).

You don't pass information to that event. You should not need to do anything with that event.

> How does one return a record from a function?
> I can see examples of string and count etc. but not record.

You return a record exactly the same way you return a string or a count, there is no difference.

--
Justin


From: merril.mathew at baby2body.com (Merril Mathew)
Date: Wed, 5 Jun 2019 17:11:12 +0100
Subject: [Zeek] Creating a module and accessing an event in another script
Message-ID: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com>

Hi Justin,

Thanks. But it did not work for me.

Yes, everything works fine if I use the log_ssh event exported from the SSH module. I can check if it's authenticated from the SSH::Info. However, what I tried to do was to use ssh_auth_result, which is exported globally. Not sure the live traffic on SSH would trigger ssh_auth_result. That's why I tried to include the SSH analyser and protocol_confirmation event with my module. Once I put that in, then it generates an email and log. Maybe I am just looking at it completely the wrong way.

With regards to function return, this gives me an error:

    function set_session(c: connection, auth_fail: string &optional, auth_success: string &optional): record
        {
        if ( ! c?$sshattempt )
            {
            local info: SSHAttempt::Info;
            info$ts = network_time();
            info$auth_fail = auth_fail;
            info$auth_success = auth_success;
            c$sshattempt = info;
            return info;
            }
        }

Kind regards,
Merril.
>
> -- 
> Justin
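As an added example, not Justin's attached main.zeek and not Merril's scripts, here is one self-contained way to do what this thread is after: a module that exports an Info record, returns that record from set_session, logs every ssh_auth_result, and attaches ACTION_EMAIL in the Notice::policy hook. The ssh_auth_result signature is the one from Zeek's SSH analyzer; the module name, field names, log path and the mail address are assumptions.

```zeek
# Added example (not code from the thread, from Justin's attachment, or from
# the Zeek project).  Module, field names and the mail address are assumptions.
module SSHAttempt;

export {
	redef enum Log::ID += { LOG };

	redef enum Notice::Type += {
		## Raised when the SSH analyzer reports a failed authentication.
		Auth_Failure,
	};

	type Info: record {
		ts:            time    &log;
		uid:           string  &log;
		id:            conn_id &log;
		## T if the server accepted the credentials, F if it rejected them.
		auth_success:  bool    &log &optional;
		## Authentication attempts the analyzer counted on this connection.
		auth_attempts: count   &log &default=0;
	};
}

# Placeholder address: point this at your own mailbox.
redef Notice::mail_dest = "soc@example.com";

# Per-connection state, the same c$sshattempt field the thread uses.
redef record connection += {
	sshattempt: Info &optional;
};

# A record is returned like any other type: name the record type as the
# return type and make sure every path through the function returns one.
function set_session(c: connection): Info
	{
	if ( ! c?$sshattempt )
		c$sshattempt = Info($ts=network_time(), $uid=c$uid, $id=c$id);

	return c$sshattempt;
	}

# zeek_init needs a build from after the rename; on Bro or an early
# post-rename build use bro_init instead, as Justin notes further down.
event zeek_init()
	{
	Log::create_stream(SSHAttempt::LOG, [$columns=Info, $path="sshattempt"]);
	}

# ssh_auth_result(c, result, auth_attempts) is the SSH analyzer's verdict on
# an authentication exchange; no protocol_confirmation handler is needed.
event ssh_auth_result(c: connection, result: bool, auth_attempts: count)
	{
	local info = set_session(c);
	info$auth_success = result;
	info$auth_attempts = auth_attempts;
	Log::write(SSHAttempt::LOG, info);

	if ( result )
		return;

	NOTICE([$note=Auth_Failure,
	        $msg=fmt("SSH authentication failed after %d attempts", auth_attempts),
	        $conn=c,
	        # Suppress repeats for the same client/server pair (default 1 hour).
	        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}

# Adding ACTION_EMAIL in the policy hook is all the email path needs; the
# actions column of notice.log then shows Notice::ACTION_EMAIL.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSHAttempt::Auth_Failure )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

Mail is only sent when Notice::mail_dest is set and the sendmail path on the host works; on a pcap run the notice.log line appears either way.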
From justin at corelight.com Wed Jun 5 09:20:14 2019
From: justin at corelight.com (Justin Azoff)
Date: Wed, 5 Jun 2019 12:20:14 -0400
Subject: [Zeek] Creating a module and accessing an event in another script
In-Reply-To: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com>
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com>

On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew wrote:
> Hi Justin,
>
> Thanks. But it did not work for me.

Did not work how? Did you post the version of the script that didn't work?

-- 
Justin

From merril.mathew at baby2body.com Wed Jun 5 09:45:59 2019
From: merril.mathew at baby2body.com (Merril Mathew)
Date: Wed, 5 Jun 2019 17:45:59 +0100
Subject: [Zeek] Creating a module and accessing an event in another script
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com>
Message-ID: <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com>

Hi Justin,

I can confirm that the attached scripts do not send me email on live traffic
or create a log under $PREFIX/logs/current. But they do create notice.log
and a SSHAttempt.log when running a pcap. I can also confirm that the send
mail set up is working as I have received emails from zeek from other
scripts.

Kind regards,
Merril.

> On 5 Jun 2019, at 17:20, Justin Azoff wrote:
>
> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew wrote:
> > Hi Justin,
> >
> > Thanks. But it did not work for me.
>
> Did not work how? Did you post the version of the script that didn't work?
>
> -- 
> Justin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.zeek
Type: application/octet-stream
Size: 334 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190605/44001ca4/attachment-0003.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: main.zeek
Type: application/octet-stream
Size: 1994 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190605/44001ca4/attachment-0004.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: local.zeek
Type: application/octet-stream
Size: 3952 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190605/44001ca4/attachment-0005.obj

From justin at corelight.com Wed Jun 5 10:39:05 2019
From: justin at corelight.com (Justin Azoff)
Date: Wed, 5 Jun 2019 13:39:05 -0400
Subject: [Zeek] Creating a module and accessing an event in another script
In-Reply-To: <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com>
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com> <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com>

that script should generally work, but it was a lot more complicated than it
needed to be to accomplish what you are trying to do.
Here is a much simplified version. The only thing to keep in mind is that
since you are using zeek_init to set up the log stream this won't work on
bro or a small number of zeek builds from right after the rename. There are
no released versions of zeek so I don't know when you built it. Using
bro_init is backwards compatible and is probably better for now.

On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew wrote:
> Hi Justin,
>
> I can confirm that the attached scripts do not send me email on live
> traffic or create a log under $PREFIX/logs/current. But they do create
> notice.log and a SSHAttempt.log when running a pcap. I can also confirm
> that the send mail set up is working as I have received emails from zeek
> from other scripts.
>
> Kind regards,
> Merril.
>
> > On 5 Jun 2019, at 17:20, Justin Azoff wrote:
> >
> > [...]

-- 
Justin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: main.zeek
Type: application/octet-stream
Size: 1156 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190605/ca2935de/attachment.obj

From neslog at gmail.com Wed Jun 5 11:06:28 2019
From: neslog at gmail.com (Neslog)
Date: Wed, 5 Jun 2019 14:06:28 -0400
Subject: [Zeek] RDP protocol details

Hi I'm looking at RDP protocol and looking for some details. I'm looking for
encryption algorithms and methods supported by the client. I believe it
would be in the following event but not sure where I pulled it from.

    event rdp_client_network_data(c: connection, channels: ClientChannelList)

Appreciate any insights.
From greg.grasmehr at caltech.edu Wed Jun 5 11:32:18 2019
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Wed, 5 Jun 2019 11:32:18 -0700
Subject: [Zeek] Zeek Myricom port aggregation
In-Reply-To: <20190515220440.GB15954@dakine>
References: <20190515181427.GA15954@dakine> <20190515220440.GB15954@dakine>
Message-ID: <20190605183218.GC19294@dakine>

Just an update:

I contacted Myricom support about this issue a while back and haven't heard
anything in a while from them so I believe they are unable to duplicate it
perhaps, as they generally fix kernel problems very quickly in my experience.

Fortunately I will be swapping drives in an array and will need to take Zeek
down, so I will experiment for a bit before bringing it back up and see if I
can figure out what the issue is.

This kind of experimentation is very difficult when you don't have a dev
system to test on. :P

Greg

On 05/15/19 15:04:40, Greg Grasmehr wrote:
> tcpdump works perfectly with aggregation, no issues
>
> On 05/15/19 17:35:56, Justin Azoff wrote:
> > That looks like a bug in the myricom Driver and not zeek. Can you
> > reproduce the same kernel issue using tcpdump? You configure
> > aggregation for that using SNF_FLAGS:
> >
> >     SNF_FLAGS=0x2 (Port aggregation (or merging))
> >     Flag 0x2 says that the port number that is passed to an application is actually
> >     a mask of port, not just one port.
> >     For example, when using tcpdump:
> >     export SNF_FLAGS=0x2
> >     env SNF_FLAGS=0x2 /path/to/tcpdump -i snf3
> >
> > Without SNF_FLAGS=0x2, you would actually try to open snf port 3 (which
> > may not exist if you only have one adapter.)
> >
> > It's possible that you don't need to use aggregation in the first
> > place, That is generally only needed if you are connecting a fiber
> > tap directly into a card.
> > If flows are being load balanced across multiple ports you can just run
> > two different sets of workers, one for each port
> >
> > On Wed, May 15, 2019 at 2:17 PM Greg Grasmehr wrote:
> > >
> > > Hello,
> > >
> > > Hoping someone has some insight into whatever I am doing wrong as try as
> > > I might, I can't seem to get the Myricom plugin working if configured to
> > > aggregate port data. Zeek starts and then crashes in every case,
> > > regardless of configuration ie
> > >
> > >     interface=myricom::3
> > >     interface=myricom::*
> > >
> > > and snf_aggregate = T
> > >
> > > Here is related dmesg output logged by kdump
> > >
> > >     [67471.838822] BUG: unable to handle kernel paging request at 00007f0d8459607f
> > >     [67471.838863] IP: [] snf_eop_ioctl+0x609/0xc60 [myri_snf]
> > >     [67471.838927] Oops: 0001 [#1] SMP
> > >     [...]
> > >     [67471.839450] CPU: 24 PID: 92952 Comm: bro Kdump: loaded Tainted: G OE ------------ 3.10.0-957.10.1.el7.x86_64 #1
> > >     [67471.839483] Hardware name: Dell Inc. PowerEdge R730xd/072T6D, BIOS 2.9.1 12/04/2018
> > >     [...]
> > >     [67471.839800] Call Trace:
> > >     [67471.839818] [] ? down_read+0x12/0x40
> > >     [67471.839840] [] mx_common_ioctl+0x40/0x90 [myri_snf]
> > >     [67471.839865] [] mx_ioctl+0x72/0x290 [myri_snf]
> > >     [67471.839888] [] do_vfs_ioctl+0x3a0/0x5a0
> > >     [67471.839908] [] ? __do_page_fault+0x228/0x500
> > >     [67471.839928] [] SyS_ioctl+0xa1/0xc0
> > >     [67471.839947] [] system_call_fastpath+0x22/0x27
> > >     [...]
> >
> > -- 
> > Justin

From justin at corelight.com Wed Jun 5 11:31:46 2019
From: justin at corelight.com (Justin Azoff)
Date: Wed, 5 Jun 2019 14:31:46 -0400
Subject: [Zeek] RDP protocol details

Does this help?

https://github.com/zeek/zeek/blob/1e488d7ebe2c889b20333a4196512e069e34f630/scripts/base/init-bare.zeek#L4279-L4306

channels is a vector of RDP::ClientChannelDef

On Wed, Jun 5, 2019 at 2:15 PM Neslog wrote:
> Hi I'm looking at RDP protocol and looking for some details. I'm looking
> for encryption algorithms and methods supported by the client. I believe
> it would be in the following event but not sure where I pulled it from.
>
>     event rdp_client_network_data(c: connection, channels: ClientChannelList)
>
> Appreciate any insights.

-- 
Justin
From justin at corelight.com Wed Jun 5 11:39:43 2019
From: justin at corelight.com (Justin Azoff)
Date: Wed, 5 Jun 2019 14:39:43 -0400
Subject: [Zeek] Zeek Myricom port aggregation
In-Reply-To: <20190605183218.GC19294@dakine>
References: <20190515181427.GA15954@dakine> <20190515220440.GB15954@dakine> <20190605183218.GC19294@dakine>

Oh, I forgot to send you the recommended configuration for 2 cards in one
box..

Most likely you don't need to be merging the ports... as long as the arista
or something is merging the flows for you each port is already getting a
consistent subset of flows. At that point the on card aggregation doesn't
do anything for you.

I would use a configuration like this:

    [node-foo-card1]
    interface = p1p1
    lb_method=myricom
    lb_procs=9
    #check hwloc for numa/pci info
    pin_cpus=1,3,5,7,9,...

    [node-foo-card2]
    interface = p2p1
    lb_method=myricom
    lb_procs=9
    #check hwloc for numa/pci info
    pin_cpus=2,4,6,8,...

the hardest part is using the right pin_cpus settings. It's a little easier
if you disable HT and then check to see which card is attached to which cpu
using hwloc. sometimes it doesn't matter much, but on some motherboards you
can make sure you match up pci slots to physical cpus to avoid moving data
between the numa nodes.

On Wed, Jun 5, 2019 at 2:32 PM Greg Grasmehr wrote:
> Just an update:
>
> I contacted Myricom support about this issue a while back and haven't
> heard anything in a while from them so I believe they are unable to
> duplicate it perhaps, as they generally fix kernel problems very quickly
> in my experience.
>
> Fortunately I will be swapping drives in an array and will need to take
> Zeek down, so I will experiment for a bit before bringing it back up and
> see if I can figure out what the issue is.
>
> This kind of experimentation is very difficult when you don't have a dev
> system to test on.
> :P
>
> Greg
>
> On 05/15/19 15:04:40, Greg Grasmehr wrote:
> > [...]
-- 
Justin

From neslog at gmail.com Wed Jun 5 12:07:21 2019
From: neslog at gmail.com (Neslog)
Date: Wed, 5 Jun 2019 15:07:21 -0400
Subject: [Zeek] RDP protocol details

Solved: Answer at the bottom.

Yes, that's the data I'm looking for. Unfortunately when I try to load the
event with those details I receive an error.

    error in ././trybro.bro, line 11: identifier not defined: RDP::ClientChannelList

http://try.bro.org/#/trybro/saved/329529

I pulled this event from bro/src/analyzer/protocol/rdp/events.bif.

    event rdp_client_network_data%(c: connection, channels: RDP::ClientChannelList%);

Am I missing something? maybe need to define that in my init-bare?

Digging into it deeper... looks like it was using GitHub.com/bro vs
GitHub.com/zeek. Guess I'll have to officially migrate off Bro to Zeek.

On Wed, Jun 5, 2019 at 2:32 PM Justin Azoff wrote:
> Does this help?
>
> https://github.com/zeek/zeek/blob/1e488d7ebe2c889b20333a4196512e069e34f630/scripts/base/init-bare.zeek#L4279-L4306
>
> channels is a vector of RDP::ClientChannelDef
>
> [...]
>
> -- 
> Justin

From justin at corelight.com Wed Jun 5 12:13:57 2019
From: justin at corelight.com (Justin Azoff)
Date: Wed, 5 Jun 2019 15:13:57 -0400
Subject: [Zeek] RDP protocol details

not so much bro -> zeek but that it was just added 8 days ago:

https://github.com/zeek/zeek/pull/384

try.{bro,zeek}.org will work once I build a new master container... I'll
try to get to that soon if not today.

On Wed, Jun 5, 2019 at 3:07 PM Neslog wrote:
> Solved: Answer at the bottom.
>
> [...]
-- 
Justin

From neslog at gmail.com Wed Jun 5 12:34:41 2019
From: neslog at gmail.com (Neslog)
Date: Wed, 5 Jun 2019 15:34:41 -0400
Subject: [Zeek] RDP protocol details

lol, too funny. I look forward to it and thanks.

That said I'm looking for where the client sends its supported encryption
algos and methods. I'm still learning the protocol, doesn't look like Bro
is parsing out the encryption methods or encoding methods. Actually see the
Client security data commented out in rdp-protocol.pac.

    #0xc002 -> client_security: Client_Security_Data;

Looks like there's still more work to be done with parsing out the data?

On Wed, Jun 5, 2019 at 3:14 PM Justin Azoff wrote:
> not so much bro -> zeek but that it was just added 8 days ago:
>
> https://github.com/zeek/zeek/pull/384
>
> try.{bro,zeek}.org will work once I build a new master container...
> I'll try to get to that soon if not today.
>
> [...]
>
> -- 
> Justin
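As an added example, not code from the thread or from the Zeek project, here is a handler for the event Justin points at. It shows what rdp_client_network_data does expose, the requested static virtual channels with their option bits, including the per-channel encryption flags; the client's security-data encryption methods Neslog is after come from the commented-out Client_Security_Data and are not in this event. The field names name and options on RDP::ClientChannelDef are taken from the init-bare.zeek revision linked above; the module name, log path and flag constants are assumptions.

```zeek
# Added example (not code from the thread or the Zeek project).  Assumes
# RDP::ClientChannelDef has the fields name (string) and options (count);
# the flag values are the CHANNEL_OPTION_ENCRYPT_* bits of MS-RDPBCGR 2.2.1.3.4.1.
module RDPChannels;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:        time             &log;
		uid:       string           &log;
		id:        conn_id          &log;
		## Every static virtual channel the client asked for, in order.
		channels:  vector of string &log;
		## Channels whose options request encryption in some direction.
		encrypted: vector of string &log;
	};

	const OPT_ENCRYPT_RDP = 0x40000000;
	const OPT_ENCRYPT_SC  = 0x20000000;
	const OPT_ENCRYPT_CS  = 0x10000000;
}

event zeek_init()
	{
	Log::create_stream(RDPChannels::LOG, [$columns=Info, $path="rdp_channels"]);
	}

# channels is RDP::ClientChannelList, a vector of RDP::ClientChannelDef.
event rdp_client_network_data(c: connection, channels: RDP::ClientChannelList)
	{
	local names: vector of string = vector();
	local enc: vector of string = vector();
	local mask = OPT_ENCRYPT_RDP | OPT_ENCRYPT_SC | OPT_ENCRYPT_CS;

	for ( i in channels )
		{
		local ch = channels[i];
		names[|names|] = ch$name;

		# Any of the three encrypt bits set: the client wants this channel
		# protected by the RDP security layer.
		if ( (ch$options & mask) != 0 )
			enc[|enc|] = ch$name;
		}

	Log::write(RDPChannels::LOG,
	           Info($ts=network_time(), $uid=c$uid, $id=c$id,
	                $channels=names, $encrypted=enc));
	}
```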
From greg.grasmehr at caltech.edu Wed Jun 5 15:22:13 2019
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Wed, 5 Jun 2019 15:22:13 -0700
Subject: [Zeek] Zeek Myricom port aggregation
References: <20190515181427.GA15954@dakine> <20190515220440.GB15954@dakine> <20190605183218.GC19294@dakine>
Message-ID: <20190605222213.GH19294@dakine>

Thanks for that Justin, however I am merging two ports on a single card and
the reason for doing so is the Arista has 2 x 10G taps and aggregating those
links within the switch causes drops on the switch due to periodic
microbursts that exceed the bandwidth to a single 10G tool port. The other
option of aggregating the traffic in the switch to the 40G ports as a tool
port isn't a viable solution.

This is really vexing because tcpdump has 0 trouble reading the aggregated
ports, so while the kernel panic error information points to the SNF
software as a cause; I wonder...

Greg

On 06/05/19 14:39:43, Justin Azoff wrote:
> Oh, I forgot to send you the recommended configuration for 2 cards in one
> box..
>
> Most likely you don't need to be merging the ports... as long as the arista
> or something is merging the flows for you each port is already getting a
> consistent subset of flows. At that point the on card aggregation doesn't
> do anything for you.
>
> I would use a configuration like this:
>
>     [node-foo-card1]
>     interface = p1p1
>     lb_method=myricom
>     lb_procs=9
>     #check hwloc for numa/pci info
>     pin_cpus=1,3,5,7,9,...
>
>     [node-foo-card2]
>     interface = p2p1
>     lb_method=myricom
>     lb_procs=9
>     #check hwloc for numa/pci info
>     pin_cpus=2,4,6,8,...
>
> the hardest part is using the right pin_cpus settings. It's a little
> easier if you disable HT and then check to see which card is attached to
> which cpu using hwloc.
> sometimes it doesn't matter much, but on some motherboards you can make
> sure you match up pci slots to physical cpus to avoid moving data between
> the numa nodes.
>
> On Wed, Jun 5, 2019 at 2:32 PM Greg Grasmehr wrote:
> > [...]
If flows are being load balanced across > > > > multiple ports you can just run two different sets of workers, one for > > > > each port > > > > > > > > On Wed, May 15, 2019 at 2:17 PM Greg Grasmehr < > > greg.grasmehr at caltech.edu> wrote: > > > > > > > > > > Hello, > > > > > > > > > > Hoping someone has some insight into whatever I am doing wrong as > > try as > > > > > I might, I can't seem to get the Myricom plugin working if > > configured to > > > > > aggregate port data. Zeek starts and then crashes in every case, > > > > > regardless of configuration ie > > > > > > > > > > interface=myricom::3 > > > > > interface=myricom::* > > > > > > > > > > and snf_aggregate = T > > > > > > > > > > Here is related dmesg output logged by kdump > > > > > > > > > > [67471.838822] BUG: unable to handle kernel paging request at > > 00007f0d8459607f > > > > > [67471.838863] IP: [] snf_eop_ioctl+0x609/0xc60 > > [myri_snf] > > > > > [67471.838897] PGD 8000000a93bb9067 PUD 12d142c067 PMD 12d142d067 > > PTE 8000001d54829025 > > > > > [67471.838927] Oops: 0001 [#1] SMP > > > > > [67471.838942] Modules linked in: binfmt_misc macsec tcp_diag > > udp_diag inet_diag unix_diag af_packet_diag netlink_diag myri_snf(OE) > > mpt2sas raid_class scsi_transport_sas mptctl mptbase ip6t_rpfilter > > ipt_REJECT nf_reject_ipv4 nf_log_ipv4 ip6t_REJECT nf_reject_ipv6 > > nf_log_ipv6 nf_log_common xt_LOG xt_conntrack ip_set nfnetlink ebtable_nat > > ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 > > nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat > > nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack > > iptable_mangle iptable_security iptable_raw ebtable_filter ebtables > > ip6table_filter ip6_tables iptable_filter dell_rbu sunrpc dcdbas iTCO_wdt > > iTCO_vendor_support sb_edac intel_powerclamp coretemp intel_rapl iosf_mbi > > kvm_intel kvm irqbypass crc32_pclmul joydev > > > > > [67471.839241] ghash_clmulni_intel aesni_intel lrw 
gf128mul > > glue_helper ablk_helper cryptd mxm_wmi ext4 mbcache jbd2 pcspkr ipmi_ssif > > mei_me lpc_ich mei sg ipmi_si ipmi_devintf ipmi_msghandler wmi > > acpi_power_meter ip_tables xfs libcrc32c sd_mod crc_t10dif > > crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper syscopyarea > > sysfillrect sysimgblt fb_sys_fops ttm drm crct10dif_pclmul crct10dif_common > > crc32c_intel drm_panel_orientation_quirks ahci libahci dca libata tg3 > > megaraid_sas ptp pps_core dm_mirror dm_region_hash dm_log dm_mod [last > > unloaded: myri10ge] > > > > > [67471.839450] CPU: 24 PID: 92952 Comm: bro Kdump: loaded Tainted: > > G OE ------------ 3.10.0-957.10.1.el7.x86_64 #1 > > > > > [67471.839483] Hardware name: Dell Inc. PowerEdge R730xd/072T6D, > > BIOS 2.9.1 12/04/2018 > > > > > [67471.839508] task: ffff95d0e7c41040 ti: ffff95e3197c0000 task.ti: > > ffff95e3197c0000 > > > > > [67471.839531] RIP: 0010:[] [] > > snf_eop_ioctl+0x609/0xc60 [myri_snf] > > > > > [67471.839564] RSP: 0018:ffff95e3197c3d38 EFLAGS: 00010006 > > > > > [67471.839583] RAX: 0000000000000286 RBX: 0000000000000001 RCX: > > 0000000000000000 > > > > > [67471.839605] RDX: ffff95d0526253d0 RSI: 00007f0d84596000 RDI: > > ffffb70f589ba7f8 > > > > > [67471.839627] RBP: ffff95e3197c3df8 R08: ffffb70f599bb000 R09: > > 0000000000000003 > > > > > [67471.839648] R10: 0000000000000000 R11: 0000000000000000 R12: > > ffff95d052625000 > > > > > [67471.839670] R13: 00007ffeb542d710 R14: 00007ffeb542d710 R15: > > 0000000000000000 > > > > > [67471.839693] FS: 00007f180d6a7900(0000) GS:ffff95eefe900000(0000) > > knlGS:0000000000000000 > > > > > [67471.839717] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > > > > > [67471.839735] CR2: 00007f0d8459607f CR3: 0000001ff663c000 CR4: > > 00000000003607e0 > > > > > [67471.839757] DR0: 0000000000000000 DR1: 0000000000000000 DR2: > > 0000000000000000 > > > > > [67471.839778] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: > > 0000000000000400 > > > > > [67471.839800] Call Trace: > > 
> > > [67471.839818] [] ? down_read+0x12/0x40 > > > > > [67471.839840] [] mx_common_ioctl+0x40/0x90 > > [myri_snf] > > > > > [67471.839865] [] mx_ioctl+0x72/0x290 [myri_snf] > > > > > [67471.839888] [] do_vfs_ioctl+0x3a0/0x5a0 > > > > > [67471.839908] [] ? __do_page_fault+0x228/0x500 > > > > > [67471.839928] [] SyS_ioctl+0xa1/0xc0 > > > > > [67471.839947] [] system_call_fastpath+0x22/0x27 > > > > > [67471.839966] Code: d3 e6 44 85 ce 74 e1 48 83 bf b8 00 00 00 00 75 > > d1 4c 8b 87 c0 00 00 00 4c 63 d9 41 8b 70 04 48 c1 e6 09 4b 03 b4 dc c0 06 > > 00 00 <0f> b6 76 7f 41 39 30 75 b4 4c 89 a7 b8 00 00 00 49 89 bc 24 60 > > > > > [67471.840084] RIP [] snf_eop_ioctl+0x609/0xc60 > > [myri_snf] > > > > > [67471.840112] RSP > > > > > [67471.840125] CR2: 00007f0d8459607f > > > > > > > > > > _______________________________________________ > > > > > Zeek mailing list > > > > > zeek at zeek.org > > > > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > > > > > > > > > > > > > > > -- > > > > Justin > > > _______________________________________________ > > > Zeek mailing list > > > zeek at zeek.org > > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > > > > -- > Justin From greg.grasmehr at caltech.edu Wed Jun 5 15:30:35 2019 From: greg.grasmehr at caltech.edu (Greg Grasmehr) Date: Wed, 5 Jun 2019 15:30:35 -0700 Subject: [Zeek] Zeek Myricom port aggregation In-Reply-To: <20190605222213.GH19294@dakine> References: <20190515181427.GA15954@dakine> <20190515220440.GB15954@dakine> <20190605183218.GC19294@dakine> <20190605222213.GH19294@dakine> Message-ID: <20190605223035.GI19294@dakine> Other problem is I am running timemachine on this box, I think it would be a little dicey trying to run two separate instances of Zeek and TM - not even sure running two instances of TM would work... 
From Melissa.Carpenter1 at gdit.com Wed Jun 5 18:56:08 2019
From: Melissa.Carpenter1 at gdit.com (Carpenter, Melissa)
Date: Thu, 6 Jun 2019 01:56:08 +0000
Subject: [Zeek] Zeek Digest, Vol 158, Issue 3
Message-ID: <767dd6cb13b84bc889ca7ef01f81d2f2@HQ-EXCHMBX06.ad.local>

I like the idea of a Zeek Slack Channel as well!
-----Original Message-----
From: zeek-bounces at zeek.org On Behalf Of zeek-request at zeek.org
Sent: Monday, June 3, 2019 3:00 PM
To: zeek at zeek.org
Subject: Zeek Digest, Vol 158, Issue 3

Today's Topics:

   1. Re: Communication channels (Amber Graner)

----------------------------------------------------------------------

Message: 1
Date: Mon, 3 Jun 2019 08:25:57 -0500
From: Amber Graner
Subject: Re: [Zeek] Communication channels
To: Woot4moo
Cc: zeek
Content-Type: text/plain; charset="utf-8"

I'll research some options and ask for the LT to review at the next meeting. Please continue to add your thoughts.

Thanks,
~Amber

On Mon, Jun 3, 2019 at 7:34 AM Woot4moo wrote:

> Agree. While giphy integration is a good time killer, I am far more interested in modern amenities such as threads and history. I presume Matrix would get us there or could be close with some pull requests.
>
> On Mon, Jun 3, 2019 at 8:24 AM Mark Gardner wrote:
>
>> On Sun, Jun 2, 2019 at 11:45 AM anthony kasza wrote:
>>
>>> I don't use the IRC channel but I would lurk in a Zeek Slack channel.
>>
>> Please choose an open standard rather than a walled garden. Someone above suggested Matrix as a possibility.

--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469

* Ask me about how you can participate in the Zeek (formerly Bro) community.
* Remember - ZEEK AND YOU SHALL FIND!!
------------------------------

End of Zeek Digest, Vol 158, Issue 3
************************************

From merril.mathew at baby2body.com Thu Jun 6 01:50:16 2019
From: merril.mathew at baby2body.com (Merril Mathew)
Date: Thu, 6 Jun 2019 09:50:16 +0100
Subject: [Zeek] Creating a module and accessing an event in another script
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com> <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com>
Message-ID: <04C29F12-6C8F-4D1A-BDD5-61391748977E@baby2body.com>

Hi Justin,

Thank you for the script, much appreciated. Unfortunately it does not seem to solve the problem, now I am starting to think if there is any issue with my zeek installation.

Also apologies for the messy code. I am only one week into Zeek (bro) and I will try to improve the code for any future posts. :)

Kind regards,
Merril.

> On 5 Jun 2019, at 18:39, Justin Azoff wrote:
>
> that script should generally work, but it was a lot more complicated than it needed to be to accomplish what you are trying to do. Here is a much simplified version.
>
> The only thing to keep in mind is that since you are using zeek_init to set up the log stream this won't work on bro or a small number of zeek builds from right after the rename. There are no released versions of zeek so I don't know when you built it. Using bro_init is backwards compatible and is probably better for now.
>
> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew wrote:
>
> Hi Justin,
>
> I can confirm that the attached scripts do not send me email on live traffic or create a log under $PREFIX/logs/current. But they do create notice.log and a SSHAttempt.log when running a pcap. I can also confirm that the send mail setup is working as I have received emails from zeek from other scripts.
>
> Kind regards,
> Merril.
>
>> On 5 Jun 2019, at 17:20, Justin Azoff wrote:
>>
>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew wrote:
>>
>> Hi Justin,
>>
>> Thanks. But it did not work for me.
>>
>> Did not work how? Did you post the version of the script that didn't work?
>>
>> --
>> Justin
>
> --
> Justin

From nskelsey at gmail.com Thu Jun 6 02:54:12 2019
From: nskelsey at gmail.com (Nick Skelsey)
Date: Thu, 6 Jun 2019 11:54:12 +0200
Subject: [Zeek] Packages in the Arch user repo

Hi folks,

I have packaged and uploaded zeek [1] and zeek-broker [2] into the Arch user repository.

[1] https://aur.archlinux.org/packages/zeek/
[2] https://aur.archlinux.org/packages/zeek-broker/

I've tested the install on a few different systems and it seems to work. I plan on maintaining these packages long term because zeek is awesome.

The flags I've configured for zeek-broker are minimal because the only current user (me) requires the headers and the shared objects. So, let me know either here or in the comments in the aur if flag x,y,z would be nice to have by default and I'll turn them on.

Cheers,
Nick

From akgraner at corelight.com Thu Jun 6 08:19:02 2019
From: akgraner at corelight.com (Amber Graner)
Date: Thu, 6 Jun 2019 10:19:02 -0500
Subject: [Zeek] Packages in the Arch user repo

Nick,

Thank you!

~Amber

--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469

* Ask me about how you can participate in the Zeek (formerly Bro) community.
* Remember - ZEEK AND YOU SHALL FIND!!

From merril.mathew at baby2body.com Thu Jun 6 09:10:38 2019
From: merril.mathew at baby2body.com (Merril Mathew)
Date: Thu, 6 Jun 2019 17:10:38 +0100
Subject: [Zeek] Creating a module and accessing an event in another script
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com> <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com>

Hi All,

I cannot figure out why the Notice doesn't behave as expected on live traffic. I am now trying to make it work with the SSH (log_ssh) event as my previous attempt on ssh_auth_result led me nowhere. If I raise the NOTICE function just after the log_ssh event from a script it sends me email on live traffic. However if I use the NOTICE function inside IF, ELSE IF, ELSE conditionals for the auth_success boolean then it does not send me emails. Anyone see what I am doing wrong? I couldn't figure it out from the Notice documentation.

Please find attached the scripts for reference.

Kind regards,
Merril.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: alert_ssh_attempt_new.bro
Type: application/octet-stream
Size: 957 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190606/9514e001/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: email_ssh_attempt.bro
Type: application/octet-stream
Size: 239 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190606/9514e001/attachment-0001.obj

From justin at corelight.com Thu Jun 6 09:22:34 2019
From: justin at corelight.com (Justin Azoff)
Date: Thu, 6 Jun 2019 12:22:34 -0400
Subject: [Zeek] Creating a module and accessing an event in another script
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com> <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com>

email_ssh_attempt.bro is not required at all because you already added Login_Attempted to Notice::emailed_types in the other script.

Your other script is slightly broken because in the case of an unknown result the field is not present, so your script needs to look like this.

    event log_ssh(rec: Info) &priority=5
        {
        # auth_success is &optional in SSH::Info, so test for presence before reading it
        if ( ! rec?$auth_success )
            {
            NOTICE([$note=SSH::Login_Attempted, $msg=fmt("Unknown")]);
            }
        else if ( rec$auth_success == F )
            {
            NOTICE([$note=SSH::Login_Attempted,
                    $msg=fmt("SSH login attempted from %s, %s many times and failed",
                             rec$client, rec$auth_attempts)]);
            }
        else
            {
            NOTICE([$note=SSH::Login_Attempted,
                    $msg=fmt("SSH login attempted from %s, %s many times and succeeded",
                             rec$client, rec$auth_attempts)]);
            }
        }

if you look at your reporter.log you should see it filled with errors like this:

    Reporter::ERROR field value missing [SSH::rec$auth_success] alert_ssh_attempt_new.bro, line 14

--
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
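The pieces this thread discusses, put together as one self-contained script: this is an added example, not a script posted by Justin or Merril. It assumes the SSH analyzer's log stream is loaded by default (base/protocols/ssh), so no extra log stream or zeek_init/bro_init handler is needed, and that Notice::mail_dest is configured elsewhere; it also guards the client field, which is &optional in SSH::Info just like auth_success, and uses a notice identifier so a burst of attempts from one host produces one mail rather than one per record.

```zeek
# Added example (not from the thread). Assumes base/protocols/ssh is loaded,
# as it is in a default Zeek install, so SSH::log_ssh fires per ssh.log record.
@load base/frameworks/notice
@load base/protocols/ssh

module SSH;

export {
	redef enum Notice::Type += {
		## Raised once per ssh.log record, whatever the authentication outcome.
		Login_Attempted,
	};
}

# Mail every Login_Attempted notice (Notice::mail_dest must be set, e.g. in local.zeek).
redef Notice::emailed_types += { SSH::Login_Attempted };

# log_ssh fires just before a record is written to ssh.log. auth_success is
# &optional: when Zeek could not determine the outcome the field is absent,
# and reading rec$auth_success directly is exactly the
# "field value missing [SSH::rec$auth_success]" error seen in reporter.log.
# The ?$ operator tests for presence without reading the field.
event log_ssh(rec: Info) &priority=5
	{
	# client is &optional as well (no banner seen), so guard it the same way.
	local client = rec?$client ? rec$client : "<unknown client>";
	local endpoints = fmt("%s -> %s", rec$id$orig_h, rec$id$resp_h);

	local outcome: string;
	if ( ! rec?$auth_success )
		outcome = "unknown result";
	else if ( rec$auth_success )
		outcome = "succeeded";
	else
		outcome = "failed";

	# identifier + suppress_for: repeated notices with the same identifier
	# within the interval are suppressed, so a noisy host does not flood
	# the mailbox with one e-mail per ssh.log record.
	NOTICE([$note=SSH::Login_Attempted,
	        $msg=fmt("SSH login from %s (%s) %s after %d attempt(s)",
	                 endpoints, client, outcome, rec$auth_attempts),
	        $sub=outcome,
	        $id=rec$id,
	        $uid=rec$uid,
	        $identifier=cat(rec$id$orig_h, rec$id$resp_h, outcome),
	        $suppress_for=10min]);
	}
```

Run it against a capture with `zeek -r ssh.pcap this_script.zeek` and check notice.log before enabling it on live traffic; each record should yield a notice with sub set to succeeded, failed, or unknown result, and reporter.log should stay free of "field value missing" errors.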
From neslog at gmail.com Thu Jun 6 09:39:30 2019
From: neslog at gmail.com (Neslog)
Date: Thu, 6 Jun 2019 12:39:30 -0400
Subject: [Zeek] RDP protocol details

For anyone interested I got the Client_Security_Data added to the rdp analyzer. Pull request is open. Please let me know thoughts.

https://github.com/zeek/zeek/pull/400

On Wed, Jun 5, 2019 at 3:34 PM Neslog wrote:

> lol, too funny. I look forward to it and thanks.
>
> That said I'm looking for where the client sends its supported encryption algos and methods. I'm still learning the protocol, doesn't look like Bro is parsing out the encryption methods or encoding methods. Actually see the Client security data commented out in rdp-protocol.pac.
>
> #0xc002 -> client_security: Client_Security_Data;
>
> Looks like there's still more work to be done with parsing out the data?
>
> On Wed, Jun 5, 2019 at 3:14 PM Justin Azoff wrote:
>
>> not so much bro -> zeek but that it was just added 8 days ago:
>>
>> https://github.com/zeek/zeek/pull/384
>>
>> try.{bro,zeek}.org will work once I build a new master container... I'll try to get to that soon if not today.
>>
>> On Wed, Jun 5, 2019 at 3:07 PM Neslog wrote:
>>
>>> Solved: Answer at the bottom.
>>>
>>> Yes, that's the data I'm looking for. Unfortunately when I try to load the event with those details I receive an error.
>>>
>>> error in ././trybro.bro, line 11: identifier not defined: RDP::ClientChannelList
>>> http://try.bro.org/#/trybro/saved/329529
>>>
>>> I pulled this event from bro/src/analyzer/protocol/rdp/events.bif.
>>> event rdp_client_network_data%(c: connection, channels: RDP::ClientChannelList%);
>>>
>>> Am I missing something? Maybe I need to define that in my init-bare?
>>>
>>> Digging into it deeper... looks like it was using GitHub.com/bro vs GitHub.com/zeek. Guess I'll have to officially migrate off Bro to Zeek.
>>>
>>> On Wed, Jun 5, 2019 at 2:32 PM Justin Azoff wrote:
>>>
>>>> Does this help?
>>>>
>>>> https://github.com/zeek/zeek/blob/1e488d7ebe2c889b20333a4196512e069e34f630/scripts/base/init-bare.zeek#L4279-L4306
>>>>
>>>> channels is a vector of RDP::ClientChannelDef
>>>>
>>>> On Wed, Jun 5, 2019 at 2:15 PM Neslog wrote:
>>>>
>>>>> Hi, I'm looking at the RDP protocol and looking for some details. I'm looking for encryption algorithms and methods supported by the client. I believe it would be in the following event but not sure where I pulled it from.
>>>>>
>>>>> event rdp_client_network_data(c: connection, channels: ClientChannelList)
>>>>>
>>>>> Appreciate any insights.
>>>>
>>>> --
>>>> Justin
>>
>> --
>> Justin

From merril.mathew at baby2body.com Thu Jun 6 09:46:51 2019
From: merril.mathew at baby2body.com (Merril Mathew)
Date: Thu, 6 Jun 2019 17:46:51 +0100
Subject: [Zeek] Creating a module and accessing an event in another script
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com> <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com>

Hi Justin,

Thanks again. I made the changes you sent and I am getting this error in reporter.log:

    1559839456.472514 Reporter::ERROR field value missing [SSH::rec$auth_success] /usr/local/bro/share/bro/site/alert_ssh_attempt.bro, line 22

But it definitely returns auth_success=F when running on a .pcap. I assume auth_success will be T when I ssh into the box?

Kind regards,
Merril.
> On 6 Jun 2019, at 17:22, Justin Azoff wrote:
>
> email_ssh_attempt.bro is not required at all because you already added Login_Attempted to Notice::emailed_types in the other script.
>
> Your other script is slightly broken because in the case of unknown result the field is not present, so your script needs to look like this.
>
> event log_ssh(rec: Info) &priority=5
> {
> if(!rec?$auth_success) {
> NOTICE([$note=SSH::Login_Attempted, $msg=fmt("Unknown")]);
> }
> else if(rec$auth_success == F) {
> NOTICE([$note=SSH::Login_Attempted,
> $msg=fmt("SSH login attempted from %s, %s many times and failed", rec$client, rec$auth_attempts)]);
> } else {
> NOTICE([$note=SSH::Login_Attempted,
> $msg=fmt("SSH login attempted from %s, %s many times and succeeded", rec$client, rec$auth_attempts)]);
> }
> }
>
> if you look at your reporter.log you should see it filled with errors like this:
>
> Reporter::ERROR field value missing [SSH::rec$auth_success] alert_ssh_attempt_new.bro, line 14
>
> On Thu, Jun 6, 2019 at 12:10 PM Merril Mathew wrote:
> Hi All,
>
> I cannot figure out why the Notice doesn't behave as expected on live traffic. I am now trying to make it work with the SSH (log_ssh) event as a previous attempt on ssh_auth_result led me nowhere. If I raise the NOTICE function just after the log_ssh event from a script it sends me email on live traffic. However, if I use the NOTICE function inside IF, ELSE IF, ELSE conditionals for the auth_success boolean then it does not send me emails. Anyone see what I am doing wrong? I couldn't figure it out from the Notice documentation.
>
> Please find attached the scripts for reference.
>
> Kind regards,
> Merril.
>
>> On 5 Jun 2019, at 18:39, Justin Azoff wrote:
>>
>> that script should generally work, but it was a lot more complicated than it needed to be to accomplish what you are trying to do. Here is a much simplified version.
>>
>> The only thing to keep in mind is that since you are using zeek_init to set up the log stream this won't work on bro or a small number of zeek builds from right after the rename. There are no released versions of zeek so I don't know when you built it. Using bro_init is backwards compatible and is probably better for now.
>>
>> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew wrote:
>> Hi Justin,
>>
>> I can confirm that the attached scripts do not send me email on live traffic or create a log under $PREFIX/logs/current. But it does create notice.log and a SSHAttempt.log when running pcap. I can also confirm that the send mail setup is working as I have received emails from zeek from other scripts.
>>
>> Kind regards,
>> Merril.
>>
>>> On 5 Jun 2019, at 17:20, Justin Azoff wrote:
>>>
>>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew wrote:
>>> Hi Justin,
>>>
>>> Thanks. But it did not work for me.
>>>
>>> Did not work how? Did you post the version of the script that didn't work?
>>>
>>> --
>>> Justin
>>
>> --
>> Justin
>
> --
> Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190606/a7a1013b/attachment-0001.html

From justin at corelight.com Thu Jun 6 09:56:17 2019
From: justin at corelight.com (Justin Azoff)
Date: Thu, 6 Jun 2019 12:56:17 -0400
Subject: [Zeek] Creating a module and accessing an event in another script
In-Reply-To:
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com> <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com>
Message-ID:

What does your current script look like?

On Thu, Jun 6, 2019 at 12:46 PM Merril Mathew wrote:
> Hi Justin,
>
> Thanks again. I made the changes you sent and I am getting this error on reporter.log: "1559839456.472514 Reporter::ERROR field value missing [SSH::rec$auth_success] /usr/local/bro/share/bro/site/alert_ssh_attempt.bro, line 22"
>
> But it definitely returns auth_success=F when running on .pcap. I assume auth_success will be T when I ssh into the box?
>
> Kind regards,
> Merril.
>
> On 6 Jun 2019, at 17:22, Justin Azoff wrote:
>
> email_ssh_attempt.bro is not required at all because you already added Login_Attempted to Notice::emailed_types in the other script.
>
> Your other script is slightly broken because in the case of unknown result the field is not present, so your script needs to look like this.
>
> event log_ssh(rec: Info) &priority=5
> {
> if(!rec?$auth_success) {
> NOTICE([$note=SSH::Login_Attempted, $msg=fmt("Unknown")]);
> }
> else if(rec$auth_success == F) {
> NOTICE([$note=SSH::Login_Attempted,
> $msg=fmt("SSH login attempted from %s, %s many times and failed", rec$client, rec$auth_attempts)]);
> } else {
> NOTICE([$note=SSH::Login_Attempted,
> $msg=fmt("SSH login attempted from %s, %s many times and succeeded", rec$client, rec$auth_attempts)]);
> }
> }
>
> if you look at your reporter.log you should see it filled with errors like this:
>
> Reporter::ERROR field value missing [SSH::rec$auth_success] alert_ssh_attempt_new.bro, line 14
>
> On Thu, Jun 6, 2019 at 12:10 PM Merril Mathew wrote:
>
>> Hi All,
>>
>> I cannot figure out why the Notice doesn't behave as expected on live traffic. I am now trying to make it work with the SSH (log_ssh) event as a previous attempt on ssh_auth_result led me nowhere. If I raise the NOTICE function just after the log_ssh event from a script it sends me email on live traffic. However, if I use the NOTICE function inside IF, ELSE IF, ELSE conditionals for the auth_success boolean then it does not send me emails. Anyone see what I am doing wrong? I couldn't figure it out from the Notice documentation.
>>
>> Please find attached the scripts for reference.
>>
>> Kind regards,
>> Merril.
>>
>> On 5 Jun 2019, at 18:39, Justin Azoff wrote:
>>
>> that script should generally work, but it was a lot more complicated than it needed to be to accomplish what you are trying to do. Here is a much simplified version.
>>
>> The only thing to keep in mind is that since you are using zeek_init to set up the log stream this won't work on bro or a small number of zeek builds from right after the rename. There are no released versions of zeek so I don't know when you built it. Using bro_init is backwards compatible and is probably better for now.
>>
>> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
>>
>>> Hi Justin,
>>>
>>> I can confirm that the attached scripts do not send me email on live traffic or create a log under $PREFIX/logs/current. But it does create notice.log and a SSHAttempt.log when running pcap. I can also confirm that the send mail setup is working as I have received emails from zeek from other scripts.
>>>
>>> Kind regards,
>>> Merril.
>>>
>>> On 5 Jun 2019, at 17:20, Justin Azoff wrote:
>>>
>>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
>>>
>>>> Hi Justin,
>>>>
>>>> Thanks. But it did not work for me.
>>>>
>>> Did not work how? Did you post the version of the script that didn't work?
>>>
>>> --
>>> Justin
>>
>> --
>> Justin
>
> --
> Justin

--
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190606/34c0bf75/attachment.html

From merril.mathew at baby2body.com Thu Jun 6 10:02:50 2019
From: merril.mathew at baby2body.com (Merril Mathew)
Date: Thu, 6 Jun 2019 18:02:50 +0100
Subject: [Zeek] Creating a module and accessing an event in another script
In-Reply-To:
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com> <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com>
Message-ID: <8B71A2F6-1725-4BE7-B7E9-39E339DA1B07@baby2body.com>

Please find attached. It complains on the first if statement that auth_success is missing. At line 14 for !rec$auth_success.

Merril.

> On 6 Jun 2019, at 17:56, Justin Azoff wrote:
>
> What does your current script look like?
>
> On Thu, Jun 6, 2019 at 12:46 PM Merril Mathew wrote:
> Hi Justin,
>
> Thanks again. I made the changes you sent and I am getting this error on reporter.log: "1559839456.472514 Reporter::ERROR field value missing [SSH::rec$auth_success] /usr/local/bro/share/bro/site/alert_ssh_attempt.bro, line 22"
>
> But it definitely returns auth_success=F when running on .pcap. I assume auth_success will be T when I ssh into the box?
>
> Kind regards,
> Merril.
>
>> On 6 Jun 2019, at 17:22, Justin Azoff wrote:
>>
>> email_ssh_attempt.bro is not required at all because you already added Login_Attempted to Notice::emailed_types in the other script.
>>
>> Your other script is slightly broken because in the case of unknown result the field is not present, so your script needs to look like this.
>>
>> event log_ssh(rec: Info) &priority=5
>> {
>> if(!rec?$auth_success) {
>> NOTICE([$note=SSH::Login_Attempted, $msg=fmt("Unknown")]);
>> }
>> else if(rec$auth_success == F) {
>> NOTICE([$note=SSH::Login_Attempted,
>> $msg=fmt("SSH login attempted from %s, %s many times and failed", rec$client, rec$auth_attempts)]);
>> } else {
>> NOTICE([$note=SSH::Login_Attempted,
>> $msg=fmt("SSH login attempted from %s, %s many times and succeeded", rec$client, rec$auth_attempts)]);
>> }
>> }
>>
>> if you look at your reporter.log you should see it filled with errors like this:
>>
>> Reporter::ERROR field value missing [SSH::rec$auth_success] alert_ssh_attempt_new.bro, line 14
>>
>> On Thu, Jun 6, 2019 at 12:10 PM Merril Mathew wrote:
>> Hi All,
>>
>> I cannot figure out why the Notice doesn't behave as expected on live traffic. I am now trying to make it work with the SSH (log_ssh) event as a previous attempt on ssh_auth_result led me nowhere. If I raise the NOTICE function just after the log_ssh event from a script it sends me email on live traffic. However, if I use the NOTICE function inside IF, ELSE IF, ELSE conditionals for the auth_success boolean then it does not send me emails. Anyone see what I am doing wrong? I couldn't figure it out from the Notice documentation.
>>
>> Please find attached the scripts for reference.
>>
>> Kind regards,
>> Merril.
>>
>>> On 5 Jun 2019, at 18:39, Justin Azoff wrote:
>>>
>>> that script should generally work, but it was a lot more complicated than it needed to be to accomplish what you are trying to do. Here is a much simplified version.
>>>
>>> The only thing to keep in mind is that since you are using zeek_init to set up the log stream this won't work on bro or a small number of zeek builds from right after the rename. There are no released versions of zeek so I don't know when you built it. Using bro_init is backwards compatible and is probably better for now.
>>>
>>> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew wrote:
>>> Hi Justin,
>>>
>>> I can confirm that the attached scripts do not send me email on live traffic or create a log under $PREFIX/logs/current. But it does create notice.log and a SSHAttempt.log when running pcap. I can also confirm that the send mail setup is working as I have received emails from zeek from other scripts.
>>>
>>> Kind regards,
>>> Merril.
>>>
>>>> On 5 Jun 2019, at 17:20, Justin Azoff wrote:
>>>>
>>>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew wrote:
>>>> Hi Justin,
>>>>
>>>> Thanks. But it did not work for me.
>>>>
>>>> Did not work how? Did you post the version of the script that didn't work?
>>>>
>>>> --
>>>> Justin
>>>
>>> --
>>> Justin
>>
>> --
>> Justin
>
> --
> Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190606/fb91cb83/attachment-0002.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: alert_ssh_attempt_new.bro
Type: application/octet-stream
Size: 959 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190606/fb91cb83/attachment-0001.obj
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190606/fb91cb83/attachment-0003.html

From justin at corelight.com Thu Jun 6 10:12:03 2019
From: justin at corelight.com (Justin Azoff)
Date: Thu, 6 Jun 2019 13:12:03 -0400
Subject: [Zeek] Creating a module and accessing an event in another script
In-Reply-To: <8B71A2F6-1725-4BE7-B7E9-39E339DA1B07@baby2body.com>
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com> <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com> <8B71A2F6-1725-4BE7-B7E9-39E339DA1B07@baby2body.com>
Message-ID:

The first line should be

if(!rec?$auth_success) {

not

if(!rec$auth_success)

On Thu, Jun 6, 2019 at 1:02 PM Merril Mathew wrote:
> Please find attached. It complains on the first if statement that auth_success is missing. At line 14 for !rec$auth_success.
>
> Merril.
>
> On 6 Jun 2019, at 17:56, Justin Azoff wrote:
>
> What does your current script look like?
>
> On Thu, Jun 6, 2019 at 12:46 PM Merril Mathew wrote:
>
>> Hi Justin,
>>
>> Thanks again. I made the changes you sent and I am getting this error on reporter.log: "1559839456.472514 Reporter::ERROR field value missing [SSH::rec$auth_success] /usr/local/bro/share/bro/site/alert_ssh_attempt.bro, line 22"
>>
>> But it definitely returns auth_success=F when running on .pcap. I assume auth_success will be T when I ssh into the box?
>>
>> Kind regards,
>> Merril.
>>
>> On 6 Jun 2019, at 17:22, Justin Azoff wrote:
>>
>> email_ssh_attempt.bro is not required at all because you already added Login_Attempted to Notice::emailed_types in the other script.
>>
>> Your other script is slightly broken because in the case of unknown result the field is not present, so your script needs to look like this.
>>
>> event log_ssh(rec: Info) &priority=5
>> {
>> if(!rec?$auth_success) {
>> NOTICE([$note=SSH::Login_Attempted, $msg=fmt("Unknown")]);
>> }
>> else if(rec$auth_success == F) {
>> NOTICE([$note=SSH::Login_Attempted,
>> $msg=fmt("SSH login attempted from %s, %s many times and failed", rec$client, rec$auth_attempts)]);
>> } else {
>> NOTICE([$note=SSH::Login_Attempted,
>> $msg=fmt("SSH login attempted from %s, %s many times and succeeded", rec$client, rec$auth_attempts)]);
>> }
>> }
>>
>> if you look at your reporter.log you should see it filled with errors like this:
>>
>> Reporter::ERROR field value missing [SSH::rec$auth_success] alert_ssh_attempt_new.bro, line 14
>>
>> On Thu, Jun 6, 2019 at 12:10 PM Merril Mathew wrote:
>>
>>> Hi All,
>>>
>>> I cannot figure out why the Notice doesn't behave as expected on live traffic. I am now trying to make it work with the SSH (log_ssh) event as a previous attempt on ssh_auth_result led me nowhere. If I raise the NOTICE function just after the log_ssh event from a script it sends me email on live traffic. However, if I use the NOTICE function inside IF, ELSE IF, ELSE conditionals for the auth_success boolean then it does not send me emails. Anyone see what I am doing wrong? I couldn't figure it out from the Notice documentation.
>>>
>>> Please find attached the scripts for reference.
>>>
>>> Kind regards,
>>> Merril.
>>>
>>> On 5 Jun 2019, at 18:39, Justin Azoff wrote:
>>>
>>> that script should generally work, but it was a lot more complicated than it needed to be to accomplish what you are trying to do. Here is a much simplified version.
>>>
>>> The only thing to keep in mind is that since you are using zeek_init to set up the log stream this won't work on bro or a small number of zeek builds from right after the rename. There are no released versions of zeek so I don't know when you built it.
>>> Using bro_init is backwards compatible and is probably better for now.
>>>
>>> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
>>>
>>>> Hi Justin,
>>>>
>>>> I can confirm that the attached scripts do not send me email on live traffic or create a log under $PREFIX/logs/current. But it does create notice.log and a SSHAttempt.log when running pcap. I can also confirm that the send mail setup is working as I have received emails from zeek from other scripts.
>>>>
>>>> Kind regards,
>>>> Merril.
>>>>
>>>> On 5 Jun 2019, at 17:20, Justin Azoff wrote:
>>>>
>>>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
>>>>
>>>>> Hi Justin,
>>>>>
>>>>> Thanks. But it did not work for me.
>>>>>
>>>> Did not work how? Did you post the version of the script that didn't work?
>>>>
>>>> --
>>>> Justin
>>>
>>> --
>>> Justin
>>
>> --
>> Justin
>
> --
> Justin

--
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190606/499a3e7d/attachment.html

From merril.mathew at baby2body.com Thu Jun 6 11:44:50 2019
From: merril.mathew at baby2body.com (Merril Mathew)
Date: Thu, 6 Jun 2019 19:44:50 +0100
Subject: [Zeek] Creating a module and accessing an event in another script
In-Reply-To:
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com> <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com>
Message-ID:

Hi Justin,

Now it sends the email. But it executes the "if(!rec?$auth_success)" condition and I am getting the message "unknown". Which means auth_success is not found on live traffic, so the error remains I think.

Kind regards,
Merril.

On Wed, 5 Jun 2019, 18:39 Justin Azoff, wrote:
> that script should generally work, but it was a lot more complicated than it needed to be to accomplish what you are trying to do.
> Here is a much simplified version.
>
> The only thing to keep in mind is that since you are using zeek_init to set up the log stream this won't work on bro or a small number of zeek builds from right after the rename. There are no released versions of zeek so I don't know when you built it. Using bro_init is backwards compatible and is probably better for now.
>
> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew wrote:
>
>> Hi Justin,
>>
>> I can confirm that the attached scripts do not send me email on live traffic or create a log under $PREFIX/logs/current. But it does create notice.log and a SSHAttempt.log when running pcap. I can also confirm that the send mail setup is working as I have received emails from zeek from other scripts.
>>
>> Kind regards,
>> Merril.
>>
>> On 5 Jun 2019, at 17:20, Justin Azoff wrote:
>>
>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
>>
>>> Hi Justin,
>>>
>>> Thanks. But it did not work for me.
>>>
>> Did not work how? Did you post the version of the script that didn't work?
>>
>> --
>> Justin
>
> --
> Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190606/d22f19c7/attachment.html

From justin at corelight.com Thu Jun 6 11:54:07 2019
From: justin at corelight.com (Justin Azoff)
Date: Thu, 6 Jun 2019 14:54:07 -0400
Subject: [Zeek] Creating a module and accessing an event in another script
In-Reply-To:
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com> <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com>
Message-ID:

probably this https://www.zeek.org/documentation/faq.html#why-isn-t-zeek-producing-the-logs-i-expect-a-note-about-checksums ?

On Thu, Jun 6, 2019 at 2:45 PM Merril Mathew wrote:
> Hi Justin,
>
> Now it sends the email. But it executes the "if(!rec?$auth_success)" condition and I am getting the message "unknown".
> Which means auth_success is not found on live traffic, so the error remains I think.
>
> Kind regards,
> Merril.
>
> On Wed, 5 Jun 2019, 18:39 Justin Azoff, wrote:
>
>> that script should generally work, but it was a lot more complicated than it needed to be to accomplish what you are trying to do. Here is a much simplified version.
>>
>> The only thing to keep in mind is that since you are using zeek_init to set up the log stream this won't work on bro or a small number of zeek builds from right after the rename. There are no released versions of zeek so I don't know when you built it. Using bro_init is backwards compatible and is probably better for now.
>>
>> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
>>
>>> Hi Justin,
>>>
>>> I can confirm that the attached scripts do not send me email on live traffic or create a log under $PREFIX/logs/current. But it does create notice.log and a SSHAttempt.log when running pcap. I can also confirm that the send mail setup is working as I have received emails from zeek from other scripts.
>>>
>>> Kind regards,
>>> Merril.
>>>
>>> On 5 Jun 2019, at 17:20, Justin Azoff wrote:
>>>
>>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
>>>
>>>> Hi Justin,
>>>>
>>>> Thanks. But it did not work for me.
>>>>
>>> Did not work how? Did you post the version of the script that didn't work?
>>>
>>> --
>>> Justin
>>
>> --
>> Justin

--
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190606/37bbc754/attachment-0001.html

From merril.mathew at baby2body.com Fri Jun 7 01:29:19 2019
From: merril.mathew at baby2body.com (Merril Mathew)
Date: Fri, 7 Jun 2019 09:29:19 +0100
Subject: [Zeek] Creating a module and accessing an event in another script
In-Reply-To:
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com> <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com>
Message-ID: <83771702-62D4-4983-A5CD-0728BC50207A@baby2body.com>

Hi Justin,

You are a life saver. :) That did the trick.

I also have one more question. I've been searching online to understand how a function can return a user-defined record and have not come across one yet.

function set_session(c: connection, var: string): record
{
local info: SSH::Info;
return info;
}

This doesn't work. Am I on the right path here?

Kind regards,
Merril.

> On 6 Jun 2019, at 19:54, Justin Azoff wrote:
>
> probably this https://www.zeek.org/documentation/faq.html#why-isn-t-zeek-producing-the-logs-i-expect-a-note-about-checksums ?
>
> On Thu, Jun 6, 2019 at 2:45 PM Merril Mathew wrote:
> Hi Justin,
>
> Now it sends the email. But it executes the "if(!rec?$auth_success)" condition and I am getting the message "unknown". Which means auth_success is not found on live traffic, so the error remains I think.
>
> Kind regards,
> Merril.
>
> On Wed, 5 Jun 2019, 18:39 Justin Azoff, wrote:
> that script should generally work, but it was a lot more complicated than it needed to be to accomplish what you are trying to do. Here is a much simplified version.
>
> The only thing to keep in mind is that since you are using zeek_init to set up the log stream this won't work on bro or a small number of zeek builds from right after the rename. There are no released versions of zeek so I don't know when you built it. Using bro_init is backwards compatible and is probably better for now.
>
> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew wrote:
> Hi Justin,
>
> I can confirm that the attached scripts do not send me email on live traffic or create a log under $PREFIX/logs/current. But it does create notice.log and a SSHAttempt.log when running pcap. I can also confirm that the send mail setup is working as I have received emails from zeek from other scripts.
>
> Kind regards,
> Merril.
>
>> On 5 Jun 2019, at 17:20, Justin Azoff wrote:
>>
>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew wrote:
>> Hi Justin,
>>
>> Thanks. But it did not work for me.
>>
>> Did not work how? Did you post the version of the script that didn't work?
>>
>> --
>> Justin
>
> --
> Justin
>
> --
> Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190607/d1396181/attachment.html

From justin at corelight.com Fri Jun 7 06:00:26 2019
From: justin at corelight.com (Justin Azoff)
Date: Fri, 7 Jun 2019 09:00:26 -0400
Subject: [Zeek] Creating a module and accessing an event in another script
In-Reply-To: <83771702-62D4-4983-A5CD-0728BC50207A@baby2body.com>
References: <710CAC72-8985-4A99-B97E-CC36454C8C3C@baby2body.com> <620CE345-1CB0-46EF-8BB6-0E911C865EB3@baby2body.com> <83771702-62D4-4983-A5CD-0728BC50207A@baby2body.com>
Message-ID:

On Fri, Jun 7, 2019 at 4:29 AM Merril Mathew wrote:
> Hi Justin,
>
> You are a life saver. :) That did the trick.

awesome :-)

> I also have one more question. I've been searching online to understand how a function can return a user-defined record and have not come across one yet.
>
> function set_session(c: connection, var: string): record
> {
> local info: SSH::Info;
> return info;
> }
> This doesn't work. Am I on the right path here?

Close..

function set_session(c: connection, var: string): SSH::Info

should work.

--
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
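An added example, not a script from this thread and not Zeek's own code, that pulls the three points of the exchange into one file: the "?$" presence check that stops the "field value missing" errors, the checksum setting behind the FAQ link Justin posted, and a function whose declared return type is the record SSH::Info. The module name SSHAttempt, the notice name, the message wording and the suppression window are my own choices; the SSH::Info field names are those of Zeek's base SSH script.

```zeek
##! Raise a notice for every SSH connection Zeek writes to ssh.log,
##! treating auth_success as the optional field it is.

@load base/protocols/ssh
@load base/frameworks/notice

# Live-capture workaround from the FAQ linked in the thread (assumption:
# the capture NIC offloads checksums). Zeek drops packets whose checksums
# look wrong, so the SSH analyzer never reaches the authentication phase
# and auth_success stays unset on live traffic even though a pcap of the
# same session works. Disabling offloading on the interface is the
# alternative.
redef ignore_checksums = T;

module SSHAttempt;

export {
    redef enum Notice::Type += {
        ## Raised once per SSH connection, when its ssh.log entry is written.
        Login_Attempted,
    };
}

# Deliver these notices by email as well (Notice::mail_dest must be set).
redef Notice::emailed_types += { Login_Attempted };

# A function returns a user-defined record by naming the record type after
# the colon; "record" on its own is not a type. This is the shape the
# thread arrived at for set_session. The record is filled in the way the
# base SSH script does it: declare, then assign the mandatory fields.
function fresh_info(c: connection): SSH::Info
    {
    local info: SSH::Info;
    info$ts  = network_time();
    info$uid = c$uid;
    info$id  = c$id;
    return info;
    }

# Describe the authentication outcome. "?$" tests whether an &optional
# field is present; reading rec$auth_success when it is absent is exactly
# what fills reporter.log with "field value missing".
function outcome(rec: SSH::Info): string
    {
    if ( ! rec?$auth_success )
        return "unknown";

    return rec$auth_success ? "succeeded" : "failed";
    }

event SSH::log_ssh(rec: SSH::Info) &priority=5
    {
    local result = outcome(rec);
    # Guarded the same way, so the handler also runs on builds where
    # auth_attempts has no default value.
    local attempts = rec?$auth_attempts ? rec$auth_attempts : 0;
    local client = rec?$client ? rec$client : "unknown client";

    NOTICE([$note=Login_Attempted,
            $msg=fmt("SSH login from %s to %s %s after %d attempt(s); client %s",
                     rec$id$orig_h, rec$id$resp_h, result, attempts, client),
            $uid=rec$uid,
            $id=rec$id,
            # The same outcome between the same two hosts is reported once
            # per suppression window rather than once per connection.
            $identifier=cat(rec$id$orig_h, rec$id$resp_h, result),
            $suppress_for=10min]);
    }
```

Run it against a pcap first; if the outcome is "unknown" there too, the problem is not checksums but the analyzer never seeing the authentication exchange.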
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190607/232b0b52/attachment.html

From akgraner at corelight.com Tue Jun 11 07:55:04 2019
From: akgraner at corelight.com (Amber Graner)
Date: Tue, 11 Jun 2019 09:55:04 -0500
Subject: [Zeek] 31 May Leadership Team Minutes
Message-ID:

Hi all,

The LT Meeting Minutes from the 31 May Meeting can be found at:
https://blog.zeek.org/2019/06/open-source-zeek-leadership-team.html

Please let me know if you have any questions or if you have anything you would like the LT to discuss.

Many thanks,
~Amber

--
*Amber Graner*
Director of Community
Corelight, Inc

828.582.9469

* Ask me about how you can participate in the Zeek (formerly Bro) community.
* Remember - ZEEK AND YOU SHALL FIND!!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190611/2a65f9ba/attachment.html

From anthony.kasza at gmail.com Tue Jun 11 08:40:11 2019
From: anthony.kasza at gmail.com (anthony kasza)
Date: Tue, 11 Jun 2019 09:40:11 -0600
Subject: [Zeek] 31 May Leadership Team Minutes
In-Reply-To:
References:
Message-ID:

Hi Amber,

Thank you for the minutes. Could you please provide more information about the package contest?

-AK

On Tue, Jun 11, 2019, 09:04 Amber Graner wrote:
> Hi all,
>
> The LT Meeting Minutes from the 31 May Meeting can be found at:
> https://blog.zeek.org/2019/06/open-source-zeek-leadership-team.html
>
> Please let me know if you have any questions or if you have anything you would like the LT to discuss.
>
> Many thanks,
> ~Amber
>
> --
> *Amber Graner*
> Director of Community
> Corelight, Inc
>
> 828.582.9469
>
> * Ask me about how you can participate in the Zeek (formerly Bro) community.
> * Remember - ZEEK AND YOU SHALL FIND!!
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190611/a309d4d6/attachment.html

From akgraner at gmail.com Tue Jun 11 08:47:16 2019
From: akgraner at gmail.com (Amber Graner)
Date: Tue, 11 Jun 2019 10:47:16 -0500
Subject: [Zeek] 31 May Leadership Team Minutes
In-Reply-To:
References:
Message-ID:

Of course, as soon as we have all the details ready, we'll definitely be sharing it with the community. A couple more weeks and we should have that worked out. What I presented to the LT was just part of the planning of it. I'll keep you all posted as we put the details in place.

Thank you for asking.

~Amber

On Tue, Jun 11, 2019 at 10:42 AM anthony kasza wrote:
> Hi Amber,
>
> Thank you for the minutes. Could you please provide more information about the package contest?
>
> -AK
>
> On Tue, Jun 11, 2019, 09:04 Amber Graner wrote:
>
>> Hi all,
>>
>> The LT Meeting Minutes from the 31 May Meeting can be found at:
>> https://blog.zeek.org/2019/06/open-source-zeek-leadership-team.html
>>
>> Please let me know if you have any questions or if you have anything you would like the LT to discuss.
>>
>> Many thanks,
>> ~Amber
>>
>> --
>> *Amber Graner*
>> Director of Community
>> Corelight, Inc
>>
>> 828.582.9469
>>
>> * Ask me about how you can participate in the Zeek (formerly Bro) community.
>> * Remember - ZEEK AND YOU SHALL FIND!!
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

--
Sent from Gmail Mobile
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190611/4942739b/attachment.html

From cmhobbs at manor.space Tue Jun 11 14:32:27 2019
From: cmhobbs at manor.space (Christopher M. Hobbs)
Date: Tue, 11 Jun 2019 21:32:27 +0000
Subject: [Zeek] emacs mode for zeek?
Message-ID: <20190611213227.1301e0b9@moonglade>

Greetings, List!

Is anyone aware of an emacs mode for Zeek? I found this one and I intend to start playing with it, but it was last updated 7 years ago so I didn't know how much syntax has changed in that time or if there was a more modern option

https://github.com/srunnels/bro-mode

Thanks!
cmh

--
Happy Hacking!
http://manor.space/~cmhobbs
GPG: 1200 0808 F968 47AB F489 91A3 FE26 6FFB 1A77 0868

From x.faith at gmail.com Tue Jun 11 23:21:58 2019
From: x.faith at gmail.com (David Decker)
Date: Tue, 11 Jun 2019 23:21:58 -0700
Subject: [Zeek] Field renaming
Message-ID:

Zeek

Sorry, can't find this, but when did id_resp_h become id.resp_h?
And well for the rest (renamed _ to . )
Looked through changelog.
Thanks
David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190611/4f78c9c2/attachment.html

From justin at corelight.com Wed Jun 12 06:01:49 2019
From: justin at corelight.com (Justin Azoff)
Date: Wed, 12 Jun 2019 09:01:49 -0400
Subject: [Zeek] Field renaming
In-Reply-To:
References:
Message-ID:

On Wed, Jun 12, 2019 at 2:30 AM David Decker wrote:
>
> Zeek
>
> Sorry, can't find this, but when did id_resp_h become id.resp_h?
> And well for the rest (renamed _ to . )
> Looked through changelog.

It has always been id.resp_h, you must have had this in your configuration at one point:

redef Log::default_scope_sep = "_";

--
Justin

From nweaver at ICSI.Berkeley.EDU Wed Jun 12 07:58:53 2019
From: nweaver at ICSI.Berkeley.EDU (Nicholas Weaver)
Date: Wed, 12 Jun 2019 07:58:53 -0700
Subject: [Zeek] Question on small OpenFlow clusters...
Message-ID:

Has anyone played with a Zodiac GX (5 port open flow switch) or similar super small/cheap OpenFlow switch as a load balancer for a Zeek cluster?

Thanks.

--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver at icsi.berkeley.edu    full of sound and fury,
510-666-2903                     .signifying nothing
He/Him/His

From vlad at es.net Wed Jun 12 08:54:02 2019
From: vlad at es.net (Vlad Grigorescu)
Date: Wed, 12 Jun 2019 15:54:02 +0000
Subject: [Zeek] Field renaming
In-Reply-To:
References:
Message-ID:

Are you using JSON logs? I think JSON logs use an underscore because the dot notation conflicts with a JSON object.

On Wed, Jun 12, 2019 at 1:05 PM Justin Azoff wrote:
> On Wed, Jun 12, 2019 at 2:30 AM David Decker wrote:
> >
> > Zeek
> >
> > Sorry, can't find this, but when did id_resp_h become id.resp_h?
> > And well for the rest (renamed _ to . )
> > Looked through changelog.
>
> It has always been id.resp_h, you must have had this in your
> configuration at one point:
>
> redef Log::default_scope_sep = "_";
>
> --
> Justin

From richard at corelight.com Wed Jun 12 12:27:26 2019
From: richard at corelight.com (Richard Bejtlich)
Date: Wed, 12 Jun 2019 15:27:26 -0400
Subject: [Zeek] Field renaming

I don't think that's the case? I use JSON and have the dot notation too. At least, that's what I get with my Corelight, Security Onion, and RockNSM installations. I don't think they are changing anything?

Sincerely,

Richard

On Wed, Jun 12, 2019 at 12:03 PM Vlad Grigorescu wrote:
> Are you using JSON logs? I think JSON logs use an underscore because the
> dot notation conflicts with a JSON object.
>
> On Wed, Jun 12, 2019 at 1:05 PM Justin Azoff wrote:
>
>> On Wed, Jun 12, 2019 at 2:30 AM David Decker wrote:
>> >
>> > Zeek
>> >
>> > Sorry cant find this, but when did id_resp_h become id.resp_h?
>> > And well for the rest (renamed _ to . )
>> > Looked through changelog.
>>
>> It has always been id.resp_h, you must have had this in your
>> configuration at one point:
>>
>> redef Log::default_scope_sep = "_";
>>
>> --
>> Justin

--
Richard Bejtlich
Principal Security Strategist, Corelight
From x.faith at gmail.com Wed Jun 12 12:44:54 2019
From: x.faith at gmail.com (David Decker)
Date: Wed, 12 Jun 2019 12:44:54 -0700
Subject: [Zeek] Field renaming

We had an older TA which had the id_resp; that's why I was wondering if it changed, because all I see anymore is the id.resp.

On Wed, Jun 12, 2019, 12:36 PM Richard Bejtlich wrote:
> I don't think that's the case? I use json and have the dot notation too.
> At least, that's what I get with my Corelight, Security Onion, and RockNSM
> installations. I don't think they are changing anything?
>
> Sincerely,
>
> Richard
>
> On Wed, Jun 12, 2019 at 12:03 PM Vlad Grigorescu wrote:
>
>> Are you using JSON logs? I think JSON logs use an underscore because the
>> dot notation conflicts with a JSON object.
>>
>> On Wed, Jun 12, 2019 at 1:05 PM Justin Azoff wrote:
>>
>>> On Wed, Jun 12, 2019 at 2:30 AM David Decker wrote:
>>> >
>>> > Zeek
>>> >
>>> > Sorry cant find this, but when did id_resp_h become id.resp_h?
>>> > And well for the rest (renamed _ to . )
>>> > Looked through changelog.
>>>
>>> It has always been id.resp_h, you must have had this in your
>>> configuration at one point:
>>>
>>> redef Log::default_scope_sep = "_";
>>>
>>> --
>>> Justin
>
> --
> Richard Bejtlich
> Principal Security Strategist, Corelight
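The thread above turns on which scope separator a Zeek ASCII log was written with ("." by default, "_" after redef Log::default_scope_sep = "_"). A log consumer that has to accept either form, such as the older TA David mentions, can map whatever the #fields header says back to the dotted names it was written against. This is an added example, not code from Zeek or from anyone in the thread; the field list is a small conn.log subset and both sample logs are constructed here.

```python
"""Read Zeek ASCII (TSV) logs whether scoped fields appear as id.resp_h or
as id_resp_h, by normalising the #fields header to dotted canonical names.
Sample logs below are constructed for this example, not taken from the thread."""
import codecs

# Dotted field names this consumer understands (a subset of conn.log).
CANONICAL_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
                    "id.resp_p", "proto", "resp_bytes"]


def build_name_map(header_fields, canonical=CANONICAL_FIELDS, seps=(".", "_")):
    """Map each name in a #fields header to its dotted canonical name.
    Matching is on whole names with the scope separator substituted, so an
    underscore that is part of a name (resp_bytes) is never mistaken for a
    scope separator; names the consumer does not know pass through unchanged."""
    aliases = {}
    for name in canonical:
        for sep in seps:
            aliases[name.replace(".", sep)] = name
    return {field: aliases.get(field, field) for field in header_fields}


def parse_zeek_tsv(text, canonical=CANONICAL_FIELDS):
    """Parse a Zeek ASCII log into dicts keyed by canonical field names.
    Honours #separator (written as an escape such as \\x09), #unset_field and
    #empty_field; unset values become None, empty ones the empty string."""
    sep, unset, empty, fields = "\t", "-", "(empty)", []
    records = []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The only header line delimited by a space, since the separator
            # itself is not known yet; its value is an escape sequence.
            sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")
        elif line.startswith("#"):
            key, *values = line.split(sep)
            if key == "#fields":
                names = build_name_map(values, canonical)
                fields = [names[v] for v in values]
            elif key == "#unset_field":
                unset = values[0]
            elif key == "#empty_field":
                empty = values[0]
        elif line:
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
            records.append({name: None if v == unset else "" if v == empty else v
                            for name, v in zip(fields, values)})
    return records


def make_sample_log(scope_sep):
    """Constructed conn.log fragment; scope_sep joins 'id' to its sub-fields
    the way Log::default_scope_sep would have when the log was written."""
    def scoped(name):
        return name.replace(".", scope_sep)
    return "\n".join([
        "#separator \\x09",
        "#set_separator\t,",
        "#empty_field\t(empty)",
        "#unset_field\t-",
        "#path\tconn",
        "#fields\t" + "\t".join(scoped(n) for n in CANONICAL_FIELDS),
        "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount",
        "1560300000.123456\tCxyzConstructed1\t10.0.0.3\t37147\t10.0.0.1\t20000\ttcp\t-",
        "#close\t2019-06-12-00-00-00",
    ])


if __name__ == "__main__":
    for sep in (".", "_"):
        print(sep, parse_zeek_tsv(make_sample_log(sep)))
```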
From hugolin615 at gmail.com Thu Jun 13 10:10:28 2019
From: hugolin615 at gmail.com (Hugo)
Date: Thu, 13 Jun 2019 10:10:28 -0700
Subject: [Zeek] Multiple print in the same line

Hi,

I am wondering whether there is a way to call multiple prints such that they print on the same line. By default, in Zeek, each print will print on a different line.

For example, if I want to print all elements of a vector v1 on the same line in a log file "log_name" with "print log_name, v1", all elements are printed on the same line. But the characters "[" and "]" at the beginning and end of the line can be annoying if the log is used by other software such as gnuplot. However, if I iterate over each element in v1 and print them one by one, I will not print all elements on the same line. Wonder whether we have a workaround for this issue or not.

Thank you and best regards,

Hui Lin

From jsiwek at corelight.com Thu Jun 13 10:40:31 2019
From: jsiwek at corelight.com (Jon Siwek)
Date: Thu, 13 Jun 2019 10:40:31 -0700
Subject: [Zeek] Multiple print in the same line

On Thu, Jun 13, 2019 at 10:15 AM Hugo wrote:
> For example, if I want to print all elements of a vector v1 in the same line in a log file "log_name" with "print log_name, v1", all elements are printed in the same line. But the character "[" and "]" at the beginning and end of the line can be annoying if the log is used by other software such as gnuplot. However, if I iterate each element in v1 and print it one by one, I will not print all elements in the same line. Wonder whether we have a workaround on this issue or not.

You could build up your own string (e.g.
iterate over the vector and append each element to a string, choosing your own delimiter or format stuff via fmt()) and print the final version of that string.

- Jon

From hugolin615 at gmail.com Thu Jun 13 11:29:56 2019
From: hugolin615 at gmail.com (Hugo)
Date: Thu, 13 Jun 2019 11:29:56 -0700
Subject: [Zeek] Multiple print in the same line
In-Reply-To: <98247be2426c4b4f823f9c530175d1cb@BYAPR11MB2662.namprd11.prod.outlook.com>
References: <98247be2426c4b4f823f9c530175d1cb@BYAPR11MB2662.namprd11.prod.outlook.com>

Thanks Jon. Using "cat" to pack them all into a string works.

Hugo

On Thu, Jun 13, 2019 at 10:42 AM Jon Siwek wrote:
> On Thu, Jun 13, 2019 at 10:15 AM Hugo wrote:
>
> > For example, if I want to print all elements of a vector v1 in the same
> line in a log file "log_name" with "print log_name, v1", all elements are
> printed in the same line. But the character "[" and "]" at the beginning
> and end of the line can be annoying if the log is used by other software
> such as gnuplot. However, if I iterate each element in v1 and print it one
> by one, I will not print all elements in the same line. Wonder whether we
> have a workaround on this issue or not.
>
> You could up your own string (e.g. iterate over the vector and append
> each element to a string, choosing your own delimiter or format stuff
> via fmt()) and print the final version of that string.
>
> - Jon

From nothinrandom at gmail.com Thu Jun 13 16:03:01 2019
From: nothinrandom at gmail.com (TQ)
Date: Thu, 13 Jun 2019 16:03:01 -0700
Subject: [Zeek] OS fingerprinting - p0f signature update

Hello All,

I'd like to get the OS fingerprinting working.
I see multiple methods to do this, starting with https://docs.zeek.org/en/stable/scripts/policy/frameworks/software/windows-version-detection.bro.html, which requires the Microsoft Certificate Revocation List (CRL) event. It was also noticed that there's p0f integration (https://github.com/bro/bro/blob/master/scripts/base/misc/p0f.fp), which is great, but it looks like it's using an old signature file. Is there a way to update this signature file to the latest version (https://github.com/p0f/p0f/blob/master/p0f.fp)? Copying the latest file over crashes Zeek.

Thanks,

From x.faith at gmail.com Fri Jun 14 15:50:48 2019
From: x.faith at gmail.com (David Decker)
Date: Fri, 14 Jun 2019 15:50:48 -0700
Subject: [Zeek] Log files

All,

Sorry, more questions. Where is it defined which log files are created when using Zeek? local.bro? I only seem to see stderr, stdout and reporter log files.

Thanks

From hlin33 at illinois.edu Sun Jun 16 15:15:06 2019
From: hlin33 at illinois.edu (Hui Lin (Hugo))
Date: Sun, 16 Jun 2019 15:15:06 -0700
Subject: [Zeek] Hui Lin_DNP3 analyzer not working in current version of zeek

Hi

It seemed that the DNP3 analyzer is not working properly in the current version of Zeek. I have a pcap file containing around 400 DNP3 read requests and responses. I have included a print message in both the "dnp3_application_request_header" and "dnp3_application_response_header" event handlers, but only two messages are printed out, for the request packets. Actually, for the same pcap, in a version that I got from git last year, Bro works fine, printing all messages. Any idea what happened? If needed, I can provide the pcap for testing.
Thank you and best regards,

Hui Lin

--
Hui Lin
Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
DEPEND (http://depend.csl.illinois.edu/)
ECE, Uni. of Illinois at Urbana-Champaign

From x.faith at gmail.com Sun Jun 16 20:10:08 2019
From: x.faith at gmail.com (David Decker)
Date: Sun, 16 Jun 2019 20:10:08 -0700
Subject: [Zeek] Looking for Info on DPDK and Zeek

Hello,

Looking for any information on setting up Zeek using DPDK; has it been done/tried? Looking at what might need to change. I know some use PF_RING or AF_PACKET, but I'm interested in DPDK.

Thanks

From michalpurzynski1 at gmail.com Mon Jun 17 00:52:01 2019
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Mon, 17 Jun 2019 00:52:01 -0700
Subject: [Zeek] Looking for Info on DPDK and Zeek
Message-ID: <6F431EBB-5E4B-41B7-BD8F-DC803EEF972A@gmail.com>

May I ask why? It's an outdated technology

Sent from my iPad

> On 16 Jun 2019, at 20:10, David Decker wrote:
>
> Hello,
>
> Looking for any information for setting up Zeek using DPDK, has it been done/tried? Looking at what might need to change. I know some use PF_RING or AF_PACKET but interetsed in DPDK.
>
> Thanks

From jsiwek at corelight.com Mon Jun 17 10:32:04 2019
From: jsiwek at corelight.com (Jon Siwek)
Date: Mon, 17 Jun 2019 10:32:04 -0700
Subject: [Zeek] Hui Lin_DNP3 analyzer not working in current version of zeek

On Sun, Jun 16, 2019 at 3:17 PM Hui Lin (Hugo) wrote:
> Actually for the same pcap, in a version that I git last year, bro works fine by printing all messages. Any idea what happens? If needed, I can provide the pcap for the testing.

Not sure, please either try to debug / explore the diffs, or provide a pcap and say which was the last known working version.

- Jon

From robin at corelight.com Mon Jun 17 13:45:27 2019
From: robin at corelight.com (Robin Sommer)
Date: Mon, 17 Jun 2019 13:45:27 -0700
Subject: [Zeek] State of p0f support
Message-ID: <20190617204527.GB61709@corelight.com>

Looking for some input here.

Zeek has provided support for passive OS fingerprinting for a long time through p0f. However, we are using a very outdated version of the p0f engine, and the signature set is likewise stale (last update from 2011!).

Unfortunately p0f has changed quite a bit in the meantime, so that it's not easy to upgrade. While we'd certainly be happy to do that if anybody wanted to work on it, for now we are considering removing the old engine that's currently shipping with Zeek because it doesn't seem to provide much value anymore.

Please chime in if that would be a problem for you. Is anybody still relying on the p0f support in Zeek as it is today?

Thanks,

Robin

--
Robin Sommer * Corelight, Inc.
* robin at corelight.com * www.corelight.com

From michalpurzynski1 at gmail.com Mon Jun 17 15:05:18 2019
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Mon, 17 Jun 2019 15:05:18 -0700
Subject: [Zeek] State of p0f support
In-Reply-To: <20190617204527.GB61709@corelight.com>
References: <20190617204527.GB61709@corelight.com>

There is so much data in various logs, like software.log, http.log, SSL, DNS, known_*, x509 and even in the conn.log, that recognizing the OS is most of the time trivial. I would rather invest in correlation and build a scoring engine that logs a verdict: "based on A, B and C I think this is a Windows 10".

On Mon, Jun 17, 2019 at 1:55 PM Robin Sommer wrote:
> Looking for some input here.
>
> Zeek has provided support for passive OS fingerprinting for a long
> time through p0f. However, we are using using a very outdated version
> of the p0f engine, and the signature set is likewise stale (last
> update from 2011!).
>
> Unfortunately p0f has changed quite a bit in meantime, so that it's
> not easy to upgrade. While we'd certainly be happy to do that if
> anybody wanted to work on it, for now we are considering to remove the
> old engine that's currently shipping with Zeek because it doesn't seem
> to provide much value anymore.
>
> Please chime in if that would be a problem for you. Is anybody still
> relying on the p0f support in Zeek as it is today?
>
> Thanks,
>
> Robin
>
> --
> Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com
From jsiwek at corelight.com Mon Jun 17 19:46:57 2019
From: jsiwek at corelight.com (Jon Siwek)
Date: Mon, 17 Jun 2019 19:46:57 -0700
Subject: [Zeek] Hui Lin_DNP3 analyzer not working in current version of zeek
References: <5d15086bbacc46468202e31684b123c1@BYAPR11MB2662.namprd11.prod.outlook.com>

Found the difference:

This behavior changed in Bro 2.5.4 (really what changed is in BinPAC 0.49, not Bro), but the new parsing behavior is legitimate. The old behavior just caused broken protocol grammars to possibly parse more things than they should have, such as in cases where there wasn't enough data to fill an array. So it appeared to be working for you, but it was not.

In this case, the DNP3 protocol grammar we use is either incomplete or needs a further fix. With some debugging for this example pcap, you can see where the parsing is failing:

    protocol violation, [orig_h=10.0.0.3, orig_p=37147/tcp, resp_h=10.0.0.1, resp_p=20000/tcp], Analyzer::ANALYZER_DNP3_TCP, Binpac exception: binpac exception: out_of_bound: Request_Objects:ojbects: 8 > 0
    protocol violation, [orig_h=10.0.0.3, orig_p=55021/tcp, resp_h=10.0.0.2, resp_p=20000/tcp], Analyzer::ANALYZER_DNP3_TCP, Binpac exception: binpac exception: out_of_bound: Request_Objects:ojbects: 8 > 0

That's here:

https://github.com/zeek/zeek/blob/e2dc0092f3a1caea1ebc71e347663e723298fb6b/src/analyzer/protocol/dnp3/dnp3-protocol.pac#L97

You can look in the pcap (e.g. Wireshark) and see in the first READ request that there are no objects being sent for us to parse, even though our protocol definition is written to expect that. So that protocol violation is legit in the sense that we've defined the protocol in a way that differs from what's being sent on the wire. And a protocol violation in the case of DNP3 disables all further analysis.
You maybe understand DNP3 better than me, so please create an issue or pull request if you come up with a fix that improves the DNP3 parser. Attached is a naive patch that seems to generate the same number of requests/responses as before Bro 2.5.4; maybe it helps as a starting point or reference.

- Jon

On Mon, Jun 17, 2019 at 11:53 AM Hui Lin (Hugo) wrote:
>
> Thanks Jon,
>
> The version that is working is version 2.5-457. I have attached the sample pcap here.
>
> Best,
>
> Hui Lin
>
> On Mon, Jun 17, 2019 at 10:32 AM Jon Siwek wrote:
>>
>> On Sun, Jun 16, 2019 at 3:17 PM Hui Lin (Hugo) wrote:
>> > Actually for the same pcap, in a version that I git last year, bro works fine by printing all messages. Any idea what happens? If needed, I can provide the pcap for the testing.
>>
>> Not sure, please either try to debug / explore the diffs, or provide a
>> pcap and say which was the last known working version.
>>
>> - Jon
>
> --
> Hui Lin
> Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
> DEPEND (http://depend.csl.illinois.edu/)
> ECE, Uni. of Illinois at Urbana-Champaign

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnp3-naive.patch
Type: application/octet-stream
Size: 1229 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190617/e6d65dd9/attachment.obj

From hlin33 at illinois.edu Mon Jun 17 21:17:40 2019
From: hlin33 at illinois.edu (Hui Lin (Hugo))
Date: Mon, 17 Jun 2019 21:17:40 -0700
Subject: [Zeek] Hui Lin_DNP3 analyzer not working in current version of zeek
References: <5d15086bbacc46468202e31684b123c1@BYAPR11MB2662.namprd11.prod.outlook.com>

Hi Jon,

This is a very confusing part of the DNP3 protocol, but only in the request. The "number_of_item" obtained from the "object_header" in the request is mainly applied to the response, telling the outstation that this is the number of items that it should include in the response.
But there are a few exceptions where the request also uses the "number_of_item", especially the control operations, meaning that these are the operations that we would like to apply to the outstation.

Back when I implemented it, I used a common record type, Request_Data_Object, to hide those differences. In the READ request, there still should be Request_Data_Object[8]. However, according to the value of the function code (which is the input of the Request_Data_Object), the size of each Request_Data_Object becomes 0 if it is a READ request. Even though there are 8 objects, each of them has 0 bytes, so in total there is no data coming. That is why there is actually no more data coming, which is not a mistake. I guess that it is probably how binpac has changed the way it handles this type of situation now, making the analyzer fail to work.

For me, the workaround should not be difficult (also I am pretty sure that Robin and Seth would like to keep binpac working as it is now). As there are only a very few exceptions, I will just include those exceptions directly there (similar to what you did in the patch), and then default most other requests to empty objects.

I will probably do that in July as I am chasing a deadline on July 1st. I will contact you privately as I may need you to help me input a different public key for upload, as I have already graduated.

Best,

Hui Lin

On Mon, Jun 17, 2019 at 7:57 PM Jon Siwek wrote:
> Found the difference:
>
> This behavior changed in Bro 2.5.4 (really what changed is in BinPAC
> 0.49, not Bro), but the new parsing behavior is legitimate. The old
> behavior just caused broken protocol grammars to possibly parse more
> things than they should have, such as in cases where there wasn't enough
> data to fill an array. So it appeared to be working for you, but it
> was not.
>
> In this case, the DNP3 protocol grammar we use is either incomplete or
> needs a further fix.
> With some debugging for this example pcap, you can
> see where the parsing is failing:
>
> protocol violation, [orig_h=10.0.0.3, orig_p=37147/tcp,
> resp_h=10.0.0.1, resp_p=20000/tcp], Analyzer::ANALYZER_DNP3_TCP,
> Binpac exception: binpac exception: out_of_bound:
> Request_Objects:ojbects: 8 > 0
> protocol violation, [orig_h=10.0.0.3, orig_p=55021/tcp,
> resp_h=10.0.0.2, resp_p=20000/tcp], Analyzer::ANALYZER_DNP3_TCP,
> Binpac exception: binpac exception: out_of_bound:
> Request_Objects:ojbects: 8 > 0
>
> That's here:
>
> https://github.com/zeek/zeek/blob/e2dc0092f3a1caea1ebc71e347663e723298fb6b/src/analyzer/protocol/dnp3/dnp3-protocol.pac#L97
>
> You can look in the pcap (e.g. Wireshark) and see in the first READ
> request that there's no objects being sent for us to parse even though
> our protocol definition is written to expect that. So that protocol
> violation is legit in the sense that we've defined the protocol in a way
> that differs from what's being sent on the wire. And a protocol
> violation in the case of DNP3 disables all further analysis.
>
> You maybe understand DNP3 better than me, so please create an issue
> or pull request if you come up with a fix that improves the DNP3 parser.
> Attached is a naive patch that seems to generate the same number of
> requests/responses as before Bro 2.5.4; maybe it helps as a
> starting point or reference.
>
> - Jon
>
> On Mon, Jun 17, 2019 at 11:53 AM Hui Lin (Hugo) wrote:
> >
> > Thanks Jon,
> >
> > The version that is working is version 2.5-457. I have attached the
> sample pcap here.
> >
> > Best,
> >
> > Hui Lin
> >
> > On Mon, Jun 17, 2019 at 10:32 AM Jon Siwek wrote:
> >>
> >> On Sun, Jun 16, 2019 at 3:17 PM Hui Lin (Hugo) wrote:
> >> > Actually for the same pcap, in a version that I git last year, bro
> works fine by printing all messages. Any idea what happens? If needed, I
> can provide the pcap for the testing.
> >>
> >> Not sure, please either try to debug / explore the diffs, or provide a
> >> pcap and say which was the last known working version.
> >>
> >> - Jon
> >
> > --
> > Hui Lin
> > Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
> > DEPEND (http://depend.csl.illinois.edu/)
> > ECE, Uni. of Illinois at Urbana-Champaign

--
Hui Lin
Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
DEPEND (http://depend.csl.illinois.edu/)
ECE, Uni. of Illinois at Urbana-Champaign

From nothinrandom at gmail.com Mon Jun 17 23:34:00 2019
From: nothinrandom at gmail.com (TQ)
Date: Mon, 17 Jun 2019 23:34:00 -0700
Subject: [Zeek] State of p0f support

@Michal,

That's a really good suggestion! The latest p0f is from 2016, so it's not that maintained anyway, I guess. The thing I noticed for software.log is that the OS info gets logged only via software calls from apps like Firefox/Chrome/etc; it would be nice to not rely on this.

Thanks,
If needed, I > > can provide the pcap for the testing. > > >> > > >> Not sure, please either try to debug / explore the diffs, or provide a > > >> pcap and say which was the last known working version. > > >> > > >> - Jon > > > > > > > > > > > > -- > > > Hui Lin > > > Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/) > > > DEPEND (http://depend.csl.illinois.edu/) > > > ECE, Uni. of Illinois at Urbana-Champaign > > > > > _______________________________________________ > > Zeek mailing list > > zeek at zeek.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > > > -- > Hui Lin > Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/) > DEPEND (http://depend.csl.illinois.edu/) > ECE, Uni. of Illinois at Urbana-Champaign > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190617/06350065/attachment.html > > ------------------------------ > > _______________________________________________ > Zeek mailing list > Zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > > End of Zeek Digest, Vol 158, Issue 22 > ************************************* > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190617/cae167bf/attachment-0001.html From michalpurzynski1 at gmail.com Mon Jun 17 23:39:35 2019 From: michalpurzynski1 at gmail.com (=?utf-8?Q?Micha=C5=82_Purzy=C5=84ski?=) Date: Mon, 17 Jun 2019 23:39:35 -0700 Subject: [Zeek] State of p0f support In-Reply-To: References: Message-ID: What?s needed here is some heuristics. If I see, for example, windows crypto api, BITS, calls to MS services for reporting what usb devices were plugged in, certain DNS lookups - that?s MS. Apple also has similar services. So does iOS and Android. It?s more an art than a science ;) JA3 would also be great. 
> On Jun 17, 2019, at 11:34 PM, TQ wrote:
>
> @Michal,
>
> That's a really good suggestion! Latest p0f is from 2016, so it's not
> that maintained anyway I guess. The thing I noticed for software.log is
> that the OS info gets logged only via software calls from apps like
> Firefox/Chrome/etc; it would be nice to not rely on this.
>
> Thanks,

From vlad at es.net  Tue Jun 18 07:13:48 2019
From: vlad at es.net (Vlad Grigorescu)
Date: Tue, 18 Jun 2019 14:13:48 +0000
Subject: [Zeek] State of p0f support
In-Reply-To:
References: <20190617204527.GB61709@corelight.com>
Message-ID:

(Returning this to the non-digest thread)

I wrote
https://docs.zeek.org/en/stable/scripts/policy/frameworks/software/windows-version-detection.bro.html
specifically because p0f wasn't doing a good job of finding XP hosts.

I think the best approach is using application-layer data, as Michal
suggested, *as well as* TCP fingerprinting. If there's data on the wire
that provides operational use, we shouldn't just be ignoring it. There was
a p0f rewrite called p0f v3 (http://lcamtuf.coredump.cx/p0f3/#) which
last had a release in 2016. There's also a tool called PRADS:
https://github.com/gamelinux/prads

These tools all rely on low-level TCP semantics, basically the same data
in the SYN_packet record[1]. What I would want is some mechanism to expose
that in script-land, so I can do whatever makes sense in my environment:
Run them past p0f signatures, add a field to conn.log, raise a notice on
some odd combination that only Metasploit uses.
This data falls in a weird grey area in Zeek: it gets parsed, but is
essentially unavailable in script-land because it can only be accessed
through events that we've always been told are too expensive to handle in
production (and rightly so).

This discussion comes at an opportune time, with the recent SACK
vulnerability (https://access.redhat.com/security/vulnerabilities/tcpsack).

Ultimately, I'm not sure what the right model looks like. Adding new
events that only are generated once isn't the right answer either, as the
SACK vulnerability requires a sequence of malicious packets. However, I
think there's a better solution out there than the current behavior.

--Vlad

[1] - <https://docs.zeek.org/en/stable/scripts/base/init-bare.bro.html#type-SYN_packet>

On Tue, Jun 18, 2019 at 6:41 AM Michał Purzyński wrote:

> What's needed here is some heuristics. If I see, for example, windows
> crypto api, BITS, calls to MS services for reporting what usb devices were
> plugged in, certain DNS lookups - that's MS.
> Apple also has similar services. So does iOS and Android. It's more an art
> than a science ;)
>
> JA3 would also be great.
>
> On Jun 17, 2019, at 11:34 PM, TQ wrote:
>
>> @Michal,
>>
>> That's a really good suggestion! Latest p0f is from 2016, so it's not
>> that maintained anyway I guess. The thing I noticed for software.log is
>> that the OS info gets logged only via software calls from apps like
>> Firefox/Chrome/etc; it would be nice to not rely on this.
>>
>> Thanks,
>>
> On Mon, Jun 17, 2019 at 10:07 PM Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
>
> There is so much data in various logs, like software.log, http.log, SSL,
> DNS, known_*, x509 and even in the conn.log that recognizing the OS is most
> of the time trivial. I would rather invest into correlation and build a
> scoring engine that logs a verdict "based on A, B and C I think this is a
> Windows 10"
>
> On Mon, Jun 17, 2019 at 1:55 PM Robin Sommer wrote:
>
>> Looking for some input here.
>>
>> Zeek has provided support for passive OS fingerprinting for a long
>> time through p0f. However, we are using a very outdated version
>> of the p0f engine, and the signature set is likewise stale (last
>> update from 2011!).
>>
>> Unfortunately p0f has changed quite a bit in meantime, so that it's
>> not easy to upgrade. While we'd certainly be happy to do that if
>> anybody wanted to work on it, for now we are considering to remove the
>> old engine that's currently shipping with Zeek because it doesn't seem
>> to provide much value anymore.
>>
>> Please chime in if that would be a problem for you. Is anybody still
>> relying on the p0f support in Zeek as it is today?
>>
>> Thanks,
>>
>> Robin
>>
>> --
>> Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com

From jsiwek at corelight.com  Tue Jun 18 11:43:18 2019
From: jsiwek at corelight.com (Jon Siwek)
Date: Tue, 18 Jun 2019 11:43:18 -0700
Subject: [Zeek] Hui Lin_DNP3 analyzer not working in current version of zeek
In-Reply-To:
References: <5d15086bbacc46468202e31684b123c1@BYAPR11MB2662.namprd11.prod.outlook.com>
Message-ID:

On Mon, Jun 17, 2019 at 9:19 PM Hui Lin (Hugo) wrote:

> Back then when I had implemented it, I use a common record type,
> Request_Data_Object, to hide those differences. In the READ request,
> there still should be Request_Data_Object[8].
> However, according to the value of the function code (which is the input
> of the Request_Data_Object), the size of each Request_Data_Object becomes
> 0 if it is READ request. Even though there are 8 objects, but each of them
> has 0 bytes, so totally there are no data coming. That is why actually
> there are no more data coming, which is not a mistake. I guess that it is
> probably how binpac changes the way to handle this type of situation now,
> making the analyzer fail to work.

Based on that description, I attached a patch that's possibly less naive
in case it helps give a good starting point for a proper fix.

An "array of empty objects" does (at first) seem like something that
should work, and it may have worked before (possibly for the wrong
reasons), but I think the current behavior of assuming array elements
have a minimum size of 1-byte is Good "for security reasons".
Specifically, DoS vulnerabilities become trivial when allowing for an
"array of empty objects". For example:

    type Message = record {
        flag: uint8;
        num: uint32;
        objs: Object(flag)[num];
    };

    type Object(flag: uint8) = case flag of {
        true -> empty;
        false -> uint8;
    };

There, we don't statically know the size of an Object, so have to parse
each one, and a person can easily set "num" to 4 billion, not actually
have to send 4 billion bytes to back it up because they intend for the
Objects to all be empty, but yet leave us chugging away for 4 billion
iterations parsing out empty Objects.

> I probably will do that on July as I am catching a deadline on July 1st.

Thanks for reporting the issue and offering to take a look, let me know
what you come up with.

- Jon

-------------- next part --------------
A non-text attachment was scrubbed...
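The "array of empty objects" hazard Jon describes in the message above, as an added example that is not part of this thread and not Zeek or BinPAC code: a hand-written C++ parser for the constructed `flag / num / objs[num]` layout of his sketch, once trusting `num` as-is and once applying the minimum-element-size bound he attributes to BinPAC 0.49. The three messages, the `ParseResult` type and the iteration counter are constructed for the demonstration; the hostile message uses num = 1,000,000 rather than 4 billion so that the naive parser finishes, and the 8-object zero-byte message mirrors the `Request_Objects: 8 > 0` violation quoted in the digest.

```cpp
// Added example (editor's, not Zeek or BinPAC code): the "array of empty
// objects" denial-of-service hazard and the minimum-element-size bound.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed wire layout mirroring the sketch in the message:
//   flag: uint8, num: uint32 (big-endian), objs: Object(flag)[num]
// where an Object is empty (0 bytes) when flag != 0 and one byte otherwise.
struct ParseResult {
    bool ok;              // false when the parser rejected the message
    uint64_t iterations;  // loop iterations spent in the array parser
    size_t consumed;      // bytes consumed from the input
};

static uint32_t read_be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Naive parser: trusts num and walks the array element by element. With
// flag set every element is zero bytes, so a 5-byte message can demand
// num iterations of work with nothing on the wire to back it up.
ParseResult parse_naive(const std::vector<uint8_t>& buf) {
    if (buf.size() < 5) return {false, 0, 0};
    const uint8_t flag = buf[0];
    const uint32_t num = read_be32(&buf[1]);
    size_t pos = 5;
    uint64_t iters = 0;
    for (uint32_t i = 0; i < num; ++i) {
        ++iters;
        if (flag) continue;                                 // empty element
        if (pos >= buf.size()) return {false, iters, pos};  // out_of_bound
        ++pos;                                              // uint8 element
    }
    return {true, iters, pos};
}

// Bounded parser: before iterating, require that each element occupy at
// least one byte, so num can never exceed the bytes actually present.
// This is the minimum-size-of-1 rule the message attributes to BinPAC 0.49;
// an 8-element array with 0 bytes left is rejected up front (8 > 0).
ParseResult parse_bounded(const std::vector<uint8_t>& buf) {
    if (buf.size() < 5) return {false, 0, 0};
    const uint8_t flag = buf[0];
    const uint32_t num = read_be32(&buf[1]);
    size_t pos = 5;
    const size_t remaining = buf.size() - pos;
    if (num > remaining) return {false, 0, pos};  // cannot fit: reject
    uint64_t iters = 0;
    for (uint32_t i = 0; i < num; ++i) {
        ++iters;
        if (!flag) ++pos;  // uint8 element; cannot overrun, num <= remaining
    }
    return {true, iters, pos};
}

// Constructed inputs.
std::vector<uint8_t> hostile_message() {     // flag=1, num=1,000,000, no payload
    return {0x01, 0x00, 0x0F, 0x42, 0x40};
}
std::vector<uint8_t> empty_read_message() {  // flag=1, num=8, no payload
    return {0x01, 0x00, 0x00, 0x00, 0x08};
}
std::vector<uint8_t> benign_message() {      // flag=0, num=3, three 1-byte objects
    return {0x00, 0x00, 0x00, 0x00, 0x03, 0xAA, 0xBB, 0xCC};
}

int main() {
    struct Case { const char* name; std::vector<uint8_t> msg; };
    const Case cases[] = {{"hostile", hostile_message()},
                          {"empty-read", empty_read_message()},
                          {"benign", benign_message()}};
    for (const Case& c : cases) {
        const ParseResult n = parse_naive(c.msg);
        const ParseResult b = parse_bounded(c.msg);
        std::printf("%-10s naive: ok=%d iters=%llu | bounded: ok=%d iters=%llu\n",
                    c.name, n.ok, (unsigned long long)n.iterations,
                    b.ok, (unsigned long long)b.iterations);
    }
    return 0;
}
```

The bound is checked once, before the loop, against the bytes left in the buffer; with it in place the work a sender can demand is proportional to what it actually transmits, which is exactly the property the "empty object" grammar gives away.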
Name: dnp3-less-naive.patch
Type: application/octet-stream
Size: 1732 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190618/d49d5266/attachment.obj

From merril.mathew at baby2body.com  Wed Jun 19 04:50:58 2019
From: merril.mathew at baby2body.com (Merril Mathew)
Date: Wed, 19 Jun 2019 12:50:58 +0100
Subject: [Zeek] Install Bro as a non-root user
Message-ID:

Hi all,

Is there a way to install Bro as a non-root user? Everything works fine if
it's installed as root but I had problems sending Bro logs to logstash as a
non-root user.

When I tried to install as a regular user with sudo privilege, I noticed
two errors mainly.

1) Error: unable to open database file: /usr/local/bro/spool/state.db
2) fatal error: /opt/bro/bin/bro: problem with interface eth0 -
   pcap_open_live: eth0: You don't have permission to capture on that device
   (socket: Operation not permitted)

Any idea where to go next for me?

Kind regards,
Merril.

From nskelsey at gmail.com  Wed Jun 19 05:16:37 2019
From: nskelsey at gmail.com (Nick Skelsey)
Date: Wed, 19 Jun 2019 14:16:37 +0200
Subject: [Zeek] Install Bro as a non-root user
In-Reply-To:
References:
Message-ID:

Hi Merril,

To address the first issue maybe you need to ensure that the user
executing the bro process can read and write to /usr/local/bro/logs and
/usr/local/bro/spool/

For the second issue, if you're running a newer version of linux you can
get around the packet capture permission issue by giving the bro binary
the capability to perform a raw packet capture with a command like:

    sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/zeek

Good luck,
Nick

On Wed, Jun 19, 2019 at 1:59 PM Merril Mathew wrote:

> Hi all,
>
> Is there a way to install Bro as a non-root user?
> Everything works fine if
> it's installed as root but I had problems sending Bro logs to logstash as a
> non-root user.
>
> When I tried to install as a regular user with sudo privilege, I noticed
> two errors mainly.
>
> 1) Error: unable to open database file: /usr/local/bro/spool/state.db
> 2) fatal error: /opt/bro/bin/bro: problem with interface eth0 -
> pcap_open_live: eth0: You don't have permission to capture on that device
> (socket: Operation not permitted)
>
> Any idea where to go next for me?
>
> Kind regards,
> Merril.

From jmellander at lbl.gov  Wed Jun 19 10:05:11 2019
From: jmellander at lbl.gov (Jim Mellander)
Date: Wed, 19 Jun 2019 10:05:11 -0700
Subject: [Zeek] State of p0f support
In-Reply-To:
References: <20190617204527.GB61709@corelight.com>
Message-ID:

It seems to me that a fairly lightweight approach might be a
per-connection event returning the factors of interest, since according to
the p0f v3 README:

    For TCP/IP, the tool fingerprints the client-originating SYN packet and the
    first SYN+ACK response from the server, paying attention to factors such as the
    ordering of TCP options, the relation between maximum segment size and window
    size, the progression of TCP timestamps, and the state of about a dozen possible
    implementation quirks (e.g. non-zero values in "must be zero" fields).

(from http://lcamtuf.coredump.cx/p0f3/README - which also documents the
actual factors that are observed).

As far as the SACK vulnerability, the last paragraph of the document
indicates that the MSS is set to 48 to trigger the vulnerability, so
reporting MSS might give a leg up on that, as well.
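The SYN-packet factors Jim quotes from the p0f v3 README, as an added example that is not part of this thread and not Zeek or p0f code: a C++ routine that walks the TCP option list of a constructed client SYN, records option order, MSS, window size, window scale, SACK-permitted and timestamp presence, counts two "must be zero" style quirks, renders a p0f-like signature string, and flags the tiny MSS a defender would want surfaced. The two packets, the `SynFingerprint` type and the `signature` / `tiny_mss` helpers are constructed for the demonstration; the 48-byte threshold is taken from Jim's message, not from p0f's signature database.

```cpp
// Added example (editor's, not Zeek or p0f code): extracting p0f-style SYN
// factors from a raw TCP header and flagging a tiny MSS.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <stdexcept>
#include <string>
#include <vector>

struct SynFingerprint {
    uint16_t window = 0;
    uint16_t mss = 0;          // 0 when the MSS option is absent
    int window_scale = -1;     // -1 when absent
    bool sack_ok = false;
    bool timestamps = false;
    std::string option_order;  // e.g. "mss,sok,ts,nop,ws"
    int quirks = 0;            // "must be zero" style oddities observed
};

static uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}
static void add_opt(SynFingerprint& fp, const std::string& name) {
    if (!fp.option_order.empty()) fp.option_order += ",";
    fp.option_order += name;
}

// Parse a bare TCP header (no IP header) of a client SYN.
SynFingerprint fingerprint_syn(const std::vector<uint8_t>& tcp) {
    if (tcp.size() < 20) throw std::runtime_error("short TCP header");
    const size_t hlen = size_t(tcp[12] >> 4) * 4;
    if (hlen < 20 || hlen > tcp.size()) throw std::runtime_error("bad data offset");
    const uint8_t flags = tcp[13];
    if (!(flags & 0x02) || (flags & 0x10)) throw std::runtime_error("not a bare SYN");

    SynFingerprint fp;
    fp.window = be16(&tcp[14]);
    // Two quirks of the kind p0f counts: a non-zero ACK number on a SYN
    // without ACK, and a non-zero urgent pointer without URG.
    if (be32(&tcp[8]) != 0) ++fp.quirks;
    if (be16(&tcp[18]) != 0 && !(flags & 0x20)) ++fp.quirks;

    size_t i = 20;
    while (i < hlen) {
        const uint8_t kind = tcp[i];
        if (kind == 0) { add_opt(fp, "eol"); break; }        // end of option list
        if (kind == 1) { add_opt(fp, "nop"); ++i; continue; }
        if (i + 1 >= hlen) throw std::runtime_error("truncated option");
        const uint8_t len = tcp[i + 1];
        if (len < 2 || i + len > hlen) throw std::runtime_error("bad option length");
        switch (kind) {
            case 2: if (len == 4) fp.mss = be16(&tcp[i + 2]); add_opt(fp, "mss"); break;
            case 3: if (len == 3) fp.window_scale = tcp[i + 2]; add_opt(fp, "ws"); break;
            case 4: fp.sack_ok = true; add_opt(fp, "sok"); break;
            case 8: fp.timestamps = true; add_opt(fp, "ts"); break;
            default: add_opt(fp, "?" + std::to_string(kind)); break;
        }
        i += len;
    }
    return fp;
}

// p0f-like rendering; the window/MSS relation is written as an integer
// multiple when the window divides evenly ("mss*20"), else as the raw value.
std::string signature(const SynFingerprint& fp) {
    const std::string win = (fp.mss != 0 && fp.window % fp.mss == 0)
        ? "mss*" + std::to_string(fp.window / fp.mss)
        : std::to_string(fp.window);
    return "win=" + win + ",mss=" + std::to_string(fp.mss) +
           ",ws=" + std::to_string(fp.window_scale) +
           ",sok=" + std::to_string(fp.sack_ok) + ",ts=" + std::to_string(fp.timestamps) +
           ",opts=" + fp.option_order + ",quirks=" + std::to_string(fp.quirks);
}

// Detection hook: the thread says the SACK issue is triggered with MSS set
// to 48, so a SYN advertising an MSS that small is worth a notice. The
// threshold is an assumption taken from the message, not from p0f.
bool tiny_mss(const SynFingerprint& fp) { return fp.mss != 0 && fp.mss <= 48; }

// Constructed SYNs (TCP header only, checksum left zero).
std::vector<uint8_t> linux_like_syn() {
    return {0xC0, 0x00, 0x01, 0xBB,  // ports 49152 -> 443
            0x00, 0x00, 0x00, 0x01,  // seq
            0x00, 0x00, 0x00, 0x00,  // ack (zero on a SYN, as it should be)
            0xA0, 0x02, 0x72, 0x10,  // offset 10 (40 bytes), SYN, window 29200
            0x00, 0x00, 0x00, 0x00,  // checksum, urgent pointer
            0x02, 0x04, 0x05, 0xB4,  // MSS 1460
            0x04, 0x02,              // SACK permitted
            0x08, 0x0A, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,  // timestamps
            0x01,                    // NOP
            0x03, 0x03, 0x07};       // window scale 7
}
std::vector<uint8_t> tiny_mss_syn() {
    return {0xC0, 0x00, 0x01, 0xBB,
            0x00, 0x00, 0x00, 0x01,
            0x00, 0x00, 0x00, 0x00,
            0x70, 0x02, 0x00, 0x40,  // offset 7 (28 bytes), SYN, window 64
            0x00, 0x00, 0x00, 0x00,
            0x02, 0x04, 0x00, 0x30,  // MSS 48
            0x04, 0x02,              // SACK permitted
            0x01, 0x01};             // NOP, NOP
}

int main() {
    for (const std::vector<uint8_t>& pkt : {linux_like_syn(), tiny_mss_syn()}) {
        const SynFingerprint fp = fingerprint_syn(pkt);
        std::printf("%s%s\n", signature(fp).c_str(), tiny_mss(fp) ? "  [tiny MSS]" : "");
    }
    return 0;
}
```

Everything the routine reports comes from the SYN alone, which is the data Vlad notes is already parsed by Zeek but hard to reach from script-land; a per-connection record of these fields is what a p0f-signature match, a conn.log column, or a tiny-MSS notice would consume.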
On Tue, Jun 18, 2019 at 7:21 AM Vlad Grigorescu wrote: > (Returning this to the non-digest thread) > > I wrote > https://docs.zeek.org/en/stable/scripts/policy/frameworks/software/windows-version-detection.bro.html > specifically because p0f wasn't doing a good job of finding XP hosts. > > I think the best approach is using application-layer data, as Michal > suggested, *as well as* TCP fingerprinting. If there's data on the wire > that provides operational use, we shouldn't just be ignoring it. There was > a p0f rewrite called p0f v3 (http://lcamtuf.coredump.cx/p0f3/#) which > last had a release in 2016. There's also a tool called PRADS: > https://github.com/gamelinux/prads > > These tools all rely on low-level TCP semantics, basically the same data > in the SYN_packet record[1] . What I would want is some mechanism to expose > that in script-land, so I can do whatever makes sense in my environment: > Run them past p0f signatures, add a field to conn.log, raise a notice on > some odd combination that only Metasploit uses. > > This data falls in a weird grey area in Zeek: it gets parsed, but is > essentially unavailable in script-land because it can only be accessed > through events that we've always been told are too expensive to handle in > production (and rightly so). > > This discussion comes at an opportune time, with the recent SACK > vulnerability (https://access.redhat.com/security/vulnerabilities/tcpsack > ). > > Ultimately, I'm not sure what the right model looks like. Adding new > events that only are generated once isn't the right answer either, as the > SACK vulnerability requires a sequence of malicious packets. However, I > think there's a better solution out there than the current behavior. > > --Vlad > > [1] - < > https://docs.zeek.org/en/stable/scripts/base/init-bare.bro.html#type-SYN_packet > > > > On Tue, Jun 18, 2019 at 6:41 AM Micha? Purzy?ski < > michalpurzynski1 at gmail.com> wrote: > >> What?s needed here is some heuristics. 
If I see, for example, windows >> crypto api, BITS, calls to MS services for reporting what usb devices were >> plugged in, certain DNS lookups - that?s MS. >> Apple also has similar services. So does iOS and Android. It?s more an >> art than a science ;) >> >> JA3 would also be great. >> >> On Jun 17, 2019, at 11:34 PM, TQ wrote: >> >> @Michal, >>> >>> That's a really good suggestion! Latest p0f is from 2016, so it's not >>> that maintained anyway I guess. The thing I noticed for software.log is >>> that the OS info gets logged only via software calls from apps like >>> Firefox/Chrome/etc; it would be nice to not rely on this. >>> >>> Thanks, >>> >> > On Mon, Jun 17, 2019 at 10:07 PM Micha? Purzy?ski < > michalpurzynski1 at gmail.com> wrote: > >> There is so much data in various logs, like software.log, http.log, SSL, >> DNS, known_*, x509 and even in the conn.log that recognizing the OS is most >> of the time trivial. I would rather invest into correlation and build a >> scoring engine that logs a verdict "based on A, B and C I think this is a >> Windows 10" >> >> On Mon, Jun 17, 2019 at 1:55 PM Robin Sommer wrote: >> >>> Looking for some input here. >>> >>> Zeek has provided support for passive OS fingerprinting for a long >>> time through p0f. However, we are using using a very outdated version >>> of the p0f engine, and the signature set is likewise stale (last >>> update from 2011!). >>> >>> Unfortunately p0f has changed quite a bit in meantime, so that it's >>> not easy to upgrade. While we'd certainly be happy to do that if >>> anybody wanted to work on it, for now we are considering to remove the >>> old engine that's currently shipping with Zeek because it doesn't seem >>> to provide much value anymore. >>> >>> Please chime in if that would be a problem for you. Is anybody still >>> relying on the p0f support in Zeek as it is today? >>> >>> Thanks, >>> >>> Robin >>> >>> >>> -- >>> Robin Sommer * Corelight, Inc. 
* robin at corelight.com * www.corelight.com >>> _______________________________________________ >>> Zeek mailing list >>> zeek at zeek.org >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >>> >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190619/6a607e44/attachment-0001.html From nskelsey at gmail.com Thu Jun 20 01:14:03 2019 From: nskelsey at gmail.com (Nick Skelsey) Date: Thu, 20 Jun 2019 10:14:03 +0200 Subject: [Zeek] State of p0f support In-Reply-To: References: <20190617204527.GB61709@corelight.com> Message-ID: Hi Robin et al., I would like to underline the importance of having a way to identify machines based on traffic flow and connection behavior. It's clear that Zeek works well at a connection level, so it's important to have some way to determine what systems are connecting to each other. Otherwise, what's the point? However, relying on fingerprints constructed by a library from 2011 that has not been updated since 2014 is not a great strategy. Also because it seems to me that the methodology used to generate these signatures was submission via email. If I were in your shoes, I'd remove it. And while I am commenting, why not consider a strategy to use zeek to generate fingerprints based on a pcap and some __standard__ format to define hosts in a known controlled network (like a Configuration Management DB). This way at startup, the user can choose to apply a signature DB, that they can modify, that annotates their systems. 
On Wed, Jun 19, 2019 at 7:10 PM Jim Mellander wrote: > It seems to me that a fairly lightweight approach might be a > per-connection event returning the factors of interest, since according to > the p0f v3 README: > > For TCP/IP, the tool fingerprints the client-originating SYN packet and the > first SYN+ACK response from the server, paying attention to factors such as the > ordering of TCP options, the relation between maximum segment size and window > size, the progression of TCP timestamps, and the state of about a dozen possible > implementation quirks (e.g. non-zero values in "must be zero" fields). > > (from http://lcamtuf.coredump.cx/p0f3/README - which also documents the actual factors that are observed). > > As far as the SACK vulnerability, the last paragraph of the document indicates that the MSS is set to 48 to trigger the vulnerability, so reporting MSS might give a leg up on that, as well. > > > > On Tue, Jun 18, 2019 at 7:21 AM Vlad Grigorescu wrote: > >> (Returning this to the non-digest thread) >> >> I wrote >> https://docs.zeek.org/en/stable/scripts/policy/frameworks/software/windows-version-detection.bro.html >> specifically because p0f wasn't doing a good job of finding XP hosts. >> >> I think the best approach is using application-layer data, as Michal >> suggested, *as well as* TCP fingerprinting. If there's data on the wire >> that provides operational use, we shouldn't just be ignoring it. There was >> a p0f rewrite called p0f v3 (http://lcamtuf.coredump.cx/p0f3/#) which >> last had a release in 2016. There's also a tool called PRADS: >> https://github.com/gamelinux/prads >> >> These tools all rely on low-level TCP semantics, basically the same data >> in the SYN_packet record[1] . What I would want is some mechanism to expose >> that in script-land, so I can do whatever makes sense in my environment: >> Run them past p0f signatures, add a field to conn.log, raise a notice on >> some odd combination that only Metasploit uses. 
>> >> This data falls in a weird grey area in Zeek: it gets parsed, but is >> essentially unavailable in script-land because it can only be accessed >> through events that we've always been told are too expensive to handle in >> production (and rightly so). >> >> This discussion comes at an opportune time, with the recent SACK >> vulnerability (https://access.redhat.com/security/vulnerabilities/tcpsack >> ). >> >> Ultimately, I'm not sure what the right model looks like. Adding new >> events that only are generated once isn't the right answer either, as the >> SACK vulnerability requires a sequence of malicious packets. However, I >> think there's a better solution out there than the current behavior. >> >> --Vlad >> >> [1] - < >> https://docs.zeek.org/en/stable/scripts/base/init-bare.bro.html#type-SYN_packet >> > >> >> On Tue, Jun 18, 2019 at 6:41 AM Michał Purzyński < >> michalpurzynski1 at gmail.com> wrote: >> >>> What's needed here is some heuristics. If I see, for example, windows >>> crypto api, BITS, calls to MS services for reporting what usb devices were >>> plugged in, certain DNS lookups - that's MS. >>> Apple also has similar services. So does iOS and Android. It's more an >>> art than a science ;) >>> >>> JA3 would also be great. >>> >>> On Jun 17, 2019, at 11:34 PM, TQ wrote: >>> >>> @Michal, >>>> >>>> That's a really good suggestion! Latest p0f is from 2016, so it's not >>>> that maintained anyway I guess. The thing I noticed for software.log is >>>> that the OS info gets logged only via software calls from apps like >>>> Firefox/Chrome/etc; it would be nice to not rely on this. >>>> >>>> Thanks, >>>> >>> >> On Mon, Jun 17, 2019 at 10:07 PM Michał Purzyński < >> michalpurzynski1 at gmail.com> wrote: >> >>> There is so much data in various logs, like software.log, http.log, SSL, >>> DNS, known_*, x509 and even in the conn.log that recognizing the OS is most >>> of the time trivial. 
I would rather invest into correlation and build a >>> scoring engine that logs a verdict "based on A, B and C I think this is a >>> Windows 10" >>> >>> On Mon, Jun 17, 2019 at 1:55 PM Robin Sommer >>> wrote: >>> >>>> Looking for some input here. >>>> >>>> Zeek has provided support for passive OS fingerprinting for a long >>>> time through p0f. However, we are using a very outdated version >>>> of the p0f engine, and the signature set is likewise stale (last >>>> update from 2011!). >>>> >>>> Unfortunately p0f has changed quite a bit in the meantime, so that it's >>>> not easy to upgrade. While we'd certainly be happy to do that if >>>> anybody wanted to work on it, for now we are considering to remove the >>>> old engine that's currently shipping with Zeek because it doesn't seem >>>> to provide much value anymore. >>>> >>>> Please chime in if that would be a problem for you. Is anybody still >>>> relying on the p0f support in Zeek as it is today? >>>> >>>> Thanks, >>>> >>>> Robin >>>> >>>> >>>> -- >>>> Robin Sommer * Corelight, Inc. * robin at corelight.com * >>>> www.corelight.com >>>> _______________________________________________ >>>> Zeek mailing list >>>> zeek at zeek.org >>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >>>> >>> _______________________________________________ >>> Zeek mailing list >>> zeek at zeek.org >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >> >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... 
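An added illustration of the SYN-level factors Vlad and Jim describe above (example code written for this page, not Zeek's p0f integration, not p0f itself and not anything from the Zeek project): it parses raw Ethernet/IPv4/TCP bytes, keys the result on the connection 5-tuple so that only the first SYN of each connection is fingerprinted, records option order, MSS, window, TTL, DF and a few p0f-style "must be zero" quirks, and matches the result against a signature table. The three signature entries are hand-written approximations of the kind of entry p0f v3 uses, not its real database; the packets are constructed inside the block; and the MSS floor in suspicious_mss is an assumed threshold, not a p0f or Zeek parameter.

```python
"""Added example (Python, not Zeek or p0f code): extract p0f-style TCP SYN
factors from raw Ethernet/IPv4/TCP bytes, keyed by connection 5-tuple, and
match them against a small hand-written signature table."""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ConnKey = Tuple[str, int, str, int, str]   # orig_h, orig_p, resp_h, resp_p, proto
KIND_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}

@dataclass(frozen=True)
class SynFingerprint:
    ttl: int
    df: bool
    window: int
    mss: Optional[int]
    wscale: Optional[int]
    option_order: Tuple[str, ...]
    quirks: Tuple[str, ...]

@dataclass(frozen=True)
class Signature:
    label: str
    init_ttl: int                          # initial TTL the stack uses
    option_order: Tuple[str, ...]
    window: Optional[int] = None           # fixed initial window, or ...
    window_mss_mult: Optional[int] = None  # ... window as a multiple of MSS

# Illustrative approximations of p0f v3 fp_tcp entries, NOT the real database.
SIGNATURES: List[Signature] = [
    Signature("Linux 3.x+", 64, ("mss", "sok", "ts", "nop", "ws"), window_mss_mult=10),
    Signature("Windows 7/8", 128, ("mss", "nop", "ws", "nop", "nop", "sok"), window=8192),
    Signature("Windows XP", 128, ("mss", "nop", "nop", "sok"), window=65535),
]

def _parse_options(opts: bytes) -> Tuple[Tuple[str, ...], Optional[int], Optional[int]]:
    """Walk the TCP option list; the order of options is itself a fingerprint factor."""
    order, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                   # end of option list
            order.append("eol"); break
        if kind == 1:                                   # one-byte NOP padding
            order.append("nop"); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            order.append("bad"); break                  # malformed length
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        order.append(KIND_NAMES.get(kind, "?%d" % kind))
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        i += length
    return tuple(order), mss, wscale

def parse_syn(pkt: bytes) -> Optional[Tuple[ConnKey, SynFingerprint]]:
    """Return (5-tuple, fingerprint) for a pure IPv4 TCP SYN, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None                                     # not IPv4 over Ethernet
    ihl = (pkt[14] & 0x0F) * 4
    ip_id, flags_frag, ttl, proto = struct.unpack("!HHBB", pkt[18:24])
    t = 14 + ihl
    if proto != 6 or len(pkt) < t + 20:
        return None
    src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
    sport, dport, _seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", pkt[t:t + 20])
    flags = off_flags & 0x1FF
    if not (flags & 0x02) or (flags & 0x10):
        return None                                     # only the initial SYN is fingerprinted
    order, mss, wscale = _parse_options(pkt[t + 20:t + (off_flags >> 12) * 4])
    df = bool(flags_frag & 0x4000)
    quirks = []                                         # p0f-style "must be zero" violations
    if df and ip_id: quirks.append("id+")               # DF set, yet IP ID still used
    if not df and not ip_id: quirks.append("id-")
    if ack: quirks.append("ack+")                       # ACK number set with ACK flag clear
    if urg: quirks.append("uptr+")                      # urgent pointer set with URG clear
    if flags & 0x0C0: quirks.append("ecn")
    return (src, sport, dst, dport, "tcp"), SynFingerprint(ttl, df, window, mss, wscale, order, tuple(quirks))

def classify(fp: SynFingerprint) -> Optional[str]:
    for s in SIGNATURES:
        if fp.option_order != s.option_order or not fp.df:
            continue
        if not (s.init_ttl - 32 < fp.ttl <= s.init_ttl):   # tolerate up to 31 hops
            continue
        if s.window is not None and fp.window != s.window:
            continue
        if s.window_mss_mult and fp.window != (fp.mss or 0) * s.window_mss_mult:
            continue
        return s.label
    return None

def fingerprint_packets(pkts: List[bytes]) -> Dict[ConnKey, SynFingerprint]:
    """First SYN per 5-tuple wins, as in p0f; SYN retransmits are ignored."""
    seen: Dict[ConnKey, SynFingerprint] = {}
    for pkt in pkts:
        parsed = parse_syn(pkt)
        if parsed and parsed[0] not in seen:
            seen[parsed[0]] = parsed[1]
    return seen

def suspicious_mss(fp: SynFingerprint, floor: int = 536) -> bool:
    """Assumed floor: an MSS far below any normal stack (48 in the SACK case) deserves a notice."""
    return fp.mss is not None and fp.mss < floor

def build_syn(src, dst, sport, dport, ttl, df, window, ip_id, options: bytes) -> bytes:
    """Constructed sample SYN (not captured traffic): Ethernet + IPv4 + TCP, checksums left zero."""
    assert len(options) % 4 == 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), ip_id, 0x4000 if df else 0,
                     ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (20 + len(options)) // 4 << 12 | 0x02, window, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + options

LINUX_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07"  # mss,sok,ts,nop,ws
WIN7_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"                     # mss,nop,ws,nop,nop,sok
SAMPLE_PACKETS = [
    build_syn("10.0.0.5", "192.0.2.10", 40000, 443, 61, True, 14600, 0x1a2b, LINUX_OPTS),
    build_syn("10.0.0.7", "192.0.2.10", 50123, 80, 125, True, 8192, 0x3c4d, WIN7_OPTS),
    build_syn("10.0.0.7", "192.0.2.10", 50123, 80, 125, True, 8192, 0x3c4e, WIN7_OPTS),  # retransmit
    build_syn("198.51.100.9", "10.0.0.5", 31337, 22, 61, True, 480, 0x5e6f,
              b"\x02\x04\x00\x30" + LINUX_OPTS[4:]),                                   # MSS 48
]

if __name__ == "__main__":
    for key, fp in fingerprint_packets(SAMPLE_PACKETS).items():
        print(key, classify(fp), fp.quirks, "low-mss" if suspicious_mss(fp) else "")
```

The classification deliberately stops at the SYN, as p0f does; the SYN+ACK side and the timestamp progression Jim quotes would need per-connection state beyond the first packet, which is exactly the "sequence of packets" problem Vlad raises. Frames whose ethertype is not IPv4 are rejected up front rather than guessed at.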
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190620/f02ebd95/attachment.html From salwa.alem at univ-ubs.fr Thu Jun 20 09:20:05 2019 From: salwa.alem at univ-ubs.fr (Salwa Alem) Date: Thu, 20 Jun 2019 18:20:05 +0200 (CEST) Subject: [Zeek] Modbus script/statistics Message-ID: <1550615869.2086017.1561047605482.JavaMail.zimbra@univ-ubs.fr> Hello, Has someone already programmed a more developed modbus script than the one provided with zeek allowing more extraction metrics please ? Thanks in advance for your response. Best regards, -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190620/d6540187/attachment.html From csgarbag at gmail.com Thu Jun 20 09:45:13 2019 From: csgarbag at gmail.com (Fyf Fitty) Date: Thu, 20 Jun 2019 12:45:13 -0400 Subject: [Zeek] Updating Zeek 2.5.3 Message-ID: Hello there, I was wondering if there's a way to update the signature database in Zeek 2.5.3 without updating to a newer version of Zeek. V/R Charles S. Garbag -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190620/45ab9900/attachment.html From kclawson at gmail.com Thu Jun 20 09:57:26 2019 From: kclawson at gmail.com (Kurtis Lawson) Date: Thu, 20 Jun 2019 09:57:26 -0700 Subject: [Zeek] Duplicate DNS packets In-Reply-To: References: Message-ID: Just a follow up. The AF_Ring plugin was a quick and easy solution for my duplication problem. No more duplicates and performance is good, even at sensors with multi-gigabit traffic. Thanks for your help, Justin! KCL On Fri, May 24, 2019 at 9:00 AM Justin Azoff wrote: > On Wed, May 22, 2019 at 7:21 PM Kurtis Lawson wrote: > >> Hello fellow Zeekers, >> >> I am new to the mailing list and fairly new to Zeek. >> I am having an issue where DNS traffic is duplicated. 
It seems fairly >> obvious to me that the issue is that the manager is sending a single >> "session" to all of the workers defined in node.cfg. >> > > Not quite, the manager doesn't send any traffic, the workers read it > directly, but you are correct in that all of the workers are seeing the > same traffic > > >> Other info: >> >> - The span feed is clean of duplicates (validated with multiple packet >> captures) >> >> - Other logs are generally not duplicated, and I suspect that this only >> happens with UDP traffic >> >> - I've tried changing the LB type in the broctl.cfg file to 2-tuple, >> 5-tuple, and round-robin (4-tuple is default) but none of those resolved >> the issue >> >> - I've tried installing the latest dev version of pf_ring to no avail >> >> - From previously archived threads, it appears that this is not a new >> issue, and that it also happens with af_packet ... which is what I was >> going to try next :( >> >> > Your problem is that you are not actually using pf_ring to load balance, > you're just running 10 workers all seeing 100% of the traffic. This isn't > really an issue, it's just a common misconfiguration. > > The easiest way to fix this is to install > https://packages.bro.org/packages/view/1bafeed3-c141-11e8-88be-0a645a3f3086 > And not try to use the PF ring libpcap which is where your problem is (It > may be installed but you're not actually using it) > > Using af_packet > https://packages.bro.org/packages/view/74610004-4fb7-11e8-88be-0a645a3f3086 It's > probably easier anyway and that does not have this problem > > -- > Justin > -------------- next part -------------- An HTML attachment was scrubbed... 
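An added example of what Justin's diagnosis means in practice (example code written for this page, not Zeek, broctl, PF_RING or AF_PACKET code): a toy cluster of N workers is fed either with the same full packet stream (the misconfiguration) or through a load balancer. With every worker seeing everything, each DNS query produces N dns.log lines; with per-packet round-robin the duplicates disappear but the two directions of a connection land on different workers, so no worker can reassemble it; with a symmetric flow hash each flow stays whole on one worker. The packets are constructed in the block, and the crc32 flow hash is a stand-in for whatever hash the kernel or NIC actually applies.

```python
"""Added example (Python, not Zeek, PF_RING or AF_PACKET code): why a cluster
whose workers all read the same interface logs every DNS query N times, and
why a real load balancer must hash flows symmetrically."""
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:          # constructed sample data, not a capture
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    dns_txid: int = 0  # non-zero on DNS queries/answers

FlowKey = Tuple[Tuple[str, int], Tuple[str, int], str]
Policy = Callable[[int, Packet], int]   # (packet index, packet) -> worker selector

def canonical_key(p: Packet) -> FlowKey:
    """Order the endpoints so A->B and B->A yield the same key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b, p.proto) if a <= b else (b, a, p.proto)

def round_robin(index: int, p: Packet) -> int:
    """Packet-level round robin: cheap, but splits every flow across workers."""
    return index

def symmetric_flow_hash(index: int, p: Packet) -> int:
    """Hash the canonical key; both directions of a flow land on one worker."""
    lo, hi, proto = canonical_key(p)
    return zlib.crc32(f"{lo[0]}:{lo[1]}<>{hi[0]}:{hi[1]}/{proto}".encode())

def shard(packets: List[Packet], n_workers: int, policy: Policy) -> List[List[Packet]]:
    """Real load balancing: each packet goes to exactly one worker."""
    views: List[List[Packet]] = [[] for _ in range(n_workers)]
    for i, p in enumerate(packets):
        views[policy(i, p) % n_workers].append(p)
    return views

def no_load_balancing(packets: List[Packet], n_workers: int) -> List[List[Packet]]:
    """The misconfiguration: every worker opens the interface and sees all of it."""
    return [list(packets) for _ in range(n_workers)]

def dns_log_counts(views: List[List[Packet]]) -> Dict[int, int]:
    """Each worker writes one dns.log line per query it observes; count lines per txid."""
    counts: Dict[int, int] = {}
    for view in views:
        for p in view:
            if p.proto == "udp" and p.dport == 53 and p.dns_txid:
                counts[p.dns_txid] = counts.get(p.dns_txid, 0) + 1
    return counts

def split_flows(views: List[List[Packet]]) -> int:
    """Flows whose packets were spread over several workers, so none can reassemble them."""
    owners: Dict[FlowKey, Set[int]] = {}
    for idx, view in enumerate(views):
        for p in view:
            owners.setdefault(canonical_key(p), set()).add(idx)
    return sum(1 for w in owners.values() if len(w) > 1)

SAMPLE: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.53", 5353, 53, "udp", 0x1234),        # DNS query
    Packet("10.0.0.53", "10.0.0.5", 53, 5353, "udp", 0x1234),        # its answer
    Packet("10.0.0.5", "93.184.216.34", 44444, 443, "tcp"),          # SYN
    Packet("93.184.216.34", "10.0.0.5", 443, 44444, "tcp"),          # SYN/ACK
    Packet("10.0.0.6", "10.0.0.53", 6000, 53, "udp", 0x2222),        # DNS query
    Packet("10.0.0.6", "93.184.216.34", 50001, 80, "tcp"),
    Packet("93.184.216.34", "10.0.0.6", 80, 50001, "tcp"),
    Packet("10.0.0.5", "93.184.216.34", 44444, 443, "tcp"),          # ACK, same flow as the SYN
]

if __name__ == "__main__":
    for name, views in [("all workers see everything", no_load_balancing(SAMPLE, 4)),
                        ("round-robin", shard(SAMPLE, 4, round_robin)),
                        ("symmetric hash", shard(SAMPLE, 4, symmetric_flow_hash))]:
        print(f"{name:28s} dns lines per txid={dns_log_counts(views)} split flows={split_flows(views)}")
```

The symmetry check is the one worth keeping in mind when choosing a hash mode: a hash that includes direction-dependent fields without canonicalising them behaves like the round-robin case for connection-oriented analysis, even though it removes the duplicate log lines.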
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190620/4d4c57c7/attachment-0001.html From eurban at umn.edu Thu Jun 20 10:00:15 2019 From: eurban at umn.edu (Eric Urban) Date: Thu, 20 Jun 2019 12:00:15 -0500 Subject: [Zeek] Updating Zeek 2.5.3 In-Reply-To: References: Message-ID: Do you mean the Team Cymru malware hashes? If so, I believe the database is not stored on disk but instead those are network (DNS TXT record) lookups. The Zeek scripting examples actually walk through that one at https://docs.zeek.org/en/stable/examples/scripting/. -- Eric Urban University Information Security | Office of Information Technology | it.umn.edu University of Minnesota | umn.edu eurban at umn.edu On Thu, Jun 20, 2019 at 11:48 AM Fyf Fitty wrote: > Hello there, > > I was wondering if there's a way to update the signature database in Zeek > 2.5.3 without updating to a newer version of Zeek. > > V/R > Charles S. Garbag > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190620/582926d2/attachment.html From johanna at icir.org Thu Jun 20 10:05:42 2019 From: johanna at icir.org (Johanna Amann) Date: Thu, 20 Jun 2019 10:05:42 -0700 Subject: [Zeek] Updating Zeek 2.5.3 In-Reply-To: References: Message-ID: <20190620170542.w755sglbymbhtpz4@Trafalgar.local> Hi, > I was wondering if there's a way to update the signature database in Zeek > 2.5.3 without updating to a newer version of Zeek. What exactly do you mean by the signature database? Zeek is not really signature centric like other projects - and does not come with an internal database of attack signatures (or similar) - hence the question :). If you install additional scripts that perform detection (e.g. from bro-pkg) - a lot of them will run on several versions of Zeek. 
Johanna From johanna at icir.org Thu Jun 20 10:21:32 2019 From: johanna at icir.org (Johanna Amann) Date: Thu, 20 Jun 2019 10:21:32 -0700 Subject: [Zeek] Extracting packets from a particular connection In-Reply-To: <7C26AEE4-FA23-4310-8925-1C2FBBB31C41@contoso.com> References: <7C26AEE4-FA23-4310-8925-1C2FBBB31C41@contoso.com> Message-ID: <20190620172132.oidgw3hg4ycqdt5d@Trafalgar.local> Hi, a bit late, but... > I was hoping to understand how Zeek aggregates packets by connection. Is > there any documentation that summarizes the approach? Is there a way to > extract all the packets that correspond to a particular connection? I don't think there is much documentation sadly. Basically - Zeek identifies connections by 5-tuple and passes the packets on to the TCP/UDP/ICMP protocol parsers for a specific connection. Connections are timed out after a time amount that depends on the protocol, port, and phase of connection establishment. The set_record_packets bif can be used to write the packets of a connection to a file (however that code has not seen a lot of testing recently - it should work, but I don't really want to guarantee it). Johanna From michalpurzynski1 at gmail.com Thu Jun 20 10:26:12 2019 From: michalpurzynski1 at gmail.com (Michał Purzyński) Date: Thu, 20 Jun 2019 10:26:12 -0700 Subject: [Zeek] Install Bro as a non-root user In-Reply-To: References: Message-ID: There are a couple of things you should do. To keep Zeek LSB compliant, I use something like this, when building an RPM (yeah, I rolled out my own packages) %cmake .. -DCMAKE_INSTALL_PREFIX=/usr -DBRO_ROOT_DIR=/usr -DBRO_ETC_INSTALL_DIR=/etc -DINSTALL_BROCTL=true -DBRO_LOCAL_STATE_DIR=/var -DBRO_SPOOL_DIR=/var/spool/bro -DBRO_LOG_DIR=/var/log/nsm/bro You could also give rights for the zeek user to write to state directories with Linux ACLs, just don't change owner of entire directory, that's not necessary. 
The net_admin capability is not necessary and dangerous, all that's needed is CAP_NET_RAW. setcap cap_net_raw,cap=eip What's the distribution you're trying to use? Where did you get those packages? Did you build it yourself? On Wed, Jun 19, 2019 at 4:59 AM Merril Mathew wrote: > Hi all, > > Is there a way to install Bro as a non-root user? Everything works fine if > it's installed as root but I had problems sending Bro logs to logstash as a > non-root user. > > When I tried to install as a regular user with sudo privilege, I noticed > two errors mainly. > > 1) Error: unable to open database file: /usr/local/bro/spool/state.db > 2) fatal error: /opt/bro/bin/bro: problem with interface eth0 - > pcap_open_live: eth0: You don't have permission to capture on that device > (socket: Operation not permitted) > > Any idea where to go next for me? > > Kind regards, > Merril. > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190620/9a42db9e/attachment.html From johanna at icir.org Thu Jun 20 10:27:23 2019 From: johanna at icir.org (Johanna Amann) Date: Thu, 20 Jun 2019 10:27:23 -0700 Subject: [Zeek] Help with zeek script In-Reply-To: References: Message-ID: <20190620172723.7pjkoc5hxym2v4z3@Trafalgar.local> Hi, also a bit late, but... > I am working on a Zeek script and would like to understand how can I make > Zeek look only for the first ten packets in a tcp session. At the moment - there sadly probably is no better approach than what you already found in script-land - we don't offer any specialized event to only get notified for the first x packets. A more complicated alternative is to write a C++-level analyzer - which could drop out after a set number of packets. 
Johanna From johanna at icir.org Thu Jun 20 10:33:21 2019 From: johanna at icir.org (Johanna Amann) Date: Thu, 20 Jun 2019 10:33:21 -0700 Subject: [Zeek] logger node in a cluster In-Reply-To: References: Message-ID: <20190620173321.x47k6cbus25ivob5@Trafalgar.local> Hi Mauro, > I am not sure I am getting it right, but it seems to me that a Zeek > logger in a cluster configuration simply sits there waiting for logs > and then writes them down. Does it do any additional work? For > example, checking for duplicated logs from workers? If yes, where is > the code for these additional checks? You pretty much got it right - the logger currently basically only writes already preformatted logs out. It does not do any checking for duplicated log lines, etc. Also - logs are sent over the wire in a preformatted form so scripts on the logger cannot get access to them anymore. The reason to have a separate node is that it turns out that writing huge volumes of logs takes a significant amount of CPU - which led to the manager (who did this in the past) not being able to keep up with its other tasks in some cases. Johanna From johanna at icir.org Thu Jun 20 10:45:58 2019 From: johanna at icir.org (Johanna Amann) Date: Thu, 20 Jun 2019 10:45:58 -0700 Subject: [Zeek] BroCon18 slides In-Reply-To: References: Message-ID: <20190620174558.2v7qlzs2dgstqow3@Trafalgar.local> Hi, On Fri, May 31, 2019 at 01:58:08PM +0000, Avila, Kay wrote: > Alan Commike's Bro protocol analyzer talk from BroCon 18 on YouTube is missing the slides link (https://www.youtube.com/watch?v=UtEe-VTPcDY&t=145s). The reason that the talk is missing the slides link is that, as far as I can tell, we don't have the slides. > Looks like the slides for other talks are hosted at https://www.zeek.org/brocon2018/slides/ but directory indexing has been turned off. ...and thus they also just are not in there :). I would just try contacting Alan directly. 
Johanna From robin at corelight.com Thu Jun 20 11:05:21 2019 From: robin at corelight.com (Robin Sommer) Date: Thu, 20 Jun 2019 11:05:21 -0700 Subject: [Zeek] State of p0f support In-Reply-To: <20190617204527.GB61709@corelight.com> References: <20190617204527.GB61709@corelight.com> Message-ID: <20190620180521.GA67629@corelight.com> To wrap this up: What I think I'm hearing is that there's certainly opportunity for a much improved/modern version of such functionality, but it also sounds like nobody is relying on that old functionality anymore (not a surprise). So we'll go ahead and remove the current p0f code in Zeek. Robin On Mon, Jun 17, 2019 at 13:45 -0700, I wrote: > Looking for some input here. > > Zeek has provided support for passive OS fingerprinting for a long > time through p0f. However, we are using a very outdated version > of the p0f engine, and the signature set is likewise stale (last > update from 2011!). > > Unfortunately p0f has changed quite a bit in the meantime, so that it's > not easy to upgrade. While we'd certainly be happy to do that if > anybody wanted to work on it, for now we are considering to remove the > old engine that's currently shipping with Zeek because it doesn't seem > to provide much value anymore. > > Please chime in if that would be a problem for you. Is anybody still > relying on the p0f support in Zeek as it is today? > > Thanks, > > Robin > > > -- > Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com -- Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com From akgraner at corelight.com Thu Jun 20 12:01:21 2019 From: akgraner at corelight.com (Amber Graner) Date: Thu, 20 Jun 2019 12:01:21 -0700 Subject: [Zeek] Zeke on Zeek: Paraglob Post Message-ID: Hi all, Check out the first of a series of Zeke on Zeek posts we're rolling out. This week's post is on Paraglob. 
https://blog.zeek.org/2019/06/zeke-on-zeek-paraglob.html If you have topics you'd like us to write more about please let us know. Thanks, ~Amber -- Amber Graner Director of Community Corelight, Inc 828.582.9469 * Ask me about how you can participate in the Zeek (formerly Bro) community. * Remember - ZEEK AND YOU SHALL FIND!! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190620/0ad46275/attachment.html From akgraner at corelight.com Thu Jun 20 15:34:21 2019 From: akgraner at corelight.com (Amber Graner) Date: Thu, 20 Jun 2019 15:34:21 -0700 Subject: [Zeek] Open Source Zeek - Strategic Community Goals Message-ID: Hi all, I've just shared the Community goals for the year with you, the community. You can find out more about those goals at: https://blog.zeek.org/2019/06/open-source-zeek-strategic-community.html I look forward to your questions, comments, feedback, suggestions and more! I look forward to collaborating with you all. Here's to stronger communities, safer networks and many successes as we work together! With gratitude, ~Amber -- Amber Graner Director of Community Corelight, Inc 828.582.9469 * Ask me about how you can participate in the Zeek (formerly Bro) community. * Remember - ZEEK AND YOU SHALL FIND!! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190620/d4fee0cb/attachment.html From zeke at corelight.com Thu Jun 20 18:59:28 2019 From: zeke at corelight.com (Zeke Medley) Date: Thu, 20 Jun 2019 18:59:28 -0700 Subject: [Zeek] Zeke on Zeek: Paraglob Post In-Reply-To: References: Message-ID: Paraglob was built for Zeek, but can be helpful to people outside of Zeek specific work as well. 
Paraglob's API is rather limited inside Zeek for reasons I talk about a little in the post, but its C++ API is fairly flexible and its makefile is already set up to be linked with a different project. There will be an example of linking it up in Zeek soon. Its source code is here: https://github.com/zeek/paraglob and I tried to make the code fairly well commented. I hope you all find it useful. Thanks, Zeke On Thu, Jun 20, 2019 at 12:09 PM Amber Graner wrote: > > Hi all, > > Check out the first of a series of Zeke on Zeek posts we're rolling out. This week's post is on Paraglob. https://blog.zeek.org/2019/06/zeke-on-zeek-paraglob.html > > If you have topics you'd like us write more about please let us know. > > Thanks, > ~Amber > -- > Amber Graner > Director of Community > Corelight, Inc > > 828.582.9469 > > > * Ask me about how you can participate in the Zeek (formerly Bro) community. > * Remember - ZEEK AND YOU SHALL FIND!! > > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek From sachin.giribuva at niyuj.com Fri Jun 21 03:50:08 2019 From: sachin.giribuva at niyuj.com (Sachinji Giri) Date: Fri, 21 Jun 2019 16:20:08 +0530 Subject: [Zeek] Where to get detect-webapps log file? Message-ID: Hi there, I am using zeek in a container with the host's network. My bro/zeek version is the following. Bold text marks the commands that get executed in the container. # docker run --cap-add=NET_RAW --net=host --rm blacktop/*zeek --version* bro version 2.6-255 I ran zeek with the detect-webapps bro script from policy. 
I browsed a couple of phpadmin websites etc but *I could not get any logs specific to detect-webapps.* # docker run --cap-add=NET_RAW --net=host --rm blacktop/*zeek -i 'enp2s0' protocols/http/detect-webapps* listening on enp2s0 ~~~~~ It runs forever and I got following log files : conn.log dns.log packet_filter.log weird.log dhcp.log files.log ssl.log x509.log *Where to get detect-webapps log file?* *What does detect-webapps do and where it logs its data?* Any help will be much appreciated. -- Regards, Sachin Giri -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190621/8d6234e6/attachment.html From richard at corelight.com Fri Jun 21 09:10:39 2019 From: richard at corelight.com (Richard Bejtlich) Date: Fri, 21 Jun 2019 12:10:39 -0400 Subject: [Zeek] Where to get detect-webapps log file? In-Reply-To: References: Message-ID: Hello, I don't see a http.log. That implies that you may not have seen any HTTP traffic. Can you share a pcap of what you are watching? Sincerely, Richard On Fri, Jun 21, 2019 at 6:58 AM Sachinji Giri wrote: > Hi there, > I am using zeek in a container with hosts network. My bro/zeek version is > following. Bold text are the commands that get executed in the container. > > # docker run --cap-add=NET_RAW --net=host --rm blacktop/*zeek --version* > bro version 2.6-255 > > I ran zeek with detect-webapps bro script from policy. I browsed a couple > of phpadmin websites etc but *I could not get any logs specific to > detect-webapps.* > > # docker run --cap-add=NET_RAW --net=host --rm blacktop/*zeek -i > 'enp2s0' protocols/http/detect-webapps* > listening on enp2s0 > ~~~~~ > > It runs forever and I got following log files : > > conn.log dns.log packet_filter.log weird.log > dhcp.log files.log ssl.log x509.log > > *Where to get detect-webapps log file?* > > *What does detect-webapps do and where it logs its data?* > > Any help will be much appreciated. 
> -- > Regards, > Sachin Giri > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -- Richard Bejtlich Principal Security Strategist, Corelight -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190621/05b9c368/attachment.html From sachin.giribuva at niyuj.com Fri Jun 21 09:15:33 2019 From: sachin.giribuva at niyuj.com (Sachinji Giri) Date: Fri, 21 Jun 2019 21:45:33 +0530 Subject: [Zeek] Where to get detect-webapps log file? In-Reply-To: References: Message-ID: Hi, sorry, there is http.log too. It got generated when browsed some of the data. I am watching the interface with -i. On Fri 21 Jun, 2019, 9:40 PM Richard Bejtlich, wrote: > Hello, > > I don't see a http.log. That implies that you may not have seen any HTTP > traffic. Can you share a pcap of what you are watching? > > Sincerely, > > Richard > > On Fri, Jun 21, 2019 at 6:58 AM Sachinji Giri > wrote: > >> Hi there, >> I am using zeek in a container with hosts network. My bro/zeek version is >> following. Bold text are the commands that get executed in the container. >> >> # docker run --cap-add=NET_RAW --net=host --rm blacktop/*zeek --version* >> bro version 2.6-255 >> >> I ran zeek with detect-webapps bro script from policy. I browsed a couple >> of phpadmin websites etc but *I could not get any logs specific to >> detect-webapps.* >> >> # docker run --cap-add=NET_RAW --net=host --rm blacktop/*zeek -i >> 'enp2s0' protocols/http/detect-webapps* >> listening on enp2s0 >> ~~~~~ >> >> It runs forever and I got following log files : >> >> conn.log dns.log packet_filter.log weird.log >> dhcp.log files.log ssl.log x509.log >> >> *Where to get detect-webapps log file?* >> >> *What does detect-webapps do and where it logs its data?* >> >> Any help will be much appreciated. 
>> -- >> Regards, >> Sachin Giri >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > > > -- > Richard Bejtlich > Principal Security Strategist, Corelight > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190621/bcdd5f73/attachment-0001.html From sachin.giribuva at niyuj.com Fri Jun 21 09:18:42 2019 From: sachin.giribuva at niyuj.com (Sachinji Giri) Date: Fri, 21 Jun 2019 21:48:42 +0530 Subject: [Zeek] Where to get detect-webapps log file? In-Reply-To: References: Message-ID: *browsed some http websites and then http.log appears. what exactly the detect web apps log look like or it is just a part of http.log?? i really don't know. On Fri 21 Jun, 2019, 9:45 PM Sachinji Giri, wrote: > Hi, sorry, there is http.log too. It got generated when browsed some of > the data. > > I am watching the interface with -i. > > On Fri 21 Jun, 2019, 9:40 PM Richard Bejtlich, > wrote: > >> Hello, >> >> I don't see a http.log. That implies that you may not have seen any HTTP >> traffic. Can you share a pcap of what you are watching? >> >> Sincerely, >> >> Richard >> >> On Fri, Jun 21, 2019 at 6:58 AM Sachinji Giri >> wrote: >> >>> Hi there, >>> I am using zeek in a container with hosts network. My bro/zeek version >>> is following. Bold text are the commands that get executed in the container. >>> >>> # docker run --cap-add=NET_RAW --net=host --rm blacktop/*zeek >>> --version* >>> bro version 2.6-255 >>> >>> I ran zeek with detect-webapps bro script from policy. 
I browsed a >>> couple of phpadmin websites etc but *I could not get any logs specific >>> to detect-webapps.* >>> >>> # docker run --cap-add=NET_RAW --net=host --rm blacktop/*zeek -i >>> 'enp2s0' protocols/http/detect-webapps* >>> listening on enp2s0 >>> ~~~~~ >>> >>> It runs forever and I got following log files : >>> >>> conn.log dns.log packet_filter.log weird.log >>> dhcp.log files.log ssl.log x509.log >>> >>> *Where to get detect-webapps log file?* >>> >>> *What does detect-webapps do and where it logs its data?* >>> >>> Any help will be much appreciated. >>> -- >>> Regards, >>> Sachin Giri >>> _______________________________________________ >>> Zeek mailing list >>> zeek at zeek.org >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >> >> >> >> -- >> Richard Bejtlich >> Principal Security Strategist, Corelight >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190621/245a6277/attachment.html From bill.de.ping at gmail.com Sun Jun 23 05:20:23 2019 From: bill.de.ping at gmail.com (william de ping) Date: Sun, 23 Jun 2019 15:20:23 +0300 Subject: [Zeek] - set default to an enum type Message-ID: Hi everyone, I have a variable that has &optional &default attributes. I want the &default attribute to have a value of an enum. So if the enum is : type color: enum { Red, White, Blue, }; c: color &default=Red; Does not work.. Any ideas on the correct syntax ? Thank you B -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190623/9b39cb65/attachment.html From justin at corelight.com Sun Jun 23 08:07:02 2019 From: justin at corelight.com (Justin Azoff) Date: Sun, 23 Jun 2019 11:07:02 -0400 Subject: [Zeek] - set default to an enum type In-Reply-To: References: Message-ID: That is the correct syntax. 
http://try.bro.org/#/trybro/saved/334009 $ cat color.bro type Color: enum {Red, Green, Blue}; type Whatever: record { color: Color &default=Red; }; event bro_init() { local t: Whatever; print t$color; } $ bro color.bro Red On Sun, Jun 23, 2019 at 8:20 AM william de ping wrote: > > Hi everyone, > > I have a variable that has &optional &default attributes. > I want the &default attribute to have a value of an enum. > > So if the enum is : type color: enum { Red, White, Blue, }; > c: color &default=Red; > > Does not work.. > > Any ideas on the correct syntax ? > > Thank you > B > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -- Justin From bill.de.ping at gmail.com Mon Jun 24 04:27:49 2019 From: bill.de.ping at gmail.com (william de ping) Date: Mon, 24 Jun 2019 14:27:49 +0300 Subject: [Zeek] - EXEC framework - run command Message-ID: Hi everyone, I'm trying to run the following script : https://github.com/hosom/file-extraction/blob/master/scripts/plugins/store-files-by-md5.bro The issue is that the EXEC::run command is not working as expected. I run bro on a pcap file, in debug.log I see that a thread was initiated and finished with no issues, however the file is not moved.. Any ideas ? Thank you B -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190624/54f584d1/attachment.html From justin at corelight.com Mon Jun 24 07:19:48 2019 From: justin at corelight.com (Justin Azoff) Date: Mon, 24 Jun 2019 10:19:48 -0400 Subject: [Zeek] - EXEC framework - run command In-Reply-To: References: Message-ID: There's no need to use exec for this as there is a rename bif now. 
I sent a PR to update this:

https://github.com/hosom/file-extraction/pull/10/files

On Mon, Jun 24, 2019 at 7:34 AM william de ping wrote:
>
> Hi everyone,
>
> I'm trying to run the following script :
> https://github.com/hosom/file-extraction/blob/master/scripts/plugins/store-files-by-md5.bro
>
> The issue is that the EXEC::run command is not working as expected.
> I run bro on a pcap file, in debug.log I see that a thread was initiated and finished with no issues, however the file is not moved..
>
> Any ideas ?
>
> Thank you
> B

--
Justin

From hlin33 at illinois.edu Mon Jun 24 13:24:09 2019
From: hlin33 at illinois.edu (Hui Lin (Hugo))
Date: Mon, 24 Jun 2019 13:24:09 -0700
Subject: [Zeek] non_ip_packet_in_ethernet on a TCP three way handshake
Message-ID:

Hi,

I have a pcap containing only a TCP three-way handshake. When I tried this pcap in "try zeek" online with a simple tcp_packet event handler, nothing is printed out and a non_ip_packet_in_ethernet warning is generated in the weird log. Any idea what is going on?

Best regards,

Hui Lin

--
Hui Lin
Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
DEPEND (http://depend.csl.illinois.edu/)
ECE, Uni. of Illinois at Urbana-Champaign

From johanna at icir.org Mon Jun 24 13:46:09 2019
From: johanna at icir.org (Johanna Amann)
Date: Mon, 24 Jun 2019 13:46:09 -0700
Subject: [Zeek] non_ip_packet_in_ethernet on a TCP three way handshake
In-Reply-To:
References:
Message-ID: <649C54F6-7021-4FEA-A40B-374959775485@icir.org>

Hi Hui,

Just to check the obvious - did you look at the trace in tcpdump/something else to check that it actually has correct ethernet headers, etc?
Johanna

On 24 Jun 2019, at 13:24, Hui Lin (Hugo) wrote:

> Hi,
>
> I have a pcap containing only a TCP three-way handshake. When I tried this
> pcap in "try zeek" online with a simple tcp_packet event handler, nothing
> is printed out and a non_ip_packet_in_ethernet warning is generated in the
> weird log. Any idea what is going on?
>
> Best regards,
>
> Hui Lin
>
> --
> Hui Lin
> Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
> DEPEND (http://depend.csl.illinois.edu/)
> ECE, Uni. of Illinois at Urbana-Champaign

From hlin33 at illinois.edu Mon Jun 24 14:00:20 2019
From: hlin33 at illinois.edu (Hui Lin (Hugo))
Date: Mon, 24 Jun 2019 14:00:20 -0700
Subject: [Zeek] non_ip_packet_in_ethernet on a TCP three way handshake
In-Reply-To: <649C54F6-7021-4FEA-A40B-374959775485@icir.org>
References: <649C54F6-7021-4FEA-A40B-374959775485@icir.org>
Message-ID:

Hi Johanna,

A little bit more debugging that I did.

I captured the trace through Wireshark; Wireshark shows no errors on this three-way handshake.

I used the original trace that has the LLDP packet as the first packet; the same warning is still generated on the first packet.

I am not sure what triggers the error in Bro.

Thanks a lot and best,

Hui Lin

On Mon, Jun 24, 2019 at 1:54 PM Johanna Amann wrote:
> Hi Hui,
>
> Just to check the obvious - did you look at the trace in
> tcpdump/something else to check that it actually has correct ethernet
> headers, etc?
>
> Johanna
>
> On 24 Jun 2019, at 13:24, Hui Lin (Hugo) wrote:
>
> > Hi,
> >
> > I have a pcap containing only a TCP three-way handshake. When I tried this
> > pcap in "try zeek" online with a simple tcp_packet event handler, nothing
> > is printed out and a non_ip_packet_in_ethernet warning is generated in the
> > weird log. Any idea what is going on?
> >
> > Best regards,
> >
> > Hui Lin
> >
> > --
> > Hui Lin
> > Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
> > DEPEND (http://depend.csl.illinois.edu/)
> > ECE, Uni. of Illinois at Urbana-Champaign

--
Hui Lin
Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
DEPEND (http://depend.csl.illinois.edu/)
ECE, Uni. of Illinois at Urbana-Champaign

From hlin33 at illinois.edu Mon Jun 24 15:18:30 2019
From: hlin33 at illinois.edu (Hui Lin (Hugo))
Date: Mon, 24 Jun 2019 15:18:30 -0700
Subject: [Zeek] non_ip_packet_in_ethernet on a TCP three way handshake
In-Reply-To:
References: <649C54F6-7021-4FEA-A40B-374959775485@icir.org>
Message-ID:

Hi Johanna,

It turned out to be a problem with Wireshark. I rebooted everything and then used Wireshark to collect the same traffic from the machine. It is working fine. I am not exactly sure what causes the problem, but I will share the pcap with you, as this scenario can be a potential DoS for Bro. As the mailing list blocks attachments, I will send you the pcap in a private email.

Thank you and Best regards,

Hui Lin

On Mon, Jun 24, 2019 at 2:00 PM Hui Lin (Hugo) wrote:
> Hi Johanna,
>
> A little bit more debugging that I did.
>
> I captured the trace through Wireshark; Wireshark shows no errors on this
> three-way handshake.
>
> I used the original trace that has the LLDP packet as the first packet;
> the same warning is still generated on the first packet.
>
> I am not sure what triggers the error in Bro.
>
> Thanks a lot and best,
>
> Hui Lin
>
> On Mon, Jun 24, 2019 at 1:54 PM Johanna Amann wrote:
>
>> Hi Hui,
>>
>> Just to check the obvious - did you look at the trace in
>> tcpdump/something else to check that it actually has correct ethernet
>> headers, etc?
>>
>> Johanna
>>
>> On 24 Jun 2019, at 13:24, Hui Lin (Hugo) wrote:
>>
>> > Hi,
>> >
>> > I have a pcap containing only a TCP three-way handshake. When I tried this
>> > pcap in "try zeek" online with a simple tcp_packet event handler, nothing
>> > is printed out and a non_ip_packet_in_ethernet warning is generated in the
>> > weird log. Any idea what is going on?
>> >
>> > Best regards,
>> >
>> > Hui Lin
>> >
>> > --
>> > Hui Lin
>> > Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
>> > DEPEND (http://depend.csl.illinois.edu/)
>> > ECE, Uni. of Illinois at Urbana-Champaign
>
> --
> Hui Lin
> Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
> DEPEND (http://depend.csl.illinois.edu/)
> ECE, Uni. of Illinois at Urbana-Champaign

--
Hui Lin
Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
DEPEND (http://depend.csl.illinois.edu/)
ECE, Uni. of Illinois at Urbana-Champaign

From bill.de.ping at gmail.com Tue Jun 25 04:35:52 2019
From: bill.de.ping at gmail.com (william de ping)
Date: Tue, 25 Jun 2019 14:35:52 +0300
Subject: [Zeek] - EXEC framework - run command
In-Reply-To:
References:
Message-ID:

Thank you, that solves one issue I have.
In case I would like to rm the file, I would have to use the EXEC framework, correct ?

On Mon, Jun 24, 2019 at 5:20 PM Justin Azoff wrote:
> There's no need to use exec for this as there is a rename bif now. I
> sent a PR to update this:
>
> https://github.com/hosom/file-extraction/pull/10/files
>
> On Mon, Jun 24, 2019 at 7:34 AM william de ping wrote:
> >
> > Hi everyone,
> >
> > I'm trying to run the following script :
> > https://github.com/hosom/file-extraction/blob/master/scripts/plugins/store-files-by-md5.bro
> >
> > The issue is that the EXEC::run command is not working as expected.
> > I run bro on a pcap file, in debug.log I see that a thread was initiated and finished with no issues, however the file is not moved..
> >
> > Any ideas ?
> >
> > Thank you
> > B
>
> --
> Justin

From bill.de.ping at gmail.com Tue Jun 25 04:37:10 2019
From: bill.de.ping at gmail.com (william de ping)
Date: Tue, 25 Jun 2019 14:37:10 +0300
Subject: [Zeek] - EXEC framework - run command
In-Reply-To:
References:
Message-ID:

Never mind, I've just seen the unlink command :)

On Tue, Jun 25, 2019 at 2:35 PM william de ping wrote:
> Thank you, that solves one issue I have.
> In case I would like to rm the file, I would have to use the EXEC
> framework, correct ?
>
> On Mon, Jun 24, 2019 at 5:20 PM Justin Azoff wrote:
>
>> There's no need to use exec for this as there is a rename bif now.
I >> sent a PR to update this: >> >> https://github.com/hosom/file-extraction/pull/10/files >> >> On Mon, Jun 24, 2019 at 7:34 AM william de ping >> wrote: >> > >> > Hi everyone, >> > >> > I'm trying to run the following script : >> > >> https://github.com/hosom/file-extraction/blob/master/scripts/plugins/store-files-by-md5.bro >> > >> > The issue is that the EXEC::run command is not working as expected. >> > I run bro on a pcap file, in debug.log I see that a thread was >> initiated and finished with no issues, however the file is not moved.. >> > >> > Any ideas ? >> > >> > Thank you >> > B >> > _______________________________________________ >> > Zeek mailing list >> > zeek at zeek.org >> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >> >> >> >> -- >> Justin >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190625/5dfdb7bc/attachment.html From brianallen at wustl.edu Tue Jun 25 05:55:43 2019 From: brianallen at wustl.edu (Allen, Brian) Date: Tue, 25 Jun 2019 12:55:43 +0000 Subject: [Zeek] Bro doctor fails Message-ID: <4B748179-8947-4089-AA0A-751217764D69@wustl.edu> I had bro doctor working, but then we had an issue/accident in the datacenter and I had to rebuild the manager from scratch. I tried to follow my detailed notes from when I installed it the first time. Now bro doctor isn't working, and I'm trying to figure out why. Any suggestions? $ sudo ./zeekctl doctor.bro Warning: ZeekControl plugin uses legacy BroControl API. 
Use 'import ZeekControl.plugin' instead of 'import BroControl.plugin'

Warning: Plugin 'doctor' not activated because its init() method raised exception: 'plugin doctor lookup of unknown config option bro'
Error: unknown command 'doctor.bro'

ZeekControl Version 1.9-49

Thanks for your help,
-Brian

________________________________
The materials in this message are private and may contain Protected Healthcare Information or other information of a sensitive nature. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.

From justin at corelight.com Tue Jun 25 06:16:00 2019
From: justin at corelight.com (Justin Azoff)
Date: Tue, 25 Jun 2019 09:16:00 -0400
Subject: [Zeek] Bro doctor fails
In-Reply-To: <4B748179-8947-4089-AA0A-751217764D69@wustl.edu>
References: <4B748179-8947-4089-AA0A-751217764D69@wustl.edu>
Message-ID:

gah, looks like I need to change some 'bro's to 'zeek's to work with master. If you don't mind editing it real quick until I can get a new release out, I think minimally changing this line:

self.bro_binary = self.getGlobalOption("bro")

to

self.bro_binary = self.getGlobalOption("zeek")

should get things working.

On Tue, Jun 25, 2019 at 8:57 AM Allen, Brian wrote:
>
> I had bro doctor working, but then we had an issue/accident in the datacenter and I had to rebuild the manager from scratch. I tried to follow my detailed notes from when I installed it the first time. Now bro doctor isn't working, and I'm trying to figure out why. Any suggestions?
>
> $ sudo ./zeekctl doctor.bro
>
> Warning: ZeekControl plugin uses legacy BroControl API.
> Use 'import ZeekControl.plugin' instead of 'import BroControl.plugin'
>
> Warning: Plugin 'doctor' not activated because its init() method raised exception: 'plugin doctor lookup of unknown config option bro'
> Error: unknown command 'doctor.bro'
>
> ZeekControl Version 1.9-49
>
> Thanks for your help,
> -Brian

--
Justin

From justin at corelight.com Tue Jun 25 14:09:48 2019
From: justin at corelight.com (Justin Azoff)
Date: Tue, 25 Jun 2019 17:09:48 -0400
Subject: [Zeek] Bro doctor fails
In-Reply-To:
References: <4B748179-8947-4089-AA0A-751217764D69@wustl.edu>
Message-ID:

Hi!

I just pushed v 2.0.0 to github that should work on zeek master as well as 2.6.x (if not, the older versions are still available)

I also updated the command to now just be 'doctor' instead of 'doctor.bro' - in older versions you had to have a subcommand, but Daniel fixed that for me shortly after I released the first version.

On Tue, Jun 25, 2019 at 9:16 AM Justin Azoff wrote:
>
> gah, looks like I need to change some 'bro's to 'zeek's to work with
> master. If you don't mind editing it real quick until I can get a new
> release out, I think minimally changing this line:
>
> self.bro_binary = self.getGlobalOption("bro")
>
> to
>
> self.bro_binary = self.getGlobalOption("zeek")
>
> should get things working.
>
> On Tue, Jun 25, 2019 at 8:57 AM Allen, Brian wrote:
> >
> > I had bro doctor working, but then we had an issue/accident in the datacenter and I had to rebuild the manager from scratch. I tried to follow my detailed notes from when I installed it the first time. Now bro doctor isn't working, and I'm trying to figure out why. Any suggestions?
> >
> > $ sudo ./zeekctl doctor.bro
> >
> > Warning: ZeekControl plugin uses legacy BroControl API. Use
> > 'import ZeekControl.plugin' instead of 'import BroControl.plugin'
> >
> > Warning: Plugin 'doctor' not activated because its init() method raised exception: 'plugin doctor lookup of unknown config option bro'
> > Error: unknown command 'doctor.bro'
> >
> > ZeekControl Version 1.9-49
> >
> > Thanks for your help,
> > -Brian
>
> --
> Justin

--
Justin

From fyiohhai at gmail.com Thu Jun 27 10:00:41 2019
From: fyiohhai at gmail.com (Enki)
Date: Thu, 27 Jun 2019 11:00:41 -0600
Subject: [Zeek] (no subject)
Message-ID:

I'm trying to create my first protocol analyzer with BinPac for the synchrophasor protocol (IEEE Std C37.118) - from what I can tell, nobody has made an analyzer for it yet. I'm trying to define the message format in synchrophasor-protocol.pac. However, stuff like the format of data packets is based on a previously sent configuration packet.
How do I write synchrophasor-protocol.pac so I can parse them based on the previously sent packet? Here's some documentation on the protocol if you need it: http://smartgridcenter.tamu.edu/resume/pdf/1/SynPhasor_std.pdf

Again, this is my first time trying to write a protocol analyzer with BinPac, so sorry if this is obvious.

Thank you

From gary.w.weasel2.civ at mail.mil Thu Jun 27 10:27:03 2019
From: gary.w.weasel2.civ at mail.mil (Weasel, Gary W CIV DISA RE (US))
Date: Thu, 27 Jun 2019 17:27:03 +0000
Subject: [Zeek] Troubleshooting workers constantly dying
Message-ID: <0C34D9CA9B9DBB45B1C51871C177B4B291CD02DC@UMECHPA68.easf.csd.disa.mil>

All,

I'm trying to troubleshoot why my zeek workers keep regularly dying. The diag log is rather unhelpful, yielding

nohup ${pin_command} $pin_cpu "$mybro" "$@"

Are there some additional troubleshooting methods I can employ to figure out why they're constantly dying?

Thanks,
- Gary

From hugolin615 at gmail.com Thu Jun 27 13:08:55 2019
From: hugolin615 at gmail.com (Hugo)
Date: Thu, 27 Jun 2019 13:08:55 -0700
Subject: [Zeek] (no subject)
In-Reply-To:
References:
Message-ID:

Hi Enki,

I have not read C37.118 in detail before. But I contributed the DNP3 analyzer in Bro, both on top of TCP and UDP; maybe you can take a look. DNP3 also has some similar characteristics, like the parsing of the current packet depending on the previous packet.

Hope this helps.

Best,

Hui Lin

On Thu, Jun 27, 2019 at 10:09 AM Enki wrote:

> I'm trying to create my first protocol analyzer with BinPac for the
> synchrophasor protocol (IEEE Std C37.118) - from what I can tell, nobody
> has made an analyzer for it yet. I'm trying to define the message format in
> synchrophasor-protocol.pac. However, stuff like the format of data packets
> is based on a previously sent configuration packet.
> How do I write
> synchrophasor-protocol.pac so I can parse them based on the previously sent
> packet? Here's some documentation on the protocol if you need it:
> http://smartgridcenter.tamu.edu/resume/pdf/1/SynPhasor_std.pdf
>
> Again, this is my first time trying to write a protocol analyzer with
> BinPac, so sorry if this is obvious.
>
> Thank you

From request.aborted at gmail.com Thu Jun 27 22:25:56 2019
From: request.aborted at gmail.com (Req Deny)
Date: Thu, 27 Jun 2019 22:25:56 -0700
Subject: [Zeek] Zeek Recommended Hardware
Message-ID:

All

Looking for some general information for hardware to support 1Gbps (Single Port) and 10Gbps (Single Port)

How many cores/threads/processors @ ram?

I did see some info on Zeek under clusters that it's about 250MB per core/per worker, just wanted to see if that is still viable information.

Thanks
Req
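Editor's note on the non_ip_packet_in_ethernet thread above: the check Johanna suggests, done offline. This is an added Python example written for this archive, not Zeek's code and not Hui Lin's trace. It reads the classic pcap global header to confirm the link type is Ethernet (LINKTYPE 1), then reports every frame's EtherType, stepping over 802.1Q tags, which is the dispatch Zeek performs before it logs non_ip_packet_in_ethernet for an Ethernet frame whose EtherType it does not decode (an LLDP frame at the head of a trace is exactly such a frame). The pcap it reads is constructed inline (an LLDP frame, a TCP SYN and a VLAN-tagged TCP SYN); the function and dictionary names are the example's own.

```python
"""Sanity-check a pcap before blaming the analyzer: confirm the link type is
Ethernet and look at each frame's EtherType.  Added example, not Zeek code;
the pcap is constructed below, it is not the trace from the thread."""
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
                   0x8100: "802.1Q", 0x88CC: "LLDP"}


def parse_pcap(data):
    """Return (linktype, [frame bytes, ...]) for a classic (non-pcapng) pcap."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a classic pcap magic (pcapng? truncated?)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames


def classify_frame(frame):
    """Return (EtherType name, is_ip, vlan_tags) for one Ethernet II frame."""
    if len(frame) < 14:
        return "truncated", False, 0
    ethertype = struct.unpack(">H", frame[12:14])[0]
    off, vlan_tags = 14, 0
    # 802.1Q: the real EtherType sits after each 4-byte tag.
    while ethertype == 0x8100 and len(frame) >= off + 4:
        ethertype = struct.unpack(">H", frame[off + 2:off + 4])[0]
        off += 4
        vlan_tags += 1
    name = ETHERTYPE_NAMES.get(ethertype, "0x%04x" % ethertype)
    return name, ethertype in (0x0800, 0x86DD), vlan_tags


def audit_pcap(data):
    """Summarise a pcap: link type, per-frame EtherType, and which frames are not IP."""
    linktype, frames = parse_pcap(data)
    report = {"linktype": linktype, "is_ethernet": linktype == LINKTYPE_ETHERNET,
              "frames": [], "non_ip": []}
    for i, frame in enumerate(frames):
        name, is_ip, vlan_tags = classify_frame(frame)
        report["frames"].append({"index": i, "ethertype": name, "vlan_tags": vlan_tags})
        if not is_ip:
            report["non_ip"].append(i)
    return report


# --- constructed sample: an LLDP frame, a TCP SYN, and a VLAN-tagged TCP SYN ---
def _ip_tcp_syn():
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack(">HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp


def build_sample_pcap():
    dst, src = bytes.fromhex("0180c200000e"), bytes.fromhex("001122334455")
    lldp = dst + src + b"\x88\xcc" + b"\x02\x07\x04" + src + b"\x00\x00"
    syn = bytes.fromhex("aabbccddeeff") + src + b"\x08\x00" + _ip_tcp_syn()
    tagged = bytes.fromhex("aabbccddeeff") + src + b"\x81\x00\x00\x64" + b"\x08\x00" + _ip_tcp_syn()
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate([lldp, syn, tagged]):
        out += struct.pack("<IIII", 1561411200 + ts, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    print(audit_pcap(build_sample_pcap()))
```

Run it on a real capture with audit_pcap(open(path, "rb").read()). A linktype other than 1 (113 for Linux cooked capture, 101 for raw IP) means the frames carry no Ethernet header at all, and the non_ip list names the frames that are not IP; Zeek decodes ARP and the VLAN/MPLS encapsulations itself, so among those it is the remaining EtherTypes (LLDP, STP and the like) that end up in weird.log.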
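Editor's note on Enki's BinPac question above: a Python sketch of the stateful approach, added here and not BinPac, not Zeek and not anyone's analyzer code. The parser keeps the parsed CONFIG-2 frame per IDCODE and uses its FORMAT bits and PHNMR/ANNMR/DGNMR counts to size every field of later DATA frames; a DATA frame that arrives before its configuration is reported but not decoded. The field layout follows the C37.118 common header (SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC, payload, CHK with CRC-CCITT) and the CFG-2/DATA bodies; the two sample frames are constructed inline, not captured from a PMU, and the parser covers CFG-1/CFG-2 and DATA only, passing HEADER, CMD and CFG-3 through raw. All function and key names are the example's own.

```python
# IEEE C37.118 synchrophasor frames parsed statefully: a DATA frame's layout is fixed by
# the CONFIG frame the PMU sent earlier, so parsed CFG-2 is kept per IDCODE between frames,
# the per-connection state a BinPac analyzer would carry.  Added Python illustration, not
# BinPac or Zeek code; the sample frames are constructed from the standard's layout.
import struct

FRAME_TYPES = {0: "DATA", 1: "HEADER", 2: "CFG1", 3: "CFG2", 4: "CMD", 5: "CFG3"}

def crc_ccitt(buf):
    """CRC-CCITT (poly 0x1021, init 0xFFFF, no reflection): the CHK trailer."""
    crc = 0xFFFF
    for b in buf:
        crc ^= b << 8
        for _ in range(8):
            crc = (((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)) & 0xFFFF
    return crc

def parse_common(frame):
    """Check SYNC, FRAMESIZE and CHK; return (header dict, body without CHK)."""
    if len(frame) < 16 or frame[0] != 0xAA:
        raise ValueError("bad SYNC or truncated frame")
    size, idcode, soc, fracsec = struct.unpack(">HHII", frame[2:14])
    if size != len(frame):
        raise ValueError("FRAMESIZE %d but %d bytes on the wire" % (size, len(frame)))
    if crc_ccitt(frame[:-2]) != struct.unpack(">H", frame[-2:])[0]:
        raise ValueError("CHK mismatch")
    ftype = (frame[1] >> 4) & 0x7
    return ({"type": FRAME_TYPES.get(ftype, ftype), "idcode": idcode, "soc": soc,
             "fracsec": fracsec & 0xFFFFFF, "time_quality": fracsec >> 24}, frame[14:-2])

def parse_config(body):
    """CFG-1/CFG-2 body: keep per-PMU FORMAT bits and channel counts, skip names and units."""
    time_base, num_pmu = struct.unpack(">IH", body[:6])
    off, pmus = 6, []
    for _ in range(num_pmu):
        stn = body[off:off + 16].decode("ascii", "replace").rstrip()
        idcode, fmt, phnmr, annmr, dgnmr = struct.unpack(">HHHHH", body[off + 16:off + 26])
        off += 26 + 16 * (phnmr + annmr + 16 * dgnmr)   # CHNAM: 16 bytes per channel name
        off += 4 * (phnmr + annmr + dgnmr)              # PHUNIT, ANUNIT, DIGUNIT
        (fnom,) = struct.unpack(">H", body[off:off + 2])
        off += 4                                        # FNOM + CFGCNT
        pmus.append({"stn": stn, "idcode": idcode, "phnmr": phnmr, "annmr": annmr, "dgnmr": dgnmr,
                     "float_freq": bool(fmt & 8), "float_analog": bool(fmt & 4),
                     "float_phasor": bool(fmt & 2), "polar": bool(fmt & 1), "fnom_hz": 50 if fnom & 1 else 60})
    (data_rate,) = struct.unpack(">h", body[off:off + 2])
    return {"time_base": time_base & 0xFFFFFF, "data_rate": data_rate, "pmus": pmus}

def parse_data(body, cfg):
    """DATA body: every field width comes from the stored CFG, not from the frame itself."""
    off, out = 0, []
    for pmu in cfg["pmus"]:
        (stat,) = struct.unpack(">H", body[off:off + 2])
        off += 2
        pfmt = ">%d%s" % (2 * pmu["phnmr"], "f" if pmu["float_phasor"] else "h")
        vals = struct.unpack(pfmt, body[off:off + struct.calcsize(pfmt)])
        phasors = list(zip(vals[0::2], vals[1::2]))   # (re, im) or (magnitude, angle) pairs
        off += struct.calcsize(pfmt)
        ffmt = ">ff" if pmu["float_freq"] else ">hh"
        freq, dfreq = struct.unpack(ffmt, body[off:off + struct.calcsize(ffmt)])
        off += struct.calcsize(ffmt)
        afmt = ">%d%s" % (pmu["annmr"], "f" if pmu["float_analog"] else "h")
        analogs = list(struct.unpack(afmt, body[off:off + struct.calcsize(afmt)]))
        off += struct.calcsize(afmt)
        digitals = list(struct.unpack(">%dH" % pmu["dgnmr"], body[off:off + 2 * pmu["dgnmr"]]))
        off += 2 * pmu["dgnmr"]
        out.append({"idcode": pmu["idcode"], "stat": stat, "phasors": phasors, "freq": freq,
                    "dfreq": dfreq, "analog": analogs, "digital": digitals})
    if off != len(body):
        raise ValueError("DATA length %d does not match configuration (%d)" % (len(body), off))
    return out

def feed(configs, frame):
    """configs: dict IDCODE -> parsed CFG, the state that outlives a single frame."""
    hdr, body = parse_common(frame)
    if hdr["type"] in ("CFG1", "CFG2"):
        configs[hdr["idcode"]] = parse_config(body)
        return hdr, configs[hdr["idcode"]]
    if hdr["type"] == "DATA":
        cfg = configs.get(hdr["idcode"])
        return hdr, (parse_data(body, cfg) if cfg else None)   # None: CFG not seen yet
    return hdr, body   # HEADER, CMD and CFG-3 bodies are passed through raw here

def build_frame(ftype, idcode, payload, soc=1561411200, fracsec=0):
    head = bytes([0xAA, (ftype << 4) | 1]) + struct.pack(">HHII", 16 + len(payload), idcode, soc, fracsec)
    return head + payload + struct.pack(">H", crc_ccitt(head + payload))

def build_sample_frames():
    """Constructed CFG-2 and DATA for one PMU (IDCODE 7): FORMAT 0b1011 = float FREQ, int16 analog, float polar phasors."""
    fmt, phnmr, annmr, dgnmr = 0b1011, 2, 1, 1
    names = [b"VA", b"VB", b"ANALOG1"] + [b"BIT%02d" % i for i in range(16)]
    pmu = b"PMU-A".ljust(16) + struct.pack(">HHHHH", 7, fmt, phnmr, annmr, dgnmr)
    pmu += b"".join(n.ljust(16) for n in names)
    pmu += struct.pack(">I", 1) * (phnmr + annmr) + struct.pack(">I", 0xFFFF) * dgnmr
    pmu += struct.pack(">HH", 0, 1)   # FNOM=60 Hz, CFGCNT=1
    cfg = build_frame(3, 7, struct.pack(">IH", 1000000, 1) + pmu + struct.pack(">h", 30))
    data = build_frame(0, 7, struct.pack(">Hffff", 0, 70000.0, 0.0, 70000.0, -2.0944)
                       + struct.pack(">ffhH", 60.0, 0.0, 123, 0x0001))
    return cfg, data
```

Feed frames in capture order: feed(configs, frame) with one configs dict per PMU stream. In a BinPac analyzer the configs dict becomes a field on the connection or flow object reached through $context, and the DATA record type takes the stored counts and FORMAT bits as parameters so that each array length is computed from them rather than from the frame; the FRAMESIZE and CHK checks in parse_common are the place to reject malformed frames before any length derived from them is trusted.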