[Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

Weasel, Gary W CIV DISA RE (US) gary.w.weasel2.civ at mail.mil
Wed Mar 27 12:52:30 PDT 2019


I did change the SMB load directive but continued getting errors such as

Error in /opt/bro/share/bro/base/gif/plugins/./Bro_DCE_RPC.events.bif.bro, line 125 and /opt/bro/share/bro/policy/bzar/./bzar_dce-rpc.bro, line 224: incompatible types (event(c:connection; fid:count; ctx_id:count; opnum:count; stub_len:count;) and event(c:connection: fid:count; opnum:count; stud_len:count))

And after trying to reconcile that

Error in /opt/bro/share/bro/policy/bzar/./bzar_smb.bro, line 39: "redef" used but not previously defined (SMB::write_cmd_log)
Error in /opt/bro/share/bro/base/bif/plugins/./Bro_SMB.smb2_com_create.bif.bro, line 17 and /opt/bro/share/bro/policy/bzar/./bzar_smb.bro, line 252: incompatible types (event(c:connection; hdr:SMB2::Header; request:SMB2::CreateRequest;) and event(c:connection; hdr:SMB2::Header; name:string;))

I stopped attempting to resolve on my own at that point.

v/r
Gary W. Weasel, Jr. | Computer Engineer
Incident Response and Recovery Team, RE62
COM: 717.267.5777


-----Original Message-----
From: Fernandez, Mark I <mfernandez at mitre.org>
Sent: Wednesday, March 27, 2019 3:03 PM
To: zeek at zeek.org; Weasel, Gary W CIV DISA RE (US) <gary.w.weasel2.civ at mail.mil>
Subject: [Non-DoD Source] RE: [Zeek] Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

Hi Gary,

>> Is this developed for Bro/Zeek 2.5.5?  I'm getting errors when attempting
>> to load this in Bro/Zeek 2.6.1.

Yes, I used v2.5.x.  What types of errors are you getting?  Is it @load
errors with SMB, by chance?

One thing I know changed with v2.6 is that the SMB analyzer was previously
disabled by default in v2.5.x and I believe it is enabled by default in v2.6.
In main.bro line 10:
@load policy/protocols/smb.  This should be backward compatible with older
versions of Bro/Zeek.  But if you are getting @load SMB errors, you could
try changing line 10 to this: @load base/protocols/smb.

Mark
