From akgraner at corelight.com Thu Jan 2 06:33:33 2020
From: akgraner at corelight.com (akgraner at corelight.com)
Date: Thu, 02 Jan 2020 14:33:33 +0000
Subject: [Zeek] Invitation: Reoccurring Zeek Community Call @ Fri Jan 3, 2020 3pm - 3:45pm (EST) (zeek@zeek.org)
Message-ID: <000000000000ea09fb059b291335@google.com>

You have been invited to the following event.

Title: Reoccurring Zeek Community Call

Agenda:
* Results from Alternate to IRC Poll
* Newsletter
* Other

(Public call w/anyone who wants to join)

Amber Graner is inviting you to a scheduled Zoom meeting.

Join Zoom Meeting
https://corelight.zoom.us/j/585147093

Meeting ID: 585 147 093

One tap mobile
+16465588656,,585147093# US (New York)
+16699006833,,585147093# US (San Jose)

Dial by your location
+1 646 558 8656 US (New York)
+1 669 900 6833 US (San Jose)
888 475 4499 US Toll-free
877 853 5257 US Toll-free

Meeting ID: 585 147 093
Find your local number: https://corelight.zoom.us/u/acY5L1LN7

When: Fri Jan 3, 2020 3pm - 3:45pm Eastern Time - New York
Where: Go to meeting (Link to be added next week), https://corelight.zoom.us/j/585147093
Calendar: zeek at zeek.org
Who:
* akgraner at corelight.com - organizer
* dopheide at gmail.com
* phil at brimsecurity.com
* fatema.bannatwala at gmail.com
* jan.grashoefer at gmail.com
* tet68mt at gmail.com
* dopheide at es.net
* zeek at zeek.org

Event details: https://www.google.com/calendar/event?action=VIEW&eid=NzE2dXJ1MXAzNDBsa2g4aGZ2ZGVibXAxam1fMjAyMDAxMDNUMjAwMDAwWiB6ZWVrQHplZWsub3Jn&tok=MjIjYWtncmFuZXJAY29yZWxpZ2h0LmNvbWFiYWU2MThjOGEwNjY5ZmY0ZTUzMWUxYmZhNDM1MTI2NDNjZWJkYmU&ctz=America%2FNew_York&hl=en&es=0

From akgraner at corelight.com Thu Jan 2 06:38:34 2020
From: akgraner at corelight.com (akgraner at corelight.com)
Date: Thu, 02 Jan 2020 14:38:34 +0000
Subject: [Zeek] Invitation: Reoccurring Zeek Community Call @ Monthly from 3pm to 3:45pm on the first Friday (EST) (zeek@zeek.org)
Message-ID: <000000000000dfd283059b292561@google.com>

You have been invited to the following event.

Title: Reoccurring Zeek Community Call

AGENDA
TBD
(Public call w/anyone who wants to join)

Amber Graner is inviting you to a scheduled Zoom meeting.

Join Zoom Meeting
https://corelight.zoom.us/j/898658920

Meeting ID: 898 658 920

One tap mobile
+16465588656,,898658920# US (New York)
+16699006833,,898658920# US (San Jose)

Dial by your location
+1 646 558 8656 US (New York)
+1 669 900 6833 US (San Jose)
877 853 5257 US Toll-free
888 475 4499 US Toll-free

Meeting ID: 898 658 920
Find your local number: https://corelight.zoom.us/u/acY5L1LN7

When: Monthly from 3pm to 3:45pm on the first Friday Eastern Time - New York
Where: https://corelight.zoom.us/j/898658920
Calendar: zeek at zeek.org
Who:
* akgraner at corelight.com - organizer
* jan.grashoefer at gmail.com
* dopheide at gmail.com
* fatema.bannatwala at gmail.com
* tet68mt at gmail.com
* dopheide at es.net
* phil at brimsecurity.com
* zeek at zeek.org

Event details: https://www.google.com/calendar/event?action=VIEW&eid=NzE2dXJ1MXAzNDBsa2g4aGZ2ZGVibXAxam1fUjIwMjAwMjA3VDIwMDAwMCB6ZWVrQHplZWsub3Jn&tok=MjIjYWtncmFuZXJAY29yZWxpZ2h0LmNvbTc2ZWIxOGRiYTUxZTE3NGJjMzQwNDk4MDcxOGMzNDM2NjBlMGUyYmI&ctz=America%2FNew_York&hl=en&es=0

From akgraner at corelight.com Thu Jan 2 06:39:43 2020
From: akgraner at corelight.com (Amber Graner)
Date: Thu, 2 Jan 2020 09:39:43 -0500
Subject: [Zeek] Monthly Zeek Community Call - January
Message-ID:

Hi all,

HAPPY NEW YEAR!!!

Just a reminder that tomorrow (the first Friday of every month) 3 January 2020 at 3pm Eastern will be our first monthly call of 2020. I've sent a calendar reminder to everyone on the Zeek Mailing list. I've also sent reminders for the rest of the year as well.

===Agenda===
* Results from the Alternate to IRC Poll
* Monthly Newsletter
* Other

===To Join The Call===
Join Zoom Meeting
https://corelight.zoom.us/j/585147093

Meeting ID: 585 147 093

One tap mobile
+16465588656,,585147093# US (New York)
+16699006833,,585147093# US (San Jose)

Dial by your location
+1 646 558 8656 US (New York)
+1 669 900 6833 US (San Jose)
888 475 4499 US Toll-free
877 853 5257 US Toll-free

Meeting ID: 585 147 093
Find your local number: https://corelight.zoom.us/u/acY5L1LN7

Please note this call is not for technical questions, but anything community related. If you have topics that you'd like for me to add to the agenda or if you have questions please let me know.

Thanks,
~Amber

--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469
Schedule time on my calendar here.
* Ask me about how you can participate in the Zeek (formerly Bro) community.
* Remember - ZEEK AND YOU SHALL FIND!!

From quentin.mallet at gmail.com Sat Jan 4 01:48:36 2020
From: quentin.mallet at gmail.com (quentin mallet)
Date: Sat, 4 Jan 2020 10:48:36 +0100
Subject: [Zeek] Extending zeek with rust
Message-ID:

Greetings,

I've been looking at several plugin examples for zeek and I have failed to find a definite answer to the following question: is it possible to write zeek plugins in Rust? The obvious way would be to compile any rust implementation in its own lib and then wrap it in C/C++ but I would be interested in something more "native". Would it be possible?

Thanks for your help,

Regards

From akgraner at corelight.com Sat Jan 4 06:58:10 2020
From: akgraner at corelight.com (Amber Graner)
Date: Sat, 4 Jan 2020 09:58:10 -0500
Subject: [Zeek] 3 Jan Community Call - Notes and Summary
Message-ID:

Hi all,

Below are the notes, links to the slides and the recording. I forgot to hit record for the first half of the call so apologies in advance. The more we have of these calls the better we'll get at all this. :-)

==Agenda==
* Results from Alternative to IRC Poll
  - Slack was picked over Matrix
  - No to replacing the Mailing list
* Zeek Monthly Newsletter
  - Once a month, first full week of the month
  - Who can help?

==Notes==
* *Alternate to IRC* - I'll be reaching out to those who said they could help maintain and admin the slack channel, so if you said yes to helping on either poll, look for an email and calendar invite for next week. We'll get this channel set up and promoted in January.
* *Newsletter* - We'll be shooting for the first full week of each month to produce and promote each newsletter. If you would like to help with this please let me know so I can add you to the Zeek Newsletter calls. Format is detailed in the slide deck. The threat of the month/issue of the month/code share will start next month. Thank you to all those who said you could help with this.
* *Events* - Look for information about upcoming events on the mailing list, twitter and the website. Heads up that there will be a workshop in Portland, OR on 18 February (details are still being finalized) and there will also be a joint threat hunting workshop with Zeek and Elastic at BSides SFO the weekend of 21-23 February. (More details to be published soon).

==Links==
* 3 January Call Folder - http://bit.ly/ZeekCommunityCall_3Jan20
  - Link to Agenda Slides - http://bit.ly/ZeekCommunityCall_3Jan20_Slides
  - Link to Audio Only - http://bit.ly/ZeekCommunityCall_3Jan20_Audio
  - Link to Video - http://bit.ly/ZeekCommunityCall_3Jan20_Video

==Next Call==
7 February 2020 at 3pm Eastern

==Topics==
If you have anything you'd like me to add to the agenda please let me know.

Thanks again everyone, please let me know if you have any questions, comments, feedback etc.

Here's to a great 2020 and beyond!

With gratitude,
~Amber

--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469
Schedule time on my calendar here.
* Ask me about how you can participate in the Zeek (formerly Bro) community.
* Remember - ZEEK AND YOU SHALL FIND!!
From center.mnt at gmail.com Sun Jan 5 07:32:48 2020
From: center.mnt at gmail.com (sec-x sec-x)
Date: Sun, 5 Jan 2020 17:32:48 +0200
Subject: [Zeek] Zeek with ELK
Message-ID:

Hi,

I recently used zeek IDS on FreeBSD 12.1 - Default Policy (GetTraffic from TAP on the network) and I want to send all the logs to ELK in realtime.

I saw Filebeat ports on BSD is old and has problems.

How can I send the logs from the BSD to the Elastic (what is the correct/best way)?

Thanks,

CM.

From patrick.kelley at criticalpathsecurity.com Sun Jan 5 08:00:16 2020
From: patrick.kelley at criticalpathsecurity.com (Patrick Kelley)
Date: Sun, 5 Jan 2020 11:00:16 -0500
Subject: [Zeek] Zeek with ELK
In-Reply-To:
References:
Message-ID:

Logstash is the best option.

http://thegreyblog.blogspot.com/2014/01/installing-logstash-on-freebsd.html?m=1

Patrick Kelley, CISSP, C|EH, ITIL
CTO
patrick.kelley at criticalpathsecurity.com

> On Jan 5, 2020, at 10:35 AM, sec-x sec-x wrote:
>
> Hi,
>
> I recently used zeek IDS on FreeBSD 12.1 - Default Policy (GetTraffic
> from TAP on the network) and i want to send all the logs to ELK in
> realtime.
>
> I saw Filebeat ports on BSD is old and has problems.
>
> How can i send the logs from the BSD to the Elastic (what is the
> correct/best way)?
>
> Thanks,
>
> CM.
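Whichever shipper ends up on the sensor (Logstash as suggested above, Filebeat, Fluent Bit or rsyslog), it has the same job: read Zeek's tab-separated log files and hand Elasticsearch JSON documents. The script below is an added example, not code from Zeek, Elastic or anyone in this thread; it parses the `#separator`/`#fields`/`#types` header that every Zeek ASCII log carries, maps the unset (`-`) and empty (`(empty)`) markers, splits vector values, and writes `_bulk` request lines. The sample `dns.log` content is constructed (hypothetical hosts and UIDs); the real file lives under `logs/current/` of your Zeek install.

```python
"""Parse Zeek's tab-separated logs and emit Elasticsearch bulk-API lines.

Added example for the "Zeek with ELK" thread; not code from Zeek, Elastic
or any poster. Any shipper has to honour the #separator/#fields/#types
header, map "-" (unset) and "(empty)" to null/[], split set and vector
values, and turn the epoch "ts" into @timestamp.
"""
import json
from datetime import datetime, timezone

# Constructed sample dns.log (hypothetical hosts and UIDs) in the header
# layout Zeek writes. On a sensor the live file is typically
# /usr/local/bro/logs/current/dns.log or /opt/zeek/logs/current/dns.log.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#open\t2020-01-05-10-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\t"
    "query\tqtype_name\tanswers\trejected\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\t"
    "vector[string]\tbool\n"
    "1578218400.123456\tCxyzEXAMPLE1\t192.0.2.10\t51234\t192.0.2.53\t53\tudp\t"
    "example.net\tA\t198.51.100.7,198.51.100.8\tF\n"
    "1578218401.000000\tCxyzEXAMPLE2\t192.0.2.11\t51235\t192.0.2.53\t53\tudp\t"
    "-\t-\t(empty)\tT\n"
    "#close\t2020-01-05-10-05-00\n"
)


def _convert(raw, ztype, set_sep, empty, unset):
    """Map one raw field to a JSON-friendly value using Zeek's type name."""
    if raw == unset:
        return None
    if ztype.startswith(("vector[", "set[")):
        return [] if raw == empty else raw.split(set_sep)
    if ztype in ("count", "int", "port"):
        return int(raw)
    if ztype in ("time", "interval", "double"):
        return float(raw)
    if ztype == "bool":
        return raw == "T"
    return raw  # string, addr, enum, subnet ... stay as text


def parse_zeek_log(text):
    """Yield (path, record) per data line; header lines set the parse rules."""
    sep, set_sep, empty, unset, path = "\t", ",", "(empty)", "-", None
    fields, types = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator itself is written escaped, e.g. "\x09" for a tab.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "path":
                path = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #open / #close carry no data
        values = line.split(sep)
        if len(values) != len(fields):
            # A torn or truncated line (read mid-write): skip rather than guess.
            continue
        record = {n: _convert(v, t, set_sep, empty, unset)
                  for n, t, v in zip(fields, types, values)}
        yield path, record


def to_bulk_body(text, index_prefix="zeek"):
    """Build a newline-delimited _bulk body: action line, then document line."""
    out = []
    for path, rec in parse_zeek_log(text):
        doc = dict(rec)
        ts = doc.pop("ts", None)
        if ts is not None:
            doc["@timestamp"] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        doc["zeek_log"] = path
        out.append(json.dumps({"index": {"_index": f"{index_prefix}-{path}"}}))
        out.append(json.dumps(doc))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_bulk_body(SAMPLE_DNS_LOG), end="")
```

The output can be POSTed as-is to `/_bulk`. Two things to decide before doing that on a real sensor: Zeek's dotted field names (`id.orig_h`) become nested objects in Elasticsearch unless you rename them, and the torn-line skip above is the right behaviour for a tailer that may read a line while Zeek is still writing it.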
From shirkdog.bsd at gmail.com Sun Jan 5 08:05:52 2020
From: shirkdog.bsd at gmail.com (Michael Shirk)
Date: Sun, 5 Jan 2020 11:05:52 -0500
Subject: [Zeek] Zeek with ELK
In-Reply-To:
References:
Message-ID:

You should be able to fire up Elastic, Logstash and Kibana on FreeBSD, using recommended Logstash configs to read in the log files from the file system. I can check about the Filebeat port to see if that can be updated or fixed.

I myself just use the CLI tools but have been working on something "Not Java" to ingest log files into other than Splunk.

--
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com

On Sun, Jan 5, 2020, 10:35 sec-x sec-x wrote:
> Hi,
>
> I recently used zeek IDS on FreeBSD 12.1 - Default Policy (GetTraffic
> from TAP on the network) and i want to send all the logs to ELK in
> realtime.
>
> I saw Filebeat ports on BSD is old and has problems.
>
> How can i send the logs from the BSD to the Elastic (what is the
> correct/best way)?
>
> Thanks,
>
> CM.

From phatbuckett at gmail.com Sun Jan 5 16:40:02 2020
From: phatbuckett at gmail.com (Darren S.)
Date: Sun, 5 Jan 2020 17:40:02 -0700
Subject: [Zeek] Zeek with ELK
In-Reply-To:
References:
Message-ID:

I read OP question as "I have Zeek running on FreeBSD, what is a sensible option for shipping logs from the sensor to an Elastic Stack?" Apologies if it's the wrong read.

In that case I wouldn't want to install either the whole stack nor even Logstash on the sensor as it alone tends to consume an excessive amount of memory, not what you want on a sensor. Filebeat (a small footprint data collector/shipper) is the way to go if you're shipping remotely.

If Filebeat isn't an option on the platform, maybe explore Fluent Bit:

https://github.com/fluent/fluent-bit
https://fluentbit.io/

Fluent Bit can output directly to Elasticsearch:
https://fluentbit.io/documentation/0.14/output/elasticsearch.html

Even a Fluentd can run with typically lower memory consumption than Logstash, so perhaps worth exploring both/either:

https://github.com/fluent/fluentd
https://www.fluentd.org/

Fluentd can also output to Elasticsearch:
https://docs.fluentd.org/output/elasticsearch

There are other options for shippers too, such as Syslog-ng:

https://www.syslog-ng.com/community/b/blog/posts/logging-to-elasticsearch-made-simple-with-syslog-ng

- Darren

On Sun, Jan 5, 2020 at 9:11 AM Michael Shirk wrote:
>
> You should be able to fire up Elastic, Logstash and Kibana on FreeBSD, using recommend Logstash configs to read in the log files from the file system. I can check about the Filebeat port to see if that can be updated or fixed.
>
> I myself just use the CLI tools but have been working on something "Not Java" to ingest log files into other than Splunk.
>
> --
> Michael Shirk
> Daemon Security, Inc.
> https://www.daemon-security.com
>
> On Sun, Jan 5, 2020, 10:35 sec-x sec-x wrote:
>>
>> Hi,
>>
>> I recently used zeek IDS on FreeBSD 12.1 - Default Policy (GetTraffic
>> from TAP on the network) and i want to send all the logs to ELK in
>> realtime.
>>
>> I saw Filebeat ports on BSD is old and has problems.
>>
>> How can i send the logs from the BSD to the Elastic (what is the
>> correct/best way)?
>>
>> Thanks,
>>
>> CM.

--
Darren Spruell
phatbuckett at gmail.com

From darkheaven1983 at gmail.com Sun Jan 5 17:52:52 2020
From: darkheaven1983 at gmail.com (duhang)
Date: Mon, 6 Jan 2020 09:52:52 +0800
Subject: [Zeek] Zeek with ELK
In-Reply-To:
References:
Message-ID:

You can try rsyslog imfile module to send logs to logstash. The following is my configuration.

$ModLoad imfile
$InputFileName /usr/local/bro/logs/current/dns.log
$InputFileTag dns:
$InputFileStateFile stat-dns
$InputFileSeverity info
$InputFileFacility local2
$InputRunFileMonitor

$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
$MaxMessageSize 64k

On Sun, 5 Jan 2020 at 11:36, sec-x sec-x wrote:
> Hi,
>
> I recently used zeek IDS on FreeBSD 12.1 - Default Policy (GetTraffic
> from TAP on the network) and i want to send all the logs to ELK in
> realtime.
>
> I saw Filebeat ports on BSD is old and has problems.
>
> How can i send the logs from the BSD to the Elastic (what is the
> correct/best way)?
>
> Thanks,
>
> CM.

From joffer at sju.edu Mon Jan 6 12:07:42 2020
From: joffer at sju.edu (James Offer)
Date: Mon, 6 Jan 2020 15:07:42 -0500
Subject: [Zeek] Zeek Digest, Vol 165, Issue 6
In-Reply-To:
References:
Message-ID:

All,

This is helpful. Other than my sysadmins' preference, is there any reason to choose one or the other, between rsyslog and syslog-ng?
Thanks,
Jim

On Mon, Jan 6, 2020 at 3:00 PM wrote:
> Send Zeek mailing list submissions to
> zeek at zeek.org
>
> Today's Topics:
>
> 1. Re: Zeek with ELK (Darren S.)
> 2. Re: Zeek with ELK (duhang)
>
> [digest contents quoted in full in the original; the two messages appear above in this archive]

--
Jim Offer
Network Security Analyst
Saint Joseph's University
(610) 660-1573

From SHARRIS at hollywoodfl.org Mon Jan 6 12:16:49 2020
From: SHARRIS at hollywoodfl.org (Scot Harris)
Date: Mon, 6 Jan 2020 20:16:49 +0000
Subject: [Zeek] Error on startup
Message-ID:

I think I caused this problem by trying to change the directory where the spool data is processed.

Changing that back did not correct the problem.

Unable to startup zeek at this time.

[zeek at heimdallr logger]$ zeekctl start
Warning: ZeekControl plugin uses legacy BroControl API. Use
'import ZeekControl.plugin' instead of 'import BroControl.plugin'
starting logger ...
Error: logger terminated immediately after starting; check output with "diag"

error in /opt/zeek/share/zeek/base/frameworks/cluster/./setup-connections.zeek, lines 93-95: Failed to listen on INADDR_ANY:47761 (Broker::listen(Broker::default_listen_address, Cluster::self$p, Broker::default_listen_retry))
warning: WriterFrontend cluster/Log::WRITER_ASCII expected 3 fields in write, got 4. Skipping line.
fatal error: errors occurred while initializing

Any ideas appreciated.

Thank you.
From patrick.kelley at criticalpathsecurity.com Mon Jan 6 12:49:42 2020
From: patrick.kelley at criticalpathsecurity.com (Patrick Kelley)
Date: Mon, 6 Jan 2020 15:49:42 -0500
Subject: [Zeek] Error on startup
In-Reply-To:
References:
Message-ID:

This was resolved sidebar. Listener was holding the process and port.

####

Did you reboot in between the changes? I would do that or perform a...

netstat -tanp | grep 47761

and kill any open associated processes. INADDR_ANY:47761 tells me something might be open.

On Mon, Jan 6, 2020 at 3:29 PM Scot Harris wrote:
> I think I caused this problem by trying to change the directory where the
> spool data is processed.
>
> Changing that back did not correct the problem.
>
> Unable to startup zeek at this time.
>
> [zeek at heimdallr logger]$ zeekctl start
>
> Warning: ZeekControl plugin uses legacy BroControl API. Use
> 'import ZeekControl.plugin' instead of 'import BroControl.plugin'
>
> starting logger ...
> Error: logger terminated immediately after starting; check output with
> "diag"
>
> error in
> /opt/zeek/share/zeek/base/frameworks/cluster/./setup-connections.zeek,
> lines 93-95: Failed to listen on INADDR_ANY:47761
> (Broker::listen(Broker::default_listen_address, Cluster::self$p,
> Broker::default_listen_retry))
>
> warning: WriterFrontend cluster/Log::WRITER_ASCII expected 3 fields in
> write, got 4. Skipping line.
>
> fatal error: errors occurred while initializing
>
> Any ideas appreciated.
>
> Thank you.

--
*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482
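"Failed to listen on INADDR_ANY:47761" is a failed bind: Broker asks the kernel for the wildcard address on the node's port and something already holds it, which is why the thread ends with a listener from the previous run being found and killed. The script below is an added example (not code from Zeek, zeekctl or anyone in this thread) that performs the same bind attempt in Python and reports EADDRINUSE, so a sensor operator can check the cluster's listen ports before `zeekctl start` or after a crashed node, and then use `netstat -tanp | grep <port>` as suggested above to identify the holding process. Port 47761 is the one from the error; the other ports of your cluster are an assumption to fill in from your own node.cfg.

```python
"""Check whether the TCP port(s) a Zeek node listens on are already held.

Added example for the "Error on startup" thread; not code from Zeek or
zeekctl. Broker's "Failed to listen on INADDR_ANY:47761" is a bind that
failed, usually because a previous logger process (or a socket it left
behind) still owns the port. This attempts the same bind and reports it.
"""
import errno
import socket

# Port from the thread's error; extend with the listen ports in your node.cfg.
DEFAULT_PORTS = [47761]


def port_status(port, host=""):
    """Return 'free', 'in use', or 'error: <reason>' for TCP host:port.

    host="" binds INADDR_ANY, the wildcard address named in the error.
    SO_REUSEADDR is deliberately not set, so a socket still in TIME_WAIT
    also reports 'in use'; treat that case as "wait or investigate"
    rather than proof of a live process.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return "free"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in use"
        if exc.errno == errno.EACCES:
            return "error: permission denied"
        return f"error: {exc.strerror}"
    finally:
        sock.close()


def check_ports(ports=DEFAULT_PORTS, host=""):
    """Map each port to its status string."""
    return {p: port_status(p, host) for p in ports}


def held_ports(ports=DEFAULT_PORTS, host=""):
    """Ports on which Broker::listen would fail right now."""
    return sorted(p for p, st in check_ports(ports, host).items() if st == "in use")


def hold_ephemeral_port(host="127.0.0.1"):
    """Open a listening socket on an OS-chosen port (self-test/demo helper).

    Returns (socket, port); close the socket to release the port again.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for port, status in check_ports().items():
        print(f"{port}: {status}")
    if held_ports():
        print("Port held; identify the owner with: netstat -tanp | grep <port>")
```

Run it as the same user that runs Zeek, since a bind to a privileged port or a permission problem shows up as the `error:` case rather than `in use`, and that distinction matters when deciding whether to kill a stale process or fix permissions.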
From akgraner at corelight.com Fri Jan 10 07:33:54 2020
From: akgraner at corelight.com (Amber Graner)
Date: Fri, 10 Jan 2020 07:33:54 -0800
Subject: [Zeek] Update: Zeek Monthly Newsletter - Schedule and Publication Plan
Message-ID:

Hi all,

As I mentioned on the 3 Jan Zeek community call, we want to roll out a monthly newsletter. My goal is to get those published at the beginning of the first full week of each month; however, I realized I had not shared the contribution plan, topic ideas, where you contribute and how to get involved. Given the above, we'll publish on Monday 13 January 2020.

Below is that information. Please let me know if you have any questions and I look forward to collaborating with you all.

Thanks,
~Amber

Do you want to contribute to the monthly newsletter?
---------------------------------------------------------------------
Please email me (akgraner at corelight.com) and add your name and email to the following gdoc:
https://docs.google.com/document/d/1CkmV5XVZfz02Bu86G1yIiOmq7UJcNU5RkszT6SODChI/edit#heading=h.kvuwripro0c4

How to contribute
---------------------------------------------------------------------
Below are some suggestions, but contributions are not limited to these suggestions. The more we do these newsletters the better and more inclusive they will become.

* Find public articles of interest and drop into the working document.
* Write blog posts throughout the month.
* Help interview people throughout the month.
* Write 3 to 5 sentence summaries of each article we will include.
* Threat of the Month - Share how Zeek helped you or your organization.

What is the current issue that is being worked on?
---------------------------------------------------------------------
Issue 1 - January 2020 (Covers December 2019) (working document)
Issue 2 - February 2020 (Covers January 2020) (working document)

How will the newsletter get populated?
---------------------------------------------------------------------
Throughout the month, those who want to contribute can add links to the working document. Then editors will go through to add a summary about each article contributed. The weekend before each publication date all final formatting and additions will be done. All of this information will be formatted and published on the Zeek blog.

Publication Schedule
---------------------------------------------------------------------
* Issue Number - Issue Name (Dates Covered) - Planned Publication Dates
* Issue 1 - January 2020 (Covers December 2019) - 13 January 2020
* Issue 2 - February 2020 (Covers January 2020) - 3 February 2020
* Issue 3 - March 2020 (Covers February 2020) - 2 March 2020
* Issue 4 - April 2020 (Covers March 2020) - 6 April 2020
* Issue 5 - May 2020 (Covers April 2020) - 4 May 2020
* Issue 6 - June 2020 (Covers May 2020) - 1 June 2020
* Issue 7 - July 2020 (Covers June 2020) - 6 July 2020
* Issue 8 - August 2020 (Covers July 2020) - 3 August 2020
* Issue 9 - September 2020 (Covers August 2020) - 7 September 2020
* Special Issue 1 - September 2020 (Covers ZeekWeek 2020) - 21 September 2020
* Issue 10 - October 2020 (Covers September 2020) - 5 October 2020
* Issue 11 - November 2020 (Covers October 2020) - 2 November 2020
* Issue 12 - December 2020 (Covers November 2020) - 7 December 2020
* Issue 13 - Special Issue 2 - (Year End Review) - 21 December 2020

What will the newsletter cover?
---------------------------------------------------------------------
Topics include but are not limited to the following:

* Development Updates
  -- Release Schedule
  -- Release Notes
  -- Feature Updates
  -- Security Updates
* Zeek in the News
* Interviews with LT/Core Contributors/Other
* Threat of the Month with a Summary of how Zeek plays into hunting/detection/Solving (what role did the use of Zeek play in the detection or solution for this threat in some way)
* Events
* Call to Action
* Contribution/Contributor of the Month - Which would include an interview with that person and or a description of the contribution
* Zeek-related job openings
* Other
* Contributors

More information
---------------------------------------------------------------------
Team Folder

--
*Amber Graner*
Director of Community
Corelight, Inc
828.582.9469
Schedule time on my calendar here.
* Ask me about how you can participate in the Zeek (formerly Bro) community.
* Remember - ZEEK AND YOU SHALL FIND!!

From akgraner at corelight.com Mon Jan 13 11:45:34 2020
From: akgraner at corelight.com (Amber Graner)
Date: Mon, 13 Jan 2020 14:45:34 -0500
Subject: [Zeek] ASK THE ZEEKSPERTS - January Webinars
Message-ID:

Hi all,

Below are the dates and registration links for the January 2020 ASK THE ZEEKSPERTS (ATZ) Webinars. We've updated the times to 12:30pm PST/3:30pm ET for future webinars. Hopefully this will allow more people to participate. I'll also be sending out calendar invites to the mailing list as well.

===What is an ASK THE ZEEKSPERTS webinar?===
This is a bi-monthly call for the Zeek (formerly Bro) community to interface directly with leading contributors to the open-source project and ask questions live to better understand, expand or troubleshoot deployments of the network security monitoring software.
The webinars are free to attend, but registration is required.

===How do I REGISTER for the Webinar?===

Click the links below and fill out the registration form.

* January 16 2020 Webinar - Hosted by Seth Hall
  Registration Link - http://bit.ly/ATZ_30Jan2020

* January 30 2020 Webinar - Host TBD.
  Registration Link - http://bit.ly/ATZ_16Jan2020

Please let me know if you have any questions.

Thanks,
~Amber

From akgraner at corelight.com Mon Jan 13 11:56:34 2020
From: akgraner at corelight.com (akgraner at corelight.com)
Date: Mon, 13 Jan 2020 19:56:34 +0000
Subject: [Zeek] Invitation: ASK THE ZEEKSPERTS @ Thu Jan 16, 2020 3:30pm - 4:30pm (EST) (zeek@zeek.org)
Message-ID: <000000000000586ee2059c0adfd5@google.com>

You have been invited to the following event.

Title: ASK THE ZEEKSPERTS

This is a bi-monthly call for the open-source Zeek (formerly Bro) community to interface directly with leading contributors to the open-source project and ask questions live to better understand, expand or troubleshoot deployments of the network security monitoring software. The webinar is free to attend but registration is required (Link below).

FEATURED SPEAKER for Thursday January 19th will be Seth Hall
Registration link - https://attendee.gotowebinar.com/register/5597309536345352715

When: Thu Jan 16, 2020 3:30pm -
4:30pm Eastern Time - New York
Where: https://attendee.gotowebinar.com/register/5597309536345352715
Calendar: zeek at zeek.org
Who: (Guest list has been hidden at organizer's request)
From akgraner at corelight.com Mon Jan 13 11:58:32 2020
From: akgraner at corelight.com (akgraner at corelight.com)
Date: Mon, 13 Jan 2020 19:58:32 +0000
Subject: [Zeek] Invitation: ASK THE ZEEKSPERTS @ Thu Jan 30, 2020 3:30pm - 4:30pm (EST) (zeek@zeek.org)
Message-ID: <0000000000006086de059c0ae672@google.com>

You have been invited to the following event.

Title: ASK THE ZEEKSPERTS

This is a bi-monthly call for the open-source Zeek (formerly Bro) community to interface directly with leading contributors to the open-source project and ask questions live to better understand, expand or troubleshoot deployments of the network security monitoring software. The webinar is free to attend but registration is required (Link below).

FEATURED SPEAKER for Thursday January 30th - TBD
Registration link - https://attendee.gotowebinar.com/register/4730628291843942667

When: Thu Jan 30, 2020 3:30pm - 4:30pm Eastern Time - New York
Where: https://attendee.gotowebinar.com/register/4730628291843942667
Calendar: zeek at zeek.org
Who: (Guest list has been hidden at organizer's request)
From akgraner at corelight.com Mon Jan 13 12:58:52 2020
From: akgraner at corelight.com (Amber Graner)
Date: Mon, 13 Jan 2020 15:58:52 -0500
Subject: [Zeek] ASK THE ZEEKSPERTS - January Webinars

Hi all,

Updated the links. Everyone on the list should have also gotten a calendar invite.

* January 16 2020 Webinar - Hosted by Seth Hall
  Registration Link - http://bit.ly/ATZ_16Jan2020

* January 30 2020 Webinar - Host TBD.
  Registration Link - http://bit.ly/ATZ_30Jan2020

Thanks,
~Amber

On Mon, Jan 13, 2020 at 2:45 PM Amber Graner wrote:
> Hi all,
>
> Below are the dates and registration links for the January 2020 ASK THE ZEEKSPERTS (ATZ) Webinars.
>
> We've updated the times to 12:30pm PST/3:30pm ET for future webinars. Hopefully this will allow more people to participate.
>
> I'll also be sending out calendar invites to the mailing list as well.
>
> ===What is an ASK THE ZEEKSPERTS webinar?===
>
> This is a bi-monthly call for the Zeek (formerly Bro) community to interface directly with leading contributors to the open-source project and ask questions live to better understand, expand or troubleshoot deployments of the network security monitoring software.
>
> The webinars are free to attend, but registration is required.
>
> ===How do I REGISTER for the Webinar?===
>
> Click the links below and fill out the registration form.
>
> * January 16 2020 Webinar - Hosted by Seth Hall
>   Registration Link - http://bit.ly/ATZ_30Jan2020
>
> * January 30 2020 Webinar - Host TBD.
>   Registration Link - http://bit.ly/ATZ_16Jan2020
>
> Please let me know if you have any questions.
>
> Thanks,
> ~Amber

From johanna at icir.org Mon Jan 13 14:03:29 2020
From: johanna at icir.org (Johanna Amann)
Date: Mon, 13 Jan 2020 14:03:29 -0800
Subject: [Zeek] Extending zeek with rust

Hi Quentin,

> I've been looking at several plugin examples for zeek and I have failed to
> find a definite answer to the following question: is it possible to write
> zeek plugins in Rust? The obvious way would be to compile any rust
> implementation in its own lib and then wrap it in C/C++ but I would be
> interested in something more "native".
Disclaimer: I have not used Rust myself.

The only API that we currently provide for writing plug-ins is based on C++. So - Zeek has to be able to call into your code with the C++ API that it expects, and your code has to be able to call back into Zeek.

The way that you outline - with the Rust code in its own library - sounds like the easiest alternative.

If Rust can directly call into C++ - and can generate a library that is callable in exactly the way that C++ expects, you might be able to make this work without the wrapper - but after a short peek into the documentation this does not seem trivially possible.

Johanna

From quentin.mallet at gmail.com Mon Jan 13 14:29:33 2020
From: quentin.mallet at gmail.com (Quentin Mallet)
Date: Mon, 13 Jan 2020 23:29:33 +0100
Subject: [Zeek] Extending zeek with rust
Message-ID: <46de68c4-eb94-4ffc-bfda-10c8bdd14736@gmail.com>

Thank you very much for your instructive answer. That's pretty much what I figured, either wrap it up or start writing bindings until my fingers bleed, still it's better to get an expert's opinion before resigning oneself.

Regards,

On 13 Jan 2020, 23:03, at 23:03, Johanna Amann wrote:
>Hi Quentin,
>
>> I've been looking at several plugin examples for zeek and I have failed to
>> find a definite answer to the following question: is it possible to write
>> zeek plugins in Rust? The obvious way would be to compile any rust
>> implementation in its own lib and then wrap it in C/C++ but I would be
>> interested in something more "native".
>
>Disclaimer: I have not used Rust myself.
>
>The only API that we currently provide for writing plug-ins is based on C++. So - Zeek has to be able to call into your code with the C++ API that it expects, and your code has to be able to call back into Zeek.
>
>The way that you outline - with the Rust code in its own library - sounds like the easiest alternative.
>
>If Rust can directly call into C++ - and can generate a library that is callable in exactly the way that C++ expects, you might be able to make this work without the wrapper - but after a short peek into the documentation this does not seem trivially possible.
>
>Johanna

From don.thomas.cissp at gmail.com Tue Jan 14 10:50:03 2020
From: don.thomas.cissp at gmail.com (Don Thomas)
Date: Tue, 14 Jan 2020 10:50:03 -0800
Subject: [Zeek] Fwd: Next Webcast: How to use a Raspberry Pi as a Network Sensor

BHIS is going to have a Webinar around Zeek and the Raspberry Pi!

Just wanted to pass this one along in case anyone was interested.

*-dt*

---------- Forwarded message ---------
From: John Strand - Black Hills Information Security <john at blackhillsinfosec.com>
Date: Mon, Jan 13, 2020 at 12:59 PM
Subject: Next Webcast: How to use a Raspberry Pi as a Network Sensor

We're excited about our next webcast with Bill Sterns, from Active Countermeasures.

How to use a Raspberry Pi as a Network Sensor!

Stealth - Size - Cost - Bang for the buck: pick any 4. :-)

Running a network sensor, IDS, or IPS can be a costly venture; the high-end ones can cost more than a used car.

In this webcast we'll cover running a network sensor using a Raspberry Pi, a miniature single-board computer that runs most anything you can run under Linux.

Bill will show you how to install and use the Zeek IDS and cover the performance aspects you'll need to know. Setting up IDSs that cost about the same as a bike means you can monitor far more network segments simultaneously, and hide them behind a power brick if you have to.
Please register for -- How to use a Raspberry Pi as a Network Sensor -- on Jan 16, 2020 2:00 PM EST at:
https://attendee.gotowebinar.com/register/2540509980495221261

No previous experience with the Pi is needed - you'll have a shopping list of what to get.

You'll probably want basic familiarity with running commands under Linux. (Note: We have a Linux webcast on Feb 6th - https://attendee.gotowebinar.com/register/3568259782331562509)

- John

P.s. There are a bunch of two-day training courses being offered at Way West Wild West Hackin' Fest, in San Diego, March 2020: https://www.wildwesthackinfest.com/now/training/#schedule

From akgraner at corelight.com Tue Jan 14 11:47:37 2020
From: akgraner at corelight.com (Amber Graner)
Date: Tue, 14 Jan 2020 14:47:37 -0500
Subject: [Zeek] Zeek Days Workshop Portland - 18 February 2020

Hi all,

If you are going to be near Portland State University on 18 February, please join us for a Zeek Days Workshop. Registration is now open - https://www.eventbrite.com/e/zeek-days-workshop-portland-or-tickets-89780043527

This Zeek Day workshop is hosted by Portland State University and sponsored by Corelight, Inc. This workshop is free to attend but registration is required.

In this workshop we'll introduce you to Zeek, best practice around deploying and running Zeek, then we'll take a deeper look at the Zeek logs and how to use the data derived from the Zeek logs. And for those who want to know more and become an active contributor and participant in the Zeek community we'll get you started.

*===Agenda===*
* 8:30am-9:00am - Registration
* 9am - 9:15am - Welcome and Overview of the Day
* 9:15am - 10:00am - Introduction to Zeek
* 10:00am - 11am - Deploying and Running Zeek
* 11am - 11:15am - Break
* 11:15 - Noon - Zeek Log Review, pt. 1
* Noon - 1pm - Lunch
* 1pm - 1:30pm - Zeek Log Review, pt. 2
* 1:30pm - 2:30pm - Practical Application of Zeek Data and Logs
* 2:30pm - 3pm - Stories from the Trenches: How Zeek helped solve incidents with Zeek.
* 3pm - 3:30pm - Wrap-up and giveaways

We'll also be giving away a Raspberry Pi 4 with Raspbian and Zeek preloaded.

More about Zeek (formerly Bro) can be found at: zeek.org

===Venue Information===
Portland State University
Smith Memorial Student Union (Room SMSU 327/8/9)
1825 SW Broadway
Portland, OR 97201

===Registration Information===
https://www.eventbrite.com/e/zeek-days-workshop-portland-or-tickets-89780043527

Please let me know if you have any questions or if you or your organization is interested in hosting a Zeek Days Workshop in your area.

With gratitude,
~Amber

From akgraner at corelight.com Tue Jan 14 12:15:10 2020
From: akgraner at corelight.com (Amber Graner)
Date: Tue, 14 Jan 2020 15:15:10 -0500
Subject: [Zeek] Fwd: Next Webcast: How to use a Raspberry Pi as a Network Sensor

Hi Don,

This is great. I'll add this to the newsletter and to upcoming events on the website. As you schedule future Zeek related events please let me know or email them to news at zeek.org so we can help you promote.

Also, if anyone has any Zeek related event information please send it our way.

Thanks!
~Amber

On Tue, Jan 14, 2020 at 1:52 PM Don Thomas wrote:
> BHIS is going to have a Webinar around Zeek and the Raspberry Pi!
>
> Just wanted to pass this one along in case anyone was interested.
>
> *-dt*
>
> ---------- Forwarded message ---------
> From: John Strand - Black Hills Information Security <john at blackhillsinfosec.com>
> Date: Mon, Jan 13, 2020 at 12:59 PM
> Subject: Next Webcast: How to use a Raspberry Pi as a Network Sensor
>
> We're excited about our next webcast with Bill Sterns, from Active Countermeasures.
>
> How to use a Raspberry Pi as a Network Sensor!
>
> Stealth - Size - Cost - Bang for the buck: pick any 4. :-)
>
> Running a network sensor, IDS, or IPS can be a costly venture; the high-end ones can cost more than a used car.
>
> In this webcast we'll cover running a network sensor using a Raspberry Pi, a miniature single-board computer that runs most anything you can run under Linux.
>
> Bill will show you how to install and use the Zeek IDS and cover the performance aspects you'll need to know. Setting up IDSs that cost about the same as a bike means you can monitor far more network segments simultaneously, and hide them behind a power brick if you have to.
>
> Please register for -- How to use a Raspberry Pi as a Network Sensor -- on Jan 16, 2020 2:00 PM EST at:
> https://attendee.gotowebinar.com/register/2540509980495221261
>
> No previous experience with the Pi is needed - you'll have a shopping list of what to get.
>
> You'll probably want basic familiarity with running commands under Linux. (Note: We have a Linux webcast on Feb 6th - https://attendee.gotowebinar.com/register/3568259782331562509)
>
> - John
>
> P.s. There are a bunch of two-day training courses being offered at Way West Wild West Hackin' Fest, in San Diego, March 2020: https://www.wildwesthackinfest.com/now/training/#schedule
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
From akgraner at corelight.com Tue Jan 14 13:07:33 2020
From: akgraner at corelight.com (Amber Graner)
Date: Tue, 14 Jan 2020 16:07:33 -0500
Subject: [Zeek] Now Available - Zeek Monthly Newsletter, Issue 1 - January 2020

===Welcome to the Zeek Monthly Newsletter, Issue 1 covers December 2019 as well as upcoming events.===

Link to downloadable PDF - http://bit.ly/ZeekMonthlyNews_Issue1_Jan2020
Link to blog post - https://blog.zeek.org/2020/01/zeek-monthly-newsletter-issue-1-january.html

===In this Issue:===
* General Community News/Updates
* Development Updates
* Zeek In the News
* Interviews
* Threat of the Month
* Upcoming Events
* Contribution/Contributor of the Month
* Zeek Related Issues
* Publication Schedule
* Get Involved

===General Community News/Updates===

We're very excited to publish this first Zeek newsletter. This newsletter will be published monthly on the first full week of each month. The publication schedule can be found below.

In this issue you'll notice some sections will only have a description as we are actively looking for content and contributors. Please consider becoming an editor. If you are interested please email news at zeek.org.

===Development Updates===

Zeek 3.0.1 release available - This is a bug-fix release that most notably addresses a JSON logging performance regression in 3.0.0, but also fixes other minor bugs.
http://mailman.icsi.berkeley.edu/pipermail/zeek/2019-December/014845.html

===Zeek in the News===

This section will be for articles published outside of the Zeek Blog.
If you come across articles referencing Zeek in your news feed and you'd like us to share it in the newsletter, please send the link to news at zeek.org or add it to the Issue 2 working document at:
https://docs.google.com/document/d/1spPRm7fYDIeRgqiQ5_IM53q6kcBNjPaLSuY5tIfASx8/edit

===Interviews with LT/Core Contributors/Other===

What community member or contributor would you like to know more about? If you have suggestions please email us at news at zeek.org. Since there wasn't any from December and this is our first newsletter, below are the links to a couple from earlier in 2019.

* Robin Sommer - https://blog.zeek.org/2019/04/people-of-zeek-interview-series-robin.html
* Zeke Medley - https://blog.zeek.org/2019/06/people-of-zeek-interview-series.html
* Fatema Bannat Wala - https://blog.zeek.org/2019/07/people-of-zeek-interview-series.html

===Threat of the Month===

Do you have a threat you'd like to share with the community and how using Zeek in your security stack helped you identify that threat? Please email news at zeek.org and we'll work with you to get it written up and shared in the next newsletter.

===Upcoming Events===

If you or your organization would like to host a Zeek event or if you know of any public Zeek related workshops, please send us the links so that we can include those in the newsletter and on the website.

* ASK THE ZEEKSPERTS

Ask the Zeeksperts is a one hour bi-weekly call that is hosted by various "Zeeksperts" in the community. This is where you can drop by and ask your Zeek Related questions. The webinars are free to attend, but registration is required.
* 16 January 2020 - 12:30pm PT - Hosted by Seth Hall
  Registration Link - http://bit.ly/ATZ_16Jan2020
* 30 January 2020 - 12:30pm PT - Host TBD
  Registration Link - http://bit.ly/ATZ_30Jan2020

* HOW TO USE A RASPBERRY PI AS A NETWORK SENSOR - WEBINAR

* 16 January 2020 - 2:00PM EST

This webinar is being hosted by Black Hills Information Security and presented by Bill Sterns, from Active Countermeasures. This webcast will cover running a network sensor using a Raspberry Pi, a miniature single-board computer that runs most anything you can run under Linux. Bill will show you how to install and use the Zeek IDS and cover the performance aspects you'll need to know. Setting up IDSs that cost about the same as a bike means you can monitor far more network segments simultaneously, and hide them behind a power brick if you have to.

Register for this webinar at: https://attendee.gotowebinar.com/register/2540509980495221261

* ZEEK DAYS WORKSHOPS

* 18 February 2020 - Portland OR

This is a one day Zeek workshop hosted by Portland State University and sponsored by Corelight, Inc. This workshop is free to attend but registration is required. In this workshop we'll introduce you to Zeek, best practice around deploying and running Zeek, then we'll take a deeper look at the Zeek logs and how to use the data derived from the Zeek logs. And for those who want to know more and become an active contributor and participant in the Zeek community we'll get you started.

Registration and more information - https://www.eventbrite.com/e/zeek-days-workshop-portland-or-tickets-89780043527

===Contribution/Contributor of the Month===

Check out packages.zeek.com. Every month we'll pick a package to highlight. Consider contributing a package during January 2020, so we can highlight your contribution on the Zeek Blog and in the February 2020 Zeek Newsletter. If you'd like to review the packages and interview the contributors, please email news at zeek.org.
===Zeek-related Jobs===

If you or someone you know have any Zeek related job postings you'd like us to share in the monthly newsletter please send links to news at zeek.org.

===Publication Schedule===

Issue 1 - January 2020 (Covers December 2019) - 14 January 2020
Issue 2 - February 2020 (Covers January 2020) - 3 February 2020
Issue 3 - March 2020 (Covers February 2020) - 2 March 2020
Issue 4 - April 2020 (Covers March 2020) - 6 April 2020
Issue 5 - May 2020 (Covers April 2020) - 4 May 2020
Issue 6 - June 2020 (Covers May 2020) - 1 June 2020
Issue 7 - July 2020 (Covers June 2020) - 6 July 2020
Issue 8 - August 2020 (Covers July 2020) - 3 August 2020
Issue 9 - September 2020 (Covers August 2020) - 7 September 2020
Issue 10 - Special Issue 1 - September 2020 (Covers ZeekWeek 2020) - 21 September 2020
Issue 11 - October 2020 (Covers September 2020) - 5 October 2020
Issue 12 - November 2020 (Covers October 2020) - 2 November 2020
Issue 13 - December 2020 (Covers November 2020) - 7 December 2020
Issue 14 - Special Issue 2 - (Year End Review) - 21 December 2020

===Get Involved===

If you are interested in getting involved with the Zeek Newsletter, please email news at zeek.org.

More information about the newsletter can be found at: https://docs.google.com/document/d/1Jo6EBdExKgiYgi6MKIoUougJRJevjuV4wv58fmP6bPw/edit#

Follow us on Twitter at: https://twitter.com/Zeekurity

From johanna at icir.org Tue Jan 14 18:42:19 2020
From: johanna at icir.org (Johanna Amann)
Date: Tue, 14 Jan 2020 18:42:19 -0800
Subject: [Zeek] Work-in-progress package to detect CVE-2020-0601
Message-ID: <0960C97C-CDD0-405C-BFCA-565C87EB8A55@icir.org>

Hi,

I assume most of you heard of CVE-2020-0601.
If not - see the advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 and the description at https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF.

I have a small work-in-progress Zeek package that should be able to detect if someone is trying to exploit this in TLS communication, e.g. when impersonating a server.

The package is available at https://github.com/0xxon/cve-2020-0601; the script itself is very short and available at https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro.

How does it work
================

From the description above, the attack seems to require curves that are explicitly-defined to be present in certificates; furthermore the curve needs to be a non-standard curve. Having an explicitly defined curve in a certificate is quite unusual - RFC 5480 actually forbids this specifically.

The script linked above checks if a certificate is an elliptic curve certificate - and then checks if the curve field was set by Zeek - which it should always be for named curves. If the curve is not set, a notice is raised.

Limitations & False positives
=============================

Short version: there may be false positives - it should not be many.

If I understand CVE-2020-0601 correctly, this script should always alert when a suspicious certificate is found in traffic. However, there are a few cases where it may alert when a certificate is benign.

Specifically, it is possible for a certificate to explicitly define a well-known curve, instead of just putting the ID of the curve in the certificate. When this happens, the alert behavior of the script currently depends on the locally installed version of OpenSSL. Some versions of OpenSSL convert the curve back to its name - in which case no alert is raised (which is correct). However, other versions do not do this - and lead to Zeek leaving the field empty. This will lead to a notice being raised.
I am not sure why the behavior differs - this seems to depend on configuration choices of different Linux distributions - and sadly this seems to not work in a lot of Linux distributions. I could not map it to specific versions of OpenSSL.

The package contains several tests - if the explicit.bro test fails, your OpenSSL installation does not perform the conversion - which theoretically leads to false positives.

That being said - in theory, explicit curves should not be used for TLS communication. Which brings me to...

Feedback
========

If you use this and see it raising a lot of notices, or have other feedback - please write either here or to me directly.

I am currently working on trying to get the detection better - this will require making this a binary module that directly calls into OpenSSL to examine the certificate data structures.

Johanna

From asharma at lbl.gov Tue Jan 14 21:13:49 2020
From: asharma at lbl.gov (Aashish Sharma)
Date: Tue, 14 Jan 2020 21:13:49 -0800
Subject: [Zeek] Work-in-progress package to detect CVE-2020-0601
In-Reply-To: <0960C97C-CDD0-405C-BFCA-565C87EB8A55@icir.org>
References: <0960C97C-CDD0-405C-BFCA-565C87EB8A55@icir.org>
Message-ID: <20200115051348.GM82154@MacPro.local>

Thanks Johanna - I must say quite timely package.

On Tue, Jan 14, 2020 at 06:42:19PM -0800, Johanna Amann wrote:
> Hi,
>
> I assume most of you heard of CVE-2020-0601. If not - see the advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 and the description at https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF.
>
> I have a small work-in-progress Zeek package that should be able to detect if someone is trying to exploit this in TLS communication, e.g. when impersonating a server.
>
> The package is available at https://github.com/0xxon/cve-2020-0601; the script itself is very short and available at https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro.
>
> How does it work
> ================
>
> From the description above, the attack seems to require curves that are explicitly-defined to be present in certificates; furthermore the curve needs to be a non-standard curve. Having an explicitly defined curve in a certificate is quite unusual - RFC 5480 actually forbids this specifically.
>
> The script linked above checks if a certificate is an elliptic curve certificate - and then checks if the curve field was set by Zeek - which it should always be for named curves. If the curve is not set, a notice is raised.
>
> Limitations & False positives
> =============================
>
> Short version: there may be false positives - it should not be many.
>
> If I understand CVE-2020-0601 correctly, this script should always alert when a suspicious certificate is found in traffic. However, there are a few cases where it may alert when a certificate is benign.
>
> Specifically, it is possible for a certificate to explicitly define a well-known curve, instead of just putting the ID of the curve in the certificate. When this happens, the alert behavior of the script currently depends on the locally installed version of OpenSSL. Some versions of OpenSSL convert the curve back to its name - in which case no alert is raised (which is correct). However, other versions do not do this - and lead to Zeek leaving the field empty. This will lead to a notice being raised.
>
> I am not sure why the behavior differs - this seems to depend on configuration choices of different Linux distributions - and sadly this seems to not work in a lot of Linux distributions. I could not map it to specific versions of OpenSSL.
>
> The package contains several tests - if the explicit.bro test fails, your OpenSSL installation does not perform the conversion - which theoretically leads to false positives.
>
> That being said - in theory, explicit curves should not be used for TLS communication. Which brings me to...
>
> Feedback
> ========
>
> If you use this and see it raising a lot of notices, or have other feedback - please write either here or to me directly.
>
> I am currently working on trying to get the detection better - this will require making this a binary module that directly calls into OpenSSL to examine the certificate data structures.
>
> Johanna
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From michalpurzynski1 at gmail.com Tue Jan 14 21:51:41 2020
From: michalpurzynski1 at gmail.com (Michał Purzyński)
Date: Tue, 14 Jan 2020 21:51:41 -0800
Subject: [Zeek] Work-in-progress package to detect CVE-2020-0601
In-Reply-To: <20200115051348.GM82154@MacPro.local>
References: <20200115051348.GM82154@MacPro.local>
Message-ID: <1B2C5627-963A-483A-AEEE-191FA8D7290D@gmail.com>

Thanks a lot! Can we have that tweeted from the Zeek account?

> On Jan 14, 2020, at 9:23 PM, Aashish Sharma wrote:
>
> Thanks Johanna - I must say quite timely package.
>
>> On Tue, Jan 14, 2020 at 06:42:19PM -0800, Johanna Amann wrote:
>> Hi,
>>
>> I assume most of you heard of CVE-2020-0601. If not - see the advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 and the description at https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF.
>>
>> I have a small work-in-progress Zeek package that should be able to detect if someone is trying to exploit this in TLS communication, e.g. when impersonating a server.
>> >> The package is available at https://github.com/0xxon/cve-2020-0601; the >> script itself is very short and available at >> https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro. >> >> How does it work >> ================ >> >> From the description above, the attack seems to require curves that are >> explicitly-defined to be present in certificates; furthermore the curve >> needs to be a non-standard curve. Having an explicitly defined curve in >> a certificate is quite unusual - RFC 5480 actually forbids this >> specifically. >> >> The script linked above checks if a certificate is an elliptic curve >> certificate - and then checks if the curve field was set by Zeek - which >> it should always be for named curves. If the curve is not set, a notice >> is raised. >> >> Limitations & False positives >> ============================= >> >> Short version: there may be false positives - it should not be many. >> >> If I understand CVE-2020-0601 correctly, this script should always alert >> when a suspicious certificate is found in traffic. However, there are a >> few cases where it may alert when a certificate is benign. >> >> Specifically, it is possible for a certificate to explicitly define a >> well-known curve, instead of just putting the ID of the curve in the >> certificate. When this happens, the alert behavior of the script >> currently depends on the locally installed version of OpenSSL. Some >> versions of OpenSSL convert the curve back to its name - in which case >> no alert is raised (which is correct). However, other versions do not do >> this - and lead to Zeek leaving the field empty. This will lead to a >> notice being raised. >> >> I am not sure why the behavior differs - this seems to depend on >> configuration choices of different Linux distributions - and sadly this >> seems to not work in a lot of linux distributions. I could not map it to >> specific versions of OpenSSL. 
>> >> The package contains several tests - if the explicit.bro test fails, >> your OpenSSL installation does not perform the conversion - which >> theoretically lead to false positives. >> >> That being said - in theory, explicit curves should not be used for TLS >> communication. Which brings me to? >> >> Feedback >> ======== >> >> If you use this and see it raising a lot of notices, or have other >> feedback - please write either here or to me directly. >> >> I am currently working on trying to get the detection better - this will >> require making this a binary module that directly calls into OpenSSL to >> examine the certificate datastructures. >> >> Johanna >> >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek From adamp at os.pl Wed Jan 15 10:15:36 2020 From: adamp at os.pl (os) Date: Wed, 15 Jan 2020 19:15:36 +0100 Subject: [Zeek] Signatures::LOG - rotation Message-ID: <32964fc1-64fb-e455-35f3-a760bd778627@os.pl> hello members, Please, can you help me I have problem with log rotation for signature LOG (only) when I use scripts , event zeek_init() ??? { ??? local f = Log::get_filter(Signatures::LOG, "default"); ??? f$interv = 1 min; ??? Log::add_filter(Signatures::LOG, f); ??? } after run I have error. expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id]) fatal error: errors occurred while initializing The problem occurs in versions 3.0.1; 3.1.0-dev.376 Thank you , hello Zeek Team, Please, can you help me I have problem with log rotation for signature LOG (only) when I use scripts , event zeek_init() ??? { ??? local f = Log::get_filter(Signatures::LOG, "default"); ??? f$interv = 1 min; ??? Log::add_filter(Signatures::LOG, f); ??? 
} ?after run zeek? a see error. expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id]) fatal error: errors occurred while initializing The problem occurs in versions 3.0.1; 3.1.0-dev.376 Thank you, for any help. Adam Adam - - - - - - - - - - - - - - - - - - - - H o s t i n g z d a r m o w y m c e r t y f i k a t e m S S L z a p o l o w e - k l a t k a . p l From justin at corelight.com Wed Jan 15 11:18:32 2020 From: justin at corelight.com (Justin Azoff) Date: Wed, 15 Jan 2020 14:18:32 -0500 Subject: [Zeek] Signatures::LOG - rotation In-Reply-To: <32964fc1-64fb-e455-35f3-a760bd778627@os.pl> References: <32964fc1-64fb-e455-35f3-a760bd778627@os.pl> Message-ID: How exactly are you reproducing that? I tried this: ==> foo.sig <== signature foo { ip-proto == tcp tcp-state established,originator event "hello" payload /.*hello/ } ==> foo.zeek <== @load-sigs ./foo.sig event zeek_init() { local f = Log::get_filter(Signatures::LOG, "default"); f$interv = 30 secs; Log::add_filter(Signatures::LOG, f); } and just running zeek foo.zeek and after making 2 connections a minute apart ended up with 2 rotated log files. On Wed, Jan 15, 2020 at 1:18 PM os wrote: > hello members, > > Please, can you help me > > I have problem with log rotation for signature LOG (only) > > when I use scripts , > > event zeek_init() > { > local f = Log::get_filter(Signatures::LOG, "default"); > f$interv = 1 min; > Log::add_filter(Signatures::LOG, f); > } > > after run I have error. 
> > expression error in > /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line > 579: no such index (Log::all_streams[Log::id]) > fatal error: errors occurred while initializing > > The problem occurs in versions 3.0.1; 3.1.0-dev.376 > > Thank you , hello Zeek Team, > Please, can you help me > > I have problem with log rotation for signature LOG (only) > when I use scripts , > event zeek_init() > { > local f = Log::get_filter(Signatures::LOG, "default"); > f$interv = 1 min; > Log::add_filter(Signatures::LOG, f); > } > after run zeek a see error. > expression error in > /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line > 579: no such index (Log::all_streams[Log::id]) > fatal error: errors occurred while initializing > > The problem occurs in versions 3.0.1; 3.1.0-dev.376 > > Thank you, for any help. > > Adam > Adam > > > > > - - - - - - - - - - - - - - - - - - - - > > H o s t i n g z d a r m o w y m c e r t y f i k a t e m S S L z > a p o l o w e - k l a t k a . p l > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -- Justin -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200115/aef74bec/attachment-0001.html From adamp at os.pl Wed Jan 15 14:30:46 2020 From: adamp at os.pl (os) Date: Wed, 15 Jan 2020 23:30:46 +0100 Subject: [Zeek] Signatures::LOG - rotation In-Reply-To: References: <32964fc1-64fb-e455-35f3-a760bd778627@os.pl> Message-ID: <71db1436-b354-458a-d5d3-40c14cec8b5a@os.pl> Thank you for your response. I did the test with your configuration and it works fine. So I need to check my configuration carefully. Thank you for your time W dniu 15.01.2020 o?20:18, Justin Azoff pisze: > How exactly are you reproducing that? > > I tried this: > > ==> foo.sig <== > signature foo { > ? ip-proto == tcp > ? tcp-state established,originator > ? 
event "hello" > ? payload /.*hello/ > } > > ==> foo.zeek <== > @load-sigs ./foo.sig > event zeek_init() > ? ? ?{ > ? ? ?local f = Log::get_filter(Signatures::LOG, "default"); > ? ? ?f$interv = 30 secs; > ? ? ?Log::add_filter(Signatures::LOG, f); > ? ? ?} > > and just running zeek foo.zeek and after making 2 connections a minute > apart ended up with 2 rotated log files. > > > On Wed, Jan 15, 2020 at 1:18 PM os > > wrote: > > hello members, > > Please, can you help me > > I have problem with log rotation for signature LOG (only) > > when I use scripts , > > event zeek_init() > ???? { > ???? local f = Log::get_filter(Signatures::LOG, "default"); > ???? f$interv = 1 min; > ???? Log::add_filter(Signatures::LOG, f); > ???? } > > after run I have error. > > expression error in > /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line > 579: no such index (Log::all_streams[Log::id]) > fatal error: errors occurred while initializing > > The problem occurs in versions 3.0.1; 3.1.0-dev.376 > > Thank you , hello Zeek Team, > Please, can you help me > > I have problem with log rotation for signature LOG (only) > when I use scripts , > event zeek_init() > ???? { > ???? local f = Log::get_filter(Signatures::LOG, "default"); > ???? f$interv = 1 min; > ???? Log::add_filter(Signatures::LOG, f); > ???? } > ??after run zeek? a see error. > expression error in > /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line > 579: no such index (Log::all_streams[Log::id]) > fatal error: errors occurred while initializing > > The problem occurs in versions 3.0.1; 3.1.0-dev.376 > > Thank you, for any help. > > Adam > Adam > > > > > - - - - - - - - - - - - - - - - - - - - > > H o s t i n g? ?z? ?d a r m o w y m? ?c e r t y f i k a t e m ?S S > L? ?z a? ?p o l o w e - k l a t k a . 
p l > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > > > -- > Justin - - - - - - - - - - - - - - - - - - - - H o s t i n g z d a r m o w y m c e r t y f i k a t e m S S L z a p o l o w e - k l a t k a . p l From johanna at icir.org Wed Jan 15 15:48:42 2020 From: johanna at icir.org (Johanna Amann) Date: Wed, 15 Jan 2020 15:48:42 -0800 Subject: [Zeek] Updated package to detect CVE-2020-0601 In-Reply-To: <0960C97C-CDD0-405C-BFCA-565C87EB8A55@icir.org> References: <0960C97C-CDD0-405C-BFCA-565C87EB8A55@icir.org> Message-ID: <5B3B5734-A9B6-4EC3-9AFF-98CBB8FC0BC6@icir.org> Hello everyone, I just wanted to announce that there now is an updated package to detect CVE-2020-0601. The package is available at https://github.com/0xxon/cve-2020-0601-plugin But - before you run and install it - please read this email for more details on the package and the advantages/disadvantages over the old one. Due to the fact that not everyone will be able to use the new package, the old package will also stays available at https://github.com/0xxon/cve-2020-0601 Description of new package ========================== As described in the last email, the attack requires a non-standard explicitly-defined curves to be present in the certificate. The new package uses OpenSSL to directly examine if the curve used in a certificate is a standard curve or a non-standard curve. This means that this new package should give a very high confidence signal once it finds a suspicious certificate. The notices of the new package are also more detailed, giving a return-code that shows why this package thinks a certificate might be suspicious. If you are interested in looking at the code - the main test code is contained in https://github.com/0xxon/cve-2020-0601-plugin/blob/master/src/openssl_curves.c (which is mostly from the OpenSSL source tree - with small modifications). 
This code is called from https://github.com/0xxon/cve-2020-0601-plugin/blob/master/src/mscve.bif, which extracts the necessary data from certificates.

Disadvantages of the new package
================================

The new package requires OpenSSL 1.1.x. I am currently not planning to backport this to older versions of OpenSSL. The new package also uses C++ code - as always in binary plugins there is a higher chance that errors are introduced. Like, e.g., memory leaks, or potentially even crashes.

Furthermore, the old package already gives a pretty high-quality signal. While there is a chance for false positives, I know of several sites that currently have the old version of the package installed - so far without any false positives.

Short version: if you have OpenSSL 1.1.x, want a high-confidence signal and do not mind loading binary plugins: use this new version. In all other cases, stay with the old version - which remains unchanged.

Feedback
========

If you run this package, and encounter problems, or if you run it and it works - please share your experiences :). Optimally on this mailing list so that the community can profit from it - and if that is not possible feel free to just drop me an email.

Johanna
From johanna at icir.org  Thu Jan 16 09:30:47 2020
From: johanna at icir.org (Johanna Amann)
Date: Thu, 16 Jan 2020 09:30:47 -0800
Subject: [Zeek] Updated package to detect CVE-2020-0601
In-Reply-To: <5B3B5734-A9B6-4EC3-9AFF-98CBB8FC0BC6@icir.org>
References: <0960C97C-CDD0-405C-BFCA-565C87EB8A55@icir.org> <5B3B5734-A9B6-4EC3-9AFF-98CBB8FC0BC6@icir.org>
Message-ID: <4CF38A95-485F-4FD7-AE03-5C06754AEC09@icir.org>

Hello everyone,

in more news on this, I was just pointed to a POC for this - which is available at https://github.com/ollypwn/cve-2020-0601.

Using this, I verified that both versions of the package successfully detect the exploit; I also added a test-case with a real exploit certificate to both packages (no other changes).

As previously mentioned - if you run this and see any exploit activity, I would be really interested in hearing about it.

Johanna
From chavez243 at gmail.com  Thu Jan 16 09:56:36 2020
From: chavez243 at gmail.com (Rick Chisholm)
Date: Thu, 16 Jan 2020 12:56:36 -0500
Subject: [Zeek] Updated package to detect CVE-2020-0601
In-Reply-To: <4CF38A95-485F-4FD7-AE03-5C06754AEC09@icir.org>
References: <0960C97C-CDD0-405C-BFCA-565C87EB8A55@icir.org> <5B3B5734-A9B6-4EC3-9AFF-98CBB8FC0BC6@icir.org> <4CF38A95-485F-4FD7-AE03-5C06754AEC09@icir.org>
Message-ID:

You *could* also point a browser in your environment at hxxps://cve20200601.dshield.org - they set up that site to test for a vulnerable browser, but I found in testing that it also triggered my NSM.

Excellent work on this plugin / script - very handy!
--
Rick Chisholm
=========================

From johanna at icir.org  Thu Jan 16 10:21:24 2020
From: johanna at icir.org (Johanna Amann)
Date: Thu, 16 Jan 2020 10:21:24 -0800
Subject: [Zeek] Updated package to detect CVE-2020-0601
In-Reply-To: <4CF38A95-485F-4FD7-AE03-5C06754AEC09@icir.org>
References: <0960C97C-CDD0-405C-BFCA-565C87EB8A55@icir.org> <5B3B5734-A9B6-4EC3-9AFF-98CBB8FC0BC6@icir.org> <4CF38A95-485F-4FD7-AE03-5C06754AEC09@icir.org>
Message-ID:

Hi,

in even more news - after a suggestion of Justin, I updated the script in a way that lets you log suspicious certificates - in case you will want to dig into exploit attempts afterwards.

Both versions of the plugin now have a setting (disabled by default) that will log all suspicious certificates encoded as base64. To enable this, update your package and redef CVE_2020_0601::log_certs to true.

Johanna
> > As previously mentioned - if you run this and see any exploit activity, I would be really interested in hearing about it.
> >
> > Johanna
> >
> > On 15 Jan 2020, at 15:48, Johanna Amann wrote:
> >
>> Hello everyone,
>>
>> I just wanted to announce that there now is an updated package to detect CVE-2020-0601.
>>
>> The package is available at https://github.com/0xxon/cve-2020-0601-plugin
>>
>> But - before you run and install it - please read this email for more details on the package and the advantages/disadvantages over the old one.
>>
>> Due to the fact that not everyone will be able to use the new package, the old package will also stay available at https://github.com/0xxon/cve-2020-0601
>>
>> Description of new package
>> ==========================
>>
>> As described in the last email, the attack requires non-standard explicitly-defined curves to be present in the certificate. The new package uses OpenSSL to directly examine if the curve used in a certificate is a standard curve or a non-standard curve.
>>
>> This means that this new package should give a very high confidence signal once it finds a suspicious certificate. The notices of the new package are also more detailed, giving a return-code that shows why this package thinks a certificate might be suspicious.
>>
>> If you are interested in looking at the code - the main test code is contained in https://github.com/0xxon/cve-2020-0601-plugin/blob/master/src/openssl_curves.c (which is mostly from the OpenSSL source tree - with small modifications). This code is called from https://github.com/0xxon/cve-2020-0601-plugin/blob/master/src/mscve.bif, which extracts the necessary data from certificates.
>>
>> Disadvantages of the new package
>> ================================
>>
>> The new package requires OpenSSL 1.1.x. I am currently not planning to backport this to older versions of OpenSSL.
>> The new package also uses C++-code - as always in binary plugins there is a higher chance that errors are introduced. Like, e.g., memory leaks, or potentially even crashes.
>>
>> Furthermore, the old package already gives a pretty high-quality signal. While there is a chance for false positives, I know of several sites that currently have the old version of the package installed - so far without any false positives.
>>
>> Short version: if you have OpenSSL 1.1.x, want a high-confidence signal and do not mind loading binary plugins: use this new version.
>>
>> In all other cases, stay with the old version - which remains unchanged.
>>
>> Feedback
>> ========
>>
>> If you run this package, and encounter problems, or if you run it and it works - please share your experiences :). Optimally on this mailing list so that the community can profit from it - and if that is not possible feel free to just drop me an email.
>>
>> Johanna
>>
>>
>> On 14 Jan 2020, at 18:42, Johanna Amann wrote:
>>
>>> Hi,
>>>
>>> I assume most of you heard of CVE-2020-0601. If not - see the advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601 and the description at https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF.
>>>
>>> I have a small work-in-progress Zeek package that should be able to detect if someone is trying to exploit this in TLS communication, e.g. when impersonating a server.
>>>
>>> The package is available at https://github.com/0xxon/cve-2020-0601; the script itself is very short and available at https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro.
>>>
>>> How does it work
>>> ================
>>>
>>> From the description above, the attack seems to require curves that are explicitly-defined to be present in certificates; furthermore the curve needs to be a non-standard curve. Having an explicitly defined curve in a certificate is quite unusual - RFC 5480 actually forbids this specifically.
>>>
>>> The script linked above checks if a certificate is an elliptic curve certificate - and then checks if the curve field was set by Zeek - which it should always be for named curves. If the curve is not set, a notice is raised.
>>>
>>> Limitations & False positives
>>> =============================
>>>
>>> Short version: there may be false positives - it should not be many.
>>>
>>> If I understand CVE-2020-0601 correctly, this script should always alert when a suspicious certificate is found in traffic. However, there are a few cases where it may alert when a certificate is benign.
>>>
>>> Specifically, it is possible for a certificate to explicitly define a well-known curve, instead of just putting the ID of the curve in the certificate. When this happens, the alert behavior of the script currently depends on the locally installed version of OpenSSL. Some versions of OpenSSL convert the curve back to its name - in which case no alert is raised (which is correct). However, other versions do not do this - and lead to Zeek leaving the field empty. This will lead to a notice being raised.
>>>
>>> I am not sure why the behavior differs - this seems to depend on configuration choices of different Linux distributions - and sadly this seems to not work in a lot of Linux distributions. I could not map it to specific versions of OpenSSL.
>>>
>>> The package contains several tests - if the explicit.bro test fails, your OpenSSL installation does not perform the conversion - which theoretically leads to false positives.
>>>
>>> That being said - in theory, explicit curves should not be used for TLS communication. Which brings me to...
>>>
>>> Feedback
>>> ========
>>>
>>> If you use this and see it raising a lot of notices, or have other feedback - please write either here or to me directly.
>>>
>>> I am currently working on trying to get the detection better - this will require making this a binary module that directly calls into OpenSSL to examine the certificate data structures.
>>>
>>> Johanna
>>>
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From yizhu at shapesecurity.com Thu Jan 16 15:33:30 2020
From: yizhu at shapesecurity.com (Yi Zhu)
Date: Thu, 16 Jan 2020 15:33:30 -0800
Subject: [Zeek] Missing request body
Message-ID: 

Hi,

I found Zeek is missing request bodies in my testing setup. Could you please help with it?

I am testing with one testing client, one testing server and one Zeek server. The Zeek server runs version 3.0.0 with pfring and 8 workers. For example, if I send 10000 testing requests, Zeek can get 10000 records. But around 100 records do not have request bodies, and the request body length is 0. I run tcpdump against the mirroring interface. The request bodies are in the tcpdump logs. Also I can see the content_length is 28, which matches my testing requests.

Thanks,
Yi
-------------- next part --------------
An HTML attachment was scrubbed...
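
The explicit-curve check that the CVE-2020-0601 thread above turns on, as an added example (it is neither the Zeek package's code nor taken from any of the posts): a pure-Python walk over the DER of an X.509 SubjectPublicKeyInfo that reports whether the EC AlgorithmIdentifier carries a namedCurve OID, as RFC 5480 requires, or explicit SpecifiedECDomain parameters, which is what the exploit needs and what leaves Zeek's curve field unset. The sample SPKI blobs are constructed by hand for the demo (dummy public-key bit strings, an explicit parameter block cut down to its version and field ID), so none of them is a usable key; the curve-name table and the names `read_tlv`, `classify_spki` and `is_suspicious` are this example's own choices.

```python
"""Named-curve vs. explicit-curve check on a DER SubjectPublicKeyInfo.

Added example for the CVE-2020-0601 discussion; not code from the Zeek
package or the mailing-list posts.  The sample DER values at the bottom
are constructed for this demo and are not real keys.
"""

# DER tags used below
TAG_NULL = 0x05
TAG_OID = 0x06
TAG_SEQUENCE = 0x30

# Content octets of the OIDs we need (without tag and length)
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")     # 1.2.840.10045.2.1
NAMED_CURVES = {                                       # small demo table
    bytes.fromhex("2a8648ce3d030107"): "prime256v1",   # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "secp384r1",          # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "secp521r1",          # 1.3.132.0.35
}


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV starting at buf[pos]; return (tag, value, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:end], end


def classify_spki(spki_der: bytes):
    """Return (kind, curve) for a DER SubjectPublicKeyInfo.

    kind is "not-ec", "named", "explicit" or "implicit"; curve is the
    curve name for "named" (or "unknown-oid"), otherwise None.
    """
    tag, spki, _ = read_tlv(spki_der)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectPublicKeyInfo is not a SEQUENCE")
    tag, alg_id, _ = read_tlv(spki)
    if tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, pos = read_tlv(alg_id)
    if tag != TAG_OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    if oid != ID_EC_PUBLIC_KEY:
        return "not-ec", None
    if pos >= len(alg_id):                 # parameters absent entirely
        return "implicit", None
    tag, params, _ = read_tlv(alg_id, pos)
    if tag == TAG_OID:                     # ECParameters CHOICE: namedCurve
        return "named", NAMED_CURVES.get(params, "unknown-oid")
    if tag == TAG_SEQUENCE:                # ECParameters CHOICE: specifiedCurve
        return "explicit", None
    if tag == TAG_NULL:                    # ECParameters CHOICE: implicitlyCA
        return "implicit", None
    raise ValueError(f"unexpected ECParameters tag 0x{tag:02x}")


def is_suspicious(spki_der: bytes) -> bool:
    """True when the key is EC but its curve is not given as a namedCurve OID.

    This is the encoding-level signal the Zeek script keys on (curve field
    unset).  It cannot tell an attacker-chosen curve from explicit parameters
    that merely spell out a well-known curve; that needs a full SpecifiedECDomain
    decode and a comparison against the named curve.
    """
    kind, _ = classify_spki(spki_der)
    return kind in ("explicit", "implicit")


# Constructed sample SPKIs (dummy public-key bit strings, not real keys).
NAMED_P256_SPKI = bytes.fromhex(
    "301b" "3013" "06072a8648ce3d0201" "06082a8648ce3d030107" "030400040102")
EXPLICIT_SPKI = bytes.fromhex(           # SpecifiedECDomain cut down to version + field ID
    "3024" "301c" "06072a8648ce3d0201"
    "3011" "020101" "300c" "06072a8648ce3d0101" "020117"   # version 1, prime-field, p = 23
    "030400040102")
IMPLICIT_SPKI = bytes.fromhex(
    "3013" "300b" "06072a8648ce3d0201" "0500" "030400040102")
RSA_SPKI = bytes.fromhex(
    "3014" "300d" "06092a864886f70d010101" "0500" "0303000102")

if __name__ == "__main__":
    for name, spki in [("named P-256", NAMED_P256_SPKI), ("explicit", EXPLICIT_SPKI),
                       ("implicitlyCA", IMPLICIT_SPKI), ("RSA", RSA_SPKI)]:
        print(f"{name:13s} -> {classify_spki(spki)} suspicious={is_suspicious(spki)}")
```

Running it prints the classification of each sample. The caveat from the thread carries over: an explicit block that spells out P-256 still classifies as explicit here, exactly as the first package raised a notice on it; separating that benign case from an attacker-chosen generator requires decoding the whole SpecifiedECDomain and comparing it with the named curve, which is what the binary plugin does through OpenSSL.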
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200116/d487132e/attachment.html

From akgraner at corelight.com Fri Jan 17 18:50:13 2020
From: akgraner at corelight.com (Amber Graner)
Date: Fri, 17 Jan 2020 18:50:13 -0800
Subject: [Zeek] Blog Post on Detecting CVE-2020-0601 with Zeek
Message-ID: 

Hi all,

Check out the latest Zeek Blog by Johanna Amann on Detecting CVE-2020-0601 with Zeek at: https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html

Thanks,
~Amber
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200117/1539eb12/attachment.html

From adamp at os.pl Fri Jan 17 06:00:22 2020
From: adamp at os.pl (os)
Date: Fri, 17 Jan 2020 15:00:22 +0100
Subject: [Zeek] Signatures::LOG - rotation
In-Reply-To: <71db1436-b354-458a-d5d3-40c14cec8b5a@os.pl>
References: <32964fc1-64fb-e455-35f3-a760bd778627@os.pl> <71db1436-b354-458a-d5d3-40c14cec8b5a@os.pl>
Message-ID: 

hello,

I did some tests and something is wrong. Please see the sample configuration:

==> notice.zeek <==
event zeek_init()
    {
    local f = Log::get_filter(Notice::LOG, "default");
    f$interv = 1 min;
    Log::add_filter(Notice::LOG, f);
    }

==> dhcp.zeek <==
event zeek_init()
    {
    local f = Log::get_filter(DHCP::LOG, "default");
    f$interv = 1 min;
    Log::add_filter(DHCP::LOG, f);
    }

==> foo.sig <==
signature foo {
  ip-proto == tcp
  tcp-state established,originator
  event "hello"
  payload /.*hello/
}

==> foo.zeek <==
@load-sigs ./foo.sig
event zeek_init()
    {
    local f = Log::get_filter(Signatures::LOG, "default");
    f$interv = 30 secs;
    Log::add_filter(Signatures::LOG, f);
    }

==> start.zeek <==
@load ./notice.zeek
@load ./dhcp.zeek
@load ./foo.zeek

/usr/local/zeek/bin/zeek -r /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap
./start.zeek

expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
fatal error: errors occurred while initializing

when I make changes

#@load ./notice.zeek
@load ./dhcp.zeek
@load ./foo.zeek

or

@load ./notice.zeek
#@load ./dhcp.zeek
@load ./foo.zeek

or

@load ./notice.zeek
@load ./dhcp.zeek
#@load ./foo.zeek

no error occurs after running

Adam


On 15.01.2020 at 23:30, os wrote:
> Thank you for your response.
> I did the test with your configuration and it works fine.
> So I need to check my configuration carefully.
>
> Thank you for your time
>
>
>
> On 15.01.2020 at 20:18, Justin Azoff wrote:
>> How exactly are you reproducing that?
>>
>> I tried this:
>>
>> ==> foo.sig <==
>> signature foo {
>>   ip-proto == tcp
>>   tcp-state established,originator
>>   event "hello"
>>   payload /.*hello/
>> }
>>
>> ==> foo.zeek <==
>> @load-sigs ./foo.sig
>> event zeek_init()
>>     {
>>     local f = Log::get_filter(Signatures::LOG, "default");
>>     f$interv = 30 secs;
>>     Log::add_filter(Signatures::LOG, f);
>>     }
>>
>> and just running zeek foo.zeek and after making 2 connections a minute apart ended up with 2 rotated log files.
>>
>>
>> On Wed, Jan 15, 2020 at 1:18 PM os wrote:
>>
>> hello members,
>>
>> Please, can you help me
>>
>> I have problem with log rotation for signature LOG (only)
>>
>> when I use scripts ,
>>
>> event zeek_init()
>>     {
>>     local f = Log::get_filter(Signatures::LOG, "default");
>>     f$interv = 1 min;
>>     Log::add_filter(Signatures::LOG, f);
>>     }
>>
>> after running, I have this error.
>>
>> expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
>> fatal error: errors occurred while initializing
>>
>> The problem occurs in versions 3.0.1; 3.1.0-dev.376
>>
>> Thank you , hello Zeek Team,
>> Please, can you help me
>>
>> I have problem with log rotation for signature LOG (only)
>> when I use scripts ,
>> event zeek_init()
>>     {
>>     local f = Log::get_filter(Signatures::LOG, "default");
>>     f$interv = 1 min;
>>     Log::add_filter(Signatures::LOG, f);
>>     }
>> after running zeek I see this error.
>> expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
>> fatal error: errors occurred while initializing
>>
>> The problem occurs in versions 3.0.1; 3.1.0-dev.376
>>
>> Thank you, for any help.
>>
>> Adam
>> Adam
>>
>>
>>
>>
>> - - - - - - - - - - - - - - - - - - - -
>>
>> Hosting with a free SSL certificate for half the price - klatka.pl
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>>
>>
>> --
>> Justin
>
>
>
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From justin at corelight.com Fri Jan 17 06:12:14 2020
From: justin at corelight.com (Justin Azoff)
Date: Fri, 17 Jan 2020 09:12:14 -0500
Subject: [Zeek] Missing request body
In-Reply-To: 
References: 
Message-ID: 

What do the corresponding conn.log records for these connections look like?
-- 
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200117/3e0fedc9/attachment.html

From justin at corelight.com Fri Jan 17 06:27:08 2020
From: justin at corelight.com (Justin Azoff)
Date: Fri, 17 Jan 2020 09:27:08 -0500
Subject: [Zeek] Signatures::LOG - rotation
In-Reply-To: 
References: <32964fc1-64fb-e455-35f3-a760bd778627@os.pl> <71db1436-b354-458a-d5d3-40c14cec8b5a@os.pl>
Message-ID: 

That still works for me. The error you are getting is from add_filter failing to find a log stream with that ID, but Log::create_stream is what creates that. I can make it fail like that if I mess with the priorities, like

event zeek_init() &priority=100
    {
    local f = Log::get_filter(DHCP::LOG, "default");
    f$interv = 1 min;
    Log::add_filter(DHCP::LOG, f);
    }

which makes that run before the

event zeek_init() &priority=5
    {
    Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]);
    Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
    }

in the dhcp script.

but with the default priorities I can't see why that would fail.
-- 
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200117/a3ed0fdd/attachment-0001.html

From akirk at corelight.com Fri Jan 17 06:31:00 2020
From: akirk at corelight.com (Alex Kirk)
Date: Fri, 17 Jan 2020 09:31:00 -0500
Subject: [Zeek] Blog Post on Detecting CVE-2020-0601 with Zeek
In-Reply-To: 
References: 
Message-ID: 

This is an excellent write up. Not only does it explain the vulnerability in technical detail that's not so deep as to lose less technical folks, it makes it clear just how easy it is for us to detect the issue with extremely high fidelity. Especially given Jamey's note that we'll have instructions today for loading this on Corelight appliances, we should all be sharing this liberally.
On Thu, Jan 16, 2020 at 10:00 PM Amber Graner wrote: > Hi all, > > Check out the latest Zeek Blog by Johanna Amann on Detecting CVE-2020-0601 > with Zeek at: > https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html > > Thanks, > ~Amber > > > > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -- Alex Kirk Sales Engineer, Southeast US 404-291-6588 akirk at corelight.com -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200117/d1f24b7e/attachment.html From adamp at os.pl Fri Jan 17 07:47:28 2020 From: adamp at os.pl (os) Date: Fri, 17 Jan 2020 16:47:28 +0100 Subject: [Zeek] Signatures::LOG - rotation In-Reply-To: References: <32964fc1-64fb-e455-35f3-a760bd778627@os.pl> <71db1436-b354-458a-d5d3-40c14cec8b5a@os.pl> Message-ID: <449dac95-2507-b2a1-2774-b74c3a937c31@os.pl> very strange, becouse I didn't change priorities anywhere W dniu 17.01.2020 o?15:27, Justin Azoff pisze: > That still works for me.? The error you are getting is from add_filter > failing to find a log stream with that ID, but?Log::create_stream is > what creates that.? I can make it fail like that if I mess with the > priorities, like > > event zeek_init() &priority=100 > ? ? ?{ > ? ? ?local f = Log::get_filter(DHCP::LOG, "default"); > ? ? ?f$interv = 1 min; > ? ? ?Log::add_filter(DHCP::LOG, f); > ? ? ?} > > which makes that run before the > > event zeek_init() &priority=5 > ? ? { > ? ? Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, > $path="dhcp"]); > ? ? Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports); > ? ? } > > in the dhcp script. > > but with the default priorities I can't see why that would fail. > > > > On Fri, Jan 17, 2020 at 9:00 AM os > > wrote: > > hello, > > > I did some tests and? something is wrong. 
> please see the sample configuration > > ==> notice.zeek <== > > event zeek_init() > ???? { > ???? local f = Log::get_filter(Notice::LOG, "default"); > ???? f$interv = 1 min; > ???? Log::add_filter(Notice::LOG, f); > ???? } > > ==> dhcp.zeek <== > > event zeek_init() > ???? { > ???? local f = Log::get_filter(DHCP::LOG, "default"); > ???? f$interv = 1 min; > ???? Log::add_filter(DHCP::LOG, f); > ???? } > > ==> foo.sig <== > signature foo { > ?? ip-proto == tcp > ?? tcp-state established,originator > ?? event "hello" > ?? payload /.*hello/ > } > > ==> foo.zeek <== > @load-sigs ./foo.sig > event zeek_init() > ?? ? ?{ > ?? ? ?local f = Log::get_filter(Signatures::LOG, "default"); > ?? ? ?f$interv = 30 secs; > ?? ? ?Log::add_filter(Signatures::LOG, f); > ?? ? ?} > > ==> start.zeek <== > > @load ./notice.zeek > @load ./dhcp.zeek > @load ./foo.zeek > > /usr/local/zeek/bin/zeek -r > /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap? ./start.zeek > > > expression error in > /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line > 579: no such index (Log::all_streams[Log::id]) > fatal error: errors occurred while initializing > > when I make changes > > #@load ./notice.zeek > @load ./dhcp.zeek > @load ./foo.zeek > > or > > @load ./notice.zeek > #@load ./dhcp.zeek > @load ./foo.zeek > > or > > @load ./notice.zeek > @load ./dhcp.zeek > #@load ./foo.zeek > > > no error occurs after running > > Adam > > > W dniu 15.01.2020 o?23:30, os pisze: > > Thank you for your response. > > I did the test with your configuration and it works fine. > > So I need to check my configuration carefully. > > > > Thank you for your time > > > > > > > > W dniu 15.01.2020 o?20:18, Justin Azoff pisze: > >> How exactly are you reproducing that? > >> > >> I tried this: > >> > >> ==> foo.sig <== > >> signature foo { > >>? ? ip-proto == tcp > >>? ? tcp-state established,originator > >>? ? event "hello" > >>? ? 
payload /.*hello/ > >> } > >> > >> ==> foo.zeek <== > >> @load-sigs ./foo.sig > >> event zeek_init() > >>? ? ? ?{ > >>? ? ? ?local f = Log::get_filter(Signatures::LOG, "default"); > >>? ? ? ?f$interv = 30 secs; > >>? ? ? ?Log::add_filter(Signatures::LOG, f); > >>? ? ? ?} > >> > >> and just running zeek foo.zeek and after making 2 connections a > minute > >> apart ended up with 2 rotated log files. > >> > >> > >> On Wed, Jan 15, 2020 at 1:18 PM os >> > >> wrote: > >> > >>? ? ? hello members, > >> > >>? ? ? Please, can you help me > >> > >>? ? ? I have problem with log rotation for signature LOG (only) > >> > >>? ? ? when I use scripts , > >> > >>? ? ? event zeek_init() > >>? ? ? ???? { > >>? ? ? ???? local f = Log::get_filter(Signatures::LOG, > "default"); > >>? ? ? ???? f$interv = 1 min; > >>? ? ? ???? Log::add_filter(Signatures::LOG, f); > >>? ? ? ???? } > >> > >>? ? ? after run I have error. > >> > >>? ? ? expression error in > >> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, > line > >>? ? ? 579: no such index (Log::all_streams[Log::id]) > >>? ? ? fatal error: errors occurred while initializing > >> > >>? ? ? The problem occurs in versions 3.0.1; 3.1.0-dev.376 > >> > >>? ? ? Thank you , hello Zeek Team, > >>? ? ? Please, can you help me > >> > >>? ? ? I have problem with log rotation for signature LOG (only) > >>? ? ? when I use scripts , > >>? ? ? event zeek_init() > >>? ? ? ???? { > >>? ? ? ???? local f = Log::get_filter(Signatures::LOG, "default"); > >>? ? ? ???? f$interv = 1 min; > >>? ? ? ???? Log::add_filter(Signatures::LOG, f); > >>? ? ? ???? } > >>? ? ? ??after run zeek? a see error. > >>? ? ? expression error in > >> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, > line > >>? ? ? 579: no such index (Log::all_streams[Log::id]) > >>? ? ? fatal error: errors occurred while initializing > >> > >>? ? ? The problem occurs in versions 3.0.1; 3.1.0-dev.376 > >> > >>? ? ? Thank you, for any help. > >> > >>? ? ? Adam > >>? ? ? 
Adam > >> > >> > >> > >> > >>? ? ? - - - - - - - - - - - - - - - - - - - - > >> > >>? ? ? H o s t i n g? ?z? ?d a r m o w y m? ?c e r t y f i k a t > e m ?S S > >>? ? ? L? ?z a? ?p o l o w e - k l a t k a . p l > >>? ? ? _______________________________________________ > >>? ? ? Zeek mailing list > >> zeek at zeek.org > > >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > >> > >> > >> > >> -- > >> Justin > > > > > > > > > > - - - - - - - - - - - - - - - - - - - - > > > > H o s t i n g? ?z? ?d a r m o w y m? ?c e r t y f i k a t e m? > ?S S L? ?z a? ?p o l o w e - k l a t k a . p l > > _______________________________________________ > > Zeek mailing list > > zeek at zeek.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > > > > > - - - - - - - - - - - - - - - - - - - - > > H o s t i n g? ?z? ?d a r m o w y m? ?c e r t y f i k a t e m ?S S > L? ?z a? ?p o l o w e - k l a t k a . p l > > > > -- > Justin - - - - - - - - - - - - - - - - - - - - H o s t i n g z d a r m o w y m c e r t y f i k a t e m S S L z a p o l o w e - k l a t k a . p l From adamp at os.pl Fri Jan 17 11:02:10 2020 From: adamp at os.pl (os) Date: Fri, 17 Jan 2020 20:02:10 +0100 Subject: [Zeek] Signatures::LOG - rotation In-Reply-To: <449dac95-2507-b2a1-2774-b74c3a937c31@os.pl> References: <32964fc1-64fb-e455-35f3-a760bd778627@os.pl> <71db1436-b354-458a-d5d3-40c14cec8b5a@os.pl> <449dac95-2507-b2a1-2774-b74c3a937c31@os.pl> Message-ID: <4c20b3f4-c03a-435b-e7f1-1ab1a1b0c40c@os.pl> hello, I changed the priority in the file and it looks like it works /usr/local/zeek/share/zeek/base/frameworks/signatures/main.zeek event zeek_init() &priority=5 { Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures"]); } Thank you for your? help and time W dniu 17.01.2020 o?16:47, os pisze: > very strange, becouse I didn't change priorities anywhere > > > W dniu 17.01.2020 o?15:27, Justin Azoff pisze: >> That still works for me.? 
The error you are getting is from add_filter >> failing to find a log stream with that ID, but?Log::create_stream is >> what creates that.? I can make it fail like that if I mess with the >> priorities, like >> >> event zeek_init() &priority=100 >> ? ? ?{ >> ? ? ?local f = Log::get_filter(DHCP::LOG, "default"); >> ? ? ?f$interv = 1 min; >> ? ? ?Log::add_filter(DHCP::LOG, f); >> ? ? ?} >> >> which makes that run before the >> >> event zeek_init() &priority=5 >> ? ? { >> ? ? Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, >> $path="dhcp"]); >> ? ? Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports); >> ? ? } >> >> in the dhcp script. >> >> but with the default priorities I can't see why that would fail. >> >> >> >> On Fri, Jan 17, 2020 at 9:00 AM os > >> wrote: >> >> hello, >> >> >> I did some tests and? something is wrong. >> please see the sample configuration >> >> ==> notice.zeek <== >> >> event zeek_init() >> ???? { >> ???? local f = Log::get_filter(Notice::LOG, "default"); >> ???? f$interv = 1 min; >> ???? Log::add_filter(Notice::LOG, f); >> ???? } >> >> ==> dhcp.zeek <== >> >> event zeek_init() >> ???? { >> ???? local f = Log::get_filter(DHCP::LOG, "default"); >> ???? f$interv = 1 min; >> ???? Log::add_filter(DHCP::LOG, f); >> ???? } >> >> ==> foo.sig <== >> signature foo { >> ?? ip-proto == tcp >> ?? tcp-state established,originator >> ?? event "hello" >> ?? payload /.*hello/ >> } >> >> ==> foo.zeek <== >> @load-sigs ./foo.sig >> event zeek_init() >> ?? ? ?{ >> ?? ? ?local f = Log::get_filter(Signatures::LOG, "default"); >> ?? ? ?f$interv = 30 secs; >> ?? ? ?Log::add_filter(Signatures::LOG, f); >> ?? ? ?} >> >> ==> start.zeek <== >> >> @load ./notice.zeek >> @load ./dhcp.zeek >> @load ./foo.zeek >> >> /usr/local/zeek/bin/zeek -r >> /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap? 
./start.zeek >> >> >> expression error in >> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line >> 579: no such index (Log::all_streams[Log::id]) >> fatal error: errors occurred while initializing >> >> when I make changes >> >> #@load ./notice.zeek >> @load ./dhcp.zeek >> @load ./foo.zeek >> >> or >> >> @load ./notice.zeek >> #@load ./dhcp.zeek >> @load ./foo.zeek >> >> or >> >> @load ./notice.zeek >> @load ./dhcp.zeek >> #@load ./foo.zeek >> >> >> no error occurs after running >> >> Adam >> >> >> W dniu 15.01.2020 o?23:30, os pisze: >> > Thank you for your response. >> > I did the test with your configuration and it works fine. >> > So I need to check my configuration carefully. >> > >> > Thank you for your time >> > >> > >> > >> > W dniu 15.01.2020 o?20:18, Justin Azoff pisze: >> >> How exactly are you reproducing that? >> >> >> >> I tried this: >> >> >> >> ==> foo.sig <== >> >> signature foo { >> >>? ? ip-proto == tcp >> >>? ? tcp-state established,originator >> >>? ? event "hello" >> >>? ? payload /.*hello/ >> >> } >> >> >> >> ==> foo.zeek <== >> >> @load-sigs ./foo.sig >> >> event zeek_init() >> >>? ? ? ?{ >> >>? ? ? ?local f = Log::get_filter(Signatures::LOG, "default"); >> >>? ? ? ?f$interv = 30 secs; >> >>? ? ? ?Log::add_filter(Signatures::LOG, f); >> >>? ? ? ?} >> >> >> >> and just running zeek foo.zeek and after making 2 connections a >> minute >> >> apart ended up with 2 rotated log files. >> >> >> >> >> >> On Wed, Jan 15, 2020 at 1:18 PM os > >> >> >> wrote: >> >> >> >>? ? ? hello members, >> >> >> >>? ? ? Please, can you help me >> >> >> >>? ? ? I have problem with log rotation for signature LOG (only) >> >> >> >>? ? ? when I use scripts , >> >> >> >>? ? ? event zeek_init() >> >>? ? ? ???? { >> >>? ? ? ???? local f = Log::get_filter(Signatures::LOG, >> "default"); >> >>? ? ? ???? f$interv = 1 min; >> >>? ? ? ???? Log::add_filter(Signatures::LOG, f); >> >>? ? ? ???? } >> >> >> >>? ? ? after run I have error. >> >> >> >>? ? ? 
expression error in >> >> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, >> line >> >>? ? ? 579: no such index (Log::all_streams[Log::id]) >> >>? ? ? fatal error: errors occurred while initializing >> >> >> >>? ? ? The problem occurs in versions 3.0.1; 3.1.0-dev.376 >> >> >> >>? ? ? Thank you , hello Zeek Team, >> >>? ? ? Please, can you help me >> >> >> >>? ? ? I have problem with log rotation for signature LOG (only) >> >>? ? ? when I use scripts , >> >>? ? ? event zeek_init() >> >>? ? ? ???? { >> >>? ? ? ???? local f = Log::get_filter(Signatures::LOG, "default"); >> >>? ? ? ???? f$interv = 1 min; >> >>? ? ? ???? Log::add_filter(Signatures::LOG, f); >> >>? ? ? ???? } >> >>? ? ? ??after run zeek? a see error. >> >>? ? ? expression error in >> >> /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, >> line >> >>? ? ? 579: no such index (Log::all_streams[Log::id]) >> >>? ? ? fatal error: errors occurred while initializing >> >> >> >>? ? ? The problem occurs in versions 3.0.1; 3.1.0-dev.376 >> >> >> >>? ? ? Thank you, for any help. >> >> >> >>? ? ? Adam >> >>? ? ? Adam >> >> >> >> >> >> >> >> >> >>? ? ? - - - - - - - - - - - - - - - - - - - - >> >> >> >>? ? ? H o s t i n g? ?z? ?d a r m o w y m? ?c e r t y f i k a t >> e m ?S S >> >>? ? ? L? ?z a? ?p o l o w e - k l a t k a . p l >> >>? ? ? _______________________________________________ >> >>? ? ? Zeek mailing list >> >> zeek at zeek.org > > >> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >> >> >> >> >> >> >> >> -- >> >> Justin >> > >> > >> > >> > >> > - - - - - - - - - - - - - - - - - - - - >> > >> > H o s t i n g? ?z? ?d a r m o w y m? ?c e r t y f i k a t e m >> ?S S L? ?z a? ?p o l o w e - k l a t k a . p l >> > _______________________________________________ >> > Zeek mailing list >> > zeek at zeek.org >> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >> >> >> >> >> >> - - - - - - - - - - - - - - - - - - - - >> >> H o s t i n g? ?z? ?d a r m o w y m? 
From mkg at vt.edu  Fri Jan 17 11:28:37 2020
From: mkg at vt.edu (Mark Gardner)
Date: Fri, 17 Jan 2020 14:28:37 -0500
Subject: [Zeek] how can i config bro to let it only capture and analyze http packages?
In-Reply-To: <5832443F-321E-4972-9977-A0ADFC59E1CD@corelight.com>
References: <5832443F-321E-4972-9977-A0ADFC59E1CD@corelight.com>
Message-ID:

Johanna,

On Wed, Oct 23, 2019 at 4:39 AM Johanna Amann wrote:
> Hi Mark,
>
> the old packages currently are still available at the old location
>
> https://software.opensuse.org//download.html?project=network%3Abro&package=bro
> / https://build.opensuse.org/package/show/network:bro/bro
>
> And just for reference - Zeek downloads moved to
>
> https://software.opensuse.org//download.html?project=security%3Azeek&package=zeek
> / https://build.opensuse.org/package/show/security:zeek/zeek

I was unsuccessful in installing a Zeek package after installing using the Debian packages from OBS. (I ended up installing from source.) The problem is that some files are missing from the Debian package(s) being built by OBS. (And Jan needs to make some changes to the Zeek package also.) Enclosed are some emails highlighting the issue and Justin's summary of what needs to be done to make installing Zeek packages using zeek-pkg work. I would appreciate it if you would look into the missing files in the Debian Zeek package(s) so that zeek-pkg works.

Mark
--
Mark Gardner

-------------- next part --------------
Date: Wed, 23 Oct 2019 09:32:36 -0700
From: mkgvt
To: J-Gras/bro-af_packet-plugin
Subject: [J-Gras/bro-af_packet-plugin] Can't install with bro-pkg (#13)

Installing using "bro-pkg install bro-af_packet-plugin" on bro v2.6.4 on Debian 10 installed by adding the repository and installing manually as per the instructions. (I also saw the same problem when installing on v.2.6.1. Finally gave up, compiled and installed by hand. Eventually it would be nice to have bro-pkg work.)

$ dpkg -l '*bro*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name              Version      Architecture Description
+++-=================-============-============-======================================================
ii  bro               2.6.4-0      amd64        Bro is a powerful framework for network analysis and s
ii  bro-core          2.6.4-0      amd64        Bro is a powerful framework for network analysis and s
ii  bro-pkg           1.5.2-1      all          Bro Package Manager
ii  broctl            2.6.4-0      amd64        Bro's interactive shell for operating Bro installation

$ uname -a
Linux zeekmgr 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux

$ dpkg -l linux-headers-4.19.0-6-amd64
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                         Version           Architecture Description
+++-============================-=================-============-=====================================
ii  linux-headers-4.19.0-6-amd64 4.19.67-2+deb10u1 amd64        Header files for Linux 4.19.0-6-amd64

$ cat /root/.bro-pkg/logs/bro-af_packet-plugin-build.log
=== STDERR ===
CMake Error at CMakeLists.txt:6 (include):
  include could not find load file:

    BroPlugin


CMake Warning at CMakeLists.txt:8 (find_package):
  By not providing "FindKernelHeaders.cmake" in CMAKE_MODULE_PATH this project
  has asked CMake to find a package configuration file provided by
  "KernelHeaders", but CMake did not find one.

  Could not find a package configuration file provided by "KernelHeaders" with
  any of the following names:

    KernelHeadersConfig.cmake
    kernelheaders-config.cmake

  Add the installation prefix of "KernelHeaders" to CMAKE_PREFIX_PATH or set
  "KernelHeaders_DIR" to a directory containing one of the above files.  If
  "KernelHeaders" provides a separate development package or SDK, be sure it
  has been installed.


CMake Error at CMakeLists.txt:22 (message):
  Kernel headers not found.


=== STDOUT ===
Build Directory     : build
Bro Source Directory:
-- The C compiler identification is GNU 8.3.0
-- The CXX compiler identification is GNU 8.3.0
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring incomplete, errors occurred!
See also "/root/.bro-pkg/testing/bro-af_packet-plugin/clones/bro-af_packet-plugin/build/CMakeFiles/CMakeOutput.log".

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/J-Gras/bro-af_packet-plugin/issues/13

-------------- next part --------------
From: Justin
To: J-Gras/bro-af_packet-plugin
Cc: mkgvt, Author

2.6.0 was the first version:

> - "make install" now installs Bro's include headers (and more) into
>   "--prefix" so that compiling plugins no longer needs access to a
>   source/build tree. For OS distributions, this also facilitates
>   creating "bro-devel" packages providing all files necessary to build
>   plugins.

If you installed from a package then bro_dist should be blank, you don't actually have the source tree. However, you should have the cmake_dir. It looks like there is an issue with the binary packages missing that directory:

```
root at 395583468d09:~# bro-config --cmake_dir
/opt/bro/share/bro/cmake
root at 395583468d09:~# ls /opt/bro/share/bro/cmake
ls: cannot access '/opt/bro/share/bro/cmake': No such file or directory
```

which is why your build is failing with

```
include could not find load file: BroPlugin
```

So, if Jan is able to fix the kernel headers issue for debian, but it looks like the binary packages are missing some files that should be present that make it impossible to currently build plugins against them :-(

In any case, none of this is a problem with bro-pkg.

--
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub:
https://github.com/J-Gras/bro-af_packet-plugin/issues/13#issuecomment-546394745

From justin at corelight.com  Fri Jan 17 11:59:36 2020
From: justin at corelight.com (Justin Azoff)
Date: Fri, 17 Jan 2020 14:59:36 -0500
Subject: [Zeek] Signatures::LOG - rotation
In-Reply-To: <4c20b3f4-c03a-435b-e7f1-1ab1a1b0c40c@os.pl>
References: <32964fc1-64fb-e455-35f3-a760bd778627@os.pl>
	<71db1436-b354-458a-d5d3-40c14cec8b5a@os.pl>
	<449dac95-2507-b2a1-2774-b74c3a937c31@os.pl>
	<4c20b3f4-c03a-435b-e7f1-1ab1a1b0c40c@os.pl>
Message-ID:

Ah, you should change yours to -5, don't modify the shipped scripts.

I think that change is correct though and that this is a bug in the signatures script.

running this, I can see that almost every script sets a priority of 5 for the zeek_init event:

    fgrep -r Log::create_str scripts/ -B 2|grep 'event zeek_init'

there are only 3 that don't:

scripts//base/frameworks/signatures/main.zeek-event zeek_init()
scripts//policy/files/x509/log-ocsp.zeek-event zeek_init()
scripts//policy/protocols/conn/known-hosts.zeek-event zeek_init()

which explains why you were having this problem.. without a priority the default is 0, and the two events will run in an undefined order.. for me they were running in the order that worked, for you they were running in the other order and you were hitting the bug.

On Fri, Jan 17, 2020 at 2:02 PM os wrote:
> hello,
>
> I changed the priority in the file and it looks like it works
>
> /usr/local/zeek/share/zeek/base/frameworks/signatures/main.zeek
>
> event zeek_init() &priority=5
>     {
>     Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures"]);
>     }
>
> Thank you for your help and time
>
> On 17.01.2020 at 16:47, os wrote:
> > very strange, because I didn't change priorities anywhere
> >
> > On 17.01.2020 at 15:27, Justin Azoff wrote:
> > > That still works for me. The error you are getting is from add_filter
> > > failing to find a log stream with that ID, but Log::create_stream is
> > > what creates that. I can make it fail like that if I mess with the
> > > priorities, like
> > >
> > > event zeek_init() &priority=100
> > >     {
> > >     local f = Log::get_filter(DHCP::LOG, "default");
> > >     f$interv = 1 min;
> > >     Log::add_filter(DHCP::LOG, f);
> > >     }
> > >
> > > which makes that run before the
> > >
> > > event zeek_init() &priority=5
> > >     {
> > >     Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]);
> > >     Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
> > >     }
> > >
> > > in the dhcp script.
> > >
> > > but with the default priorities I can't see why that would fail.
> > >
> > > On Fri, Jan 17, 2020 at 9:00 AM os wrote:
> > > > hello,
> > > >
> > > > I did some tests and something is wrong.
> > > > please see the sample configuration
> > > >
> > > > ==> notice.zeek <==
> > > >
> > > > event zeek_init()
> > > >     {
> > > >     local f = Log::get_filter(Notice::LOG, "default");
> > > >     f$interv = 1 min;
> > > >     Log::add_filter(Notice::LOG, f);
> > > >     }
> > > >
> > > > ==> dhcp.zeek <==
> > > >
> > > > event zeek_init()
> > > >     {
> > > >     local f = Log::get_filter(DHCP::LOG, "default");
> > > >     f$interv = 1 min;
> > > >     Log::add_filter(DHCP::LOG, f);
> > > >     }
> > > >
> > > > ==> foo.sig <==
> > > > signature foo {
> > > >     ip-proto == tcp
> > > >     tcp-state established,originator
> > > >     event "hello"
> > > >     payload /.*hello/
> > > > }
> > > >
> > > > ==> foo.zeek <==
> > > > @load-sigs ./foo.sig
> > > > event zeek_init()
> > > >     {
> > > >     local f = Log::get_filter(Signatures::LOG, "default");
> > > >     f$interv = 30 secs;
> > > >     Log::add_filter(Signatures::LOG, f);
> > > >     }
> > > >
> > > > ==> start.zeek <==
> > > >
> > > > @load ./notice.zeek
> > > > @load ./dhcp.zeek
> > > > @load ./foo.zeek
> > > >
> > > > /usr/local/zeek/bin/zeek -r /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap ./start.zeek
> > > >
> > > > expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
> > > > fatal error: errors occurred while initializing
> > > >
> > > > when I make changes
> > > >
> > > > #@load ./notice.zeek
> > > > @load ./dhcp.zeek
> > > > @load ./foo.zeek
> > > >
> > > > or
> > > >
> > > > @load ./notice.zeek
> > > > #@load ./dhcp.zeek
> > > > @load ./foo.zeek
> > > >
> > > > or
> > > >
> > > > @load ./notice.zeek
> > > > @load ./dhcp.zeek
> > > > #@load ./foo.zeek
> > > >
> > > > no error occurs after running
> > > >
> > > > Adam
> > > >
> > > > On 15.01.2020 at 23:30, os wrote:
> > > > > Thank you for your response.
> > > > > I did the test with your configuration and it works fine.
> > > > > So I need to check my configuration carefully.
> > > > >
> > > > > Thank you for your time
> > > > >
> > > > > On 15.01.2020 at 20:18, Justin Azoff wrote:
> > > > > > How exactly are you reproducing that?
> > > > > >
> > > > > > I tried this:
> > > > > >
> > > > > > ==> foo.sig <==
> > > > > > signature foo {
> > > > > >     ip-proto == tcp
> > > > > >     tcp-state established,originator
> > > > > >     event "hello"
> > > > > >     payload /.*hello/
> > > > > > }
> > > > > >
> > > > > > ==> foo.zeek <==
> > > > > > @load-sigs ./foo.sig
> > > > > > event zeek_init()
> > > > > >     {
> > > > > >     local f = Log::get_filter(Signatures::LOG, "default");
> > > > > >     f$interv = 30 secs;
> > > > > >     Log::add_filter(Signatures::LOG, f);
> > > > > >     }
> > > > > >
> > > > > > and just running zeek foo.zeek and after making 2 connections a minute
> > > > > > apart ended up with 2 rotated log files.
> > > > > >
> > > > > > On Wed, Jan 15, 2020 at 1:18 PM os wrote:
> > > > > > > hello members,
> > > > > > >
> > > > > > > Please, can you help me
> > > > > > >
> > > > > > > I have problem with log rotation for signature LOG (only)
> > > > > > >
> > > > > > > when I use scripts ,
> > > > > > >
> > > > > > > event zeek_init()
> > > > > > >     {
> > > > > > >     local f = Log::get_filter(Signatures::LOG, "default");
> > > > > > >     f$interv = 1 min;
> > > > > > >     Log::add_filter(Signatures::LOG, f);
> > > > > > >     }
> > > > > > >
> > > > > > > after run I have error.
> > > > > > >
> > > > > > > expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
> > > > > > > fatal error: errors occurred while initializing
> > > > > > >
> > > > > > > The problem occurs in versions 3.0.1; 3.1.0-dev.376
> > > > > > >
> > > > > > > Thank you , hello Zeek Team,
> > > > > > > Please, can you help me
> > > > > > >
> > > > > > > I have problem with log rotation for signature LOG (only)
> > > > > > > when I use scripts ,
> > > > > > > event zeek_init()
> > > > > > >     {
> > > > > > >     local f = Log::get_filter(Signatures::LOG, "default");
> > > > > > >     f$interv = 1 min;
> > > > > > >     Log::add_filter(Signatures::LOG, f);
> > > > > > >     }
> > > > > > > after run zeek a see error.
> > > > > > > expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
> > > > > > > fatal error: errors occurred while initializing
> > > > > > >
> > > > > > > The problem occurs in versions 3.0.1; 3.1.0-dev.376
> > > > > > >
> > > > > > > Thank you, for any help.
> > > > > > >
> > > > > > > Adam
> > > > > > > Adam
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Zeek mailing list
> > > > > > > zeek at zeek.org
> > > > > > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> > > > > >
> > > > > > --
> > > > > > Justin
> > >
> > > --
> > > Justin

--
Justin

From manyiant at 163.com  Tue Jan 21 18:42:37 2020
From: manyiant at 163.com (my)
Date: Wed, 22 Jan 2020 10:42:37 +0800 (CST)
Subject: [Zeek] Help, About Packet Filter
Message-ID: <593e71f.1ac0.16fcb21578c.Coremail.manyiant@163.com>

Hi friends:

I use restrict_filters to filter the traffic. but the settings did not take effect, all of the traffic was filtered. What should I do?

My script is as follows:

redef restrict_filters += {
    ["unmonitored host"] = "host 123.2.15.75"
};

I am looking forward to your reply. Thanks.
From akgraner at corelight.com  Fri Jan 24 07:32:26 2020
From: akgraner at corelight.com (Amber Graner)
Date: Fri, 24 Jan 2020 10:32:26 -0500
Subject: [Zeek] Intro to Installing and Configuring Zeek Webinar lead by Fatema Bannat Wala
Message-ID:

Hi all,

Fatema Bannat Wala will be leading "An introduction and walk through of the process of installing and configuring Zeek NSM" tomorrow, 24 January 2020 at 2pm pacific time.

If you are interested in this series that is being sponsored by Virtual Testing you can register at: https://zoom.us/webinar/register/WN_bcJH9kNcTy2DAkm86F2tpQ

Also if you or anyone you know is hosting a Zeek related webinar, workshop, meetup etc, please let me know so we can help promote and support your event.

Thanks,
~Amber

From justin at corelight.com  Thu Jan 23 08:15:22 2020
From: justin at corelight.com (Justin Azoff)
Date: Thu, 23 Jan 2020 11:15:22 -0500
Subject: [Zeek] Help, About Packet Filter
In-Reply-To: <593e71f.1ac0.16fcb21578c.Coremail.manyiant@163.com>
References: <593e71f.1ac0.16fcb21578c.Coremail.manyiant@163.com>
Message-ID:

Is your traffic encapsulated with vlan tags? Does changing the filter to

    vlan and host 123.2.15.75

work any better?

On Tue, Jan 21, 2020 at 9:44 PM my wrote:
> Hi friends:
>
> I use restrict_filters to filter the traffic. but the settings did not take effect, all of the traffic was filtered. What should I do?
>
> My script is as follows:
>
> redef restrict_filters += {
>     ["unmonitored host"] = "host 123.2.15.75"
> };
>
> I am looking forward to your reply. Thanks.

--
Justin

From brianallen at wustl.edu  Thu Jan 23 13:35:44 2020
From: brianallen at wustl.edu (Allen, Brian)
Date: Thu, 23 Jan 2020 21:35:44 +0000
Subject: [Zeek] Zeek and json output question
Message-ID: <5B0CA7D4-42FF-4344-B7F6-45E1B5A71B61@wustl.edu>

Hi All-

I want to run a test, but I don't want to use all my zeek cluster data. I do know how to output all my zeek logs in JSON output, but how can I output just a single log to JSON output (like the ftp.log)?

What I'm looking for: All the zeek logs output like normal (tab separated), PLUS the FTP log is output in JSON format as well. Can I break one out or is it all or nothing?

Thank you,
-Brian

________________________________
The materials in this message are private and may contain Protected Healthcare Information or other information of a sensitive nature. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.

From SHARRIS at hollywoodfl.org  Thu Jan 23 14:01:45 2020
From: SHARRIS at hollywoodfl.org (Scot Harris)
Date: Thu, 23 Jan 2020 22:01:45 +0000
Subject: [Zeek] Exfiltration of data
Message-ID:

Are there any specific packages for zeek or built in scripts that are used to identify exfiltration of data?

I have loaded the large file package.
But am looking for something that can be searched for specific file names when requested.

I see some data in the files logs as well as in the smb logs.

Looking for something that would identify the file, source, destination.

Thank you.

From neslog at gmail.com  Thu Jan 23 14:07:46 2020
From: neslog at gmail.com (Neslog)
Date: Thu, 23 Jan 2020 17:07:46 -0500
Subject: [Zeek] Exfiltration of data
In-Reply-To:
References:
Message-ID:

I have not seen much. I have modified files.log to include additional info for my needs. The f variable has a lot of info available.

On Thu, Jan 23, 2020 at 5:03 PM Scot Harris wrote:
> Are there any specific packages for zeek or built in scripts that are used
> to identify exfiltration of data?
>
> I have loaded the large file package.
>
> But am looking for something that can be searched for specific file names
> when requested.
>
> I see some data in the files logs as well as in the smb logs.
>
> Looking for something that would identify the file, source, destination.
>
> Thank you.

From Francois.Lachance at conexus.ca  Thu Jan 23 14:32:02 2020
From: Francois.Lachance at conexus.ca (Francois Lachance)
Date: Thu, 23 Jan 2020 22:32:02 +0000
Subject: [Zeek] BZAR (Bro/Zeek ATT&CK-based Analytics and Reporting)
Message-ID:

BZAR is a set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers and the File Extraction Framework to detect ATT&CK-like activity, raise notices, and write to the Notice Log.

https://github.com/mitre-attack/car/tree/master/implementations/bzar

Has anyone tried this? Anyone have any feedback on these scripts?

I have Security Onion in my environment and I am considering trying this. I just don't know where to start when it comes to installing and running custom scripts

Thanks!
Francois

This email (including attachments) is confidential, may be legally privileged or may contain information that is otherwise exempt from disclosure under applicable law. No waiver of confidentiality or privilege nor consent to disclosure may be inferred from the electronic nature or transmission of this communication. If you are not the intended recipient, your use, dissemination, copying or retention of this email is strictly prohibited. If you have received this email in error or are not a named recipient, please immediately notify the sender, by return email, and destroy all copies of the email in your possession.
________________________________
You are receiving this message because you are a valued member of Conexus Credit Union. If you no longer wish to receive commercial electronic messages from Conexus, Please reply to this email with "Unsubscribe" in the subject line. We will remove you from our distribution list within 10 business days of receipt.

From justin at corelight.com  Thu Jan 23 14:47:46 2020
From: justin at corelight.com (Justin Azoff)
Date: Thu, 23 Jan 2020 17:47:46 -0500
Subject: [Zeek] Zeek and json output question
In-Reply-To: <5B0CA7D4-42FF-4344-B7F6-45E1B5A71B61@wustl.edu>
References: <5B0CA7D4-42FF-4344-B7F6-45E1B5A71B61@wustl.edu>
Message-ID:

Yep!
Give this a try

event zeek_init()
    {
    Log::add_filter(FTP::LOG, [
        $name = "ftp-json",
        $path = "ftp_json",
        $config = table(["use_json"] = "T")
    ]);
    }

This package does this in a bit more advanced way:

https://github.com/J-Gras/add-json

On Thu, Jan 23, 2020 at 4:44 PM Allen, Brian wrote:
> Hi All-
>
> I want to run a test, but I don't want to use all my zeek cluster data. I
> do know how to output all my zeek logs in JSON output, but how can I output
> just a single log to JSON output (like the ftp.log)?
>
> What I'm looking for: All the zeek logs output like normal (tab
> separated), PLUS the FTP log is output in JSON format as well. Can I break
> one out or is it all or nothing?
>
> Thank you,
>
> -Brian

--
Justin
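The two filter tweaks discussed on this list (changing a stream's rotation interval, and adding a JSON copy of selected logs) combined into one script, as an added example that is not code from the thread, from Zeek, or from the add-json package. It applies Justin's advice from the Signatures::LOG rotation thread: the handler runs at &priority=-5 so that every Log::create_stream handler (priority 5, or the default 0 in the signatures script) has already run, and it checks Log::active_streams before touching a stream so a missing stream produces a Reporter warning instead of the "no such index" fatal error. The module name, the stream sets and the intervals are constructed sample values.

```zeek
# Added example, not part of the mailing list thread or of Zeek's own scripts.
module LogTweaks;

export {
    ## Streams that should additionally be written as JSON (constructed sample set).
    const json_streams: set[Log::ID] = { FTP::LOG, Signatures::LOG } &redef;

    ## Rotation interval to apply to each stream's "default" filter (constructed sample values).
    const rotation: table[Log::ID] of interval = {
        [Signatures::LOG] = 1 min,
        [Notice::LOG] = 1 min
    } &redef;
}

# Negative priority: runs after all the Log::create_stream handlers, whatever
# priority (5 or 0) the shipped scripts use, so the streams exist by now.
event zeek_init() &priority=-5
    {
    for ( id in rotation )
        {
        # Guard against the failure mode from the thread: a stream that was
        # never created cannot be looked up, so warn and skip instead of dying.
        if ( id !in Log::active_streams )
            {
            Reporter::warning(fmt("LogTweaks: stream %s is not active, not changing rotation", id));
            next;
            }

        local f = Log::get_filter(id, "default");
        f$interv = rotation[id];
        # Re-adding a filter with the same name replaces the existing one.
        Log::add_filter(id, f);
        }

    for ( id in json_streams )
        {
        if ( id !in Log::active_streams )
            {
            Reporter::warning(fmt("LogTweaks: stream %s is not active, not adding JSON copy", id));
            next;
            }

        local base = Log::get_filter(id, "default");
        # The default filter normally carries the stream's path (e.g. "ftp");
        # fall back to the stream ID if it uses a path function instead.
        local p = base?$path ? base$path : fmt("%s", id);

        # Second filter on the same stream: the tab-separated log stays as it
        # is, and a JSON file named <path>_json is written alongside it with
        # the same rotation interval as the default filter.
        Log::add_filter(id, [$name="json",
                             $path=fmt("%s_json", p),
                             $config=table(["use_json"] = "T"),
                             $interv=base$interv]);
        }
    }
```

Load it after the base scripts (for example `zeek -r trace.pcap logtweaks.zeek`) and both ftp.log and ftp_json.log are produced for FTP traffic, while signatures.log rotates every minute.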
From jan.grashoefer at gmail.com  Fri Jan 24 01:34:30 2020
From: jan.grashoefer at gmail.com (Jan Grashöfer)
Date: Fri, 24 Jan 2020 10:34:30 +0100
Subject: [Zeek] Zeek and json output question
In-Reply-To:
References: <5B0CA7D4-42FF-4344-B7F6-45E1B5A71B61@wustl.edu>
Message-ID: <5b5433e7-1d99-9273-2b61-0743774595dc@gmail.com>

On 23/01/2020 23:47, Justin Azoff wrote:
> This package does this in a bit more advanced way:
>
> https://github.com/J-Gras/add-json

If you want to use that package, the following enables JSON for FTP only:

redef Log::enable_all_json = F;
redef Log::include_json += {FTP::LOG};

Jan

From adamp at os.pl  Fri Jan 24 02:12:31 2020
From: adamp at os.pl (os)
Date: Fri, 24 Jan 2020 11:12:31 +0100
Subject: [Zeek] Signatures::LOG - rotation
In-Reply-To:
References: <32964fc1-64fb-e455-35f3-a760bd778627@os.pl>
	<71db1436-b354-458a-d5d3-40c14cec8b5a@os.pl>
	<449dac95-2507-b2a1-2774-b74c3a937c31@os.pl>
	<4c20b3f4-c03a-435b-e7f1-1ab1a1b0c40c@os.pl>
Message-ID: <9dac5086-7e89-ef3e-f0a0-13a80c0c64ea@os.pl>

hello,

Another problem with the log file format - default settings

ntp-20-01-24_10.22.34.log
notice.2020-01-24-10-23-00.log

Thank you for your help and time

On 17.01.2020 at 20:59, Justin Azoff wrote:
> Ah, you should change yours to -5, don't modify the shipped scripts.
>
> I think that change is correct though and that this is a bug in the
> signatures script.
>
> running this, I can see that almost every script sets a priority of 5
> for the zeek_init event:
>
>     fgrep -r Log::create_str scripts/ -B 2|grep 'event zeek_init'
>
> there are only 3 that don't:
>
> scripts//base/frameworks/signatures/main.zeek-event zeek_init()
> scripts//policy/files/x509/log-ocsp.zeek-event zeek_init()
> scripts//policy/protocols/conn/known-hosts.zeek-event zeek_init()
>
> which explains why you were having this problem..
> without a priority
> the default is 0, and the two events will run in an undefined order..
> for me they were running in the order that worked, for you they were
> running in the other order and you were hitting the bug.
>
> On Fri, Jan 17, 2020 at 2:02 PM os wrote:
>
>     hello,
>
>     I changed the priority in the file and it looks like it works
>
>     /usr/local/zeek/share/zeek/base/frameworks/signatures/main.zeek
>
>     event zeek_init() &priority=5
>         {
>         Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures"]);
>         }
>
>     Thank you for your help and time
>
> --
> Justin

From 0psec1 at protonmail.com  Fri Jan 24 10:08:39 2020
From: 0psec1 at protonmail.com (Virgil)
Date: Fri, 24 Jan 2020 18:08:39 +0000
Subject: [Zeek] Adding connection data to the SSL log
Message-ID: <-OBkPuJyi0pJqKEofNQA0ciPVB6OTuFk_198QKfKu5IaqyBbDmKcjKn5xCsx3oOIB7RXB0y_Y3ffvV-2B5TWJaOTY__Tu7w30EFmretYwlw=@protonmail.com>

Hello Zeek community,

I'm trying to add connection data including duration, orig_bytes, and resp_bytes to some of the logs that don't usually have these fields. Keying off of the connection_state_remove event, I'm able to add the fields to some logs, such as RDP, but I'm having trouble adding the fields to the SSL log. When I run my script against different pcap files containing SSL traffic, the desired fields appear in the log but aren't populated. Putting a "print c$ssl;" in the script shows that at least when the script is running, the fields appear to be populated correctly, but somehow aren't then written to the SSL log. The logic of the script that works to populate these fields successfully in the RDP log doesn't appear to work the same for the SSL log.
Would appreciate any help you can provide. Thank you kindly.

export {
    redef record SSL::Info += {
        duration: interval &log &optional;
        orig_ip_bytes: count &log &optional;
        resp_ip_bytes: count &log &optional;
    };
}

event connection_state_remove (c: connection)
    {
    if ( ! c?$ssl ) return;
    if ( c?$ssl && c?$duration ){
        c$ssl$duration = c$duration;
    }
    if ( c?$ssl && c$conn?$orig_ip_bytes ){
        c$ssl$orig_ip_bytes = c$conn$orig_ip_bytes;
    }
    if ( c?$ssl && c$conn?$resp_ip_bytes ){
        c$ssl$resp_ip_bytes = c$conn$resp_ip_bytes;
    }
    #print c$ssl;
    }

From smoot at corelight.com Fri Jan 24 15:26:02 2020
From: smoot at corelight.com (Steve Smoot)
Date: Fri, 24 Jan 2020 15:26:02 -0800
Subject: [Zeek] Adding connection data to the SSL log
In-Reply-To: <-OBkPuJyi0pJqKEofNQA0ciPVB6OTuFk_198QKfKu5IaqyBbDmKcjKn5xCsx3oOIB7RXB0y_Y3ffvV-2B5TWJaOTY__Tu7w30EFmretYwlw=@protonmail.com>
References: <-OBkPuJyi0pJqKEofNQA0ciPVB6OTuFk_198QKfKu5IaqyBbDmKcjKn5xCsx3oOIB7RXB0y_Y3ffvV-2B5TWJaOTY__Tu7w30EFmretYwlw=@protonmail.com>
Message-ID:

SSL doesn't write its log on connection_state_remove, you'll want hook ssl_finishing instead

-s

On Fri, Jan 24, 2020 at 10:11 AM Virgil <0psec1 at protonmail.com> wrote:
>
> Hello Zeek community,
> I'm trying to add connection data including duration, orig_bytes, and resp_bytes to some of the logs that don't usually have these fields. Keying off of the connection_state_remove event, I'm able to add the fields to some logs, such as RDP, but I'm having trouble adding the fields to the SSL log. When I run my script against different pcap files containing SSL traffic, the desired fields appear in the log but aren't populated. Putting a "print c$ssl;" in the script shows that at least when the script is running, the fields appear to be populated correctly, but somehow aren't then written to the SSL log. The logic of the script that works to populate these fields successfully in the RDP log doesn't appear to work the same for the SSL log. Would appreciate any help you can provide. Thank you kindly.
>
> export {
>     redef record SSL::Info += {
>         duration: interval &log &optional;
>         orig_ip_bytes: count &log &optional;
>         resp_ip_bytes: count &log &optional;
>     };
> }
>
> event connection_state_remove (c: connection)
>     {
>     if ( ! c?$ssl ) return;
>     if ( c?$ssl && c?$duration ){
>         c$ssl$duration = c$duration;
>     }
>     if ( c?$ssl && c$conn?$orig_ip_bytes ){
>         c$ssl$orig_ip_bytes = c$conn$orig_ip_bytes;
>     }
>     if ( c?$ssl && c$conn?$resp_ip_bytes ){
>         c$ssl$resp_ip_bytes = c$conn$resp_ip_bytes;
>     }
>     #print c$ssl;
>     }
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

--
Stephen R. Smoot, PhD
VP, Customer Success
Corelight

From joeylord at gmail.com Sun Jan 26 16:37:51 2020
From: joeylord at gmail.com (Joey Lord)
Date: Sun, 26 Jan 2020 19:37:51 -0500
Subject: [Zeek] BinPAC quickstart
Message-ID:

Hi all!

So, I had the pleasure of trying to do an analyzer lately and many thanks to Jon Schipp for his online tutorials on how to write an analyzer using BinPac (https://www.youtube.com/watch?v=eZAgqSFd9-c) and Vlad Grigorescu's Binpac Quickstart (https://github.com/grigorescu/binpac_quickstart) which took care of the boilerplate coding.

Unfortunately, with Zeek's new name, binpac_quickstart no longer creates the right file extensions and won't let you compile your plugin if you used binpac_quickstart with your plugin.

I made the necessary changes to binpac_quickstart so that it works under the new name Zeek. I did submit some commits on Vlad's binpac_quickstart but they haven't been accepted yet.

For those who seek a solution, here is my repo of binpac_quickstart which is forked from Vlad, with all the changes that will allow you to use it under the new name.
https://github.com/g0nzu1/binpac_quickstart

I just thought I would share with the community since I thought working with Binpac and Zeek was a very powerful combo, although kind of hard to find info since Binpac (HILTI/Spicy) is still in development. I wouldn't want to see the integration of HILTI/Spicy slow down because of simple stuff like this.

Cheers and happy coding!

G0nZu1

From adamp at os.pl Mon Jan 27 01:26:27 2020
From: adamp at os.pl (os)
Date: Mon, 27 Jan 2020 10:26:27 +0100
Subject: [Zeek] Signatures::LOG - rotation
In-Reply-To: <9dac5086-7e89-ef3e-f0a0-13a80c0c64ea@os.pl>
References: <32964fc1-64fb-e455-35f3-a760bd778627@os.pl> <71db1436-b354-458a-d5d3-40c14cec8b5a@os.pl> <449dac95-2507-b2a1-2774-b74c3a937c31@os.pl> <4c20b3f4-c03a-435b-e7f1-1ab1a1b0c40c@os.pl> <9dac5086-7e89-ef3e-f0a0-13a80c0c64ea@os.pl>
Message-ID:

I'm a bit confused and I don't understand why this is happening.

I changed default_rotation_date_format:

redef Log::default_rotation_date_format="%y-%m-%d_%H.%M.%S";

and the output log files have a different format, which in turn generates an error:

signatures.20-01-24_10.23.00.log
notice-20-01-24_10.22.34.log

/bin/mv: cannot stat 'signatures-20-01-24_10.23.00.log': No such file or director

disable

#redef Log::default_rotation_date_format="%y-%m-%d_%H.%M.%S";

default settings

Log::default_rotation_date_format
Type:       string
Attributes: &redef
Default:    "%Y-%m-%d-%H-%M-%S"

output file:

dns-20-01-24_10.22.44.log
ntp-20-01-24_10.22.34.log
signatures.2020-01-24-10-23-00.log
notice-20-01-24_10.22.34.log
ntp-20-01-24_10.23.00.log
weird-20-01-24_10.22.34.log

and error

/bin/mv: cannot stat 'signatures-20-01-24_10.23.00.log': No such file or directory

what does the output file format depend on, once it is "-" and once it is "."

Thank you for answers.
Adam

On 24.01.2020 at 11:12, os wrote:
> hello,
>
> Another problem with the log file format - default settings
> ntp-20-01-24_10.22.34.log
> notice.2020-01-24-10-23-00.log
>
> Thank you for your help and time
>
>
> On 17.01.2020 at 20:59, Justin Azoff wrote:
>> Ah, you should change yours to -5, don't modify the shipped scripts.
>>
>> I think that change is correct though and that this is a bug in the
>> signatures script.
>>
>> running this, I can see that almost every script sets a priority of 5
>> for the zeek_init event:
>>
>>     fgrep -r Log::create_str scripts/ -B 2|grep 'event zeek_init'
>>
>> there are only 3 that don't:
>>
>> scripts//base/frameworks/signatures/main.zeek-event zeek_init()
>> scripts//policy/files/x509/log-ocsp.zeek-event zeek_init()
>> scripts//policy/protocols/conn/known-hosts.zeek-event zeek_init()
>>
>> which explains why you were having this problem.. without a priority
>> the default is 0, and the two events will run in an undefined order..
>> for me they were running in the order that worked, for you they were
>> running in the other order and you were hitting the bug.
>>
>>
>> On Fri, Jan 17, 2020 at 2:02 PM os wrote:
>>
>> hello,
>>
>> I changed the priority in the file and it looks like it works
>>
>> /usr/local/zeek/share/zeek/base/frameworks/signatures/main.zeek
>>
>> event zeek_init() &priority=5
>>     {
>>     Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures"]);
>>     }
>>
>>
>> Thank you for your help and time
>>
>>
>> On 17.01.2020 at 16:47, os wrote:
>> > very strange, because I didn't change priorities anywhere
>> >
>> >
>> > On 17.01.2020 at 15:27, Justin Azoff wrote:
>> >> That still works for me.  The error you are getting is from add_filter
>> >> failing to find a log stream with that ID, but Log::create_stream is
>> >> what creates that.  I can make it fail like that if I mess with the
>> >> priorities, like
>> >>
>> >> event zeek_init() &priority=100
>> >>        {
>> >>        local f = Log::get_filter(DHCP::LOG, "default");
>> >>        f$interv = 1 min;
>> >>        Log::add_filter(DHCP::LOG, f);
>> >>        }
>> >>
>> >> which makes that run before the
>> >>
>> >> event zeek_init() &priority=5
>> >>       {
>> >>       Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]);
>> >>       Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
>> >>       }
>> >>
>> >> in the dhcp script.
>> >>
>> >> but with the default priorities I can't see why that would fail.
>> >>
>> >>
>> >> On Fri, Jan 17, 2020 at 9:00 AM os wrote:
>> >>
>> >>      hello,
>> >>
>> >>      I did some tests and something is wrong.
>> >>      please see the sample configuration
>> >>
>> >>      ==> notice.zeek <==
>> >>
>> >>      event zeek_init()
>> >>          {
>> >>          local f = Log::get_filter(Notice::LOG, "default");
>> >>          f$interv = 1 min;
>> >>          Log::add_filter(Notice::LOG, f);
>> >>          }
>> >>
>> >>      ==> dhcp.zeek <==
>> >>
>> >>      event zeek_init()
>> >>          {
>> >>          local f = Log::get_filter(DHCP::LOG, "default");
>> >>          f$interv = 1 min;
>> >>          Log::add_filter(DHCP::LOG, f);
>> >>          }
>> >>
>> >>      ==> foo.sig <==
>> >>      signature foo {
>> >>        ip-proto == tcp
>> >>        tcp-state established,originator
>> >>        event "hello"
>> >>        payload /.*hello/
>> >>      }
>> >>
>> >>      ==> foo.zeek <==
>> >>      @load-sigs ./foo.sig
>> >>      event zeek_init()
>> >>          {
>> >>          local f = Log::get_filter(Signatures::LOG, "default");
>> >>          f$interv = 30 secs;
>> >>          Log::add_filter(Signatures::LOG, f);
>> >>          }
>> >>
>> >>      ==> start.zeek <==
>> >>
>> >>      @load ./notice.zeek
>> >>      @load ./dhcp.zeek
>> >>      @load ./foo.zeek
>> >>
>> >>      /usr/local/zeek/bin/zeek -r /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap ./start.zeek
>> >>
>> >>      expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
>> >>      fatal error: errors occurred while initializing
>> >>
>> >>      when I make changes
>> >>
>> >>      #@load ./notice.zeek
>> >>      @load ./dhcp.zeek
>> >>      @load ./foo.zeek
>> >>
>> >>      or
>> >>
>> >>      @load ./notice.zeek
>> >>      #@load ./dhcp.zeek
>> >>      @load ./foo.zeek
>> >>
>> >>      or
>> >>
>> >>      @load ./notice.zeek
>> >>      @load ./dhcp.zeek
>> >>      #@load ./foo.zeek
>> >>
>> >>      no error occurs after running
>> >>
>> >>      Adam
>> >>
>> >>      On 15.01.2020 at 23:30, os wrote:
>> >>      > Thank you for your response.
>> >>      > I did the test with your configuration and it works fine.
>> >>      > So I need to check my configuration carefully.
>> >>      >
>> >>      > Thank you for your time
>> >>      >
>> >>      > On 15.01.2020 at 20:18, Justin Azoff wrote:
>> >>      >> How exactly are you reproducing that?
>> >>      >>
>> >>      >> I tried this:
>> >>      >>
>> >>      >> ==> foo.sig <==
>> >>      >> signature foo {
>> >>      >>    ip-proto == tcp
>> >>      >>    tcp-state established,originator
>> >>      >>    event "hello"
>> >>      >>    payload /.*hello/
>> >>      >> }
>> >>      >>
>> >>      >> ==> foo.zeek <==
>> >>      >> @load-sigs ./foo.sig
>> >>      >> event zeek_init()
>> >>      >>        {
>> >>      >>        local f = Log::get_filter(Signatures::LOG, "default");
>> >>      >>        f$interv = 30 secs;
>> >>      >>        Log::add_filter(Signatures::LOG, f);
>> >>      >>        }
>> >>      >>
>> >>      >> and just running zeek foo.zeek and after making 2 connections a minute
>> >>      >> apart ended up with 2 rotated log files.
>> >>      >>
>> >>      >> On Wed, Jan 15, 2020 at 1:18 PM os wrote:
>> >>      >>
>> >>      >>      hello members,
>> >>      >>
>> >>      >>      Please, can you help me
>> >>      >>
>> >>      >>      I have a problem with log rotation for signature LOG (only)
>> >>      >>
>> >>      >>      when I use scripts,
>> >>      >>
>> >>      >>      event zeek_init()
>> >>      >>          {
>> >>      >>          local f = Log::get_filter(Signatures::LOG, "default");
>> >>      >>          f$interv = 1 min;
>> >>      >>          Log::add_filter(Signatures::LOG, f);
>> >>      >>          }
>> >>      >>
>> >>      >>      after running I get an error.
>> >>      >>
>> >>      >>      expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
>> >>      >>      fatal error: errors occurred while initializing
>> >>      >>
>> >>      >>      The problem occurs in versions 3.0.1; 3.1.0-dev.376
>> >>      >>
>> >>      >>      Thank you, hello Zeek Team,
>> >>      >>      Please, can you help me
>> >>      >>
>> >>      >>      I have a problem with log rotation for signature LOG (only)
>> >>      >>      when I use scripts,
>> >>      >>      event zeek_init()
>> >>      >>          {
>> >>      >>          local f = Log::get_filter(Signatures::LOG, "default");
>> >>      >>          f$interv = 1 min;
>> >>      >>          Log::add_filter(Signatures::LOG, f);
>> >>      >>          }
>> >>      >>      after running zeek I see the error.
>> >>      >>      expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
>> >>      >>      fatal error: errors occurred while initializing
>> >>      >>
>> >>      >>      The problem occurs in versions 3.0.1; 3.1.0-dev.376
>> >>      >>
>> >>      >>      Thank you for any help.
>> >>      >>
>> >>      >>      Adam
>> >>      >>
>> >>      >> --
>> >>      >> Justin
>> >>
>> >> --
>> >> Justin
>>
>> --
>> Justin

From clopmz at outlook.com Mon Jan 27 01:41:52 2020
From: clopmz at outlook.com (Carlos Lopez)
Date: Mon, 27 Jan 2020 09:41:52 +0000
Subject: [Zeek] Zeek status under OpenBSD
Message-ID:

Good morning,

Can anyone tell me if installing Zeek under OpenBSD 6.6 is feasible? I see that there is an open bug, https://github.com/actor-framework/actor-framework/pull/955.

Regards,
C. L. Martinez

From 0psec1 at protonmail.com Mon Jan 27 05:38:04 2020
From: 0psec1 at protonmail.com (Virgil)
Date: Mon, 27 Jan 2020 13:38:04 +0000
Subject: [Zeek] Adding connection data to the SSL log
In-Reply-To:
References: <-OBkPuJyi0pJqKEofNQA0ciPVB6OTuFk_198QKfKu5IaqyBbDmKcjKn5xCsx3oOIB7RXB0y_Y3ffvV-2B5TWJaOTY__Tu7w30EFmretYwlw=@protonmail.com>
Message-ID:

Unfortunately, hook ssl_finishing doesn't appear to work for this either. Creating an entirely new log and using the connection_state_remove event, the connection data and SSL::Info fields can both be written, but this is not ideal due to duplication of data (and possibly missing additional field values in SSL:Info, if the log is written later than connection_state_remove?)

Sent with ProtonMail Secure Email.

------- Original Message -------
On Friday, January 24, 2020 6:26 PM, Steve Smoot wrote:

> SSL doesn't write its log on connection_state_remove, you'll want hook
> ssl_finishing instead
> -s
>
> On Fri, Jan 24, 2020 at 10:11 AM Virgil 0psec1 at protonmail.com wrote:
>
> > Hello Zeek community,
> > I'm trying to add connection data including duration, orig_bytes, and resp_bytes to some of the logs that don't usually have these fields. Keying off of the connection_state_remove event, I'm able to add the fields to some logs, such as RDP, but I'm having trouble adding the fields to the SSL log. When I run my script against different pcap files containing SSL traffic, the desired fields appear in the log but aren't populated. Putting a "print c$ssl;" in the script shows that at least when the script is running, the fields appear to be populated correctly, but somehow aren't then written to the SSL log. The logic of the script that works to populate these fields successfully in the RDP log doesn't appear to work the same for the SSL log. Would appreciate any help you can provide. Thank you kindly.
> > export {
> > redef record SSL::Info += {
> > duration: interval &log &optional;
> > orig_ip_bytes: count &log &optional;
> > resp_ip_bytes: count &log &optional;
> > };
> > }
> > event connection_state_remove (c: connection)
> > {
> > if ( ! c?$ssl ) return;
> > if ( c?$ssl && c?$duration ){
> > c$ssl$duration = c$duration;
> > }
> > if ( c?$ssl && c$conn?$orig_ip_bytes ){
> > c$ssl$orig_ip_bytes = c$conn$orig_ip_bytes;
> > }
> > if ( c?$ssl && c$conn?$resp_ip_bytes ){
> > c$ssl$resp_ip_bytes = c$conn$resp_ip_bytes;
> > }
> > #print c$ssl;
> > }
> >
> > Zeek mailing list
> > zeek at zeek.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
> --
>
> Stephen R. Smoot, PhD
> VP, Customer Success
> Corelight

From vlad at es.net Mon Jan 27 07:07:05 2020
From: vlad at es.net (Vlad Grigorescu)
Date: Mon, 27 Jan 2020 15:07:05 +0000
Subject: [Zeek] BinPAC quickstart
In-Reply-To:
References:
Message-ID:

Hi Joey,

Thank you! My apologies for having your pull request sitting for so long; somehow GitHub did not notify me about it. There were a couple of other pull requests sitting there, which I accepted. Unfortunately, your pull request did not apply cleanly anymore, but I made your changes to master.

I'm using this as an opportunity to give the project some much-needed TLC, so stay tuned for some further changes...

--Vlad

On Mon, Jan 27, 2020 at 12:46 AM Joey Lord wrote:

> Hi all!
>
> So, I had the pleasure of trying to do an analyzer lately and many thanks
> to Jon Schipp for his online tutorials on how to write an analyzer using
> BinPac (https://www.youtube.com/watch?v=eZAgqSFd9-c) and Vlad
> Grigorescu's Binpac Quickstart (
> https://github.com/grigorescu/binpac_quickstart) which took care of the
> boilerplate coding.
>
> Unfortunately, with Zeek's new name, binpac_quickstart no longer creates
> the right file extensions and won't let you compile your plugin if you used
> binpac_quickstart with your plugin.
>
> I made the necessary changes to binpac_quickstart so that it works
> under the new name Zeek. I did submit some commits on Vlad's
> binpac_quickstart but they haven't been accepted yet.
>
> For those who seek a solution, here is my repo of binpac_quickstart which
> is forked from Vlad, with all the changes that will allow you to use it
> under the new name.
>
> https://github.com/g0nzu1/binpac_quickstart
>
> I just thought I would share with the community since I thought working with
> Binpac and Zeek was a very powerful combo, although kind of hard to find
> info since Binpac (HILTI/Spicy) is still in development. I wouldn't want to
> see the integration of HILTI/Spicy slow down because of simple stuff like
> this.
>
> Cheers and happy coding!
>
> G0nZu1
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From jsiwek at corelight.com Mon Jan 27 09:33:51 2020
From: jsiwek at corelight.com (Jon Siwek)
Date: Mon, 27 Jan 2020 09:33:51 -0800
Subject: [Zeek] Zeek status under OpenBSD
In-Reply-To:
References:
Message-ID:

On Mon, Jan 27, 2020 at 1:50 AM Carlos Lopez wrote:

> Can anyone tell me if installing Zeek under OpenBSD 6.6 is feasible?

Zeek 3.0.1 should build there, but I've only tested briefly myself. OpenBSD isn't an officially supported platform and not regularly tested so you might expect more frequent (but usually minor) breakages compared to other platforms. Patches to fix OpenBSD portability have historically been accepted whenever necessary.

> I see that there is an open bug, https://github.com/actor-framework/actor-framework/pull/955.

That, and related issues it mentioned, were addressed in Zeek 3.0.1.

- Jon

From shirkdog.bsd at gmail.com Mon Jan 27 10:01:31 2020
From: shirkdog.bsd at gmail.com (Michael Shirk)
Date: Mon, 27 Jan 2020 13:01:31 -0500
Subject: [Zeek] Zeek status under OpenBSD
In-Reply-To:
References:
Message-ID:

I will take a look on OpenBSD Current. If anything, the port/pkg may need to be updated. I know the DEV who was using it and helped get the port updated moved onto other work.

--
Michael Shirk
Daemon Security, Inc.
https://www.daemon-security.com

On Mon, Jan 27, 2020, 12:53 Jon Siwek wrote:

> On Mon, Jan 27, 2020 at 1:50 AM Carlos Lopez wrote:
>
> > Can anyone tell me if installing Zeek under OpenBSD 6.6 is feasible?
>
> Zeek 3.0.1 should build there, but I've only tested briefly myself.
> OpenBSD isn't an officially supported platform and not regularly
> tested so you might expect more frequent (but usually minor) breakages
> compared to other platforms. Patches to fix OpenBSD portability have
> historically been accepted whenever necessary.
>
> > I see that there is an open bug,
> > https://github.com/actor-framework/actor-framework/pull/955.
>
> That, and related issues it mentioned, were addressed in Zeek 3.0.1.
>
> - Jon
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From akgraner at corelight.com Mon Jan 27 11:39:06 2020
From: akgraner at corelight.com (Amber Graner)
Date: Mon, 27 Jan 2020 14:39:06 -0500
Subject: [Zeek] Upcoming ASK THE ZEEKSPERTS webinar - hosted by ROBIN SOMMER - 30 January 2020
Message-ID:

Hi all,

Robin Sommer will be hosting the next ASK THE ZEEKSPERTS webinar on 30 January 2020 at 12:30pm PST/3:30pm EST. These webinars are free but registration is required. Below is the registration link:

http://bit.ly/ATZ_30Jan2020

If you are attending the webinar and would like to send in your questions ahead of the call, please feel free to add them to the following webform:

http://bit.ly/ATZ-Questions

Please let me know if you have any questions.

Thanks,
~Amber

From brittany.donowho at nrl.navy.mil Mon Jan 27 12:03:06 2020
From: brittany.donowho at nrl.navy.mil (Brittany Donowho)
Date: Mon, 27 Jan 2020 15:03:06 -0500
Subject: [Zeek] Configuring with PF_RING
Message-ID: <79963D5E-A92F-453D-AA77-A5B6A505C998@nrl.navy.mil>

To anybody integrating PF_RING with Zeek - in some cases flags are necessary for Zeek's configuration to work properly:

LDFLAGS="-lpfring -lpcap" ./configure --with-pcap={ path_to_lib/libpcap }

FYI this info is not in the zeek docs, but it is in ntop's docs: https://www.ntop.org/guides/pf_ring/thirdparty/bro.html

Best,
Brittany Donowho
US Naval Research Laboratory

From johanna at corelight.com Wed Jan 29 15:01:58 2020
From: johanna at corelight.com (Johanna Amann)
Date: Wed, 29 Jan 2020 15:01:58 -0800
Subject: [Zeek] Adding connection data to the SSL log
In-Reply-To:
References: <-OBkPuJyi0pJqKEofNQA0ciPVB6OTuFk_198QKfKu5IaqyBbDmKcjKn5xCsx3oOIB7RXB0y_Y3ffvV-2B5TWJaOTY__Tu7w30EFmretYwlw=@protonmail.com>
Message-ID: <3401D174-CAD7-4A1F-A009-31818938566A@corelight.com>

Hi Virgil,

first - note that the accuracy of this response depends a bit on the Zeek version that you are running. I assume that you are running Zeek 3.0 for this.

What you are trying to do here is a bit more complex for SSL than for a lot of other protocols. The reason for this is that, unlike for a lot of other protocols, the ssl.log typically is not written at the end of the connection. Instead it is written when the connection switches to be encrypted - because after that time we cannot read any more information that typically would make it into ssl.log.

So - Smoot is correct that - typically - you would use the ssl_finishing hook to change the ssl log files.
However, in this specific case you cannot use it because the information that you want is only available at the end of the connection.

Funnily what you want to achieve here is surprisingly difficult since we did not foresee this specific use-case. For up to 15 seconds of delay, you can use delay-tokens (which are another special case of the ssl logs). However, these are not really enough in this case.

You already came up with a workable solution - which is creating an entirely new log. It is also possible to just disable the logging mechanism that is used by the ssl scripts - and instead use your own logging. Note that this is kind of hack-ish and I am not really sure I would recommend it.

In any case, you could do something along these lines:

export {
    redef record SSL::Info += {
        duration: interval &log &optional;
        orig_ip_bytes: count &log &optional;
        resp_ip_bytes: count &log &optional;
    };
}

event ssl_established(c: connection) &priority=-4
    {
    # pretend that this record already was logged.
    c$ssl$logged = T;
    }

# Starting at 3.1.0-dev.282, we switch to successful_connection_remove
@if ( Version::at_least("3.1.0") && ( Version::info$beta == T || Version::info$commit == 0 || Version::info$commit >= 282 ) )
event successful_connection_remove(c: connection) &priority=-4
@else
event connection_state_remove(c: connection) &priority=-4
@endif
    {
    if ( ! c?$ssl )
        return;

    if ( c?$ssl && c?$duration )
        c$ssl$duration = c$duration;
    if ( c?$ssl && c$conn?$orig_ip_bytes )
        c$ssl$orig_ip_bytes = c$conn$orig_ip_bytes;
    if ( c?$ssl && c$conn?$resp_ip_bytes )
        c$ssl$resp_ip_bytes = c$conn$resp_ip_bytes;

    # let it be logged by the event with priority -5
    c$ssl$logged = F;
    }

Johanna

On 27 Jan 2020, at 5:38, Virgil wrote:

> Unfortunately, hook ssl_finishing doesn't appear to work for this
> either. Creating an entirely new log and using the
> connection_state_remove event, the connection data and SSL::Info
> fields can both be written, but this is not ideal due to duplication
> of data (and possibly missing additional field values in SSL:Info, if
> the log is written later than connection_state_remove?)
>
>
> Sent with ProtonMail Secure Email.
>
> ------- Original Message -------
> On Friday, January 24, 2020 6:26 PM, Steve Smoot
> wrote:
>
>> SSL doesn't write its log on connection_state_remove, you'll want
>> hook
>> ssl_finishing instead
>> -s
>>
>> On Fri, Jan 24, 2020 at 10:11 AM Virgil 0psec1 at protonmail.com wrote:
>>
>>> Hello Zeek community,
>>> I'm trying to add connection data including duration, orig_bytes,
>>> and resp_bytes to some of the logs that don't usually have these
>>> fields. Keying off of the connection_state_remove event, I'm able to
>>> add the fields to some logs, such as RDP, but I'm having trouble
>>> adding the fields to the SSL log. When I run my script against
>>> different pcap files containing SSL traffic, the desired fields
>>> appear in the log but aren't populated. Putting a "print c$ssl;" in
>>> the script shows that at least when the script is running, the
>>> fields appear to be populated correctly, but somehow aren't then
>>> written to the SSL log. The logic of the script that works to
>>> populate these fields successfully in the RDP log doesn't appear to
>>> work the same for the SSL log. Would appreciate any help you can
>>> provide. Thank you kindly.
>>> export {
>>> redef record SSL::Info += {
>>> duration: interval &log &optional;
>>> orig_ip_bytes: count &log &optional;
>>> resp_ip_bytes: count &log &optional;
>>> };
>>> }
>>> event connection_state_remove (c: connection)
>>> {
>>> if ( ! c?$ssl ) return;
>>> if ( c?$ssl && c?$duration ){
>>> c$ssl$duration = c$duration;
>>> }
>>> if ( c?$ssl && c$conn?$orig_ip_bytes ){
>>> c$ssl$orig_ip_bytes = c$conn$orig_ip_bytes;
>>> }
>>> if ( c?$ssl && c$conn?$resp_ip_bytes ){
>>> c$ssl$resp_ip_bytes = c$conn$resp_ip_bytes;
>>> }
>>> #print c$ssl;
>>> }
>>>
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>> --
>>
>> Stephen R. Smoot, PhD
>> VP, Customer Success
>> Corelight
>
>
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From johanna at corelight.com Wed Jan 29 15:06:31 2020
From: johanna at corelight.com (Johanna Amann)
Date: Wed, 29 Jan 2020 15:06:31 -0800
Subject: [Zeek] Signatures::LOG - rotation
In-Reply-To:
References: <32964fc1-64fb-e455-35f3-a760bd778627@os.pl> <71db1436-b354-458a-d5d3-40c14cec8b5a@os.pl> <449dac95-2507-b2a1-2774-b74c3a937c31@os.pl> <4c20b3f4-c03a-435b-e7f1-1ab1a1b0c40c@os.pl>
Message-ID: <31EAAC41-1344-4880-A010-94E40E41A7A0@corelight.com>

Just as a small followup - to close the circle on this - this was fixed in master and will be part of 3.1.0: https://github.com/zeek/zeek/pull/746

Johanna

On 17 Jan 2020, at 11:59, Justin Azoff wrote:

> Ah, you should change yours to -5, don't modify the shipped scripts.
>
> I think that change is correct though and that this is a bug in the
> signatures script.
>
> running this, I can see that almost every script sets a priority of 5
> for
> the zeek_init event:
>
> fgrep -r Log::create_str scripts/ -B 2|grep 'event zeek_init'
>
> there are only 3 that don't:
>
> scripts//base/frameworks/signatures/main.zeek-event zeek_init()
> scripts//policy/files/x509/log-ocsp.zeek-event zeek_init()
> scripts//policy/protocols/conn/known-hosts.zeek-event zeek_init()
>
> which explains why you were having this problem..
without a priority > the > default is 0, and the two events will run in an undefined order.. for > me > they were running in the order that worked, for you they were running > in > the other order and you were hitting the bug. > > > On Fri, Jan 17, 2020 at 2:02 PM os wrote: > >> hello, >> >> I changed the priority in the file and it looks like it works >> >> /usr/local/zeek/share/zeek/base/frameworks/signatures/main.zeek >> >> event zeek_init() &priority=5 >> >> { >> >> Log::create_stream(Signatures::LOG, [$columns=Info, >> $ev=log_signature, >> $path="signatures"]); >> >> } >> >> >> Thank you for your help and time >> >> >> >> >> >> W dniu 17.01.2020 o 16:47, os pisze: >>> very strange, becouse I didn't change priorities anywhere >>> >>> >>> W dniu 17.01.2020 o 15:27, Justin Azoff pisze: >>>> That still works for me. The error you are getting is from >>>> add_filter >>>> failing to find a log stream with that ID, but Log::create_stream >>>> is >>>> what creates that. I can make it fail like that if I mess with the >>>> priorities, like >>>> >>>> event zeek_init() &priority=100 >>>> { >>>> local f = Log::get_filter(DHCP::LOG, "default"); >>>> f$interv = 1 min; >>>> Log::add_filter(DHCP::LOG, f); >>>> } >>>> >>>> which makes that run before the >>>> >>>> event zeek_init() &priority=5 >>>> { >>>> Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, >>>> $path="dhcp"]); >>>> Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports); >>>> } >>>> >>>> in the dhcp script. >>>> >>>> but with the default priorities I can't see why that would fail. >>>> >>>> >>>> >>>> On Fri, Jan 17, 2020 at 9:00 AM os >>> > >>>> wrote: >>>> >>>> hello, >>>> >>>> >>>> I did some tests and something is wrong. 
>>>>     please see the sample configuration
>>>>
>>>>     ==> notice.zeek <==
>>>>     event zeek_init()
>>>>         {
>>>>         local f = Log::get_filter(Notice::LOG, "default");
>>>>         f$interv = 1 min;
>>>>         Log::add_filter(Notice::LOG, f);
>>>>         }
>>>>
>>>>     ==> dhcp.zeek <==
>>>>     event zeek_init()
>>>>         {
>>>>         local f = Log::get_filter(DHCP::LOG, "default");
>>>>         f$interv = 1 min;
>>>>         Log::add_filter(DHCP::LOG, f);
>>>>         }
>>>>
>>>>     ==> foo.sig <==
>>>>     signature foo {
>>>>         ip-proto == tcp
>>>>         tcp-state established,originator
>>>>         event "hello"
>>>>         payload /.*hello/
>>>>     }
>>>>
>>>>     ==> foo.zeek <==
>>>>     @load-sigs ./foo.sig
>>>>     event zeek_init()
>>>>         {
>>>>         local f = Log::get_filter(Signatures::LOG, "default");
>>>>         f$interv = 30 secs;
>>>>         Log::add_filter(Signatures::LOG, f);
>>>>         }
>>>>
>>>>     ==> start.zeek <==
>>>>     @load ./notice.zeek
>>>>     @load ./dhcp.zeek
>>>>     @load ./foo.zeek
>>>>
>>>>     /usr/local/zeek/bin/zeek -r /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap ./start.zeek
>>>>
>>>>     expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
>>>>     fatal error: errors occurred while initializing
>>>>
>>>>     when I make changes
>>>>
>>>>     #@load ./notice.zeek
>>>>     @load ./dhcp.zeek
>>>>     @load ./foo.zeek
>>>>
>>>>     or
>>>>
>>>>     @load ./notice.zeek
>>>>     #@load ./dhcp.zeek
>>>>     @load ./foo.zeek
>>>>
>>>>     or
>>>>
>>>>     @load ./notice.zeek
>>>>     @load ./dhcp.zeek
>>>>     #@load ./foo.zeek
>>>>
>>>>     no error occurs after running
>>>>
>>>>     Adam
>>>>
>>>>     On 15.01.2020 at 23:30, os wrote:
>>>>     > Thank you for your response.
>>>>     > I did the test with your configuration and it works fine.
>>>>     > So I need to check my configuration carefully.
>>>>     >
>>>>     > Thank you for your time
>>>>     >
>>>>     > On 15.01.2020 at 20:18, Justin Azoff wrote:
>>>>     >> How exactly are you reproducing that?
>>>>     >>
>>>>     >> I tried this:
>>>>     >>
>>>>     >>     ==> foo.sig <==
>>>>     >>     signature foo {
>>>>     >>         ip-proto == tcp
>>>>     >>         tcp-state established,originator
>>>>     >>         event "hello"
>>>>     >>         payload /.*hello/
>>>>     >>     }
>>>>     >>
>>>>     >>     ==> foo.zeek <==
>>>>     >>     @load-sigs ./foo.sig
>>>>     >>     event zeek_init()
>>>>     >>         {
>>>>     >>         local f = Log::get_filter(Signatures::LOG, "default");
>>>>     >>         f$interv = 30 secs;
>>>>     >>         Log::add_filter(Signatures::LOG, f);
>>>>     >>         }
>>>>     >>
>>>>     >> and just running zeek foo.zeek and after making 2 connections a minute apart ended up with 2 rotated log files.
>>>>     >>
>>>>     >> On Wed, Jan 15, 2020 at 1:18 PM os wrote:
>>>>     >>
>>>>     >>     hello members,
>>>>     >>
>>>>     >>     Please, can you help me
>>>>     >>
>>>>     >>     I have problem with log rotation for signature LOG (only)
>>>>     >>
>>>>     >>     when I use scripts ,
>>>>     >>
>>>>     >>     event zeek_init()
>>>>     >>         {
>>>>     >>         local f = Log::get_filter(Signatures::LOG, "default");
>>>>     >>         f$interv = 1 min;
>>>>     >>         Log::add_filter(Signatures::LOG, f);
>>>>     >>         }
>>>>     >>
>>>>     >>     after running I have an error.
>>>>     >>
>>>>     >>     expression error in /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line 579: no such index (Log::all_streams[Log::id])
>>>>     >>     fatal error: errors occurred while initializing
>>>>     >>
>>>>     >>     The problem occurs in versions 3.0.1; 3.1.0-dev.376
>>>>     >>
>>>>     >>     Thank you, for any help.
>>>>     >>
>>>>     >>     Adam
>>>>     >>
>>>>     >> --
>>>>     >> Justin
>>>>
>>>> --
>>>> Justin
>
> --
> Justin

From ben.reardon at corelight.com Wed Jan 29 16:26:15 2020
From: ben.reardon at corelight.com (Ben Reardon)
Date: Thu, 30 Jan 2020 10:26:15 +1000
Subject: [Zeek] Bluegate DOS/RCE
Message-ID:

Hi all,

I'm looking into a few detection ideas around the Remote Desktop Gateway RCE vulns CVE-2020-0609 and CVE-2020-0610 (AKA Bluegate). These vulns are exposed on UDP Port 3391 (DTLS), which is essentially a speedup of RDP. Given it's DTLS, zeek logs all connections happily into ssl.log, including JA3.

YMMV but one detection method is to look for (JA3=2e29256489ce9efe000820389e24b2fd OR JA3=698698ef3647fddcc035694ba0878bf2) AND UDP 3391. These are the JA3 of the tools noted below.

Another method is to baseline a known list of JA3. You could do this methodically, or take the pragmatic approach and just list what JA3 connected to your server on DTLS/3391 prior to the CVE and then look for any JA3 that is net new.

There are other ways to detect this as well, and I'm interested if anyone is looking into these bugs, and particularly if you are running RDG legit - could you contact me to chat about the sort of legit traffic you see (pcap snippets would be great but a chat is good too)

Attack/scanning toolsets currently publicly available (list not exhaustive):

1. https://github.com/ollypwn/BlueGate operates in "checking mode" and "DOS" mode.
2. https://twitter.com/layle_ctf/status/1221514332049113095 an RCE demo has been published but tool not publicly available yet.
3. https://github.com/ioncodes/BlueGate. Check and DOS mode
4. https://github.com/MalwareTech/RDGScanner. Check mode only

Thanks
Ben Reardon
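The two detection ideas in Ben's post (known tool JA3 on udp/3391, and any JA3 on that port that is not in a pre-CVE baseline) written out as a Zeek script. This is an added example, not code from the post; it assumes the JA3 package is loaded so that SSL::Info carries its optional `ja3` field, and the module and notice names are my own.

```zeek
# Added example: flag DTLS sessions to the RD Gateway UDP port whose JA3
# matches a public BlueGate tool, or (if a baseline is configured) whose JA3
# has never been seen from a legitimate RDG client.
# Assumes the JA3 package is loaded (SSL::Info$ja3, optional field).
@load base/frameworks/notice
@load base/protocols/ssl

module BlueGateDetect;

export {
	redef enum Notice::Type += {
		## JA3 of a public BlueGate check/DoS tool seen on the RDG DTLS port.
		Known_Tool_JA3,
		## JA3 on the RDG DTLS port that is not in the local baseline.
		Unbaselined_JA3,
	};

	## UDP transport port of Remote Desktop Gateway (DTLS).
	const rdg_dtls_port = 3391/udp &redef;

	## JA3 fingerprints of the public tools, as listed in the thread.
	const tool_ja3: set[string] = {
		"2e29256489ce9efe000820389e24b2fd",
		"698698ef3647fddcc035694ba0878bf2"
	} &redef;

	## JA3 values of legitimate RDG clients, collected from ssl.log before
	## the CVE was public. Leave empty to disable the baseline check.
	const baseline_ja3: set[string] = set() &redef;
}

# Classify one ssl.log record for the RDG port. Kept separate from the
# event handler so the policy can be read (and redef'd) on its own.
# Returns "tool", "unknown" or "" (nothing to report).
function classify(rec: SSL::Info): string
	{
	if ( rec$id$resp_p != rdg_dtls_port || ! rec?$ja3 )
		return "";

	if ( rec$ja3 in tool_ja3 )
		return "tool";

	if ( |baseline_ja3| > 0 && rec$ja3 !in baseline_ja3 )
		return "unknown";

	return "";
	}

# SSL::log_ssl fires when the ssl.log record is written, i.e. once the DTLS
# handshake is done and the client hello (hence the JA3) has been seen.
event SSL::log_ssl(rec: SSL::Info)
	{
	local verdict = classify(rec);

	if ( verdict == "tool" )
		NOTICE([$note=Known_Tool_JA3,
		        $msg=fmt("BlueGate tool JA3 %s from %s to RDG %s",
		                 rec$ja3, rec$id$orig_h, rec$id$resp_h),
		        $id=rec$id, $uid=rec$uid,
		        # one notice per source/JA3 pair rather than one per probe
		        $identifier=cat(rec$id$orig_h, rec$ja3)]);
	else if ( verdict == "unknown" )
		NOTICE([$note=Unbaselined_JA3,
		        $msg=fmt("Unbaselined JA3 %s from %s to RDG %s",
		                 rec$ja3, rec$id$orig_h, rec$id$resp_h),
		        $id=rec$id, $uid=rec$uid,
		        $identifier=cat(rec$id$orig_h, rec$ja3)]);
	}
```

Populate `baseline_ja3` from your own ssl.log history via `redef`; with it left empty only the known-tool check fires, which keeps the script quiet on a gateway whose legitimate client mix is not yet known.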
From jgarciar at sia.es Fri Jan 31 03:27:58 2020
From: jgarciar at sia.es (Jorge Garcia Rodriguez)
Date: Fri, 31 Jan 2020 11:27:58 +0000
Subject: [Zeek] Is it possible to split the Weird.log?
Message-ID:

Hi everyone,

I have been investigating this matter with no success, and I've decided to send this mail in hopes that some of you could help me.

In 2 of my zeeks I have a lot of entries in the Weird.log about "bad_HTTP_request"; this generates a lot of traffic that I want to split from the other Weird events before forwarding the events.

Is it possible to send this "bad_HTTP_request" to another custom log like "bad_request.log"?

If the first option is not possible, is it possible to stop generating these events?

Thank you all.

Regards.

From 0psec1 at protonmail.com Fri Jan 31 08:15:52 2020
From: 0psec1 at protonmail.com (Virgil)
Date: Fri, 31 Jan 2020 16:15:52 +0000
Subject: [Zeek] Adding connection data to the SSL log
In-Reply-To: <3401D174-CAD7-4A1F-A009-31818938566A@corelight.com>
References: <-OBkPuJyi0pJqKEofNQA0ciPVB6OTuFk_198QKfKu5IaqyBbDmKcjKn5xCsx3oOIB7RXB0y_Y3ffvV-2B5TWJaOTY__Tu7w30EFmretYwlw=@protonmail.com> <3401D174-CAD7-4A1F-A009-31818938566A@corelight.com>
Message-ID:

Thank you kindly, this is very helpful, and the context is helpful too.

Does there exist a reference document that would show the timing and/or order of what's happening internally in Zeek as traffic is processed? Using this example, something that might show the timing of when the SSL log is written and the preceding and following internal events? I haven't seen such a reference but it would be useful to have for unusual problems like this.

Thanks again!

Sent with ProtonMail Secure Email.

------- Original Message -------
On Wednesday, January 29, 2020 6:01 PM, Johanna Amann wrote:

> Hi Virgil,
>
> first - note that the accuracy of this response depends a bit on the Zeek version that you are running. I assume that you are running Zeek 3.0 for this.
>
> What you are trying to do here is a bit more complex for SSL than for a lot of other protocols. The reason for this is that, unlike for a lot of other protocols, the ssl.log typically is not written at the end of the connection. Instead it is written when the connection switches to be encrypted - because after that time we cannot read any more information that typically would make it into ssl.log.
>
> So - Smoot is correct that, typically, you would use the ssl_finishing hook to change the ssl log files. However, in this specific case you cannot use it because the information that you want is only available at the end of the connection.
>
> Funnily what you want to achieve here is surprisingly difficult since we did not foresee this specific use-case. For up to 15 seconds of delay, you can use delay-tokens (which are another special case of the ssl logs). However, these are not really enough in this case.
>
> You already came up with a workable solution - which is creating an entirely new log. It is also possible to just disable the logging mechanism that is used by the ssl scripts - and instead use your own logging. Note that this is kind of hack-ish and I am not really sure I would recommend it.
>
> In any case, you could do something along these lines:
>
> export {
>     redef record SSL::Info += {
>         duration: interval &log &optional;
>         orig_ip_bytes: count &log &optional;
>         resp_ip_bytes: count &log &optional;
>     };
> }
>
> event ssl_established(c: connection) &priority=-4
>     {
>     # pretend that this record already was logged.
>     c$ssl$logged = T;
>     }
>
> # Starting at 3.1.0-dev.282, we switch to successful_connection_remove
> @if ( Version::at_least("3.1.0") && ( Version::info$beta == T || Version::info$commit == 0 || Version::info$commit >= 282 ) )
> event successful_connection_remove(c: connection) &priority=-4
> @else
> event connection_state_remove(c: connection) &priority=-4
> @endif
>     {
>     if ( ! c?$ssl )
>         return;
>
>     if ( c?$ssl && c?$duration )
>         c$ssl$duration = c$duration;
>     if ( c?$ssl && c$conn?$orig_ip_bytes )
>         c$ssl$orig_ip_bytes = c$conn$orig_ip_bytes;
>     if ( c?$ssl && c$conn?$resp_ip_bytes )
>         c$ssl$resp_ip_bytes = c$conn$resp_ip_bytes;
>
>     # let it be logged by the event with priority -5
>     c$ssl$logged = F;
>     }
>
> Johanna
>
> On 27 Jan 2020, at 5:38, Virgil wrote:
>
> > Unfortunately, hook ssl_finishing doesn't appear to work for this either. Creating an entirely new log and using the connection_state_remove event, the connection data and SSL::Info fields can both be written, but this is not ideal due to duplication of data (and possibly missing additional field values in SSL:Info, if the log is written later than connection_state_remove?)
> > Sent with ProtonMail Secure Email.
> > ------- Original Message -------
> > On Friday, January 24, 2020 6:26 PM, Steve Smoot smoot at corelight.com wrote:
> >
> > > SSL doesn't write its log on connection_state_remove, you'll want hook ssl_finishing instead
> > > -s
> > > On Fri, Jan 24, 2020 at 10:11 AM Virgil 0psec1 at protonmail.com wrote:
> > >
> > > > Hello Zeek community,
> > > > I'm trying to add connection data including duration, orig_bytes, and resp_bytes to some of the logs that don't usually have these fields. Keying off of the connection_state_remove event, I'm able to add the fields to some logs, such as RDP, but I'm having trouble adding the fields to the SSL log. When I run my script against different pcap files containing SSL traffic, the desired fields appear in the log but aren't populated. Putting a "print c$ssl;" in the script shows that at least when the script is running, the fields appear to be populated correctly, but somehow aren't then written to the SSL log. The logic of the script that works to populate these fields successfully in the RDP log doesn't appear to work the same for the SSL log. Would appreciate any help you can provide. Thank you kindly.
> > > >
> > > > export {
> > > >     redef record SSL::Info += {
> > > >         duration: interval &log &optional;
> > > >         orig_ip_bytes: count &log &optional;
> > > >         resp_ip_bytes: count &log &optional;
> > > >     };
> > > > }
> > > >
> > > > event connection_state_remove (c: connection)
> > > >     {
> > > >     if ( ! c?$ssl )
> > > >         return;
> > > >     if ( c?$ssl && c?$duration ) {
> > > >         c$ssl$duration = c$duration;
> > > >     }
> > > >     if ( c?$ssl && c$conn?$orig_ip_bytes ) {
> > > >         c$ssl$orig_ip_bytes = c$conn$orig_ip_bytes;
> > > >     }
> > > >     if ( c?$ssl && c$conn?$resp_ip_bytes ) {
> > > >         c$ssl$resp_ip_bytes = c$conn$resp_ip_bytes;
> > > >     }
> > > >     #print c$ssl;
> > > >     }
> > >
> > > --
> > > Stephen R. Smoot, PhD
> > > VP, Customer Success
> > > Corelight

From pumphrey.adam at gmail.com Fri Jan 31 09:09:30 2020
From: pumphrey.adam at gmail.com (ap)
Date: Fri, 31 Jan 2020 12:09:30 -0500
Subject: [Zeek] Is it possible to split the Weird.log?
In-Reply-To:
References:
Message-ID:

Hi Jorge,

You're in luck. Log Filters allow you to do just that.
With filters you have two primary tools at your disposal:

$pred - filter out events before they are written to the log (https://docs.zeek.org/en/stable/frameworks/logging.html#filter-log-records)

$path_func - determine which log file each event should be written to (https://docs.zeek.org/en/stable/frameworks/logging.html#determine-log-path-dynamically)

Those links have some concise examples of how to use each and info about working with filters in general. There is also a blog from '12 that has some good examples: https://blog.zeek.org/2012/02/filtering-logs-with-bro.html. It's from the bro days but the concepts are still relevant.

Adam

> On Jan 31, 2020, at 6:27 AM, Jorge Garcia Rodriguez wrote:
>
> Hi everyone,
>
> I have been investigating this matter with no success, and I've decided to send this mail in hopes that some of you could help me.
>
> In 2 of my zeeks I have a lot of entries in the Weird.log about "bad_HTTP_request"; this generates a lot of traffic that I want to split from the other Weird events before forwarding the events.
>
> Is it possible to send this "bad_HTTP_request" to another custom log like "bad_request.log"?
>
> If the first option is not possible, is it possible to stop generating these events?
>
> Thank you all.
>
> Regards.

From justin at corelight.com Fri Jan 31 11:27:07 2020
From: justin at corelight.com (Justin Azoff)
Date: Fri, 31 Jan 2020 14:27:07 -0500
Subject: [Zeek] Is it possible to split the Weird.log?
In-Reply-To:
References:
Message-ID:

ap was spot on with the log filters, so I have nothing to add there.

I am wondering about what those weirds are about though. If you do some reporting on the logs, is it by any chance all coming from the same client or server or port? It might be something that can be fixed to not generate these weirds in the first place.

On Fri, Jan 31, 2020 at 6:30 AM Jorge Garcia Rodriguez wrote:

> Hi everyone,
>
> I have been investigating this matter with no success, and I've decided to send this mail in hopes that some of you could help me.
>
> In 2 of my zeeks I have a lot of entries in the Weird.log about "bad_HTTP_request"; this generates a lot of traffic that I want to split from the other Weird events before forwarding the events.
>
> Is it possible to send this "bad_HTTP_request" to another custom log like "bad_request.log"?
>
> If the first option is not possible, is it possible to stop generating these events?
>
> Thank you all.
>
> Regards.

--
Justin

From johanna at corelight.com Fri Jan 31 15:50:43 2020
From: johanna at corelight.com (Johanna Amann)
Date: Fri, 31 Jan 2020 15:50:43 -0800
Subject: [Zeek] Adding connection data to the SSL log
In-Reply-To:
References: <-OBkPuJyi0pJqKEofNQA0ciPVB6OTuFk_198QKfKu5IaqyBbDmKcjKn5xCsx3oOIB7RXB0y_Y3ffvV-2B5TWJaOTY__Tu7w30EFmretYwlw=@protonmail.com> <3401D174-CAD7-4A1F-A009-31818938566A@corelight.com>
Message-ID:

Hi Virgil,

On 31 Jan 2020, at 8:15, Virgil wrote:

> Thank you kindly, this is very helpful, and the context is helpful too.
>
> Does there exist a reference document that would show the timing and/or order of what's happening internally in Zeek as traffic is processed? Using this example, something that might show the timing of when the SSL log is written and the preceding and following internal events?

Nothing that I know of. You can kind of figure such things out by loading the misc/dump-events script. That script dumps out the events that are processed in the order that they are processed. If you use that with a fairly minimal pcap file, it is not too hard to figure out what is going on.

In addition to that, for use-cases that are a bit outside of the norm, you might always still have to look at what exactly the base script for the protocol that you are interested in is doing.

Johanna

From akgraner at corelight.com Fri Jan 31 16:06:02 2020
From: akgraner at corelight.com (Amber Graner)
Date: Fri, 31 Jan 2020 19:06:02 -0500
Subject: [Zeek] Keeping Austin weird.logs - Save The Date - ZeekWeek2020
Message-ID:

Hi all,

SAVE THE DATE - ZeekWeek 2020

We're happy to announce that ZeekWeek 2020 will be held on 7-9 October 2020 in Austin Texas!

More details can be found on the Zeek Blog at: https://blog.zeek.org/2020/01/keeping-austin-weirdlogs-save-date.html

Mark your calendars and we hope to see you in Austin in October. Stay tuned, more information coming soon.

Happy Friday!

Thanks,
~Amber
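The log-filter approach from the "Is it possible to split the Weird.log?" thread above, worked through for Jorge's case: $path_func sends "bad_HTTP_request" weirds into their own file, and $pred drops them instead when that is what you want. This is an added example, not code from ap's or Justin's replies; the module name, the log name `weird_bad_request` and the `drop_instead_of_split` switch are my own choices.

```zeek
# Added example: separate "bad_HTTP_request" entries from weird.log, either
# into weird_bad_request.log (path_func) or by dropping them (pred).
@load base/frameworks/notice/weird

module WeirdSplit;

export {
	## Weird names to separate out; extend via redef as needed.
	const split_names: set[string] = { "bad_HTTP_request" } &redef;

	## F: route matching weirds to their own log (uses $path_func).
	## T: suppress them entirely instead (uses $pred).
	const drop_instead_of_split = F &redef;
}

# $path_func is called per record with the filter's default path ("weird").
# Returning it unchanged keeps the record in weird.log; returning another
# name makes the framework open a second file for those records.
function weird_path(id: Log::ID, path: string, rec: Weird::Info): string
	{
	if ( rec$name in split_names )
		return "weird_bad_request";

	return path;
	}

# $pred is called per record; returning F means this filter writes nothing.
function weird_pred(rec: Weird::Info): bool
	{
	return rec$name !in split_names;
	}

# Weird::LOG is created in zeek_init at &priority=5 (see the Signatures::LOG
# thread above), so stay below that or Log::get_filter has no stream to read.
event zeek_init() &priority=-5
	{
	local f = Log::get_filter(Weird::LOG, "default");

	if ( drop_instead_of_split )
		f$pred = weird_pred;
	else
		f$path_func = weird_path;

	# Re-adding under the same name ("default") replaces the original
	# filter, so every record is written exactly once, never twice.
	Log::add_filter(Weird::LOG, f);
	}
```

The split file keeps the full Weird::Info columns, so a forwarder can treat weird_bad_request.log separately (sample it, rate-limit it or skip it) without touching the rest of weird.log.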