[Zeek] Signatures::LOG - rotation

Justin Azoff justin at corelight.com
Fri Jan 17 11:59:36 PST 2020


Ah, you should change yours to -5; don't modify the shipped scripts.

I think that change is correct though and that this is a bug in the
signatures script.

Running this, I can see that almost every script sets a priority of 5 for
the zeek_init event:

    fgrep -r  Log::create_str scripts/  -B 2|grep 'event zeek_init'

There are only 3 that don't:

scripts//base/frameworks/signatures/main.zeek-event zeek_init()
scripts//policy/files/x509/log-ocsp.zeek-event zeek_init()
scripts//policy/protocols/conn/known-hosts.zeek-event zeek_init()

which explains why you were having this problem. Without a priority the
default is 0, and the two events will run in an undefined order. For me
they were running in the order that worked; for you they were running in
the other order and you were hitting the bug.


On Fri, Jan 17, 2020 at 2:02 PM os <adamp at os.pl> wrote:

> hello,
>
> I changed the priority in the file and it looks like it works
>
> /usr/local/zeek/share/zeek/base/frameworks/signatures/main.zeek
>
> event zeek_init() &priority=5
>
> {
>
> Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature,
> $path="signatures"]);
>
> }
>
>
> Thank you for your help and time
>
>
>
>
>
> On 17.01.2020 at 16:47, os wrote:
> > very strange, because I didn't change priorities anywhere
> >
> >
> > On 17.01.2020 at 15:27, Justin Azoff wrote:
> >> That still works for me.  The error you are getting is from add_filter
> >> failing to find a log stream with that ID, but Log::create_stream is
> >> what creates that.  I can make it fail like that if I mess with the
> >> priorities, like
> >>
> >> event zeek_init() &priority=100
> >>       {
> >>       local f = Log::get_filter(DHCP::LOG, "default");
> >>       f$interv = 1 min;
> >>       Log::add_filter(DHCP::LOG, f);
> >>       }
> >>
> >> which makes that run before the
> >>
> >> event zeek_init() &priority=5
> >>      {
> >>      Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp,
> >> $path="dhcp"]);
> >>      Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
> >>      }
> >>
> >> in the dhcp script.
> >>
> >> but with the default priorities I can't see why that would fail.
> >>
> >>
> >>
> >> On Fri, Jan 17, 2020 at 9:00 AM os <adamp at os.pl>
> >> wrote:
> >>
> >>      hello,
> >>
> >>
> >>      I did some tests and something is wrong.
> >>      please see the sample configuration
> >>
> >>      ==> notice.zeek <==
> >>
> >>      event zeek_init()
> >>           {
> >>           local f = Log::get_filter(Notice::LOG, "default");
> >>           f$interv = 1 min;
> >>           Log::add_filter(Notice::LOG, f);
> >>           }
> >>
> >>      ==> dhcp.zeek <==
> >>
> >>      event zeek_init()
> >>           {
> >>           local f = Log::get_filter(DHCP::LOG, "default");
> >>           f$interv = 1 min;
> >>           Log::add_filter(DHCP::LOG, f);
> >>           }
> >>
> >>      ==> foo.sig <==
> >>      signature foo {
> >>         ip-proto == tcp
> >>         tcp-state established,originator
> >>         event "hello"
> >>         payload /.*hello/
> >>      }
> >>
> >>      ==> foo.zeek <==
> >>      @load-sigs ./foo.sig
> >>      event zeek_init()
> >>            {
> >>            local f = Log::get_filter(Signatures::LOG, "default");
> >>            f$interv = 30 secs;
> >>            Log::add_filter(Signatures::LOG, f);
> >>            }
> >>
> >>      ==> start.zeek <==
> >>
> >>      @load ./notice.zeek
> >>      @load ./dhcp.zeek
> >>      @load ./foo.zeek
> >>
> >>      /usr/local/zeek/bin/zeek -r
> >>      /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap  ./start.zeek
> >>
> >>
> >>      expression error in
> >>      /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
> >>      579: no such index (Log::all_streams[Log::id])
> >>      fatal error: errors occurred while initializing
> >>
> >>      when I make changes
> >>
> >>      #@load ./notice.zeek
> >>      @load ./dhcp.zeek
> >>      @load ./foo.zeek
> >>
> >>      or
> >>
> >>      @load ./notice.zeek
> >>      #@load ./dhcp.zeek
> >>      @load ./foo.zeek
> >>
> >>      or
> >>
> >>      @load ./notice.zeek
> >>      @load ./dhcp.zeek
> >>      #@load ./foo.zeek
> >>
> >>
> >>      no error occurs after running
> >>
> >>      Adam
> >>
> >>
> >>      On 15.01.2020 at 23:30, os wrote:
> >>      > Thank you for your response.
> >>      > I did the test with your configuration and it works fine.
> >>      > So I need to check my configuration carefully.
> >>      >
> >>      > Thank you for your time
> >>      >
> >>      >
> >>      >
> >>      > On 15.01.2020 at 20:18, Justin Azoff wrote:
> >>      >> How exactly are you reproducing that?
> >>      >>
> >>      >> I tried this:
> >>      >>
> >>      >> ==> foo.sig <==
> >>      >> signature foo {
> >>      >>    ip-proto == tcp
> >>      >>    tcp-state established,originator
> >>      >>    event "hello"
> >>      >>    payload /.*hello/
> >>      >> }
> >>      >>
> >>      >> ==> foo.zeek <==
> >>      >> @load-sigs ./foo.sig
> >>      >> event zeek_init()
> >>      >>       {
> >>      >>       local f = Log::get_filter(Signatures::LOG, "default");
> >>      >>       f$interv = 30 secs;
> >>      >>       Log::add_filter(Signatures::LOG, f);
> >>      >>       }
> >>      >>
> >>      >> and just running zeek foo.zeek and after making 2 connections a minute
> >>      >> apart ended up with 2 rotated log files.
> >>      >>
> >>      >>
> >>      >> On Wed, Jan 15, 2020 at 1:18 PM os <adamp at os.pl>
> >>      >> wrote:
> >>      >>
> >>      >>      hello members,
> >>      >>
> >>      >>      Please, can you help me
> >>      >>
> >>      >>      I have a problem with log rotation for the signature LOG (only)
> >>      >>
> >>      >>      when I use this script,
> >>      >>
> >>      >>      event zeek_init()
> >>      >>           {
> >>      >>           local f = Log::get_filter(Signatures::LOG, "default");
> >>      >>           f$interv = 1 min;
> >>      >>           Log::add_filter(Signatures::LOG, f);
> >>      >>           }
> >>      >>
> >>      >>      after running it, I get an error.
> >>      >>
> >>      >>      expression error in
> >>      >>      /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
> >>      >>      579: no such index (Log::all_streams[Log::id])
> >>      >>      fatal error: errors occurred while initializing
> >>      >>
> >>      >>      The problem occurs in versions 3.0.1; 3.1.0-dev.376
> >>      >>
> >>      >>      Thank you, for any help.
> >>      >>
> >>      >>      Adam
> >>      >>
> >>      >>
> >>      >>
> >>      >>
> >>      >>      _______________________________________________
> >>      >>      Zeek mailing list
> >>      >> zeek at zeek.org
> >>      >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> >>      >>
> >>      >>
> >>      >>
> >>      >> --
> >>      >> Justin
> >>      >
> >>      >
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Justin
> >
> >
> >
> >
>
>
>
>
>
>


-- 
Justin
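The fix discussed in this thread, written out as a stand-alone site script. This is an added example, not code from the thread or from the Zeek distribution; the module name SiteSigRotation and the constant rotation_interval are names chosen for the example. Log::get_filter, Log::add_filter, the Filter record's interv field and Reporter::warning are the regular Zeek script APIs. Handlers with a higher &priority run first, so a negative priority makes this handler run after the shipped zeek_init handlers that call Log::create_stream (priority 5 in most scripts, default 0 in the signatures script), which is exactly the ordering the error above depends on:

```zeek
# Example: adjust the rotation interval of the signatures log from a site
# script, without editing base/frameworks/signatures/main.zeek.
#
# Without &priority, this handler and the shipped handler that calls
# Log::create_stream(Signatures::LOG, ...) both run at priority 0, in an
# undefined order; when this one runs first, Log::get_filter fails with
# "no such index (Log::all_streams[Log::id])" at startup.

module SiteSigRotation;

export {
	## Rotation interval applied to the signatures log (name assumed for
	## this example; override with redef).
	const rotation_interval = 30 secs &redef;
}

# &priority=-5 runs after every default-priority (0) and priority-5
# handler, so the stream exists by the time the filter is fetched.
event zeek_init() &priority=-5
	{
	local f = Log::get_filter(Signatures::LOG, "default");
	f$interv = rotation_interval;
	Log::add_filter(Signatures::LOG, f);
	}

# Check, later still, that the interval actually took effect; this catches
# a second script that also replaces the "default" filter of the same log.
event zeek_init() &priority=-10
	{
	local f = Log::get_filter(Signatures::LOG, "default");
	if ( f$interv != rotation_interval )
		Reporter::warning(fmt("signatures log rotates every %s, expected %s",
		                      f$interv, rotation_interval));
	}
```

Load it the same way as the scripts in the thread (for instance `@load ./sig-rotation.zeek` from a start script, or `zeek -r file.pcap ./sig-rotation.zeek`); with the priority set, the order in which the other site scripts are loaded no longer matters.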