[Zeek] Signatures::LOG - rotation

Johanna Amann johanna at corelight.com
Wed Jan 29 15:06:31 PST 2020


Just as a small followup - to close the circle on this - this was fixed 
in master and will be part of 3.1.0:

https://github.com/zeek/zeek/pull/746

Johanna

On 17 Jan 2020, at 11:59, Justin Azoff wrote:

> Ah, you should change yours to -5, don't modify the shipped scripts.
>
> I think that change is correct though and that this is a bug in the
> signatures script.
>
> Running this, I can see that almost every script sets a priority of 5
> for the zeek_init event:
>
>     fgrep -r  Log::create_str scripts/  -B 2|grep 'event zeek_init'
>
> there are only 3 that don't:
>
> scripts//base/frameworks/signatures/main.zeek-event zeek_init()
> scripts//policy/files/x509/log-ocsp.zeek-event zeek_init()
> scripts//policy/protocols/conn/known-hosts.zeek-event zeek_init()
>
> which explains why you were having this problem. Without a priority
> the default is 0, and the two events will run in an undefined order.
> For me they were running in the order that worked, for you they were
> running in the other order and you were hitting the bug.
>
>
> On Fri, Jan 17, 2020 at 2:02 PM os <adamp at os.pl> wrote:
>
>> Hello,
>>
>> I changed the priority in the file and it looks like it works:
>>
>> /usr/local/zeek/share/zeek/base/frameworks/signatures/main.zeek
>>
>> event zeek_init() &priority=5
>>     {
>>     Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature,
>>                                          $path="signatures"]);
>>     }
>>
>> Thank you for your help and time
>>
>>
>>
>>
>>
>> On 17.01.2020 at 16:47, os wrote:
>>> Very strange, because I didn't change priorities anywhere.
>>>
>>>
>>> On 17.01.2020 at 15:27, Justin Azoff wrote:
>>>> That still works for me. The error you are getting is from add_filter
>>>> failing to find a log stream with that ID, but Log::create_stream is
>>>> what creates that. I can make it fail like that if I mess with the
>>>> priorities, like
>>>>
>>>> event zeek_init() &priority=100
>>>>       {
>>>>       local f = Log::get_filter(DHCP::LOG, "default");
>>>>       f$interv = 1 min;
>>>>       Log::add_filter(DHCP::LOG, f);
>>>>       }
>>>>
>>>> which makes that run before the
>>>>
>>>> event zeek_init() &priority=5
>>>>      {
>>>>      Log::create_stream(DHCP::LOG, [$columns=Info, $ev=log_dhcp, $path="dhcp"]);
>>>>      Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, ports);
>>>>      }
>>>>
>>>> in the dhcp script.
>>>>
>>>> but with the default priorities I can't see why that would fail.
>>>>
>>>>
>>>>
>>>> On Fri, Jan 17, 2020 at 9:00 AM os <adamp at os.pl> wrote:
>>>>
>>>>      Hello,
>>>>
>>>>
>>>>      I did some tests and something is wrong.
>>>>      Please see the sample configuration:
>>>>
>>>>      ==> notice.zeek <==
>>>>
>>>>      event zeek_init()
>>>>           {
>>>>           local f = Log::get_filter(Notice::LOG, "default");
>>>>           f$interv = 1 min;
>>>>           Log::add_filter(Notice::LOG, f);
>>>>           }
>>>>
>>>>      ==> dhcp.zeek <==
>>>>
>>>>      event zeek_init()
>>>>           {
>>>>           local f = Log::get_filter(DHCP::LOG, "default");
>>>>           f$interv = 1 min;
>>>>           Log::add_filter(DHCP::LOG, f);
>>>>           }
>>>>
>>>>      ==> foo.sig <==
>>>>      signature foo {
>>>>         ip-proto == tcp
>>>>         tcp-state established,originator
>>>>         event "hello"
>>>>         payload /.*hello/
>>>>      }
>>>>
>>>>      ==> foo.zeek <==
>>>>      @load-sigs ./foo.sig
>>>>      event zeek_init()
>>>>            {
>>>>            local f = Log::get_filter(Signatures::LOG, "default");
>>>>            f$interv = 30 secs;
>>>>            Log::add_filter(Signatures::LOG, f);
>>>>            }
>>>>
>>>>      ==> start.zeek <==
>>>>
>>>>      @load ./notice.zeek
>>>>      @load ./dhcp.zeek
>>>>      @load ./foo.zeek
>>>>
>>>>      /usr/local/zeek/bin/zeek -r /var/pcap/zeek/pcap-2020-01-17-14-50-00.pcap ./start.zeek
>>>>
>>>>
>>>>      expression error in
>>>>      /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
>>>>      579: no such index (Log::all_streams[Log::id])
>>>>      fatal error: errors occurred while initializing
>>>>
>>>>      When I make changes
>>>>
>>>>      #@load ./notice.zeek
>>>>      @load ./dhcp.zeek
>>>>      @load ./foo.zeek
>>>>
>>>>      or
>>>>
>>>>      @load ./notice.zeek
>>>>      #@load ./dhcp.zeek
>>>>      @load ./foo.zeek
>>>>
>>>>      or
>>>>
>>>>      @load ./notice.zeek
>>>>      @load ./dhcp.zeek
>>>>      #@load ./foo.zeek
>>>>
>>>>
>>>>      no error occurs after running.
>>>>
>>>>      Adam
>>>>
>>>>
>>>>      On 15.01.2020 at 23:30, os wrote:
>>>>      > Thank you for your response.
>>>>      > I did the test with your configuration and it works fine.
>>>>      > So I need to check my configuration carefully.
>>>>      >
>>>>      > Thank you for your time
>>>>      >
>>>>      >
>>>>      >
>>>>      > On 15.01.2020 at 20:18, Justin Azoff wrote:
>>>>      >> How exactly are you reproducing that?
>>>>      >>
>>>>      >> I tried this:
>>>>      >>
>>>>      >> ==> foo.sig <==
>>>>      >> signature foo {
>>>>      >>    ip-proto == tcp
>>>>      >>    tcp-state established,originator
>>>>      >>    event "hello"
>>>>      >>    payload /.*hello/
>>>>      >> }
>>>>      >>
>>>>      >> ==> foo.zeek <==
>>>>      >> @load-sigs ./foo.sig
>>>>      >> event zeek_init()
>>>>      >>       {
>>>>      >>       local f = Log::get_filter(Signatures::LOG, "default");
>>>>      >>       f$interv = 30 secs;
>>>>      >>       Log::add_filter(Signatures::LOG, f);
>>>>      >>       }
>>>>      >>
>>>>      >> and just running zeek foo.zeek and after making 2 connections a
>>>>      >> minute apart ended up with 2 rotated log files.
>>>>      >>
>>>>      >>
>>>>      >> On Wed, Jan 15, 2020 at 1:18 PM os <adamp at os.pl> wrote:
>>>>      >>
>>>>      >>      Hello members,
>>>>      >>
>>>>      >>      Please, can you help me?
>>>>      >>
>>>>      >>      I have a problem with log rotation for the signature LOG (only).
>>>>      >>
>>>>      >>      When I use this script,
>>>>      >>
>>>>      >>      event zeek_init()
>>>>      >>           {
>>>>      >>           local f = Log::get_filter(Signatures::LOG, "default");
>>>>      >>           f$interv = 1 min;
>>>>      >>           Log::add_filter(Signatures::LOG, f);
>>>>      >>           }
>>>>      >>
>>>>      >>      after running I get an error:
>>>>      >>
>>>>      >>      expression error in
>>>>      >>      /usr/local/zeek/share/zeek/base/frameworks/logging/./main.zeek, line
>>>>      >>      579: no such index (Log::all_streams[Log::id])
>>>>      >>      fatal error: errors occurred while initializing
>>>>      >>
>>>>      >>      The problem occurs in versions 3.0.1; 3.1.0-dev.376
>>>>      >>      Thank you for any help.
>>>>      >>
>>>>      >>      Adam
>>>>      >>
>>>>      >>
>>>>      >>
>>>>      >>
>>>>      >>      _______________________________________________
>>>>      >>      Zeek mailing list
>>>>      >>      zeek at zeek.org
>>>>      >>      http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>>      >>
>>>>      >>
>>>>      >> --
>>>>      >> Justin
>>>>      >
>>>>      >
>>>>      >
>>>>      >
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Justin
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>
>
> -- 
> Justin
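
As an added example, not from the thread or from Zeek's own scripts: a user-side script that applies the rotation intervals discussed above (Notice, DHCP and Signatures; the values are assumed for illustration) from one `zeek_init` handler at `&priority=-5`, so it runs after the shipped `Log::create_stream` handlers instead of relying on the undefined order at priority 0. It checks `Log::active_streams` (assumed to be exported as in Zeek 3.x) before touching a filter, so a stream that does not exist yet produces a warning rather than the fatal `no such index` error.

```zeek
# Added example, not from the thread: set a rotation interval on several
# log streams from a user script without editing the shipped scripts.
#
# Shipped scripts call Log::create_stream() in zeek_init() at &priority=5
# (signatures/main.zeek did so at the default priority 0 until the fix in
# zeek PR #746). Running this handler at &priority=-5 orders it after
# every stream-creation handler, whatever priority those use.

# Rotation intervals to apply; assumed values for this example.
const rotate_intervals: table[Log::ID] of interval = {
    [Notice::LOG] = 1 min,
    [DHCP::LOG] = 1 min,
    [Signatures::LOG] = 30 secs,
} &redef;

# Set the rotation interval of a stream's "default" filter.
# Returns F if the stream has not been created, instead of triggering the
# "no such index (Log::all_streams[Log::id])" expression error.
function set_rotation(id: Log::ID, interv: interval): bool
    {
    # Log::active_streams holds every created, non-disabled stream
    # (assumption: exported by the logging framework as in Zeek 3.x).
    if ( id !in Log::active_streams )
        {
        Reporter::warning(fmt("set_rotation: stream %s not created yet", id));
        return F;
        }

    local f = Log::get_filter(id, "default");
    f$interv = interv;
    return Log::add_filter(id, f);
    }

# Negative priority: run after all the &priority=5 create_stream handlers.
event zeek_init() &priority=-5
    {
    for ( id in rotate_intervals )
        set_rotation(id, rotate_intervals[id]);
    }
```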

