From manyiant at 163.com Sun Mar 1 22:33:13 2020 From: manyiant at 163.com (my) Date: Mon, 2 Mar 2020 14:33:13 +0800 (CST) Subject: [Zeek] =?gbk?q?Help=A3=ACAbout_Packet_Filter?= In-Reply-To: References: <593e71f.1ac0.16fcb21578c.Coremail.manyiant@163.com> Message-ID: <6b425659.571a.17099f2d4ed.Coremail.manyiant@163.com> Hi, I tested the config you provided, but it didn't work. I read the source code and used the following config for traffic filtering. It's not perfect. Iredef packet_filter_default = F; event zeek_init() { install_src_addr_filter($ip=123.2.15.75, $tcp_flags=63, $prob=1.0); install_src_addr_filter($ip=123.2.15.75, $tcp_flags=1, $prob=1.0); install_src_addr_filter($ip=123.2.15.75, $tcp_flags=2, $prob=1.0); install_src_addr_filter($ip=123.2.15.75, $tcp_flags=4, $prob=1.0); ... } At 2020-01-24 00:15:22, "Justin Azoff" wrote: Is your traffic encapsulated with vlan tags? Does changing the filter to vlan and host 123.2.15.75 work any better? On Tue, Jan 21, 2020 at 9:44 PM my wrote: Hi?friends: I use restrict_filters to filter the traffic. but the settings did not take effect, all of the traffic was filtered. What should I do? My script is as follows: redef restrict_filters += { ["unmonitored host"] = "host 123.2.15.75" }; I am looking forwoard to your replay. Thakns. _______________________________________________ Zeek mailing list zeek at zeek.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -- Justin -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200302/8d51761c/attachment.html From clopmz at outlook.com Mon Mar 2 03:43:48 2020 From: clopmz at outlook.com (Carlos Lopez) Date: Mon, 2 Mar 2020 11:43:48 +0000 Subject: [Zeek] Some troubles with Corelight's Splunk app using Zeek 3.0.2 Message-ID: Good morning, I've been using the Corelight's Splunk application for several days now with only one sensor and everything works fine except for the "Data Exploration/Connections" view. It never shows me any results, it always shows "No results found". I have been debugging the searches with the option "inspect" and it is correct: none of those searches can return results. An example: for Top Services view, Corelight's app performs the following search: search (NOT sensor_name!="*" id_orig_h="*" id_orig_p="*" id_resp_h="*" id_resp_p="*" NOT is_broadcast="true" service="*" (eventtype=bro_conn OR eventtype=corelight_conn)) | top service limit=15 and without result. But If I use the following search in Splunk's general view: search (NOT is_broadcast="true" (eventtype=corelight_conn)) | top service limit=15 I get results as you can see in the screenshot attached. Am I doing something wrong or is it a bug? Many thaks Regards, C. L. Martinez -------------- next part -------------- A non-text attachment was scrubbed... Name: corelight.png Type: image/png Size: 36459 bytes Desc: corelight.png Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200302/0d2bc211/attachment-0001.bin From akgraner at corelight.com Mon Mar 2 07:40:48 2020 From: akgraner at corelight.com (Amber Graner) Date: Mon, 2 Mar 2020 10:40:48 -0500 Subject: [Zeek] Reminder - Monthly Zeek Community Call - 6 March 2020 12:00pm PST/3:00pm EST Message-ID: Hi all and Happy Monday!! Just a reminder that the next monthly Zeek Community Call will be Friday 6 March 2020 at 12:00pm PST/3:00pm EST. The calendar invite has been updated. You can find out what it will be in your timezone at timeanddate.com -https://www.timeanddate.com/worldclock/converter.html Agenda ====== - ZeekWeek 2020 - Slack Channel If you have any topics you'd like to have added to the call, please let me know and I'll update the invite and the agenda. Joining the call ============ Join Zoom Meeting https://corelight.zoom.us/j/898658920 Meeting ID: 898 658 920 One tap mobile +16465588656,,898658920# US (New York) +16699006833,,898658920# US (San Jose) Dial by your location +1 646 558 8656 US (New York) +1 669 900 6833 US (San Jose) 877 853 5257 US Toll-free 888 475 4499 US Toll-free Meeting ID: 898 658 920 Find your local number: https://corelight.zoom.us/u/acY5L1LN7 Please let me know if you have any questions. Thanks, ~Amber -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200302/ac06478a/attachment.html From akgraner at corelight.com Mon Mar 2 14:33:47 2020 From: akgraner at corelight.com (Amber Graner) Date: Mon, 2 Mar 2020 17:33:47 -0500 Subject: [Zeek] Issue 2 - Zeek Monthly Newsletter - Now Available Message-ID: Issue 2 - Zeek Monthly Newsletter - Now Available - https://blog.zeek.org/2020/03/zeek-monthly-newsletter-issue-2-march.html In this Issue: * General Community News/Updates * Development Updates * Zeek In the Community * Threat of the Month * Upcoming Events * Contribution/Contributor of the Month * Zeek Related Issues * Publication Schedule * Get Involved A .PDF version of this issue can be downloaded at: http://bit.ly/ZMN_Issue_2_March_2020 We're currently working on Issue 3 - the draft placeholder can be found at: https://docs.google.com/document/d/1SI2YC13JVj5AlEZK9sdxBjwUO8QwWZ-0o2uXKgz9_6s/edit If you would like to help with the Newsletter or if you have links that you would like for us to include, please let me know. Thanks, ~Amber -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200302/f8be44fe/attachment.html From kczarnec at pppl.gov Tue Mar 3 09:52:18 2020 From: kczarnec at pppl.gov (Kevin Czarnecki) Date: Tue, 3 Mar 2020 12:52:18 -0500 Subject: [Zeek] [External] Some troubles with Corelight's Splunk app using Zeek 3.0.2 In-Reply-To: References: Message-ID: Are you using a Corelight sensor or Zeek? I've found some field names are different on different devices. (id_orig_h vs. id.orig_h). I had to do a fair bit of "massaging" of the searches to get them working with different field and index names. On Mon, Mar 2, 2020 at 6:47 AM Carlos Lopez wrote: > Good morning, > > I've been using the Corelight's Splunk application for several days now > with only one sensor and everything works fine except for the "Data > Exploration/Connections" view. It never shows me any results, it always > shows "No results found". I have been debugging the searches with the > option "inspect" and it is correct: none of those searches can return > results. > > An example: for Top Services view, Corelight's app performs the following > search: > > search (NOT sensor_name!="*" id_orig_h="*" id_orig_p="*" id_resp_h="*" > id_resp_p="*" NOT is_broadcast="true" service="*" (eventtype=bro_conn OR > eventtype=corelight_conn)) | top service limit=15 > > and without result. But If I use the following search in Splunk's general > view: > > search (NOT is_broadcast="true" (eventtype=corelight_conn)) | top service > limit=15 > > I get results as you can see in the screenshot attached. > > Am I doing something wrong or is it a bug? > > Many thaks > > > > Regards, > C. L. Martinez > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200303/406730a5/attachment.html From jlay at slave-tothe-box.net Tue Mar 3 11:03:16 2020 From: jlay at slave-tothe-box.net (James Lay) Date: Tue, 03 Mar 2020 12:03:16 -0700 Subject: [Zeek] First attempt to upgrade to 3: Multiple interfaces Message-ID: Welp...out of luck so far: /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '' local "Site::local_nets += { 192.168.1.0/24 }" gets me: ERROR: Only a single interface option (-i) is allowed. I didn't have this issue with 2. Any reason why only one interface is allowed now? Unless something radical has changed with the resources that zeekctl uses I have no desire to use it. I'm dead in the water with Zeek as of now. Thank you. James From tim at corelight.com Tue Mar 3 11:28:47 2020 From: tim at corelight.com (Tim Wojtulewicz) Date: Tue, 3 Mar 2020 12:28:47 -0700 Subject: [Zeek] First attempt to upgrade to 3: Multiple interfaces In-Reply-To: References: Message-ID: <5C741D97-A6B8-4ECA-915B-3A6BA4D99E13@corelight.com> If you don?t really need the latest and greatest cutting edge changes to 3.1, version 3.0.x still supports multiple interfaces. That feature was removed in 3.1 due to the wide changes to the IO Loop architecture, and you?re honestly the first user I?ve heard from that has noticed it missing. It was removed to make that work easier to accomplish, but we can certainly investigate bringing it back if there?s enough of a use case for it. Tim > On Mar 3, 2020, at 12:03 PM, James Lay wrote: > > Welp...out of luck so far: > > /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '' local > "Site::local_nets += { 192.168.1.0/24 }" > > gets me: > > ERROR: Only a single interface option (-i) is allowed. > > I didn't have this issue with 2. Any reason why only one interface is > allowed now? Unless something radical has changed with the resources > that zeekctl uses I have no desire to use it. I'm dead in the water > with Zeek as of now. Thank you. > > James > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek From smoot at corelight.com Tue Mar 3 11:42:14 2020 From: smoot at corelight.com (Steve Smoot) Date: Tue, 3 Mar 2020 11:42:14 -0800 Subject: [Zeek] First attempt to upgrade to 3: Multiple interfaces In-Reply-To: <5C741D97-A6B8-4ECA-915B-3A6BA4D99E13@corelight.com> References: <5C741D97-A6B8-4ECA-915B-3A6BA4D99E13@corelight.com> Message-ID: On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz wrote: > If you don?t really need the latest and greatest cutting edge changes to > 3.1, version 3.0.x still supports multiple interfaces. That feature was > removed in 3.1 due to the wide changes to the IO Loop architecture, and > you?re honestly the first user I?ve heard from that has noticed it missing. > It was removed to make that work easier to accomplish, but we can certainly > investigate bringing it back if there?s enough of a use case for it. > Another option, I think would be to bond/bridge the interfaces and listen on that. If that would work for you, -s > Tim > > > On Mar 3, 2020, at 12:03 PM, James Lay wrote: > > > > Welp...out of luck so far: > > > > /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '' local > > "Site::local_nets += { 192.168.1.0/24 }" > > > > gets me: > > > > ERROR: Only a single interface option (-i) is allowed. > > > > I didn't have this issue with 2. Any reason why only one interface is > > allowed now? Unless something radical has changed with the resources > > that zeekctl uses I have no desire to use it. I'm dead in the water > > with Zeek as of now. Thank you. > > > > James > > _______________________________________________ > > Zeek mailing list > > zeek at zeek.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -- *Stephen R. Smoot, PhD* VP, Customer Success Corelight -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200303/219edd5d/attachment-0001.html From jlay at slave-tothe-box.net Tue Mar 3 12:10:38 2020 From: jlay at slave-tothe-box.net (James Lay) Date: Tue, 03 Mar 2020 13:10:38 -0700 Subject: [Zeek] First attempt to upgrade to 3: Multiple interfaces In-Reply-To: References: <5C741D97-A6B8-4ECA-915B-3A6BA4D99E13@corelight.com> Message-ID: Appreciate the responses. These interfaces are an external on the internet, and an internal with a localnet (this devices is classified as router), so bonding them isn't an option. The only reason I'm running in this manner as apposed to just letting zeekctl handle it all is the process count and memory usage. I guess I'll test out zeekctl and see where I sit....might have to fallback to 3.0. Thank you. James On 2020-03-03 12:42, Steve Smoot wrote: > On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz > wrote: > >> If you don?t really need the latest and greatest cutting edge >> changes to 3.1, version 3.0.x still supports multiple interfaces. >> That feature was removed in 3.1 due to the wide changes to the IO >> Loop architecture, and you?re honestly the first user I?ve heard >> from that has noticed it missing. It was removed to make that work >> easier to accomplish, but we can certainly investigate bringing it >> back if there?s enough of a use case for it. > > Another option, I think would be to bond/bridge the interfaces and > listen on that. If that would work for you, > > -s > >> Tim >> >>> On Mar 3, 2020, at 12:03 PM, James Lay >> wrote: >>> >>> Welp...out of luck so far: >>> >>> /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '' local >>> "Site::local_nets += { 192.168.1.0/24 [1] }" >>> >>> gets me: >>> >>> ERROR: Only a single interface option (-i) is allowed. >>> >>> I didn't have this issue with 2. Any reason why only one >> interface is >>> allowed now? Unless something radical has changed with the >> resources >>> that zeekctl uses I have no desire to use it. I'm dead in the >> water >>> with Zeek as of now. Thank you. >>> >>> James >>> _______________________________________________ >>> Zeek mailing list >>> zeek at zeek.org >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >> >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > -- > > STEPHEN R. SMOOT, PHD > VP, Customer Success > Corelight > > > Links: > ------ > [1] http://192.168.1.0/24 From jlay at slave-tothe-box.net Tue Mar 3 17:50:51 2020 From: jlay at slave-tothe-box.net (James Lay) Date: Tue, 03 Mar 2020 18:50:51 -0700 Subject: [Zeek] First attempt to upgrade to 3: Multiple interfaces In-Reply-To: References: <5C741D97-A6B8-4ECA-915B-3A6BA4D99E13@corelight.com>

Message-ID: <43959c9db49e46e8ea5dbcaaec46d2e73a494424.camel@slave-tothe-box.net> All, I'm please to report that using zeekctl method of running is so far working well...resource usage is so far manageable. Thanks for the assistance. James On Tue, 2020-03-03 at 13:10 -0700, James Lay wrote: > Appreciate the responses. These interfaces are an external on the > internet, and an internal with a localnet (this devices is classified > as router), so bonding them isn't an option. The only reason I'm > running in this manner as apposed to just letting zeekctl handle it > all is the process count and memory usage. I guess I'll test out > zeekctl and see where I sit....might have to fallback to 3.0. Thank > you. > James > On 2020-03-03 12:42, Steve Smoot wrote: > On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz wr > ote: > If you don?t really need the latest and greatest cutting edgechanges > to 3.1, version 3.0.x still supports multiple interfaces.That feature > was removed in 3.1 due to the wide changes to the IOLoop > architecture, and you?re honestly the first user I?ve heardfrom that > has noticed it missing. It was removed to make that workeasier to > accomplish, but we can certainly investigate bringing itback if > there?s enough of a use case for it. > Another option, I think would be to bond/bridge the interfaces > andlisten on that. If that would work for you, > -s > Tim > On Mar 3, 2020, at 12:03 PM, James Lay wrot > e: > > Welp...out of luck so far: > /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '' > local"Site::local_nets += { 192.168.1.0/24 [1] }" > gets me: > ERROR: Only a single interface option (-i) is allowed. > I didn't have this issue with 2. Any reason why only oneinterface is > allowed now? Unless something radical has changed with theresources > that zeekctl uses I have no desire to use it. I'm dead in thewater > with Zeek as of now. Thank you. > James_______________________________________________Zeek mailing > listzeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > _______________________________________________Zeek mailing > listzeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > -- > STEPHEN R. SMOOT, PHDVP, Customer SuccessCorelight > > Links:------[1] > http://192.168.1.0/24_______________________________________________Zeek > mailing listzeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200303/e3fb8ac8/attachment.html From michalpurzynski1 at gmail.com Tue Mar 3 18:37:49 2020 From: michalpurzynski1 at gmail.com (=?utf-8?Q?Micha=C5=82_Purzy=C5=84ski?=) Date: Tue, 3 Mar 2020 18:37:49 -0800 Subject: [Zeek] First attempt to upgrade to 3: Multiple interfaces In-Reply-To: <43959c9db49e46e8ea5dbcaaec46d2e73a494424.camel@slave-tothe-box.net> References: <43959c9db49e46e8ea5dbcaaec46d2e73a494424.camel@slave-tothe-box.net> Message-ID: <29313A40-9D2A-4843-B9C0-2739CDB6822E@gmail.com> From what you?re describing, you?re running Zeek on a resource constraints device. You might want to actually use the newest version - not sure where Justin fixes for the packet processing loop went in, but they should help a lot. There are also some scripts to avoid, like the scan.zeek one and basically anything using SumStats. These can eat a lot of memory. BTW kill all unnecessary processes. I can take a look if you send a process tree. Good luck! > On Mar 3, 2020, at 5:59 PM, James Lay wrote: > > ? > All, > > I'm please to report that using zeekctl method of running is so far working well...resource usage is so far manageable. Thanks for the assistance. > > James > >> On Tue, 2020-03-03 at 13:10 -0700, James Lay wrote: >> Appreciate the responses. These interfaces are an external on the >> internet, and an internal with a localnet (this devices is classified as >> router), so bonding them isn't an option. The only reason I'm running >> in this manner as apposed to just letting zeekctl handle it all is the >> process count and memory usage. I guess I'll test out zeekctl and see >> where I sit....might have to fallback to 3.0. Thank you. >> >> James >> >>> On 2020-03-03 12:42, Steve Smoot wrote: >> >> On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz >> wrote: >> >> >> If you don?t really need the latest and greatest cutting edge >> changes to 3.1, version 3.0.x still supports multiple interfaces. >> That feature was removed in 3.1 due to the wide changes to the IO >> Loop architecture, and you?re honestly the first user I?ve heard >> from that has noticed it missing. It was removed to make that work >> easier to accomplish, but we can certainly investigate bringing it >> back if there?s enough of a use case for it. >> >> Another option, I think would be to bond/bridge the interfaces and >> listen on that. If that would work for you, >> >> -s >> >> >> Tim >> >> >> On Mar 3, 2020, at 12:03 PM, James Lay >> wrote: >> >> >> Welp...out of luck so far: >> >> /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '' local >> "Site::local_nets += { 192.168.1.0/24 [1] }" >> >> gets me: >> >> ERROR: Only a single interface option (-i) is allowed. >> >> I didn't have this issue with 2. Any reason why only one >> interface is >> >> allowed now? Unless something radical has changed with the >> resources >> >> that zeekctl uses I have no desire to use it. I'm dead in the >> water >> >> with Zeek as of now. Thank you. >> >> James >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >> >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >> >> -- >> >> STEPHEN R. SMOOT, PHD >> VP, Customer Success >> Corelight >> >> >> Links: >> ------ >> [1] http://192.168.1.0/24 >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200303/aad611a2/attachment-0001.html From justin at corelight.com Tue Mar 3 18:50:05 2020 From: justin at corelight.com (Justin Azoff) Date: Tue, 3 Mar 2020 21:50:05 -0500 Subject: [Zeek] First attempt to upgrade to 3: Multiple interfaces In-Reply-To: <29313A40-9D2A-4843-B9C0-2739CDB6822E@gmail.com> References: <43959c9db49e46e8ea5dbcaaec46d2e73a494424.camel@slave-tothe-box.net> <29313A40-9D2A-4843-B9C0-2739CDB6822E@gmail.com> Message-ID: On Tue, Mar 3, 2020 at 9:39 PM Micha? Purzy?ski wrote: > From what you?re describing, you?re running Zeek on a resource constraints > device. > > You might want to actually use the newest version - not sure where Justin > fixes for the packet processing loop went in, but they should help a lot. > Oh hah, I don't need any credit for all of that work. I had an old patch against 2.4/5/6 that would relax the polling loop interval so it wouldn't eat up a lot of cpu on smaller devices, but it wasn't a fix. Tim completely rewrote the IO loop so now zeek on a raspberry pi should use 0% cpu when there's no traffic. -- Justin -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200303/4d139aeb/attachment.html From doug.burks at gmail.com Wed Mar 4 08:35:54 2020 From: doug.burks at gmail.com (Doug Burks) Date: Wed, 4 Mar 2020 11:35:54 -0500 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: References:

Message-ID: I've been able to duplicate this issue so I'm passing along some notes in the hope that others are able to duplicate the issue as well and perhaps pinpoint what's going on. - I've seen this issue on both physical boxes and virtual machines and on both single CPU socket and multiple CPU socket systems - I've been able to trigger this issue fairly consistently using VMware Workstation with the VM set to 4 processors (seems easier to duplicate when using processors rather than cores) - 8GB RAM and 2 NICs (one set to NAT for management and the other set to a custom network and configured for sniffing) - running our latest Security Onion ISO image which contains Zeek 3.0.1 (I've also duplicated this behavior using Zeek 3.0.2 compiled manually): https://blog.securityonion.net/2020/02/security-onion-160464-iso-image-now.html - run sosetup-minimal and choose Evaluation Mode - once Setup is complete, create some traffic on the sniffing interface: while :; do sudo so-replay; done - on my box, Zeek normally runs at about 10% to 20% CPU usage when running so-replay but after a certain period of time (seems inconsistent, could be minutes or over an hour), Zeek will go to 100% CPU usage and remain there even if you kill the so-replay while loop from above - you can restart Zeek with "sudo so-zeek-restart" and it will go back to normal operation and normal CPU usage, but after a while of processing traffic it will go back to 100% CPU usage - as mentioned above, you can also download Zeek 3.0.2 and compile it manually according to https://docs.zeek.org/en/v3.0.2/install/install.html and duplicate the issue there, so this would seem to rule out any possible issues with our Zeek package or scripts Please let me know if I can provide any further information to assist in duplicating and pinpointing this issue. Thanks! On Tue, Feb 25, 2020 at 6:41 PM Pete Nelson wrote: > Thanks, Jon. > > I'll try to digest those links and dig into the code. Unfortunately, > it seems running strace on the process keeps it from occurring... I > may try to get dtrace working in place, but I need to improve my lab > setup first before I go too crazy. > -- > Pete > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > -- Doug Burks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200304/1c3ea34e/attachment.html From akgraner at corelight.com Wed Mar 4 08:37:42 2020 From: akgraner at corelight.com (Amber Graner) Date: Wed, 4 Mar 2020 11:37:42 -0500 Subject: [Zeek] Zeek Slack Workspace Now available!! Message-ID: Hi all, Thank you so much for your patience as we set up the Workspace and the administrative items that go with these spaces in an open source community. * The space is called: zeekorg.slack.com * You can join using the following invitation link (There is also an invite link on the blog post): h ttps://join.slack.com/t/zeekorg/shared_invite/enQtOTc3MzMxNDI1NDYxLTA1NzhhMTgxNWI1OTk2NjlkMTdjNzY1Nzk5NDk2ZDY1MDBkYWIxOWNjNDE2NDc2MGI5OWM3ZDllYzBmZmNhNDM In addition to this space we are also introducing a Code of Conduct and Slack Channel Guidelines, links to both are listed below and on the blog post (*this links will also be listed on the website soon*). We'd also like to the Kubernetes Community as these are based on and modified from theirs. * Code of Conduct - https://www.dropbox.com/s/yh3xku3sflhs4ry/Final-%20%20Zeek%20Community%20Code%20of%20Conduct.pdf?dl=0 * Slack Channel Guidelines - https://www.dropbox.com/s/f47mb0ywvilu41g/Final%20-%20Zeek%20Community%20Slack%20Guidelines%20%281%29.pdf?dl=0 Below is the link to the blog post: https://blog.zeek.org/2020/03/zeek-slack-channel-announced.html As mentioned in the blog post, "We?re thrilled that more than 20 people have volunteered to admin the workspace. And we would like to thank everyone who has offered to help. The Zeek Leadership Team (LT) is currently working on the policy for adding admins." Those who volunteered should hear more about those roles and responsibilities by the end of the month. Please let me know if you have any questions. Thanks, ~Amber -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200304/abe7bfe8/attachment.html From tlarson.hiscorp at gmail.com Wed Mar 4 09:32:25 2020 From: tlarson.hiscorp at gmail.com (Tim Larson) Date: Wed, 4 Mar 2020 11:32:25 -0600 Subject: [Zeek] Authentication data available in zeek logs Message-ID: I am not aware of Zeek having an authoritative list of all authentication data so from your experience which Zeek logs would provide *useful event data* when authenticating to each of the following: 1) web applications 2) API's 3) SSO 4) SSH 5) Windows authentication 6) FTP Kind regards, tim -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200304/315123f6/attachment-0001.html From petr.medonos at etnetera.cz Wed Mar 4 11:57:03 2020 From: petr.medonos at etnetera.cz (Petr Medonos) Date: Wed, 4 Mar 2020 20:57:03 +0100 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: References:

Message-ID: <95f56d8d-9791-c86f-716c-098ad2423d7a@etnetera.cz> Hi all, not sure yet, but looks very similar to issue I started here https://github.com/zeek/zeek/issues/838. I will take a look what Zeek scripts are enabled by default in SO to correlate these issues. Petr On 04. 03. 20 17:35, Doug Burks wrote: > I've been able to duplicate this issue so I'm passing along some notes > in the hope that others are able to duplicate the issue as well and > perhaps pinpoint what's going on. > > - I've seen this issue on both physical boxes and virtual machines and > on both single CPU socket and multiple CPU socket systems > > - I've been able to trigger this issue fairly consistently using VMware > Workstation with the VM set to 4 processors (seems easier to duplicate > when using processors rather than cores) > > - 8GB RAM and 2 NICs (one set to NAT for management and the other set to > a custom network and configured for sniffing) > > - running our latest Security Onion ISO image which contains Zeek 3.0.1 > (I've also duplicated this behavior using Zeek 3.0.2 compiled manually): > https://blog.securityonion.net/2020/02/security-onion-160464-iso-image-now.html > > - run sosetup-minimal and choose Evaluation Mode > > - once Setup is complete, create some traffic on the sniffing interface: > while :; do sudo so-replay; done > > - on my box, Zeek normally runs at about 10% to 20% CPU usage when > running so-replay but after a certain period of time (seems > inconsistent, could be minutes or over an hour), Zeek will go to 100% > CPU usage and remain there even if you kill the so-replay while loop > from above > > - you can restart Zeek with "sudo so-zeek-restart" and it will go back > to normal operation and normal CPU usage, but after a while of > processing traffic it will go back to 100% CPU usage > > - as mentioned above, you can also download Zeek 3.0.2 and compile it > manually according > to?https://docs.zeek.org/en/v3.0.2/install/install.html and duplicate > the issue there, so this would seem to rule out any possible issues with > our Zeek package or scripts > > Please let me know if I can provide any further information to assist in > duplicating and pinpointing this issue. > > Thanks! > > > On Tue, Feb 25, 2020 at 6:41 PM Pete Nelson > wrote: > > Thanks, Jon. > > I'll try to digest those links and dig into the code.? Unfortunately, > it seems running strace on the process keeps it from occurring...? I > may try to get dtrace working in place, but I need to improve my lab > setup first before I go too crazy. > -- > Pete > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > > > -- > Doug Burks > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200304/a1dec9f5/attachment.bin From doug.burks at gmail.com Wed Mar 4 12:03:40 2020 From: doug.burks at gmail.com (Doug Burks) Date: Wed, 4 Mar 2020 15:03:40 -0500 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: <95f56d8d-9791-c86f-716c-098ad2423d7a@etnetera.cz> References:

<95f56d8d-9791-c86f-716c-098ad2423d7a@etnetera.cz> Message-ID: Hi Petr, It does sound similar to issue 838. However, please note that I was able to duplicate this issue on a manual compile of Zeek 3.0.2 with no additional scripts loaded. On Wed, Mar 4, 2020 at 2:57 PM Petr Medonos wrote: > Hi all, > not sure yet, but looks very similar to issue I started here > https://github.com/zeek/zeek/issues/838. I will take a look what Zeek > scripts are enabled by default in SO to correlate these issues. > > > Petr > > > On 04. 03. 20 17:35, Doug Burks wrote: > > I've been able to duplicate this issue so I'm passing along some notes > > in the hope that others are able to duplicate the issue as well and > > perhaps pinpoint what's going on. > > > > - I've seen this issue on both physical boxes and virtual machines and > > on both single CPU socket and multiple CPU socket systems > > > > - I've been able to trigger this issue fairly consistently using VMware > > Workstation with the VM set to 4 processors (seems easier to duplicate > > when using processors rather than cores) > > > > - 8GB RAM and 2 NICs (one set to NAT for management and the other set to > > a custom network and configured for sniffing) > > > > - running our latest Security Onion ISO image which contains Zeek 3.0.1 > > (I've also duplicated this behavior using Zeek 3.0.2 compiled manually): > > > https://blog.securityonion.net/2020/02/security-onion-160464-iso-image-now.html > > > > - run sosetup-minimal and choose Evaluation Mode > > > > - once Setup is complete, create some traffic on the sniffing interface: > > while :; do sudo so-replay; done > > > > - on my box, Zeek normally runs at about 10% to 20% CPU usage when > > running so-replay but after a certain period of time (seems > > inconsistent, could be minutes or over an hour), Zeek will go to 100% > > CPU usage and remain there even if you kill the so-replay while loop > > from above > > > > - you can restart Zeek with "sudo so-zeek-restart" and it will go back > > to normal operation and normal CPU usage, but after a while of > > processing traffic it will go back to 100% CPU usage > > > > - as mentioned above, you can also download Zeek 3.0.2 and compile it > > manually according > > to https://docs.zeek.org/en/v3.0.2/install/install.html and duplicate > > the issue there, so this would seem to rule out any possible issues with > > our Zeek package or scripts > > > > Please let me know if I can provide any further information to assist in > > duplicating and pinpointing this issue. > > > > Thanks! > > > > > > On Tue, Feb 25, 2020 at 6:41 PM Pete Nelson > > wrote: > > > > Thanks, Jon. > > > > I'll try to digest those links and dig into the code. Unfortunately, > > it seems running strace on the process keeps it from occurring... I > > may try to get dtrace working in place, but I need to improve my lab > > setup first before I go too crazy. > > -- > > Pete > > _______________________________________________ > > Zeek mailing list > > zeek at zeek.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > > > > > > > -- > > Doug Burks > > > > _______________________________________________ > > Zeek mailing list > > zeek at zeek.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > > > -- Doug Burks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200304/f16dbf0d/attachment.html From jsiwek at corelight.com Wed Mar 4 12:06:11 2020 From: jsiwek at corelight.com (Jon Siwek) Date: Wed, 4 Mar 2020 12:06:11 -0800 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: References:

Message-ID: On Wed, Mar 4, 2020 at 8:36 AM Doug Burks wrote: > - I've been able to trigger this issue fairly consistently using VMware Workstation with the VM set to 4 processors (seems easier to duplicate when using processors rather than cores) Thanks, I've reproduced with a similar configuration. First thing I notice is `perf top` showing much time spent in `threading::Manager::NextTimestamp`, so now off to try and understand how it can get into that state. > (I've also duplicated this behavior using Zeek 3.0.2 compiled manually): I'm expecting to have to go this way either to add more instrumentation or test potential patches, so for consistency, can you provide the exact commands used from the point of ./configure until point of running/restarting zeek ? - Jon From doug.burks at gmail.com Wed Mar 4 12:15:49 2020 From: doug.burks at gmail.com (Doug Burks) Date: Wed, 4 Mar 2020 15:15:49 -0500 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: References:

Message-ID: Hi Jon, Replies inline. On Wed, Mar 4, 2020 at 3:06 PM Jon Siwek wrote: > On Wed, Mar 4, 2020 at 8:36 AM Doug Burks wrote: > > > - I've been able to trigger this issue fairly consistently using VMware > Workstation with the VM set to 4 processors (seems easier to duplicate when > using processors rather than cores) > > Thanks, I've reproduced with a similar configuration. First thing I > notice is `perf top` showing much time spent in > `threading::Manager::NextTimestamp`, so now off to try and understand > how it can get into that state. > I'm glad you were able to reproduce this! > > > (I've also duplicated this behavior using Zeek 3.0.2 compiled manually): > > I'm expecting to have to go this way either to add more > instrumentation or test potential patches, so for consistency, can you > provide the exact commands used from the point of ./configure until > point of running/restarting zeek ? > > > - Jon > Going off of memory, but it should have been rather standard: sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev ./configure make sudo make install modify /usr/local/zeek/etc/node.cfg and configure the standalone stanza to sniff from the sniffing interface sudo /usr/local/zeek/bin/zeekctl deploy Please let me know if you need anything else. Thanks! -- Doug Burks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200304/1965c949/attachment.html From doug.burks at gmail.com Wed Mar 4 12:43:52 2020 From: doug.burks at gmail.com (Doug Burks) Date: Wed, 4 Mar 2020 15:43:52 -0500 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: References:

Message-ID: On Wed, Mar 4, 2020 at 3:15 PM Doug Burks wrote: > Hi Jon, > > Replies inline. > > On Wed, Mar 4, 2020 at 3:06 PM Jon Siwek wrote: > >> On Wed, Mar 4, 2020 at 8:36 AM Doug Burks wrote: >> >> > - I've been able to trigger this issue fairly consistently using VMware >> Workstation with the VM set to 4 processors (seems easier to duplicate when >> using processors rather than cores) >> >> Thanks, I've reproduced with a similar configuration. First thing I >> notice is `perf top` showing much time spent in >> `threading::Manager::NextTimestamp`, so now off to try and understand >> how it can get into that state. > > Just a quick note to confirm that I'm seeing much time spent in `threading::Manager::NextTimestamp` here as well. -- Doug Burks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200304/96f3b136/attachment-0001.html From michalpurzynski1 at gmail.com Wed Mar 4 13:48:19 2020 From: michalpurzynski1 at gmail.com (=?UTF-8?B?TWljaGHFgiBQdXJ6ecWEc2tp?=) Date: Wed, 4 Mar 2020 13:48:19 -0800 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: References:

Message-ID: Can we disable scripts and run Zeek with a minimalist configuration and see if result changes? The timestamp thing looks like a packet timestamp? Do use you libpcap by chance? On Wed, Mar 4, 2020 at 12:46 PM Doug Burks wrote: > On Wed, Mar 4, 2020 at 3:15 PM Doug Burks wrote: > >> Hi Jon, >> >> Replies inline. >> >> On Wed, Mar 4, 2020 at 3:06 PM Jon Siwek wrote: >> >>> On Wed, Mar 4, 2020 at 8:36 AM Doug Burks wrote: >>> >>> > - I've been able to trigger this issue fairly consistently using >>> VMware Workstation with the VM set to 4 processors (seems easier to >>> duplicate when using processors rather than cores) >>> >>> Thanks, I've reproduced with a similar configuration. First thing I >>> notice is `perf top` showing much time spent in >>> `threading::Manager::NextTimestamp`, so now off to try and understand >>> how it can get into that state. >> >> > Just a quick note to confirm that I'm seeing much time spent in > `threading::Manager::NextTimestamp` here as well. > > -- > Doug Burks > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200304/311834f7/attachment.html From jlay at slave-tothe-box.net Wed Mar 4 14:04:06 2020 From: jlay at slave-tothe-box.net (James Lay) Date: Wed, 04 Mar 2020 15:04:06 -0700 Subject: [Zeek] First attempt to upgrade to 3: Multiple interfaces In-Reply-To: References: <43959c9db49e46e8ea5dbcaaec46d2e73a494424.camel@slave-tothe-box.net> <29313A40-9D2A-4843-B9C0-2739CDB6822E@gmail.com> Message-ID: <1bb195d7377c3de42abc148360ff20e0@slave-tothe-box.net> Thanks again...resources look great: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 11360 root 20 0 830360 258148 151156 S 0.3 3.2 7:42.42 zeek 11362 root 20 0 827852 254540 150568 S 0.3 3.2 10:19.57 zeek Also pleased to note that the trickle of traffic cpu usage has been fixed so thumbs up to that. James On 2020-03-03 19:50, Justin Azoff wrote: > On Tue, Mar 3, 2020 at 9:39 PM Micha? Purzy?ski > wrote: > >> From what you?re describing, you?re running Zeek on a resource >> constraints device. >> >> You might want to actually use the newest version - not sure where >> Justin fixes for the packet processing loop went in, but they should >> help a lot. > > Oh hah, I don't need any credit for all of that work. I had an old > patch against 2.4/5/6 that would relax the polling loop interval so it > wouldn't eat up a lot of cpu on smaller devices, but it wasn't a fix. > Tim completely rewrote the IO loop so now zeek on a raspberry pi > should use 0% cpu when there's no traffic. > -- > > Justin From don.thomas.cissp at gmail.com Wed Mar 4 16:08:53 2020 From: don.thomas.cissp at gmail.com (Don Thomas) Date: Wed, 4 Mar 2020 16:08:53 -0800 Subject: [Zeek] First attempt to upgrade to 3: Multiple interfaces In-Reply-To: <5C741D97-A6B8-4ECA-915B-3A6BA4D99E13@corelight.com> References: <5C741D97-A6B8-4ECA-915B-3A6BA4D99E13@corelight.com> Message-ID: Please bring back the multiple interface option. I have two Gigamon's (each has a 10 G interface ) Feeding Zeek on our IDS. Or else Zeek is a No Go for me as well. Yes... I need the multiple interface option ! Thank you, *Don Thomas, CISSP, CISA* On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz wrote: > If you don?t really need the latest and greatest cutting edge changes to > 3.1, version 3.0.x still supports multiple interfaces. That feature was > removed in 3.1 due to the wide changes to the IO Loop architecture, and > you?re honestly the first user I?ve heard from that has noticed it missing. > It was removed to make that work easier to accomplish, but we can certainly > investigate bringing it back if there?s enough of a use case for it. > > Tim > > > On Mar 3, 2020, at 12:03 PM, James Lay wrote: > > > > Welp...out of luck so far: > > > > /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '' local > > "Site::local_nets += { 192.168.1.0/24 }" > > > > gets me: > > > > ERROR: Only a single interface option (-i) is allowed. > > > > I didn't have this issue with 2. Any reason why only one interface is > > allowed now? Unless something radical has changed with the resources > > that zeekctl uses I have no desire to use it. I'm dead in the water > > with Zeek as of now. Thank you. > > > > James > > _______________________________________________ > > Zeek mailing list > > zeek at zeek.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200304/d11dd862/attachment.html From johanna at icir.org Wed Mar 4 17:18:21 2020 From: johanna at icir.org (Johanna Amann) Date: Wed, 04 Mar 2020 17:18:21 -0800 Subject: [Zeek] First attempt to upgrade to 3: Multiple interfaces In-Reply-To: References: <5C741D97-A6B8-4ECA-915B-3A6BA4D99E13@corelight.com> Message-ID: <1837831E-946D-41D1-8FC1-B2E6D0C164F6@icir.org> Hi Don, just to pull over the questions from Slack here: could you please detail a little bit how you are currently running Zeek. Since it sounds like you are handling a lot of traffic - you typically should already have to run zeek in cluster mode using zeekctl/broctl. At which point this problem does not apply anymore - since in a cluster you can have a zeek process (or - typically - several zeek processes) for each interface. If you are currently running a single standalone zeek process on several 10G interfaces - did you check your packet loss? Because it seems unlikely to me that this setup is not loosing a ton of traffic. Thank you :) Johanna On 4 Mar 2020, at 16:08, Don Thomas wrote: > Please bring back the multiple interface option. I have two > Gigamon's > (each has a 10 G interface ) Feeding Zeek on our IDS. > > Or else Zeek is a No Go for me as well. > > Yes... I need the multiple interface option ! > > Thank you, > *Don Thomas, CISSP, CISA* > > > > On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz > wrote: > >> If you don?t really need the latest and greatest cutting edge >> changes to >> 3.1, version 3.0.x still supports multiple interfaces. That feature >> was >> removed in 3.1 due to the wide changes to the IO Loop architecture, >> and >> you?re honestly the first user I?ve heard from that has noticed >> it missing. >> It was removed to make that work easier to accomplish, but we can >> certainly >> investigate bringing it back if there?s enough of a use case for >> it. >> >> Tim >> >>> On Mar 3, 2020, at 12:03 PM, James Lay >>> wrote: >>> >>> Welp...out of luck so far: >>> >>> /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '' local >>> "Site::local_nets += { 192.168.1.0/24 }" >>> >>> gets me: >>> >>> ERROR: Only a single interface option (-i) is allowed. >>> >>> I didn't have this issue with 2. Any reason why only one interface >>> is >>> allowed now? Unless something radical has changed with the >>> resources >>> that zeekctl uses I have no desire to use it. I'm dead in the water >>> with Zeek as of now. Thank you. >>> >>> James >>> _______________________________________________ >>> Zeek mailing list >>> zeek at zeek.org >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >> >> >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek From jsiwek at corelight.com Wed Mar 4 20:48:15 2020 From: jsiwek at corelight.com (Jon Siwek) Date: Wed, 4 Mar 2020 20:48:15 -0800 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: References:

Message-ID: On Wed, Mar 4, 2020 at 12:44 PM Doug Burks wrote: > Just a quick note to confirm that I'm seeing much time spent in `threading::Manager::NextTimestamp` here as well. That didn't turn out to be directly related, but I did ultimately hunt down a race condition in Broker as explanation for it getting stuck at full CPU load. This is the incoming patch: https://github.com/zeek/broker/pull/97 Thanks for the assists in tracking this down. Any further help in verifying the patch would also be great. - Jon From robin at corelight.com Thu Mar 5 00:10:25 2020 From: robin at corelight.com (Robin Sommer) Date: Thu, 5 Mar 2020 08:10:25 +0000 Subject: [Zeek] First attempt to upgrade to 3: Multiple interfaces In-Reply-To: <1837831E-946D-41D1-8FC1-B2E6D0C164F6@icir.org> References: <5C741D97-A6B8-4ECA-915B-3A6BA4D99E13@corelight.com> <1837831E-946D-41D1-8FC1-B2E6D0C164F6@icir.org> Message-ID: <20200305081025.GA16330@corelight.com> Btw, just for the record, before doing such breaking changes we tend to ask here on mailing list for feedback. In this case, see here: http://mailman.icsi.berkeley.edu/pipermail/zeek/2019-August/014484.html. I don't think I heard any concerns in response to that. Robin On Wed, Mar 04, 2020 at 17:18 -0800, Johanna Amann wrote: > Hi Don, > > just to pull over the questions from Slack here: > > could you please detail a little bit how you are currently running Zeek. > > Since it sounds like you are handling a lot of traffic - you typically > should already have to run zeek in cluster mode using zeekctl/broctl. At > which point this problem does not apply anymore - since in a cluster you > can have a zeek process (or - typically - several zeek processes) for > each interface. > > If you are currently running a single standalone zeek process on several > 10G interfaces - did you check your packet loss? Because it seems > unlikely to me that this setup is not loosing a ton of traffic. > > Thank you :) > Johanna > > On 4 Mar 2020, at 16:08, Don Thomas wrote: > > > Please bring back the multiple interface option. I have two > > Gigamon's > > (each has a 10 G interface ) Feeding Zeek on our IDS. > > > > Or else Zeek is a No Go for me as well. > > > > Yes... I need the multiple interface option ! > > > > Thank you, > > *Don Thomas, CISSP, CISA* > > > > > > > > On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz > > wrote: > > > >> If you don?t really need the latest and greatest cutting edge > >> changes to > >> 3.1, version 3.0.x still supports multiple interfaces. That feature > >> was > >> removed in 3.1 due to the wide changes to the IO Loop architecture, > >> and > >> you?re honestly the first user I?ve heard from that has noticed > >> it missing. > >> It was removed to make that work easier to accomplish, but we can > >> certainly > >> investigate bringing it back if there?s enough of a use case for > >> it. > >> > >> Tim > >> > >>> On Mar 3, 2020, at 12:03 PM, James Lay > >>> wrote: > >>> > >>> Welp...out of luck so far: > >>> > >>> /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '' local > >>> "Site::local_nets += { 192.168.1.0/24 }" > >>> > >>> gets me: > >>> > >>> ERROR: Only a single interface option (-i) is allowed. > >>> > >>> I didn't have this issue with 2. Any reason why only one interface > >>> is > >>> allowed now? Unless something radical has changed with the > >>> resources > >>> that zeekctl uses I have no desire to use it. I'm dead in the water > >>> with Zeek as of now. Thank you. > >>> > >>> James > >>> _______________________________________________ > >>> Zeek mailing list > >>> zeek at zeek.org > >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > >> > >> > >> _______________________________________________ > >> Zeek mailing list > >> zeek at zeek.org > >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > _______________________________________________ > > Zeek mailing list > > zeek at zeek.org > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -- Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com From doug.burks at gmail.com Thu Mar 5 06:44:04 2020 From: doug.burks at gmail.com (Doug Burks) Date: Thu, 5 Mar 2020 09:44:04 -0500 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: References:

Message-ID: Good morning Jon, I applied the relevant patch to the Zeek 3.0.2 tarball, compiled, and have been running for the last 3 hours or so with the same pcap replay loop described previously. Zeek still seems to be averaging 10% to 20% CPU usage, so the patch is looking good so far. Would you recommend that we apply the patch to our Zeek 3.0.2 package OR hold off on 3.0.2 and wait for 3.0.3 assuming it will be included there? Thanks! On Wed, Mar 4, 2020 at 11:48 PM Jon Siwek wrote: > On Wed, Mar 4, 2020 at 12:44 PM Doug Burks wrote: > > > Just a quick note to confirm that I'm seeing much time spent in > `threading::Manager::NextTimestamp` here as well. > > That didn't turn out to be directly related, but I did ultimately hunt > down a race condition in Broker as explanation for it getting stuck at > full CPU load. This is the incoming patch: > > https://github.com/zeek/broker/pull/97 > > Thanks for the assists in tracking this down. Any further help in > verifying the patch would also be great. > > - Jon > -- Doug Burks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200305/448be63e/attachment.html From akgraner at corelight.com Thu Mar 5 08:31:30 2020 From: akgraner at corelight.com (Amber Graner) Date: Thu, 5 Mar 2020 11:31:30 -0500 Subject: [Zeek] Zeek Events Calendar Invites and Reminders Opt-In Message-ID: Hi all, Since we will no longer be adding the Zeek mailing list to the calendar invites, I've created a form for folks to opt-in to receiving calendar invites and reminders. If you would like to continue to receive the calendar invites and reminders for the ASK THE ZEEKSPERTS webinars and/or the Monthly Community calls please take a moment to add your information to the form (Link below) https://www.surveymonkey.com/r/X5W5YQZ If you've already accepted the current invites then you'll continue to get them. I'll remove everyone else. Thanks in advance. With gratitude, ~Amber -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200305/766800b4/attachment.html From jsiwek at corelight.com Thu Mar 5 10:23:27 2020 From: jsiwek at corelight.com (Jon Siwek) Date: Thu, 5 Mar 2020 10:23:27 -0800 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: References:

Message-ID: On Thu, Mar 5, 2020 at 6:44 AM Doug Burks wrote: > Would you recommend that we apply the patch to our Zeek 3.0.2 package OR hold off on 3.0.2 and wait for 3.0.3 assuming it will be included there? Hi Doug, I do now have this on the schedule for fixing in a Zeek 3.0.3 (and 3.1.1), but not sure what time frame to expect those releases. I'll suggest to the team to aim at doing one in ~2-3 weeks. If you'd like to patch ASAP, you may still want to wait at least until that Pull Request gets a code review and merged into the master branch. - Jon From Kayode_Enwerem at ao.uscourts.gov Thu Mar 5 10:43:16 2020 From: Kayode_Enwerem at ao.uscourts.gov (Kayode Enwerem) Date: Thu, 5 Mar 2020 18:43:16 +0000 Subject: [Zeek] Errors trying to implement the detection on CVE-2020-0601 Message-ID: Hello, I am trying to implement the detection of CVE-2020-0601 with zeek (https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html) using the first package (https://github.com/0xxon/cve-2020-0601) but I keep encountering some errors. Version for bro in my environment: bro version 2.5.5 First thing I did was add this to our local.bro file: redef CVE_2020_0601::log_certs = T; But when I ran "broctl check" I got the following error message: error in /usr/local/bro/share/bro/site/local.bro, line 13: "redef" used but not previously defined (CVE_ 2020_0601::log_certs) So I created the following file in "share/bro/base/frameworks/notice/cve-2020-0601.bro" and added the script from: https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro And also edited the following file "share/bro/base/frameworks/notice/__load__.bro" and added: @load ./cve-2020-0601 Now when I run "broctl check" I am getting the following error message: error in /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, line 5: syntax error, at or near "option" When I comment out line 5 line I get: error in /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, line 26: unknown identifier Version::at_least, at or near "Version::at_least" When I comment out line 26 I get: error in /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, line 35: unknown identifier f, at or near "f" Can someone please help me with this? Am I setting it up right? Thanks in advance. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200305/bff62660/attachment.html From doug.burks at gmail.com Thu Mar 5 10:57:17 2020 From: doug.burks at gmail.com (Doug Burks) Date: Thu, 5 Mar 2020 13:57:17 -0500 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: References:

Message-ID: OK, thanks Jon. On Thu, Mar 5, 2020 at 1:23 PM Jon Siwek wrote: > On Thu, Mar 5, 2020 at 6:44 AM Doug Burks wrote: > > > Would you recommend that we apply the patch to our Zeek 3.0.2 package OR > hold off on 3.0.2 and wait for 3.0.3 assuming it will be included there? > > Hi Doug, I do now have this on the schedule for fixing in a Zeek 3.0.3 > (and 3.1.1), but not sure what time frame to expect those releases. > I'll suggest to the team to aim at doing one in ~2-3 weeks. If you'd > like to patch ASAP, you may still want to wait at least until that > Pull Request gets a code review and merged into the master branch. > > - Jon > -- Doug Burks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200305/25e04eb4/attachment.html From johanna at icir.org Thu Mar 5 14:50:42 2020 From: johanna at icir.org (Johanna Amann) Date: Thu, 05 Mar 2020 14:50:42 -0800 Subject: [Zeek] Errors trying to implement the detection on CVE-2020-0601 In-Reply-To: References: Message-ID: Hi Kayode, the script does, out of the box, not support anything below bro 2.6. You can probably make it run by changing the option to a ?const log_certs = F &redef? and changing the @if (Version::) to @if ( 0 ). However, note that while it should work it has not been tested on these systems. Also - please consider updating your Zeek installation. You are missing important security and performance fixes. Johanna On 5 Mar 2020, at 10:43, Kayode Enwerem wrote: > Hello, > > I am trying to implement the detection of CVE-2020-0601 with zeek > (https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html) > using the first package (https://github.com/0xxon/cve-2020-0601) but I > keep encountering some errors. > > Version for bro in my environment: bro version 2.5.5 > > First thing I did was add this to our local.bro file: redef > CVE_2020_0601::log_certs = T; > > But when I ran "broctl check" I got the following error message: error > in /usr/local/bro/share/bro/site/local.bro, line 13: "redef" used but > not previously defined (CVE_ 2020_0601::log_certs) > > So I created the following file in > "share/bro/base/frameworks/notice/cve-2020-0601.bro" and added the > script from: > https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro > > And also edited the following file > "share/bro/base/frameworks/notice/__load__.bro" and added: @load > ./cve-2020-0601 > > Now when I run "broctl check" I am getting the following error > message: > error in > /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, > line 5: syntax error, at or near "option" > > When I comment out line 5 line I get: > error in > /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, > line 26: unknown identifier Version::at_least, at or near > "Version::at_least" > > When I comment out line 26 I get: > error in > /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, > line 35: unknown identifier f, at or near "f" > > Can someone please help me with this? Am I setting it up right? > > Thanks in advance. > > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek From undicizeri at gmail.com Fri Mar 6 02:15:47 2020 From: undicizeri at gmail.com (Federico Foschini) Date: Fri, 6 Mar 2020 11:15:47 +0100 Subject: [Zeek] Capture packet loss discrepancy Message-ID: Hello, I?m using Zeek 3.0.1 and I?m seeing very high zeek capture loss even if the system load is very low (I?m analyzing 50-100mbps of traffic with a Xeon 8C-16T and 32GiB of ram, the system load is barely rearching 1). This is what https://docs.zeek.org/en/stable/scripts/policy/misc/capture-loss.zeek.html is reporting: {"_path":"capture_loss","_write_ts":"2020-03-06T10:00:28.080623Z","ts":"2020-03-06T10:00:28.080623Z","ts_delta":900.0000138282776,"peer":"worker-1-1","gaps":980763,"acks":3451717,"percent_lost":28.4137720444 6367} {"_path":"capture_loss","_write_ts":"2020-03-06T09:45:28.080609Z","ts":"2020-03-06T09:45:28.080609Z","ts_delta":900.0000011920929,"peer":"worker-1-1","gaps":775832,"acks":3944662,"percent_lost":19.6678955002 98886} But in Zeek stats logs I cannot see any drops: {"_path":"stats","_write_ts":"2020-03-06T10:00:25.184307Z","ts":"2020-03-06T10:00:25.184307Z","peer":"manager","mem":99,"pkts_proc":0,"bytes_recv":0,"events_proc":2171,"events_queued":2175,"active_tcp_conns" :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1097,"active_timers":77,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size ":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} {"_path":"stats","_write_ts":"2020-03-06T10:00:26.676726Z","ts":"2020-03-06T10:00:26.676726Z","peer":"proxy-1","mem":95,"pkts_proc":0,"bytes_recv":0,"events_proc":1579,"events_queued":1579,"active_tcp_conns" :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":939,"active_timers":39,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size" :0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} {"_path":"stats","_write_ts":"2020-03-06T10:00:28.087807Z","ts":"2020-03-06T10:00:28.087807Z","peer":"worker-1-1","mem":494,"pkts_proc":4342283,"bytes_recv":3395272841,"pkts_dropped":0,"pkts_link":4347989,"p kt_lag":0.010818004608154297,"events_proc":894955,"events_queued":894955,"active_tcp_conns":2944,"active_udp_conns":473,"active_icmp_conns":70,"tcp_conns":9036,"udp_conns":7376,"icmp_conns":383,"timers":2168 06,"active_timers":11468,"files":10693,"active_files":10,"dns_requests":2,"active_dns_requests":0,"reassem_tcp_size":500680,"reassem_file_size":451064,"reassem_frag_size":0,"reassem_unknown_size":0} {"_path":"stats","_write_ts":"2020-03-06T10:05:25.185129Z","ts":"2020-03-06T10:05:25.185129Z","peer":"manager","mem":99,"pkts_proc":0,"bytes_recv":0,"events_proc":3573,"events_queued":3569,"active_tcp_conns" :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1063,"active_timers":77,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size ":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} {"_path":"stats","_write_ts":"2020-03-06T10:05:26.677296Z","ts":"2020-03-06T10:05:26.677296Z","peer":"proxy-1","mem":95,"pkts_proc":0,"bytes_recv":0,"events_proc":2101,"events_queued":2101,"active_tcp_conns" :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":933,"active_timers":39,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size" :0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} {"_path":"stats","_write_ts":"2020-03-06T10:05:28.087831Z","ts":"2020-03-06T10:05:28.087831Z","peer":"worker-1-1","mem":494,"pkts_proc":4024429,"bytes_recv":3075761558,"pkts_dropped":0,"pkts_link":4029762,"p kt_lag":0.012360095977783203,"events_proc":860917,"events_queued":860919,"active_tcp_conns":3043,"active_udp_conns":505,"active_icmp_conns":149,"tcp_conns":10006,"udp_conns":7298,"icmp_conns":483,"timers":23 2394,"active_timers":12492,"files":11763,"active_files":13,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":60920,"reassem_file_size":955592,"reassem_frag_size":0,"reassem_unknown_size":0} My network interface reports 0 drops: NIC statistics: rx_packets: 57185146109 tx_packets: 118236 rx_bytes: 51106679706383 tx_bytes: 12060072 rx_broadcast: 28116614 tx_broadcast: 0 rx_multicast: 430062675 tx_multicast: 0 multicast: 430062675 collisions: 0 rx_crc_errors: 0 rx_no_buffer_count: 0 rx_missed_errors: 0 tx_aborted_errors: 0 tx_carrier_errors: 0 tx_window_errors: 0 tx_abort_late_coll: 0 tx_deferred_ok: 0 tx_single_coll_ok: 0 tx_multi_coll_ok: 0 tx_timeout_count: 0 rx_long_length_errors: 0 rx_short_length_errors: 0 rx_align_errors: 0 tx_tcp_seg_good: 0 tx_tcp_seg_failed: 0 rx_flow_control_xon: 0 rx_flow_control_xoff: 0 tx_flow_control_xon: 0 tx_flow_control_xoff: 0 rx_long_byte_count: 51106679706383 tx_dma_out_of_sync: 0 tx_smbus: 0 rx_smbus: 0 dropped_smbus: 0 os2bmc_rx_by_bmc: 0 os2bmc_tx_by_bmc: 0 os2bmc_tx_by_host: 0 os2bmc_rx_by_host: 0 tx_hwtstamp_timeouts: 0 rx_hwtstamp_cleared: 0 rx_errors: 0 tx_errors: 0 tx_dropped: 0 rx_length_errors: 0 rx_over_errors: 0 rx_frame_errors: 0 rx_fifo_errors: 0 tx_fifo_errors: 0 tx_heartbeat_errors: 0 tx_queue_0_packets: 0 tx_queue_0_restart: 0 tx_queue_1_packets: 118236 tx_queue_1_bytes: 11587128 tx_queue_1_restart: 0 tx_queue_2_packets: 0 tx_queue_2_bytes: 0 tx_queue_2_restart: 0 tx_queue_3_packets: 0 tx_queue_3_bytes: 0 tx_queue_3_restart: 0 tx_queue_4_packets: 0 tx_queue_4_bytes: 0 tx_queue_4_restart: 0 tx_queue_5_packets: 0 tx_queue_5_bytes: 0 tx_queue_5_restart: 0 tx_queue_6_packets: 0 tx_queue_6_bytes: 0 tx_queue_6_restart: 0 tx_queue_7_packets: 0 tx_queue_7_bytes: 0 tx_queue_7_restart: 0 rx_queue_0_packets: 7309311690 rx_queue_0_bytes: 6672057827542 rx_queue_0_drops: 0 rx_queue_0_csum_err: 0 rx_queue_0_alloc_failed: 0 rx_queue_1_packets: 7067404359 rx_queue_1_bytes: 5978548722708 rx_queue_1_drops: 0 rx_queue_1_csum_err: 0 rx_queue_1_alloc_failed: 0 rx_queue_2_packets: 6936589456 rx_queue_2_bytes: 5816850955623 rx_queue_2_drops: 0 rx_queue_2_csum_err: 0 rx_queue_2_alloc_failed: 0 rx_queue_3_packets: 7560820836 rx_queue_3_bytes: 7177372551363 rx_queue_3_drops: 0 rx_queue_3_csum_err: 0 rx_queue_3_alloc_failed: 0 rx_queue_4_packets: 6665690657 rx_queue_4_bytes: 5815406197188 rx_queue_4_drops: 0 rx_queue_4_csum_err: 0 rx_queue_4_alloc_failed: 0 rx_queue_5_packets: 7245905157 rx_queue_5_bytes: 6640952714842 rx_queue_5_drops: 0 rx_queue_5_csum_err: 0 tx_queue_5_restart: 0 tx_queue_6_packets: 0 tx_queue_6_bytes: 0 tx_queue_6_restart: 0 tx_queue_7_packets: 0 tx_queue_7_bytes: 0 tx_queue_7_restart: 0 rx_queue_0_packets: 7309311690 rx_queue_0_bytes: 6672057827542 rx_queue_0_drops: 0 rx_queue_0_csum_err: 0 rx_queue_0_alloc_failed: 0 rx_queue_1_packets: 7067404359 rx_queue_1_bytes: 5978548722708 rx_queue_1_drops: 0 rx_queue_1_csum_err: 0 rx_queue_1_alloc_failed: 0 rx_queue_2_packets: 6936589456 rx_queue_2_bytes: 5816850955623 rx_queue_2_drops: 0 rx_queue_2_csum_err: 0 rx_queue_2_alloc_failed: 0 rx_queue_3_packets: 7560820836 rx_queue_3_bytes: 7177372551363 rx_queue_3_drops: 0 rx_queue_3_csum_err: 0 rx_queue_3_alloc_failed: 0 rx_queue_4_packets: 6665690657 rx_queue_4_bytes: 5815406197188 rx_queue_4_drops: 0 rx_queue_4_csum_err: 0 rx_queue_4_alloc_failed: 0 rx_queue_5_packets: 7245905157 rx_queue_5_bytes: 6640952714842 rx_queue_5_drops: 0 rx_queue_5_csum_err: 0 rx_queue_5_alloc_failed: 0 rx_queue_6_packets: 7693400503 rx_queue_6_bytes: 6803443308105 rx_queue_6_drops: 0 rx_queue_6_csum_err: 0 rx_queue_6_alloc_failed: 0 rx_queue_7_packets: 6706023451 rx_queue_7_bytes: 5768995611822 rx_queue_7_drops: 0 rx_queue_7_csum_err: 0 rx_queue_7_alloc_failed: 0 Is there something am I missing? Is it a way to further analyze the problem? By looking in zeek logs everything looks fine. -- Federico Foschini. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200306/4b786dae/attachment-0001.html From michalpurzynski1 at gmail.com Fri Mar 6 02:39:07 2020 From: michalpurzynski1 at gmail.com (=?UTF-8?B?TWljaGHFgiBQdXJ6ecWEc2tp?=) Date: Fri, 6 Mar 2020 02:39:07 -0800 Subject: [Zeek] Capture packet loss discrepancy In-Reply-To: References: Message-ID: You either drop data before it reaches Zeek sensors or you have an offloading missconfiguration on the card or you have a load-balancing problem. That might be a good news. The capture.log file is based on heuristics "I have seen some ACKs without matching data packets" - but won't tell you where the problem is. Justin calls it a "check engine light". You don't seem to have drops in stats.log and in ethtool stats. That's great. Stats.log meaning is different for each capture method and it's never enough without some ethtool stats. Can you tell us more about your setup? - how are you feeding your sensor (taps, span ports, etc) - what's your capture mechanism? - can you share all commands for interface's configuration? - can you share the node.cfg - output of ethtool -c ethtool -l ethtool -x ethtool -a ethtool -g On Fri, Mar 6, 2020 at 2:19 AM Federico Foschini wrote: > Hello, > I?m using Zeek 3.0.1 and I?m seeing very high zeek capture loss even if > the system load is very low (I?m analyzing 50-100mbps of traffic with a > Xeon 8C-16T and 32GiB of ram, the system load is barely rearching 1). > > This is what > https://docs.zeek.org/en/stable/scripts/policy/misc/capture-loss.zeek.html > is reporting: > > {"_path":"capture_loss","_write_ts":"2020-03-06T10:00:28.080623Z","ts":"2020-03-06T10:00:28.080623Z","ts_delta":900.0000138282776,"peer":"worker-1-1","gaps":980763,"acks":3451717,"percent_lost":28.4137720444 > 6367} > {"_path":"capture_loss","_write_ts":"2020-03-06T09:45:28.080609Z","ts":"2020-03-06T09:45:28.080609Z","ts_delta":900.0000011920929,"peer":"worker-1-1","gaps":775832,"acks":3944662,"percent_lost":19.6678955002 > 98886} > > But in Zeek stats logs I cannot see any drops: > > {"_path":"stats","_write_ts":"2020-03-06T10:00:25.184307Z","ts":"2020-03-06T10:00:25.184307Z","peer":"manager","mem":99,"pkts_proc":0,"bytes_recv":0,"events_proc":2171,"events_queued":2175,"active_tcp_conns" > :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1097,"active_timers":77,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size > ":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} > {"_path":"stats","_write_ts":"2020-03-06T10:00:26.676726Z","ts":"2020-03-06T10:00:26.676726Z","peer":"proxy-1","mem":95,"pkts_proc":0,"bytes_recv":0,"events_proc":1579,"events_queued":1579,"active_tcp_conns" > :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":939,"active_timers":39,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size" > :0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} > {"_path":"stats","_write_ts":"2020-03-06T10:00:28.087807Z","ts":"2020-03-06T10:00:28.087807Z","peer":"worker-1-1","mem":494,"pkts_proc":4342283,"bytes_recv":3395272841,"pkts_dropped":0,"pkts_link":4347989,"p > kt_lag":0.010818004608154297,"events_proc":894955,"events_queued":894955,"active_tcp_conns":2944,"active_udp_conns":473,"active_icmp_conns":70,"tcp_conns":9036,"udp_conns":7376,"icmp_conns":383,"timers":2168 > 06,"active_timers":11468,"files":10693,"active_files":10,"dns_requests":2,"active_dns_requests":0,"reassem_tcp_size":500680,"reassem_file_size":451064,"reassem_frag_size":0,"reassem_unknown_size":0} > {"_path":"stats","_write_ts":"2020-03-06T10:05:25.185129Z","ts":"2020-03-06T10:05:25.185129Z","peer":"manager","mem":99,"pkts_proc":0,"bytes_recv":0,"events_proc":3573,"events_queued":3569,"active_tcp_conns" > :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1063,"active_timers":77,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size > ":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} > {"_path":"stats","_write_ts":"2020-03-06T10:05:26.677296Z","ts":"2020-03-06T10:05:26.677296Z","peer":"proxy-1","mem":95,"pkts_proc":0,"bytes_recv":0,"events_proc":2101,"events_queued":2101,"active_tcp_conns" > :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":933,"active_timers":39,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size" > :0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} > {"_path":"stats","_write_ts":"2020-03-06T10:05:28.087831Z","ts":"2020-03-06T10:05:28.087831Z","peer":"worker-1-1","mem":494,"pkts_proc":4024429,"bytes_recv":3075761558,"pkts_dropped":0,"pkts_link":4029762,"p > kt_lag":0.012360095977783203,"events_proc":860917,"events_queued":860919,"active_tcp_conns":3043,"active_udp_conns":505,"active_icmp_conns":149,"tcp_conns":10006,"udp_conns":7298,"icmp_conns":483,"timers":23 > 2394,"active_timers":12492,"files":11763,"active_files":13,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":60920,"reassem_file_size":955592,"reassem_frag_size":0,"reassem_unknown_size":0} > > My network interface reports 0 drops: > > NIC statistics: > rx_packets: 57185146109 > tx_packets: 118236 > rx_bytes: 51106679706383 > tx_bytes: 12060072 > rx_broadcast: 28116614 > tx_broadcast: 0 > rx_multicast: 430062675 > tx_multicast: 0 > multicast: 430062675 > collisions: 0 > rx_crc_errors: 0 > rx_no_buffer_count: 0 > rx_missed_errors: 0 > tx_aborted_errors: 0 > tx_carrier_errors: 0 > tx_window_errors: 0 > tx_abort_late_coll: 0 > tx_deferred_ok: 0 > tx_single_coll_ok: 0 > tx_multi_coll_ok: 0 > tx_timeout_count: 0 > rx_long_length_errors: 0 > rx_short_length_errors: 0 > rx_align_errors: 0 > tx_tcp_seg_good: 0 > tx_tcp_seg_failed: 0 > rx_flow_control_xon: 0 > rx_flow_control_xoff: 0 > tx_flow_control_xon: 0 > tx_flow_control_xoff: 0 > rx_long_byte_count: 51106679706383 > tx_dma_out_of_sync: 0 > tx_smbus: 0 > rx_smbus: 0 > dropped_smbus: 0 > os2bmc_rx_by_bmc: 0 > os2bmc_tx_by_bmc: 0 > os2bmc_tx_by_host: 0 > os2bmc_rx_by_host: 0 > tx_hwtstamp_timeouts: 0 > rx_hwtstamp_cleared: 0 > rx_errors: 0 > tx_errors: 0 > tx_dropped: 0 > rx_length_errors: 0 > rx_over_errors: 0 > rx_frame_errors: 0 > rx_fifo_errors: 0 > tx_fifo_errors: 0 > tx_heartbeat_errors: 0 > tx_queue_0_packets: 0 > tx_queue_0_restart: 0 > tx_queue_1_packets: 118236 > tx_queue_1_bytes: 11587128 > tx_queue_1_restart: 0 > tx_queue_2_packets: 0 > tx_queue_2_bytes: 0 > tx_queue_2_restart: 0 > tx_queue_3_packets: 0 > tx_queue_3_bytes: 0 > tx_queue_3_restart: 0 > tx_queue_4_packets: 0 > tx_queue_4_bytes: 0 > tx_queue_4_restart: 0 > tx_queue_5_packets: 0 > tx_queue_5_bytes: 0 > tx_queue_5_restart: 0 > tx_queue_6_packets: 0 > tx_queue_6_bytes: 0 > tx_queue_6_restart: 0 > tx_queue_7_packets: 0 > tx_queue_7_bytes: 0 > tx_queue_7_restart: 0 > rx_queue_0_packets: 7309311690 > rx_queue_0_bytes: 6672057827542 > rx_queue_0_drops: 0 > rx_queue_0_csum_err: 0 > rx_queue_0_alloc_failed: 0 > rx_queue_1_packets: 7067404359 > rx_queue_1_bytes: 5978548722708 > rx_queue_1_drops: 0 > rx_queue_1_csum_err: 0 > rx_queue_1_alloc_failed: 0 > rx_queue_2_packets: 6936589456 > rx_queue_2_bytes: 5816850955623 > rx_queue_2_drops: 0 > rx_queue_2_csum_err: 0 > rx_queue_2_alloc_failed: 0 > rx_queue_3_packets: 7560820836 > rx_queue_3_bytes: 7177372551363 > rx_queue_3_drops: 0 > rx_queue_3_csum_err: 0 > rx_queue_3_alloc_failed: 0 > rx_queue_4_packets: 6665690657 > rx_queue_4_bytes: 5815406197188 > rx_queue_4_drops: 0 > rx_queue_4_csum_err: 0 > rx_queue_4_alloc_failed: 0 > rx_queue_5_packets: 7245905157 > rx_queue_5_bytes: 6640952714842 > rx_queue_5_drops: 0 > rx_queue_5_csum_err: 0 > tx_queue_5_restart: 0 > tx_queue_6_packets: 0 > tx_queue_6_bytes: 0 > tx_queue_6_restart: 0 > tx_queue_7_packets: 0 > tx_queue_7_bytes: 0 > tx_queue_7_restart: 0 > rx_queue_0_packets: 7309311690 > rx_queue_0_bytes: 6672057827542 > rx_queue_0_drops: 0 > rx_queue_0_csum_err: 0 > rx_queue_0_alloc_failed: 0 > rx_queue_1_packets: 7067404359 > rx_queue_1_bytes: 5978548722708 > rx_queue_1_drops: 0 > rx_queue_1_csum_err: 0 > rx_queue_1_alloc_failed: 0 > rx_queue_2_packets: 6936589456 > rx_queue_2_bytes: 5816850955623 > rx_queue_2_drops: 0 > rx_queue_2_csum_err: 0 > rx_queue_2_alloc_failed: 0 > rx_queue_3_packets: 7560820836 > rx_queue_3_bytes: 7177372551363 > rx_queue_3_drops: 0 > rx_queue_3_csum_err: 0 > rx_queue_3_alloc_failed: 0 > rx_queue_4_packets: 6665690657 > rx_queue_4_bytes: 5815406197188 > rx_queue_4_drops: 0 > rx_queue_4_csum_err: 0 > rx_queue_4_alloc_failed: 0 > rx_queue_5_packets: 7245905157 > rx_queue_5_bytes: 6640952714842 > rx_queue_5_drops: 0 > rx_queue_5_csum_err: 0 > rx_queue_5_alloc_failed: 0 > rx_queue_6_packets: 7693400503 > rx_queue_6_bytes: 6803443308105 > rx_queue_6_drops: 0 > rx_queue_6_csum_err: 0 > rx_queue_6_alloc_failed: 0 > rx_queue_7_packets: 6706023451 > rx_queue_7_bytes: 5768995611822 > rx_queue_7_drops: 0 > rx_queue_7_csum_err: 0 > rx_queue_7_alloc_failed: 0 > > Is there something am I missing? Is it a way to further analyze the > problem? By looking in zeek logs everything looks fine. > -- > Federico Foschini. > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200306/2cbaa6be/attachment-0001.html From undicizeri at gmail.com Fri Mar 6 02:47:33 2020 From: undicizeri at gmail.com (Federico Foschini) Date: Fri, 6 Mar 2020 11:47:33 +0100 Subject: [Zeek] Capture packet loss discrepancy In-Reply-To: References: Message-ID: Hello, thank you for your help. I?m configured a span port on the switch. In Zeek I?ve configured the AF_Packet plugin. This is my node.cfg: [manager] type=manager host=localhost [proxy-1] type=proxy host=localhost [worker-1] type=worker host=localhost interface=bond0 lb_method=custom lb_procs=1 af_packet_fanout_id=21 af_packet_fanout_mode=AF_Packet::FANOUT_HASH af_packet_buffer_size=128*1024*1024 This is the ethtool output: ethtool -c eno2 Coalesce parameters for eno2: Adaptive RX: off TX: off stats-block-usecs: 0 sample-interval: 0 pkt-rate-low: 0 pkt-rate-high: 0 rx-usecs: 3 rx-frames: 0 rx-usecs-irq: 0 rx-frames-irq: 0 tx-usecs: 0 tx-frames: 0 tx-usecs-irq: 0 tx-frames-irq: 0 rx-usecs-low: 0 rx-frame-low: 0 tx-usecs-low: 0 tx-frame-low: 0 rx-usecs-high: 0 rx-frame-high: 0 tx-usecs-high: 0 tx-frame-high: 0 ethtool -l eno2 Channel parameters for eno2: Pre-set maximums: RX: 0 TX: 0 Other: 1 Combined: 8 Current hardware settings: RX: 0 TX: 0 Other: 1 Combined: 8 ethtool -x eno2 RX flow hash indirection table for eno2 with 8 RX ring(s): 0: 0 0 0 0 0 0 0 0 8: 0 0 0 0 0 0 0 0 16: 1 1 1 1 1 1 1 1 24: 1 1 1 1 1 1 1 1 32: 2 2 2 2 2 2 2 2 40: 2 2 2 2 2 2 2 2 48: 3 3 3 3 3 3 3 3 56: 3 3 3 3 3 3 3 3 64: 4 4 4 4 4 4 4 4 72: 4 4 4 4 4 4 4 4 80: 5 5 5 5 5 5 5 5 88: 5 5 5 5 5 5 5 5 96: 6 6 6 6 6 6 6 6 104: 6 6 6 6 6 6 6 6 112: 7 7 7 7 7 7 7 7 120: 7 7 7 7 7 7 7 7 RSS hash key: Operation not supported ethtool -a eno2 Pause parameters for eno2: Autonegotiate: on RX: on TX: off ethtool -g eno2 Ring parameters for eno2: Pre-set maximums: RX: 4096 RX Mini: 0 RX Jumbo: 0 TX: 4096 Current hardware settings: RX: 4096 RX Mini: 0 RX Jumbo: 0 TX: 256 Il giorno ven 6 mar 2020 alle ore 11:39 Micha? Purzy?ski < michalpurzynski1 at gmail.com> ha scritto: > You either drop data before it reaches Zeek sensors or you have an > offloading missconfiguration on the card or you have a load-balancing > problem. That might be a good news. > > The capture.log file is based on heuristics "I have seen some ACKs without > matching data packets" - but won't tell you where the problem is. Justin > calls it a "check engine light". > > You don't seem to have drops in stats.log and in ethtool stats. That's > great. Stats.log meaning is different for each capture method and it's > never enough without some ethtool stats. > > Can you tell us more about your setup? > - how are you feeding your sensor (taps, span ports, etc) > - what's your capture mechanism? > - can you share all commands for interface's configuration? > - can you share the node.cfg > - output of > > ethtool -c > ethtool -l > ethtool -x > ethtool -a > ethtool -g > > On Fri, Mar 6, 2020 at 2:19 AM Federico Foschini > wrote: > >> Hello, >> I?m using Zeek 3.0.1 and I?m seeing very high zeek capture loss even if >> the system load is very low (I?m analyzing 50-100mbps of traffic with a >> Xeon 8C-16T and 32GiB of ram, the system load is barely rearching 1). >> >> This is what >> https://docs.zeek.org/en/stable/scripts/policy/misc/capture-loss.zeek.html >> is reporting: >> >> {"_path":"capture_loss","_write_ts":"2020-03-06T10:00:28.080623Z","ts":"2020-03-06T10:00:28.080623Z","ts_delta":900.0000138282776,"peer":"worker-1-1","gaps":980763,"acks":3451717,"percent_lost":28.4137720444 >> 6367} >> {"_path":"capture_loss","_write_ts":"2020-03-06T09:45:28.080609Z","ts":"2020-03-06T09:45:28.080609Z","ts_delta":900.0000011920929,"peer":"worker-1-1","gaps":775832,"acks":3944662,"percent_lost":19.6678955002 >> 98886} >> >> But in Zeek stats logs I cannot see any drops: >> >> {"_path":"stats","_write_ts":"2020-03-06T10:00:25.184307Z","ts":"2020-03-06T10:00:25.184307Z","peer":"manager","mem":99,"pkts_proc":0,"bytes_recv":0,"events_proc":2171,"events_queued":2175,"active_tcp_conns" >> :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1097,"active_timers":77,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size >> ":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} >> {"_path":"stats","_write_ts":"2020-03-06T10:00:26.676726Z","ts":"2020-03-06T10:00:26.676726Z","peer":"proxy-1","mem":95,"pkts_proc":0,"bytes_recv":0,"events_proc":1579,"events_queued":1579,"active_tcp_conns" >> :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":939,"active_timers":39,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size" >> :0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} >> {"_path":"stats","_write_ts":"2020-03-06T10:00:28.087807Z","ts":"2020-03-06T10:00:28.087807Z","peer":"worker-1-1","mem":494,"pkts_proc":4342283,"bytes_recv":3395272841,"pkts_dropped":0,"pkts_link":4347989,"p >> kt_lag":0.010818004608154297,"events_proc":894955,"events_queued":894955,"active_tcp_conns":2944,"active_udp_conns":473,"active_icmp_conns":70,"tcp_conns":9036,"udp_conns":7376,"icmp_conns":383,"timers":2168 >> 06,"active_timers":11468,"files":10693,"active_files":10,"dns_requests":2,"active_dns_requests":0,"reassem_tcp_size":500680,"reassem_file_size":451064,"reassem_frag_size":0,"reassem_unknown_size":0} >> {"_path":"stats","_write_ts":"2020-03-06T10:05:25.185129Z","ts":"2020-03-06T10:05:25.185129Z","peer":"manager","mem":99,"pkts_proc":0,"bytes_recv":0,"events_proc":3573,"events_queued":3569,"active_tcp_conns" >> :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1063,"active_timers":77,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size >> ":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} >> {"_path":"stats","_write_ts":"2020-03-06T10:05:26.677296Z","ts":"2020-03-06T10:05:26.677296Z","peer":"proxy-1","mem":95,"pkts_proc":0,"bytes_recv":0,"events_proc":2101,"events_queued":2101,"active_tcp_conns" >> :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":933,"active_timers":39,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size" >> :0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} >> {"_path":"stats","_write_ts":"2020-03-06T10:05:28.087831Z","ts":"2020-03-06T10:05:28.087831Z","peer":"worker-1-1","mem":494,"pkts_proc":4024429,"bytes_recv":3075761558,"pkts_dropped":0,"pkts_link":4029762,"p >> kt_lag":0.012360095977783203,"events_proc":860917,"events_queued":860919,"active_tcp_conns":3043,"active_udp_conns":505,"active_icmp_conns":149,"tcp_conns":10006,"udp_conns":7298,"icmp_conns":483,"timers":23 >> 2394,"active_timers":12492,"files":11763,"active_files":13,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":60920,"reassem_file_size":955592,"reassem_frag_size":0,"reassem_unknown_size":0} >> >> My network interface reports 0 drops: >> >> NIC statistics: >> rx_packets: 57185146109 >> tx_packets: 118236 >> rx_bytes: 51106679706383 >> tx_bytes: 12060072 >> rx_broadcast: 28116614 >> tx_broadcast: 0 >> rx_multicast: 430062675 >> tx_multicast: 0 >> multicast: 430062675 >> collisions: 0 >> rx_crc_errors: 0 >> rx_no_buffer_count: 0 >> rx_missed_errors: 0 >> tx_aborted_errors: 0 >> tx_carrier_errors: 0 >> tx_window_errors: 0 >> tx_abort_late_coll: 0 >> tx_deferred_ok: 0 >> tx_single_coll_ok: 0 >> tx_multi_coll_ok: 0 >> tx_timeout_count: 0 >> rx_long_length_errors: 0 >> rx_short_length_errors: 0 >> rx_align_errors: 0 >> tx_tcp_seg_good: 0 >> tx_tcp_seg_failed: 0 >> rx_flow_control_xon: 0 >> rx_flow_control_xoff: 0 >> tx_flow_control_xon: 0 >> tx_flow_control_xoff: 0 >> rx_long_byte_count: 51106679706383 >> tx_dma_out_of_sync: 0 >> tx_smbus: 0 >> rx_smbus: 0 >> dropped_smbus: 0 >> os2bmc_rx_by_bmc: 0 >> os2bmc_tx_by_bmc: 0 >> os2bmc_tx_by_host: 0 >> os2bmc_rx_by_host: 0 >> tx_hwtstamp_timeouts: 0 >> rx_hwtstamp_cleared: 0 >> rx_errors: 0 >> tx_errors: 0 >> tx_dropped: 0 >> rx_length_errors: 0 >> rx_over_errors: 0 >> rx_frame_errors: 0 >> rx_fifo_errors: 0 >> tx_fifo_errors: 0 >> tx_heartbeat_errors: 0 >> tx_queue_0_packets: 0 >> tx_queue_0_restart: 0 >> tx_queue_1_packets: 118236 >> tx_queue_1_bytes: 11587128 >> tx_queue_1_restart: 0 >> tx_queue_2_packets: 0 >> tx_queue_2_bytes: 0 >> tx_queue_2_restart: 0 >> tx_queue_3_packets: 0 >> tx_queue_3_bytes: 0 >> tx_queue_3_restart: 0 >> tx_queue_4_packets: 0 >> tx_queue_4_bytes: 0 >> tx_queue_4_restart: 0 >> tx_queue_5_packets: 0 >> tx_queue_5_bytes: 0 >> tx_queue_5_restart: 0 >> tx_queue_6_packets: 0 >> tx_queue_6_bytes: 0 >> tx_queue_6_restart: 0 >> tx_queue_7_packets: 0 >> tx_queue_7_bytes: 0 >> tx_queue_7_restart: 0 >> rx_queue_0_packets: 7309311690 >> rx_queue_0_bytes: 6672057827542 >> rx_queue_0_drops: 0 >> rx_queue_0_csum_err: 0 >> rx_queue_0_alloc_failed: 0 >> rx_queue_1_packets: 7067404359 >> rx_queue_1_bytes: 5978548722708 >> rx_queue_1_drops: 0 >> rx_queue_1_csum_err: 0 >> rx_queue_1_alloc_failed: 0 >> rx_queue_2_packets: 6936589456 >> rx_queue_2_bytes: 5816850955623 >> rx_queue_2_drops: 0 >> rx_queue_2_csum_err: 0 >> rx_queue_2_alloc_failed: 0 >> rx_queue_3_packets: 7560820836 >> rx_queue_3_bytes: 7177372551363 >> rx_queue_3_drops: 0 >> rx_queue_3_csum_err: 0 >> rx_queue_3_alloc_failed: 0 >> rx_queue_4_packets: 6665690657 >> rx_queue_4_bytes: 5815406197188 >> rx_queue_4_drops: 0 >> rx_queue_4_csum_err: 0 >> rx_queue_4_alloc_failed: 0 >> rx_queue_5_packets: 7245905157 >> rx_queue_5_bytes: 6640952714842 >> rx_queue_5_drops: 0 >> rx_queue_5_csum_err: 0 >> tx_queue_5_restart: 0 >> tx_queue_6_packets: 0 >> tx_queue_6_bytes: 0 >> tx_queue_6_restart: 0 >> tx_queue_7_packets: 0 >> tx_queue_7_bytes: 0 >> tx_queue_7_restart: 0 >> rx_queue_0_packets: 7309311690 >> rx_queue_0_bytes: 6672057827542 >> rx_queue_0_drops: 0 >> rx_queue_0_csum_err: 0 >> rx_queue_0_alloc_failed: 0 >> rx_queue_1_packets: 7067404359 >> rx_queue_1_bytes: 5978548722708 >> rx_queue_1_drops: 0 >> rx_queue_1_csum_err: 0 >> rx_queue_1_alloc_failed: 0 >> rx_queue_2_packets: 6936589456 >> rx_queue_2_bytes: 5816850955623 >> rx_queue_2_drops: 0 >> rx_queue_2_csum_err: 0 >> rx_queue_2_alloc_failed: 0 >> rx_queue_3_packets: 7560820836 >> rx_queue_3_bytes: 7177372551363 >> rx_queue_3_drops: 0 >> rx_queue_3_csum_err: 0 >> rx_queue_3_alloc_failed: 0 >> rx_queue_4_packets: 6665690657 >> rx_queue_4_bytes: 5815406197188 >> rx_queue_4_drops: 0 >> rx_queue_4_csum_err: 0 >> rx_queue_4_alloc_failed: 0 >> rx_queue_5_packets: 7245905157 >> rx_queue_5_bytes: 6640952714842 >> rx_queue_5_drops: 0 >> rx_queue_5_csum_err: 0 >> rx_queue_5_alloc_failed: 0 >> rx_queue_6_packets: 7693400503 >> rx_queue_6_bytes: 6803443308105 >> rx_queue_6_drops: 0 >> rx_queue_6_csum_err: 0 >> rx_queue_6_alloc_failed: 0 >> rx_queue_7_packets: 6706023451 >> rx_queue_7_bytes: 5768995611822 >> rx_queue_7_drops: 0 >> rx_queue_7_csum_err: 0 >> rx_queue_7_alloc_failed: 0 >> >> Is there something am I missing? Is it a way to further analyze the >> problem? By looking in zeek logs everything looks fine. >> -- >> Federico Foschini. >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > > -- Federico Foschini. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200306/f1d18a36/attachment-0001.html From undicizeri at gmail.com Fri Mar 6 02:53:42 2020 From: undicizeri at gmail.com (Federico Foschini) Date: Fri, 6 Mar 2020 11:53:42 +0100 Subject: [Zeek] Capture packet loss discrepancy In-Reply-To: References:

Message-ID: I?m also adding my /etc/network/interfaces: auto eno2 iface eno2 inet manual up ip link set $IFACE promisc on arp off up down ip link set $IFACE promisc off down post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 bond-master bond0 auto bond0 iface bond0 inet manual bond-mode balance-rr bond-slaves eno2 mtu 1500 up ip link set bond0 promisc on arp off up down ip link set bond0 promisc off down post-up ethtool -G bond0 rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K bond0 $i off; done post-up echo 1 > /proc/sys/net/ipv6/conf/bond0/disable_ipv6 I?ve configured a bond interface because I?m planning to add another span port. I?ve copied this configuration from SecurityOnion github: https://github.com/Security-Onion-Solutions/securityonion-saltstack/blob/d3826bc605a22e090bc7cf07309bce76a2f12623/setup/so-functions#L298 Il giorno ven 6 mar 2020 alle ore 11:47 Federico Foschini < undicizeri at gmail.com> ha scritto: > Hello, > thank you for your help. > I?m configured a span port on the switch. > > In Zeek I?ve configured the AF_Packet plugin. > > This is my node.cfg: > > [manager] > type=manager > host=localhost > > [proxy-1] > type=proxy > host=localhost > > [worker-1] > type=worker > host=localhost > interface=bond0 > lb_method=custom > lb_procs=1 > af_packet_fanout_id=21 > af_packet_fanout_mode=AF_Packet::FANOUT_HASH > af_packet_buffer_size=128*1024*1024 > > This is the ethtool output: > > ethtool -c eno2 > Coalesce parameters for eno2: > Adaptive RX: off TX: off > stats-block-usecs: 0 > sample-interval: 0 > pkt-rate-low: 0 > pkt-rate-high: 0 > > rx-usecs: 3 > rx-frames: 0 > rx-usecs-irq: 0 > rx-frames-irq: 0 > > tx-usecs: 0 > tx-frames: 0 > tx-usecs-irq: 0 > tx-frames-irq: 0 > > rx-usecs-low: 0 > rx-frame-low: 0 > tx-usecs-low: 0 > tx-frame-low: 0 > > rx-usecs-high: 0 > rx-frame-high: 0 > tx-usecs-high: 0 > tx-frame-high: 0 > > ethtool -l eno2 > Channel parameters for eno2: > Pre-set maximums: > RX: 0 > TX: 0 > Other: 1 > Combined: 8 > Current hardware settings: > RX: 0 > TX: 0 > Other: 1 > Combined: 8 > > ethtool -x eno2 > RX flow hash indirection table for eno2 with 8 RX ring(s): > 0: 0 0 0 0 0 0 0 0 > 8: 0 0 0 0 0 0 0 0 > 16: 1 1 1 1 1 1 1 1 > 24: 1 1 1 1 1 1 1 1 > 32: 2 2 2 2 2 2 2 2 > 40: 2 2 2 2 2 2 2 2 > 48: 3 3 3 3 3 3 3 3 > 56: 3 3 3 3 3 3 3 3 > 64: 4 4 4 4 4 4 4 4 > 72: 4 4 4 4 4 4 4 4 > 80: 5 5 5 5 5 5 5 5 > 88: 5 5 5 5 5 5 5 5 > 96: 6 6 6 6 6 6 6 6 > 104: 6 6 6 6 6 6 6 6 > 112: 7 7 7 7 7 7 7 7 > 120: 7 7 7 7 7 7 7 7 > RSS hash key: > Operation not supported > > ethtool -a eno2 > Pause parameters for eno2: > Autonegotiate: on > RX: on > TX: off > > ethtool -g eno2 > Ring parameters for eno2: > Pre-set maximums: > RX: 4096 > RX Mini: 0 > RX Jumbo: 0 > TX: 4096 > Current hardware settings: > RX: 4096 > RX Mini: 0 > RX Jumbo: 0 > TX: 256 > > > Il giorno ven 6 mar 2020 alle ore 11:39 Micha? Purzy?ski < > michalpurzynski1 at gmail.com> ha scritto: > >> You either drop data before it reaches Zeek sensors or you have an >> offloading missconfiguration on the card or you have a load-balancing >> problem. That might be a good news. >> >> The capture.log file is based on heuristics "I have seen some ACKs >> without matching data packets" - but won't tell you where the problem is. >> Justin calls it a "check engine light". >> >> You don't seem to have drops in stats.log and in ethtool stats. That's >> great. Stats.log meaning is different for each capture method and it's >> never enough without some ethtool stats. >> >> Can you tell us more about your setup? >> - how are you feeding your sensor (taps, span ports, etc) >> - what's your capture mechanism? >> - can you share all commands for interface's configuration? >> - can you share the node.cfg >> - output of >> >> ethtool -c >> ethtool -l >> ethtool -x >> ethtool -a >> ethtool -g >> >> On Fri, Mar 6, 2020 at 2:19 AM Federico Foschini >> wrote: >> >>> Hello, >>> I?m using Zeek 3.0.1 and I?m seeing very high zeek capture loss even if >>> the system load is very low (I?m analyzing 50-100mbps of traffic with a >>> Xeon 8C-16T and 32GiB of ram, the system load is barely rearching 1). >>> >>> This is what >>> https://docs.zeek.org/en/stable/scripts/policy/misc/capture-loss.zeek.html >>> is reporting: >>> >>> {"_path":"capture_loss","_write_ts":"2020-03-06T10:00:28.080623Z","ts":"2020-03-06T10:00:28.080623Z","ts_delta":900.0000138282776,"peer":"worker-1-1","gaps":980763,"acks":3451717,"percent_lost":28.4137720444 >>> 6367} >>> {"_path":"capture_loss","_write_ts":"2020-03-06T09:45:28.080609Z","ts":"2020-03-06T09:45:28.080609Z","ts_delta":900.0000011920929,"peer":"worker-1-1","gaps":775832,"acks":3944662,"percent_lost":19.6678955002 >>> 98886} >>> >>> But in Zeek stats logs I cannot see any drops: >>> >>> {"_path":"stats","_write_ts":"2020-03-06T10:00:25.184307Z","ts":"2020-03-06T10:00:25.184307Z","peer":"manager","mem":99,"pkts_proc":0,"bytes_recv":0,"events_proc":2171,"events_queued":2175,"active_tcp_conns" >>> :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1097,"active_timers":77,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size >>> ":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} >>> {"_path":"stats","_write_ts":"2020-03-06T10:00:26.676726Z","ts":"2020-03-06T10:00:26.676726Z","peer":"proxy-1","mem":95,"pkts_proc":0,"bytes_recv":0,"events_proc":1579,"events_queued":1579,"active_tcp_conns" >>> :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":939,"active_timers":39,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size" >>> :0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} >>> {"_path":"stats","_write_ts":"2020-03-06T10:00:28.087807Z","ts":"2020-03-06T10:00:28.087807Z","peer":"worker-1-1","mem":494,"pkts_proc":4342283,"bytes_recv":3395272841,"pkts_dropped":0,"pkts_link":4347989,"p >>> kt_lag":0.010818004608154297,"events_proc":894955,"events_queued":894955,"active_tcp_conns":2944,"active_udp_conns":473,"active_icmp_conns":70,"tcp_conns":9036,"udp_conns":7376,"icmp_conns":383,"timers":2168 >>> 06,"active_timers":11468,"files":10693,"active_files":10,"dns_requests":2,"active_dns_requests":0,"reassem_tcp_size":500680,"reassem_file_size":451064,"reassem_frag_size":0,"reassem_unknown_size":0} >>> {"_path":"stats","_write_ts":"2020-03-06T10:05:25.185129Z","ts":"2020-03-06T10:05:25.185129Z","peer":"manager","mem":99,"pkts_proc":0,"bytes_recv":0,"events_proc":3573,"events_queued":3569,"active_tcp_conns" >>> :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":1063,"active_timers":77,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size >>> ":0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} >>> {"_path":"stats","_write_ts":"2020-03-06T10:05:26.677296Z","ts":"2020-03-06T10:05:26.677296Z","peer":"proxy-1","mem":95,"pkts_proc":0,"bytes_recv":0,"events_proc":2101,"events_queued":2101,"active_tcp_conns" >>> :0,"active_udp_conns":0,"active_icmp_conns":0,"tcp_conns":0,"udp_conns":0,"icmp_conns":0,"timers":933,"active_timers":39,"files":0,"active_files":0,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size" >>> :0,"reassem_file_size":0,"reassem_frag_size":0,"reassem_unknown_size":0} >>> {"_path":"stats","_write_ts":"2020-03-06T10:05:28.087831Z","ts":"2020-03-06T10:05:28.087831Z","peer":"worker-1-1","mem":494,"pkts_proc":4024429,"bytes_recv":3075761558,"pkts_dropped":0,"pkts_link":4029762,"p >>> kt_lag":0.012360095977783203,"events_proc":860917,"events_queued":860919,"active_tcp_conns":3043,"active_udp_conns":505,"active_icmp_conns":149,"tcp_conns":10006,"udp_conns":7298,"icmp_conns":483,"timers":23 >>> 2394,"active_timers":12492,"files":11763,"active_files":13,"dns_requests":0,"active_dns_requests":0,"reassem_tcp_size":60920,"reassem_file_size":955592,"reassem_frag_size":0,"reassem_unknown_size":0} >>> >>> My network interface reports 0 drops: >>> >>> NIC statistics: >>> rx_packets: 57185146109 >>> tx_packets: 118236 >>> rx_bytes: 51106679706383 >>> tx_bytes: 12060072 >>> rx_broadcast: 28116614 >>> tx_broadcast: 0 >>> rx_multicast: 430062675 >>> tx_multicast: 0 >>> multicast: 430062675 >>> collisions: 0 >>> rx_crc_errors: 0 >>> rx_no_buffer_count: 0 >>> rx_missed_errors: 0 >>> tx_aborted_errors: 0 >>> tx_carrier_errors: 0 >>> tx_window_errors: 0 >>> tx_abort_late_coll: 0 >>> tx_deferred_ok: 0 >>> tx_single_coll_ok: 0 >>> tx_multi_coll_ok: 0 >>> tx_timeout_count: 0 >>> rx_long_length_errors: 0 >>> rx_short_length_errors: 0 >>> rx_align_errors: 0 >>> tx_tcp_seg_good: 0 >>> tx_tcp_seg_failed: 0 >>> rx_flow_control_xon: 0 >>> rx_flow_control_xoff: 0 >>> tx_flow_control_xon: 0 >>> tx_flow_control_xoff: 0 >>> rx_long_byte_count: 51106679706383 >>> tx_dma_out_of_sync: 0 >>> tx_smbus: 0 >>> rx_smbus: 0 >>> dropped_smbus: 0 >>> os2bmc_rx_by_bmc: 0 >>> os2bmc_tx_by_bmc: 0 >>> os2bmc_tx_by_host: 0 >>> os2bmc_rx_by_host: 0 >>> tx_hwtstamp_timeouts: 0 >>> rx_hwtstamp_cleared: 0 >>> rx_errors: 0 >>> tx_errors: 0 >>> tx_dropped: 0 >>> rx_length_errors: 0 >>> rx_over_errors: 0 >>> rx_frame_errors: 0 >>> rx_fifo_errors: 0 >>> tx_fifo_errors: 0 >>> tx_heartbeat_errors: 0 >>> tx_queue_0_packets: 0 >>> tx_queue_0_restart: 0 >>> tx_queue_1_packets: 118236 >>> tx_queue_1_bytes: 11587128 >>> tx_queue_1_restart: 0 >>> tx_queue_2_packets: 0 >>> tx_queue_2_bytes: 0 >>> tx_queue_2_restart: 0 >>> tx_queue_3_packets: 0 >>> tx_queue_3_bytes: 0 >>> tx_queue_3_restart: 0 >>> tx_queue_4_packets: 0 >>> tx_queue_4_bytes: 0 >>> tx_queue_4_restart: 0 >>> tx_queue_5_packets: 0 >>> tx_queue_5_bytes: 0 >>> tx_queue_5_restart: 0 >>> tx_queue_6_packets: 0 >>> tx_queue_6_bytes: 0 >>> tx_queue_6_restart: 0 >>> tx_queue_7_packets: 0 >>> tx_queue_7_bytes: 0 >>> tx_queue_7_restart: 0 >>> rx_queue_0_packets: 7309311690 >>> rx_queue_0_bytes: 6672057827542 >>> rx_queue_0_drops: 0 >>> rx_queue_0_csum_err: 0 >>> rx_queue_0_alloc_failed: 0 >>> rx_queue_1_packets: 7067404359 >>> rx_queue_1_bytes: 5978548722708 >>> rx_queue_1_drops: 0 >>> rx_queue_1_csum_err: 0 >>> rx_queue_1_alloc_failed: 0 >>> rx_queue_2_packets: 6936589456 >>> rx_queue_2_bytes: 5816850955623 >>> rx_queue_2_drops: 0 >>> rx_queue_2_csum_err: 0 >>> rx_queue_2_alloc_failed: 0 >>> rx_queue_3_packets: 7560820836 >>> rx_queue_3_bytes: 7177372551363 >>> rx_queue_3_drops: 0 >>> rx_queue_3_csum_err: 0 >>> rx_queue_3_alloc_failed: 0 >>> rx_queue_4_packets: 6665690657 >>> rx_queue_4_bytes: 5815406197188 >>> rx_queue_4_drops: 0 >>> rx_queue_4_csum_err: 0 >>> rx_queue_4_alloc_failed: 0 >>> rx_queue_5_packets: 7245905157 >>> rx_queue_5_bytes: 6640952714842 >>> rx_queue_5_drops: 0 >>> rx_queue_5_csum_err: 0 >>> tx_queue_5_restart: 0 >>> tx_queue_6_packets: 0 >>> tx_queue_6_bytes: 0 >>> tx_queue_6_restart: 0 >>> tx_queue_7_packets: 0 >>> tx_queue_7_bytes: 0 >>> tx_queue_7_restart: 0 >>> rx_queue_0_packets: 7309311690 >>> rx_queue_0_bytes: 6672057827542 >>> rx_queue_0_drops: 0 >>> rx_queue_0_csum_err: 0 >>> rx_queue_0_alloc_failed: 0 >>> rx_queue_1_packets: 7067404359 >>> rx_queue_1_bytes: 5978548722708 >>> rx_queue_1_drops: 0 >>> rx_queue_1_csum_err: 0 >>> rx_queue_1_alloc_failed: 0 >>> rx_queue_2_packets: 6936589456 >>> rx_queue_2_bytes: 5816850955623 >>> rx_queue_2_drops: 0 >>> rx_queue_2_csum_err: 0 >>> rx_queue_2_alloc_failed: 0 >>> rx_queue_3_packets: 7560820836 >>> rx_queue_3_bytes: 7177372551363 >>> rx_queue_3_drops: 0 >>> rx_queue_3_csum_err: 0 >>> rx_queue_3_alloc_failed: 0 >>> rx_queue_4_packets: 6665690657 >>> rx_queue_4_bytes: 5815406197188 >>> rx_queue_4_drops: 0 >>> rx_queue_4_csum_err: 0 >>> rx_queue_4_alloc_failed: 0 >>> rx_queue_5_packets: 7245905157 >>> rx_queue_5_bytes: 6640952714842 >>> rx_queue_5_drops: 0 >>> rx_queue_5_csum_err: 0 >>> rx_queue_5_alloc_failed: 0 >>> rx_queue_6_packets: 7693400503 >>> rx_queue_6_bytes: 6803443308105 >>> rx_queue_6_drops: 0 >>> rx_queue_6_csum_err: 0 >>> rx_queue_6_alloc_failed: 0 >>> rx_queue_7_packets: 6706023451 >>> rx_queue_7_bytes: 5768995611822 >>> rx_queue_7_drops: 0 >>> rx_queue_7_csum_err: 0 >>> rx_queue_7_alloc_failed: 0 >>> >>> Is there something am I missing? Is it a way to further analyze the >>> problem? By looking in zeek logs everything looks fine. >>> -- >>> Federico Foschini. >>> _______________________________________________ >>> Zeek mailing list >>> zeek at zeek.org >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek >> >> > > -- > Federico Foschini. > -- Federico Foschini. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200306/6638b46c/attachment-0001.html From Kayode_Enwerem at ao.uscourts.gov Fri Mar 6 05:13:03 2020 From: Kayode_Enwerem at ao.uscourts.gov (Kayode Enwerem) Date: Fri, 6 Mar 2020 13:13:03 +0000 Subject: [Zeek] Errors trying to implement the detection on CVE-2020-0601 In-Reply-To: References:

Message-ID: Thanks Johanna for your response. I set it up and tested it out on another bro instance we have running bro version 2.6.3 and got this same error message: error in /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, line 26: unknown identifier Version::at_least, at or near "Version::at_least" -----Original Message----- From: Johanna Amann Sent: Thursday, March 5, 2020 5:51 PM To: Kayode Enwerem Cc: zeek at zeek.org Subject: Re: [Zeek] Errors trying to implement the detection on CVE-2020-0601 Hi Kayode, the script does, out of the box, not support anything below bro 2.6. You can probably make it run by changing the option to a ?const log_certs = F &redef? and changing the @if (Version::) to @if ( 0 ). However, note that while it should work it has not been tested on these systems. Also - please consider updating your Zeek installation. You are missing important security and performance fixes. Johanna On 5 Mar 2020, at 10:43, Kayode Enwerem wrote: > Hello, > > I am trying to implement the detection of CVE-2020-0601 with zeek > (https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html) > using the first package (https://github.com/0xxon/cve-2020-0601) but I > keep encountering some errors. > > Version for bro in my environment: bro version 2.5.5 > > First thing I did was add this to our local.bro file: redef > CVE_2020_0601::log_certs = T; > > But when I ran "broctl check" I got the following error message: error > in /usr/local/bro/share/bro/site/local.bro, line 13: "redef" used but > not previously defined (CVE_ 2020_0601::log_certs) > > So I created the following file in > "share/bro/base/frameworks/notice/cve-2020-0601.bro" and added the > script from: > https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-06 > 01.bro > > And also edited the following file > "share/bro/base/frameworks/notice/__load__.bro" and added: @load > ./cve-2020-0601 > > Now when I run "broctl check" I am getting the following error > message: > error in > /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, > line 5: syntax error, at or near "option" > > When I comment out line 5 line I get: > error in > /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, > line 26: unknown identifier Version::at_least, at or near > "Version::at_least" > > When I comment out line 26 I get: > error in > /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, > line 35: unknown identifier f, at or near "f" > > Can someone please help me with this? Am I setting it up right? > > Thanks in advance. > > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek From johanna at icir.org Fri Mar 6 08:52:58 2020 From: johanna at icir.org (Johanna Amann) Date: Fri, 06 Mar 2020 08:52:58 -0800 Subject: [Zeek] Errors trying to implement the detection on CVE-2020-0601 In-Reply-To: References:

Message-ID: Oh, sorry - I did not quite thoroughly enough parse all of your first email. The reason for this is load ordering. You added the script to somewhere in /share/bro/base. You should never add scripts to base (or change scripts in base). We always assume that things in base are untouched - they will be overwritten on updates/upgrades. And if you change things in base you will also have to make sure that you don?t break things because of ordering issues. In any case - just move the script to share/bro/site and @load it from your local.bro, before the line in which you perform the redef - and everything should work :) Alternatively you can also install it via the package manager. I hope this helps, Johanna On 6 Mar 2020, at 5:13, Kayode Enwerem wrote: > Thanks Johanna for your response. > > I set it up and tested it out on another bro instance we have running > bro version 2.6.3 and got this same error message: > > error in > /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, > line 26: unknown identifier Version::at_least, at or near > "Version::at_least" > > > -----Original Message----- > From: Johanna Amann > Sent: Thursday, March 5, 2020 5:51 PM > To: Kayode Enwerem > Cc: zeek at zeek.org > Subject: Re: [Zeek] Errors trying to implement the detection on > CVE-2020-0601 > > Hi Kayode, > > the script does, out of the box, not support anything below bro 2.6. > > You can probably make it run by changing the option to a ?const > log_certs = F &redef? and changing the @if (Version::) to @if ( 0 ). > However, note that while it should work it has not been tested on > these systems. > > Also - please consider updating your Zeek installation. You are > missing important security and performance fixes. > > Johanna > > On 5 Mar 2020, at 10:43, Kayode Enwerem wrote: > >> Hello, >> >> I am trying to implement the detection of CVE-2020-0601 with zeek >> (https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html) >> using the first package (https://github.com/0xxon/cve-2020-0601) but >> I >> keep encountering some errors. >> >> Version for bro in my environment: bro version 2.5.5 >> >> First thing I did was add this to our local.bro file: redef >> CVE_2020_0601::log_certs = T; >> >> But when I ran "broctl check" I got the following error message: >> error >> in /usr/local/bro/share/bro/site/local.bro, line 13: "redef" used but >> not previously defined (CVE_ 2020_0601::log_certs) >> >> So I created the following file in >> "share/bro/base/frameworks/notice/cve-2020-0601.bro" and added the >> script from: >> https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-06 >> 01.bro >> >> And also edited the following file >> "share/bro/base/frameworks/notice/__load__.bro" and added: @load >> ./cve-2020-0601 >> >> Now when I run "broctl check" I am getting the following error >> message: >> error in >> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, >> line 5: syntax error, at or near "option" >> >> When I comment out line 5 line I get: >> error in >> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, >> line 26: unknown identifier Version::at_least, at or near >> "Version::at_least" >> >> When I comment out line 26 I get: >> error in >> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, >> line 35: unknown identifier f, at or near "f" >> >> Can someone please help me with this? Am I setting it up right? >> >> Thanks in advance. >> >> >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek From Kayode_Enwerem at ao.uscourts.gov Fri Mar 6 10:29:58 2020 From: Kayode_Enwerem at ao.uscourts.gov (Kayode Enwerem) Date: Fri, 6 Mar 2020 18:29:58 +0000 Subject: [Zeek] Errors trying to implement the detection on CVE-2020-0601 In-Reply-To: References:

Message-ID: Thanks again for your response. How do I test that the openssl version we have installed automatically converts explicit curves to names while the certificate is parsed? We currently have this version of openssl installed: openssl-1.0.2k-19.el7.x86_64 Thanks. Kayode Enwerem (CTR) Security Tools Linux Admin ITSO/SOC Administrative Office of the U.S. Courts (202) 227-1530 -----Original Message----- From: Johanna Amann Sent: Friday, March 6, 2020 11:53 AM To: Kayode Enwerem Cc: zeek at zeek.org Subject: Re: [Zeek] Errors trying to implement the detection on CVE-2020-0601 Oh, sorry - I did not quite thoroughly enough parse all of your first email. The reason for this is load ordering. You added the script to somewhere in /share/bro/base. You should never add scripts to base (or change scripts in base). We always assume that things in base are untouched - they will be overwritten on updates/upgrades. And if you change things in base you will also have to make sure that you don?t break things because of ordering issues. In any case - just move the script to share/bro/site and @load it from your local.bro, before the line in which you perform the redef - and everything should work :) Alternatively you can also install it via the package manager. I hope this helps, Johanna On 6 Mar 2020, at 5:13, Kayode Enwerem wrote: > Thanks Johanna for your response. > > I set it up and tested it out on another bro instance we have running > bro version 2.6.3 and got this same error message: > > error in > /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, > line 26: unknown identifier Version::at_least, at or near > "Version::at_least" > > > -----Original Message----- > From: Johanna Amann > Sent: Thursday, March 5, 2020 5:51 PM > To: Kayode Enwerem > Cc: zeek at zeek.org > Subject: Re: [Zeek] Errors trying to implement the detection on > CVE-2020-0601 > > Hi Kayode, > > the script does, out of the box, not support anything below bro 2.6. > > You can probably make it run by changing the option to a ?const > log_certs = F &redef? and changing the @if (Version::) to @if ( 0 ). > However, note that while it should work it has not been tested on > these systems. > > Also - please consider updating your Zeek installation. You are > missing important security and performance fixes. > > Johanna > > On 5 Mar 2020, at 10:43, Kayode Enwerem wrote: > >> Hello, >> >> I am trying to implement the detection of CVE-2020-0601 with zeek >> (https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html) >> using the first package (https://github.com/0xxon/cve-2020-0601) but >> I >> keep encountering some errors. >> >> Version for bro in my environment: bro version 2.5.5 >> >> First thing I did was add this to our local.bro file: redef >> CVE_2020_0601::log_certs = T; >> >> But when I ran "broctl check" I got the following error message: >> error >> in /usr/local/bro/share/bro/site/local.bro, line 13: "redef" used but >> not previously defined (CVE_ 2020_0601::log_certs) >> >> So I created the following file in >> "share/bro/base/frameworks/notice/cve-2020-0601.bro" and added the >> script from: >> https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-06 >> 01.bro >> >> And also edited the following file >> "share/bro/base/frameworks/notice/__load__.bro" and added: @load >> ./cve-2020-0601 >> >> Now when I run "broctl check" I am getting the following error >> message: >> error in >> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, >> line 5: syntax error, at or near "option" >> >> When I comment out line 5 line I get: >> error in >> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, >> line 26: unknown identifier Version::at_least, at or near >> "Version::at_least" >> >> When I comment out line 26 I get: >> error in >> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, >> line 35: unknown identifier f, at or near "f" >> >> Can someone please help me with this? Am I setting it up right? >> >> Thanks in advance. >> >> >> _______________________________________________ >> Zeek mailing list >> zeek at zeek.org >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek From clopmz at outlook.com Sat Mar 7 13:57:04 2020 From: clopmz at outlook.com (Carlos Lopez) Date: Sat, 7 Mar 2020 21:57:04 +0000 Subject: [Zeek] No packets captured by Zeek under OpenBSD Message-ID: Hi all, I just installed Zeek 3.0.3-dev.3 under two OpenBSD 6.6 amd64 vms (one as worker and another as a manager). All seems to work ok but no packet is captured by Zeek worker. In logs directory, there are only the following files: total 100 drwxr-xr-x 2 root wheel 512 Mar 7 21:50 ./ drwxr-xr-x 7 root wheel 512 Mar 7 21:50 ../ -rw-r--r-- 1 root wheel 137 Mar 7 21:42 .cmdline -rw-r--r-- 1 root wheel 350 Mar 7 21:42 .env_vars -rw-r--r-- 1 root wheel 6 Mar 7 21:42 .pid -rw-r--r-- 1 root wheel 58 Mar 7 21:42 .startup -rwx------ 1 root wheel 18 Mar 7 21:42 .status* -rw-r--r-- 1 root wheel 401 Mar 7 21:43 cluster.log -rw-r--r-- 1 root wheel 30276 Mar 7 21:43 loaded_scripts.log -rw-r--r-- 1 root wheel 856 Mar 7 21:53 stats.log -rw-r--r-- 1 root wheel 0 Mar 7 21:42 stderr.log -rw-r--r-- 1 root wheel 140 Mar 7 21:43 stdout.log No one shows any error. Same for the spool directory ? Running tcpdump in worker node works without problem and I can see all the traffic ? Any idea? -- Regards, C. L. Martinez -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200307/8f781c8c/attachment.html From clopmz at outlook.com Sun Mar 8 04:48:58 2020 From: clopmz at outlook.com (Carlos Lopez) Date: Sun, 8 Mar 2020 11:48:58 +0000 Subject: [Zeek] No packets captured by Zeek under OpenBSD Message-ID: <5C6645FC-453D-495C-A228-B3BCC243C569@outlook.com> This problem only appears when Zeek is configured as a cluster and using a distrusted installation or configuring several network interfaces like for example: [manager] type=manager host=127.0.0.1 [logger] type=logger host=127.0.0.1 [proxy] type=proxy host=127.0.0.1 [worker-1] type=worker host=127.0.0.1 interface=vio2 [worker-2] type=worker host=127.0.0.1 interface=vio3 When Zeek is configured in standalone mode everything works correctly. Among the hosts I'm testing, network communications are working perfectly between them and PF is disabled. Maybe is it a bug? I am using Zeek 3.0.3-dev.3 under OpenBSD 6.6 (fully patched). -- Regards, C. L. Martinez From: on behalf of Carlos Lopez Date: Saturday, 7 March 2020 at 23:00 To: "zeek at zeek.org" Subject: [Zeek] No packets captured by Zeek under OpenBSD Hi all, I just installed Zeek 3.0.3-dev.3 under two OpenBSD 6.6 amd64 vms (one as worker and another as a manager). All seems to work ok but no packet is captured by Zeek worker. In logs directory, there are only the following files: total 100 drwxr-xr-x 2 root wheel 512 Mar 7 21:50 ./ drwxr-xr-x 7 root wheel 512 Mar 7 21:50 ../ -rw-r--r-- 1 root wheel 137 Mar 7 21:42 .cmdline -rw-r--r-- 1 root wheel 350 Mar 7 21:42 .env_vars -rw-r--r-- 1 root wheel 6 Mar 7 21:42 .pid -rw-r--r-- 1 root wheel 58 Mar 7 21:42 .startup -rwx------ 1 root wheel 18 Mar 7 21:42 .status* -rw-r--r-- 1 root wheel 401 Mar 7 21:43 cluster.log -rw-r--r-- 1 root wheel 30276 Mar 7 21:43 loaded_scripts.log -rw-r--r-- 1 root wheel 856 Mar 7 21:53 stats.log -rw-r--r-- 1 root wheel 0 Mar 7 21:42 stderr.log -rw-r--r-- 1 root wheel 140 Mar 7 21:43 stdout.log No one shows any error. Same for the spool directory ? Running tcpdump in worker node works without problem and I can see all the traffic ? Any idea? -- Regards, C. L. Martinez -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200308/27603a1e/attachment-0001.html From johanna at icir.org Sun Mar 8 08:55:11 2020 From: johanna at icir.org (Johanna Amann) Date: Sun, 08 Mar 2020 08:55:11 -0700 Subject: [Zeek] Errors trying to implement the detection on CVE-2020-0601 In-Reply-To: References:

Message-ID: <023F3ACD-1CEA-404D-83FD-3BD3B876A7F9@icir.org> Hi Kayode, you can test it by running the test suite included with the package (git clone it and then run btest in the testing directory - or try installing it with the zeek package manager). That will run it automatically. Also - it is not really all that important - you just increase your probability of false positives a bit. That being said - I have not actually heard of anyone encountering a false positives - certificates with explicit curves are exceedingly rare. Johanna On 6 Mar 2020, at 10:29, Kayode Enwerem wrote: > Thanks again for your response. > > How do I test that the openssl version we have installed automatically > converts explicit curves to names while the certificate is parsed? > > We currently have this version of openssl installed: > openssl-1.0.2k-19.el7.x86_64 > > Thanks. > > Kayode Enwerem (CTR) > Security Tools Linux Admin > ITSO/SOC > Administrative Office of the U.S. Courts > (202) 227-1530 > > -----Original Message----- > From: Johanna Amann > Sent: Friday, March 6, 2020 11:53 AM > To: Kayode Enwerem > Cc: zeek at zeek.org > Subject: Re: [Zeek] Errors trying to implement the detection on > CVE-2020-0601 > > Oh, sorry - I did not quite thoroughly enough parse all of your first > email. > > The reason for this is load ordering. You added the script to > somewhere in /share/bro/base. You should never add scripts to base (or > change scripts in base). We always assume that things in base are > untouched - they will be overwritten on updates/upgrades. And if you > change things in base you will also have to make sure that you don?t > break things because of ordering issues. > > In any case - just move the script to share/bro/site and @load it from > your local.bro, before the line in which you perform the redef - and > everything should work :) > > Alternatively you can also install it via the package manager. > > I hope this helps, > Johanna > > On 6 Mar 2020, at 5:13, Kayode Enwerem wrote: > >> Thanks Johanna for your response. >> >> I set it up and tested it out on another bro instance we have running >> bro version 2.6.3 and got this same error message: >> >> error in >> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, >> line 26: unknown identifier Version::at_least, at or near >> "Version::at_least" >> >> >> -----Original Message----- >> From: Johanna Amann >> Sent: Thursday, March 5, 2020 5:51 PM >> To: Kayode Enwerem >> Cc: zeek at zeek.org >> Subject: Re: [Zeek] Errors trying to implement the detection on >> CVE-2020-0601 >> >> Hi Kayode, >> >> the script does, out of the box, not support anything below bro 2.6. >> >> You can probably make it run by changing the option to a ?const >> log_certs = F &redef? and changing the @if (Version::) to @if ( 0 >> ). >> However, note that while it should work it has not been tested on >> these systems. >> >> Also - please consider updating your Zeek installation. You are >> missing important security and performance fixes. >> >> Johanna >> >> On 5 Mar 2020, at 10:43, Kayode Enwerem wrote: >> >>> Hello, >>> >>> I am trying to implement the detection of CVE-2020-0601 with zeek >>> (https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html) >>> using the first package (https://github.com/0xxon/cve-2020-0601) but >>> I >>> keep encountering some errors. >>> >>> Version for bro in my environment: bro version 2.5.5 >>> >>> First thing I did was add this to our local.bro file: redef >>> CVE_2020_0601::log_certs = T; >>> >>> But when I ran "broctl check" I got the following error message: >>> error >>> in /usr/local/bro/share/bro/site/local.bro, line 13: "redef" used >>> but >>> not previously defined (CVE_ 2020_0601::log_certs) >>> >>> So I created the following file in >>> "share/bro/base/frameworks/notice/cve-2020-0601.bro" and added the >>> script from: >>> https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-06 >>> 01.bro >>> >>> And also edited the following file >>> "share/bro/base/frameworks/notice/__load__.bro" and added: @load >>> ./cve-2020-0601 >>> >>> Now when I run "broctl check" I am getting the following error >>> message: >>> error in >>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, >>> line 5: syntax error, at or near "option" >>> >>> When I comment out line 5 line I get: >>> error in >>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, >>> line 26: unknown identifier Version::at_least, at or near >>> "Version::at_least" >>> >>> When I comment out line 26 I get: >>> error in >>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, >>> line 35: unknown identifier f, at or near "f" >>> >>> Can someone please help me with this? Am I setting it up right? >>> >>> Thanks in advance. >>> >>> >>> _______________________________________________ >>> Zeek mailing list >>> zeek at zeek.org >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek From humantargetjoe at hotmail.com Mon Mar 9 11:12:36 2020 From: humantargetjoe at hotmail.com (Joseph C Marion) Date: Mon, 9 Mar 2020 18:12:36 +0000 Subject: [Zeek] Avro Schema Availability for Zeek Logs Message-ID: In an effort to save myself a lot of typing, and potentially missing fields, does anyone have a current set of Avro schemas that map to the current built-in logs in Zeek version (3.0.0+)? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200309/3d3938c4/attachment.html From jsiwek at corelight.com Mon Mar 9 11:56:34 2020 From: jsiwek at corelight.com (Jon Siwek) Date: Mon, 9 Mar 2020 11:56:34 -0700 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: References:

Message-ID: Just a FYI / heads-up: I'm planning to make 3.0.3 and 3.1.1 releases tomorrow that will include the patch for this issue. - Jon On Thu, Mar 5, 2020 at 10:57 AM Doug Burks wrote: > > OK, thanks Jon. > > On Thu, Mar 5, 2020 at 1:23 PM Jon Siwek wrote: >> >> On Thu, Mar 5, 2020 at 6:44 AM Doug Burks wrote: >> >> > Would you recommend that we apply the patch to our Zeek 3.0.2 package OR hold off on 3.0.2 and wait for 3.0.3 assuming it will be included there? >> >> Hi Doug, I do now have this on the schedule for fixing in a Zeek 3.0.3 >> (and 3.1.1), but not sure what time frame to expect those releases. >> I'll suggest to the team to aim at doing one in ~2-3 weeks. If you'd >> like to patch ASAP, you may still want to wait at least until that >> Pull Request gets a code review and merged into the master branch. >> >> - Jon > > > > -- > Doug Burks From doug.burks at gmail.com Mon Mar 9 12:00:58 2020 From: doug.burks at gmail.com (Doug Burks) Date: Mon, 9 Mar 2020 15:00:58 -0400 Subject: [Zeek] Workers occasionally using 102% CPU In-Reply-To: References:

Message-ID: Sounds great, thanks Jon! On Mon, Mar 9, 2020 at 2:56 PM Jon Siwek wrote: > Just a FYI / heads-up: I'm planning to make 3.0.3 and 3.1.1 releases > tomorrow that will include the patch for this issue. > > - Jon > > On Thu, Mar 5, 2020 at 10:57 AM Doug Burks wrote: > > > > OK, thanks Jon. > > > > On Thu, Mar 5, 2020 at 1:23 PM Jon Siwek wrote: > >> > >> On Thu, Mar 5, 2020 at 6:44 AM Doug Burks wrote: > >> > >> > Would you recommend that we apply the patch to our Zeek 3.0.2 package > OR hold off on 3.0.2 and wait for 3.0.3 assuming it will be included there? > >> > >> Hi Doug, I do now have this on the schedule for fixing in a Zeek 3.0.3 > >> (and 3.1.1), but not sure what time frame to expect those releases. > >> I'll suggest to the team to aim at doing one in ~2-3 weeks. If you'd > >> like to patch ASAP, you may still want to wait at least until that > >> Pull Request gets a code review and merged into the master branch. > >> > >> - Jon > > > > > > > > -- > > Doug Burks > -- Doug Burks -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200309/89578fe7/attachment.html From smitra at ucn.ca Mon Mar 9 13:19:59 2020 From: smitra at ucn.ca (Mitra, Shaibal) Date: Mon, 9 Mar 2020 20:19:59 +0000 Subject: [Zeek] SMTP Message-ID: <7ce89d08b8dc4124b6f5de06627b2e75@ucn.ca> Is there any package that detects SMTP MITM certificate attacks?We are not yet configured for DANE. Thanks [signature] IT Network Systems Administrator The Pas Campus Ph:204-627-8593(Office) Ph:204-620-1221(Cell) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200309/0d00c9d0/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 12170 bytes Desc: image001.png Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200309/0d00c9d0/attachment-0001.bin From jsiwek at corelight.com Mon Mar 9 20:25:28 2020 From: jsiwek at corelight.com (Jon Siwek) Date: Mon, 9 Mar 2020 20:25:28 -0700 Subject: [Zeek] No packets captured by Zeek under OpenBSD In-Reply-To: <5C6645FC-453D-495C-A228-B3BCC243C569@outlook.com> References: <5C6645FC-453D-495C-A228-B3BCC243C569@outlook.com> Message-ID: A cluster seems to be working for me on OpenBSD after the following couple tricks: * echo "redef Broker::disable_ssl=T;" >> /usr/local/zeek/share/zeek/site/local.zeek * ZEEK_DEFAULT_LISTEN_ADDRESS=127.0.0.1 zeekctl deploy The first one is because SSL between Zeek processes isn't currently working on OpenBSD (likely due to use some particularity of libressl usage instead of openssl). The second one may be a bug, or just general configuration issue with Zeek processes trying to listen/connect to each other over IPv6 on OpenBSD. You can verify what it's trying to listen on via `netstat -lp tcp` (should find things around 47761+ using "tcp" rather than "tcp6"). Generally, OpenBSD is not an officially supported platform: doesn't receive as much testing as others and so more prone to bugs/breakages, but patches that make things work better on OpenBSD are welcome. - Jon On Sun, Mar 8, 2020 at 4:57 AM Carlos Lopez wrote: > > This problem only appears when Zeek is configured as a cluster and using a distrusted installation or configuring several network interfaces like for example: > > > > [manager] > > type=manager > > host=127.0.0.1 > > > > [logger] > > type=logger > > host=127.0.0.1 > > > > [proxy] > > type=proxy > > host=127.0.0.1 > > > > [worker-1] > > type=worker > > host=127.0.0.1 > > interface=vio2 > > > > [worker-2] > > type=worker > > host=127.0.0.1 > > interface=vio3 > > > > When Zeek is configured in standalone mode everything works correctly. > > > > Among the hosts I'm testing, network communications are working perfectly between them and PF is disabled. Maybe is it a bug? I am using Zeek 3.0.3-dev.3 under OpenBSD 6.6 (fully patched). > > > > -- > > Regards, > > C. L. Martinez > > > > From: on behalf of Carlos Lopez > Date: Saturday, 7 March 2020 at 23:00 > To: "zeek at zeek.org" > Subject: [Zeek] No packets captured by Zeek under OpenBSD > > > > Hi all, > > > > I just installed Zeek 3.0.3-dev.3 under two OpenBSD 6.6 amd64 vms (one as worker and another as a manager). All seems to work ok but no packet is captured by Zeek worker. In logs directory, there are only the following files: > > > > total 100 > > drwxr-xr-x 2 root wheel 512 Mar 7 21:50 ./ > > drwxr-xr-x 7 root wheel 512 Mar 7 21:50 ../ > > -rw-r--r-- 1 root wheel 137 Mar 7 21:42 .cmdline > > -rw-r--r-- 1 root wheel 350 Mar 7 21:42 .env_vars > > -rw-r--r-- 1 root wheel 6 Mar 7 21:42 .pid > > -rw-r--r-- 1 root wheel 58 Mar 7 21:42 .startup > > -rwx------ 1 root wheel 18 Mar 7 21:42 .status* > > -rw-r--r-- 1 root wheel 401 Mar 7 21:43 cluster.log > > -rw-r--r-- 1 root wheel 30276 Mar 7 21:43 loaded_scripts.log > > -rw-r--r-- 1 root wheel 856 Mar 7 21:53 stats.log > > -rw-r--r-- 1 root wheel 0 Mar 7 21:42 stderr.log > > -rw-r--r-- 1 root wheel 140 Mar 7 21:43 stdout.log > > > > No one shows any error. Same for the spool directory ? Running tcpdump in worker node works without problem and I can see all the traffic ? > > > > Any idea? > > > > -- > > Regards, > > C. L. Martinez > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek From smitra at ucn.ca Tue Mar 10 07:47:08 2020 From: smitra at ucn.ca (Mitra, Shaibal) Date: Tue, 10 Mar 2020 14:47:08 +0000 Subject: [Zeek] DNS Message-ID: <095fcc9427d9485bb54be6407f00365d@ucn.ca> Now that firefox has adopted dns over https will this require changes to the zeek dns and http modules? Thanks [signature] IT Network Systems Administrator The Pas Campus Ph:204-627-8593(Office) Ph:204-620-1221(Cell) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200310/99cb1f9b/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 12170 bytes Desc: image001.png Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200310/99cb1f9b/attachment-0001.bin From mail at staging.zeek.org Tue Mar 10 08:24:44 2020 From: mail at staging.zeek.org (Amber Graner) Date: Tue, 10 Mar 2020 15:24:44 +0000 Subject: [Zeek] New Message From The Zeek Network Security Monitor Message-ID: <102135976ee0bae6d68e4bd96a64e3aa@staging.zeek.org> This is a test and only a test. If this had been an actual emergency.... From akgraner at corelight.com Tue Mar 10 08:34:27 2020 From: akgraner at corelight.com (Amber Graner) Date: Tue, 10 Mar 2020 11:34:27 -0400 Subject: [Zeek] New Message From The Zeek Network Security Monitor In-Reply-To: <102135976ee0bae6d68e4bd96a64e3aa@staging.zeek.org> References: <102135976ee0bae6d68e4bd96a64e3aa@staging.zeek.org> Message-ID: Hi all, Just testing contact boxes. ~Amber On Tue, Mar 10, 2020 at 11:27 AM Amber Graner wrote: > This is a test and only a test. If this had been an actual emergency.... > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek > -- *Amber Graner* Director of Community Corelight, Inc 828.582.9469 Schedule time on my calendar here. * Ask me about how you can participate in the Zeek (formerly Bro) community. * Remember - ZEEK AND YOU SHALL FIND!! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200310/01cf0b76/attachment.html From jsiwek at corelight.com Tue Mar 10 12:21:14 2020 From: jsiwek at corelight.com (Jon Siwek) Date: Tue, 10 Mar 2020 12:21:14 -0700 Subject: [Zeek] Zeek 3.0.3 and 3.1.1 released (bug fixes) Message-ID: Downloads for Zeek 3.0.3 and 3.1.1 are available: https://www.zeek.org/download/index.html They address a couple bugs that may commonly lead to cpu or memory overuse. Release notes with further details are here: https://github.com/zeek/zeek/releases/tag/v3.0.3 https://github.com/zeek/zeek/releases/tag/v3.1.1 From jawren at cisco.com Tue Mar 10 12:31:15 2020 From: jawren at cisco.com (Jay Wren (jawren)) Date: Tue, 10 Mar 2020 19:31:15 +0000 Subject: [Zeek] DNS In-Reply-To: <095fcc9427d9485bb54be6407f00365d@ucn.ca> References: <095fcc9427d9485bb54be6407f00365d@ucn.ca> Message-ID: AFAIK, there isn't anything zeek can do to peek into those dns over https requests because it is encrypted in a TLS session. I suppose something could be updated with a list of known DNS over HTTPS providers and traffic to those IP addresses somehow flagged as such. I don't trust the DNS over HTTPS providers any more than I trust my own DNS servers and so I've blocked them on my network. ________________________________ From: zeek-bounces at zeek.org on behalf of Mitra, Shaibal Sent: Tuesday, March 10, 2020 10:47 AM To: zeek at zeek.org Subject: [Zeek] DNS Now that firefox has adopted dns over https will this require changes to the zeek dns and http modules? Thanks [signature] IT Network Systems Administrator The Pas Campus Ph:204-627-8593(Office) Ph:204-620-1221(Cell) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200310/f21a20f3/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 12170 bytes Desc: image001.png Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200310/f21a20f3/attachment-0001.bin From michalpurzynski1 at gmail.com Tue Mar 10 13:27:12 2020 From: michalpurzynski1 at gmail.com (=?UTF-8?B?TWljaGHFgiBQdXJ6ecWEc2tp?=) Date: Tue, 10 Mar 2020 13:27:12 -0700 Subject: [Zeek] DNS In-Reply-To: References: <095fcc9427d9485bb54be6407f00365d@ucn.ca> Message-ID: The best thing to do is to disable the whole thing, at the network level. https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet Or on every Firefox, in network.trr.mode=5 How sending all of my DNS data by default to cloudflare is good for privacy is beyond me. On Tue, Mar 10, 2020 at 12:33 PM Jay Wren (jawren) wrote: > AFAIK, there isn't anything zeek can do to peek into those dns over https > requests because it is encrypted in a TLS session. I suppose something > could be updated with a list of known DNS over HTTPS providers and traffic > to those IP addresses somehow flagged as such. > > I don't trust the DNS over HTTPS providers any more than I trust my own > DNS servers and so I've blocked them on my network. > ------------------------------ > *From:* zeek-bounces at zeek.org on behalf of Mitra, > Shaibal > *Sent:* Tuesday, March 10, 2020 10:47 AM > *To:* zeek at zeek.org > *Subject:* [Zeek] DNS > > > Now that firefox has adopted dns over https will this require changes to > the zeek dns and http modules? > > > > Thanks > > > > [image: signature] > > IT Network Systems Administrator > > The Pas Campus > > Ph:204-627-8593(Office) > > Ph:204-620-1221(Cell) > > > _______________________________________________ > Zeek mailing list > zeek at zeek.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200310/f7351990/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 12170 bytes Desc: not available Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200310/f7351990/attachment.bin From michalpurzynski1 at gmail.com Tue Mar 10 16:14:05 2020 From: michalpurzynski1 at gmail.com (=?UTF-8?B?TWljaGHFgiBQdXJ6ecWEc2tp?=) Date: Tue, 10 Mar 2020 16:14:05 -0700 Subject: [Zeek] Capture packet loss discrepancy In-Reply-To: References:

Message-ID: So it does not look like that's Zeek dropping traffic here. Something else must be going on. What's your data rate? What's the MTU? Something that worries me - rx_long_byte_count: 51106679706383 Not sure what these are, as it pretty much always requires reading network card's driver source (these fields are by no means standarized and even if they happen to have the same name accross vendors they can mean something else). Can you share statistics from the switch? Something like show int stats or similar. On Fri, Mar 6, 2020 at 2:53 AM Federico Foschini