[Zeek] Errors trying to implement the detection on CVE-2020-0601

Johanna Amann johanna at icir.org
Thu Mar 5 14:50:42 PST 2020


Hi Kayode,

The script does not, out of the box, support anything below Bro 2.6.

You can probably make it run by changing the option to a “const 
log_certs = F &redef” and changing the @if (Version::) to @if ( 0 ). 
However, note that while it should work it has not been tested on these 
systems.

Also - please consider updating your Zeek installation. You are missing 
important security and performance fixes.

Johanna

On 5 Mar 2020, at 10:43, Kayode Enwerem wrote:

> Hello,
>
> I am trying to implement the detection of CVE-2020-0601 with zeek 
> (https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html) 
> using the first package (https://github.com/0xxon/cve-2020-0601) but I 
> keep encountering some errors.
>
> Version for bro in my environment: bro version 2.5.5
>
> First thing I did was add this to our local.bro file: redef 
> CVE_2020_0601::log_certs = T;
>
> But when I ran "broctl check" I got the following error message: error 
> in /usr/local/bro/share/bro/site/local.bro, line 13: "redef" used but 
> not previously defined (CVE_2020_0601::log_certs)
>
> So I created the following file in 
> "share/bro/base/frameworks/notice/cve-2020-0601.bro" and added the 
> script from: 
> https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro
>
> And also edited the following file 
> "share/bro/base/frameworks/notice/__load__.bro" and added: @load 
> ./cve-2020-0601
>
> Now when I run "broctl check" I am getting the following error 
> message:
> error in 
> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, 
> line 5: syntax error, at or near "option"
>
> When I comment out line 5 I get:
> error in 
> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, 
> line 26: unknown identifier Version::at_least, at or near 
> "Version::at_least"
>
> When I comment out line 26 I get:
> error in 
> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, 
> line 35: unknown identifier f, at or near "f"
>
> Can someone please help me with this? Am I setting it up right?
>
> Thanks in advance.