[Zeek] Errors trying to implement the detection on CVE-2020-0601

Kayode Enwerem Kayode_Enwerem at ao.uscourts.gov
Fri Mar 6 05:13:03 PST 2020


Thanks Johanna for your response. 

I set it up and tested it out on another bro instance we have running bro version 2.6.3 and got this same error message:

error in /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro, line 26: unknown identifier Version::at_least, at or near "Version::at_least"


-----Original Message-----
From: Johanna Amann <johanna at icir.org> 
Sent: Thursday, March 5, 2020 5:51 PM
To: Kayode Enwerem <Kayode_Enwerem at ao.uscourts.gov>
Cc: zeek at zeek.org
Subject: Re: [Zeek] Errors trying to implement the detection on CVE-2020-0601

Hi Kayode,

the script does, out of the box, not support anything below bro 2.6.

You can probably make it run by changing the option to a “const log_certs = F &redef” and changing the @if (Version::) to @if ( 0 ). 
However, note that while it should work it has not been tested on these systems.

Also - please consider updating your Zeek installation. You are missing important security and performance fixes.

Johanna

On 5 Mar 2020, at 10:43, Kayode Enwerem wrote:

> Hello,
>
> I am trying to implement the detection of CVE-2020-0601 with zeek
> (https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html)
> using the first package (https://github.com/0xxon/cve-2020-0601) but I 
> keep encountering some errors.
>
> Version for bro in my environment: bro version 2.5.5
>
> First thing I did was add this to our local.bro file: redef 
> CVE_2020_0601::log_certs = T;
>
> But when I ran "broctl check" I got the following error message: error 
> in /usr/local/bro/share/bro/site/local.bro, line 13: "redef" used but
> not previously defined (CVE_2020_0601::log_certs)
>
> So I created the following file in
> "share/bro/base/frameworks/notice/cve-2020-0601.bro" and added the 
> script from:
> https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro
>
> And also edited the following file
> "share/bro/base/frameworks/notice/__load__.bro" and added: @load
> ./cve-2020-0601
>
> Now when I run "broctl check" I am getting the following error
> message:
> error in
> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
> line 5: syntax error, at or near "option"
>
> When I comment out line 5 I get:
> error in
> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
> line 26: unknown identifier Version::at_least, at or near 
> "Version::at_least"
>
> When I comment out line 26 I get:
> error in
> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
> line 35: unknown identifier f, at or near "f"
>
> Can someone please help me with this? Am I setting it up right?
>
> Thanks in advance.
>
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek


