[Zeek] Errors trying to implement the detection on CVE-2020-0601

Kayode Enwerem Kayode_Enwerem at ao.uscourts.gov
Fri Mar 6 10:29:58 PST 2020


Thanks again for your response. 

How do I test that the openssl version we have installed automatically converts explicit curves to names while the certificate is parsed?

We currently have this version of openssl installed: openssl-1.0.2k-19.el7.x86_64

Thanks.

Kayode Enwerem (CTR)
Security Tools Linux Admin 
ITSO/SOC
Administrative Office of the U.S. Courts
(202) 227-1530

-----Original Message-----
From: Johanna Amann <johanna at icir.org> 
Sent: Friday, March 6, 2020 11:53 AM
To: Kayode Enwerem <Kayode_Enwerem at ao.uscourts.gov>
Cc: zeek at zeek.org
Subject: Re: [Zeek] Errors trying to implement the detection on CVE-2020-0601

Oh, sorry - I did not quite thoroughly enough parse all of your first email.

The reason for this is load ordering. You added the script to somewhere in /share/bro/base. You should never add scripts to base (or change scripts in base). We always assume that things in base are untouched - they will be overwritten on updates/upgrades. And if you change things in base you will also have to make sure that you don’t break things because of ordering issues.

In any case - just move the script to share/bro/site and @load it from your local.bro, before the line in which you perform the redef - and everything should work :)

Alternatively you can also install it via the package manager.

I hope this helps,
  Johanna

On 6 Mar 2020, at 5:13, Kayode Enwerem wrote:

> Thanks Johanna for your response.
>
> I set it up and tested it out on another bro instance we have running 
> bro version 2.6.3 and got this same error message:
>
> error in
> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
> line 26: unknown identifier Version::at_least, at or near 
> "Version::at_least"
>
>
> -----Original Message-----
> From: Johanna Amann <johanna at icir.org>
> Sent: Thursday, March 5, 2020 5:51 PM
> To: Kayode Enwerem <Kayode_Enwerem at ao.uscourts.gov>
> Cc: zeek at zeek.org
> Subject: Re: [Zeek] Errors trying to implement the detection on 
> CVE-2020-0601
>
> Hi Kayode,
>
> the script does, out of the box, not support anything below bro 2.6.
>
> You can probably make it run by changing the option to a “const 
> log_certs = F &redef” and changing the @if (Version::) to @if ( 0 ).
> However, note that while it should work it has not been tested on 
> these systems.
>
> Also - please consider updating your Zeek installation. You are 
> missing important security and performance fixes.
>
> Johanna
>
> On 5 Mar 2020, at 10:43, Kayode Enwerem wrote:
>
>> Hello,
>>
>> I am trying to implement the detection of CVE-2020-0601 with zeek
>> (https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html)
>> using the first package (https://github.com/0xxon/cve-2020-0601) but
>> I keep encountering some errors.
>>
>> Version for bro in my environment: bro version 2.5.5
>>
>> First thing I did was add this to our local.bro file: redef
>> CVE_2020_0601::log_certs = T;
>>
>> But when I ran "broctl check" I got the following error message:
>> error in /usr/local/bro/share/bro/site/local.bro, line 13: "redef" used but
>> not previously defined (CVE_2020_0601::log_certs)
>>
>> So I created the following file in
>> "share/bro/base/frameworks/notice/cve-2020-0601.bro" and added the
>> script from:
>> https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro
>>
>> And also edited the following file
>> "share/bro/base/frameworks/notice/__load__.bro" and added: @load
>> ./cve-2020-0601
>>
>> Now when I run "broctl check" I am getting the following error
>> message:
>> error in
>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
>> line 5: syntax error, at or near "option"
>>
>> When I comment out line 5 I get:
>> error in
>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
>> line 26: unknown identifier Version::at_least, at or near
>> "Version::at_least"
>>
>> When I comment out line 26 I get:
>> error in
>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
>> line 35: unknown identifier f, at or near "f"
>>
>> Can someone please help me with this? Am I setting it up right?
>>
>> Thanks in advance.
>>
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
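
The load-ordering point in Johanna's reply, as an added example that is not part of the original thread or of the cve-2020-0601 package: a small shell lint that flags a `redef CVE_2020_0601::...` placed before the `@load`, and a copy of the script left under base. The `@load ./cve-2020-0601` form, the function names and the sample file are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the package): lint for the
# load-ordering mistake discussed above.
# Assumption: the script sits next to local.bro in share/bro/site and is
# loaded with a line containing "cve-2020-0601"; adjust LOAD_RE otherwise.
LOAD_RE='^[[:space:]]*@load[[:space:]]+[^#]*cve-2020-0601'
REDEF_RE='^[[:space:]]*redef[[:space:]]+CVE_2020_0601::'

# first_line REGEX FILE: line number of the first match, empty if none.
# Both patterns are anchored, so commented-out lines never match.
first_line() {
    grep -nE "$1" "$2" | head -n 1 | cut -d: -f1
}

# check_load_order FILE
#   0  no redef, or the @load comes first
#   1  a redef of CVE_2020_0601:: appears before the @load
#   2  redef present but the script is never loaded
check_load_order() {
    load_ln=$(first_line "$LOAD_RE" "$1")
    redef_ln=$(first_line "$REDEF_RE" "$1")
    if [ -z "$redef_ln" ]; then return 0; fi
    if [ -z "$load_ln" ]; then
        echo "$1:$redef_ln: redef used, but the script is never @load-ed"
        return 2
    fi
    if [ "$redef_ln" -lt "$load_ln" ]; then
        echo "$1:$redef_ln: redef comes before the @load on line $load_ln"
        return 1
    fi
    return 0
}

# check_not_in_base PREFIX: 1 if a copy of the script was left under base.
check_not_in_base() {
    found=$(find "$1/share/bro/base" -name 'cve-2020-0601*' 2>/dev/null | head -n 1)
    if [ -z "$found" ]; then return 0; fi
    echo "move out of base: $found"
    return 1
}

# Constructed sample: a local.bro with the redef placed before the @load.
sample=$(mktemp)
printf '%s\n' 'redef CVE_2020_0601::log_certs = T;' '@load ./cve-2020-0601' > "$sample"
check_load_order "$sample" || true
rm -f "$sample"
```

Both checks only read files, so they can be run against the deployed local.bro and install prefix before `broctl check`.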


