[Zeek] Errors trying to implement the detection on CVE-2020-0601
Kayode Enwerem
Kayode_Enwerem at ao.uscourts.gov
Fri Mar 6 10:29:58 PST 2020
Thanks again for your response.
How do I test that the openssl version we have installed automatically converts explicit curves to names while the certificate is parsed?
We currently have this version of openssl installed: openssl-1.0.2k-19.el7.x86_64
Thanks.
Kayode Enwerem (CTR)
Security Tools Linux Admin
ITSO/SOC
Administrative Office of the U.S. Courts
(202) 227-1530
-----Original Message-----
From: Johanna Amann <johanna at icir.org>
Sent: Friday, March 6, 2020 11:53 AM
To: Kayode Enwerem <Kayode_Enwerem at ao.uscourts.gov>
Cc: zeek at zeek.org
Subject: Re: [Zeek] Errors trying to implement the detection on CVE-2020-0601
Oh, sorry - I did not quite thoroughly enough parse all of your first email.
The reason for this is load ordering. You added the script to somewhere in /share/bro/base. You should never add scripts to base (or change scripts in base). We always assume that things in base are untouched - they will be overwritten on updates/upgrades. And if you change things in base you will also have to make sure that you don’t break things because of ordering issues.
In any case - just move the script to share/bro/site and @load it from your local.bro, before the line in which you perform the redef - and everything should work :)
Alternatively you can also install it via the package manager.
I hope this helps,
Johanna
On 6 Mar 2020, at 5:13, Kayode Enwerem wrote:
> Thanks Johanna for your response.
>
> I set it up and tested it out on another bro instance we have running
> bro version 2.6.3 and got this same error message:
>
> error in
> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
> line 26: unknown identifier Version::at_least, at or near
> "Version::at_least"
>
>
> -----Original Message-----
> From: Johanna Amann <johanna at icir.org>
> Sent: Thursday, March 5, 2020 5:51 PM
> To: Kayode Enwerem <Kayode_Enwerem at ao.uscourts.gov>
> Cc: zeek at zeek.org
> Subject: Re: [Zeek] Errors trying to implement the detection on
> CVE-2020-0601
>
> Hi Kayode,
>
> the script does, out of the box, not support anything below bro 2.6.
>
> You can probably make it run by changing the option to a “const
> log_certs = F &redef” and changing the @if (Version::) to @if ( 0 ).
> However, note that while it should work it has not been tested on
> these systems.
>
> Also - please consider updating your Zeek installation. You are
> missing important security and performance fixes.
>
> Johanna
>
> On 5 Mar 2020, at 10:43, Kayode Enwerem wrote:
>
>> Hello,
>>
>> I am trying to implement the detection of CVE-2020-0601 with zeek
>> (https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html)
>> using the first package (https://github.com/0xxon/cve-2020-0601) but
>> I keep encountering some errors.
>>
>> Version for bro in my environment: bro version 2.5.5
>>
>> First thing I did was add this to our local.bro file: redef
>> CVE_2020_0601::log_certs = T;
>>
>> But when I ran "broctl check" I got the following error message:
>> error
>> in /usr/local/bro/share/bro/site/local.bro, line 13: "redef" used but
>> not previously defined (CVE_ 2020_0601::log_certs)
>>
>> So I created the following file in
>> "share/bro/base/frameworks/notice/cve-2020-0601.bro" and added the
>> script from:
>> https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro
>>
>> And also edited the following file
>> "share/bro/base/frameworks/notice/__load__.bro" and added: @load
>> ./cve-2020-0601
>>
>> Now when I run "broctl check" I am getting the following error
>> message:
>> error in
>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
>> line 5: syntax error, at or near "option"
>>
>> When I comment out line 5 I get:
>> error in
>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
>> line 26: unknown identifier Version::at_least, at or near
>> "Version::at_least"
>>
>> When I comment out line 26 I get:
>> error in
>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
>> line 35: unknown identifier f, at or near "f"
>>
>> Can someone please help me with this? Am I setting it up right?
>>
>> Thanks in advance.
>>
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
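Added example, not part of the thread or of the cve-2020-0601 package: a small shell lint for the two mistakes discussed above, a script placed under share/bro/base and a redef that appears in local.bro before the @load that defines the option. The function names and the sample local.bro contents are constructed for illustration; the @load and redef lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: lint a local.bro for the load-order problem in this thread.
# Function names and the files built in demo() are constructed.

# in_base_tree PATH -> 0 if PATH lies under share/bro/base (never edit there).
in_base_tree() {
    case $1 in
        */share/bro/base/*) return 0 ;;
        *) return 1 ;;
    esac
}

# first_match FILE REGEX -> line number of first non-comment match, or empty.
first_match() {
    sed 's/#.*//' "$1" | grep -n "$2" | head -n 1 | cut -d: -f1
}

# check_load_order FILE SCRIPT MODULE
#   0: "@load ...SCRIPT" precedes the first "redef MODULE::..." line
#   1: the redef comes first, or the @load is missing
#      (the '"redef" used but not previously defined' case)
#   2: FILE has no redef for MODULE, nothing to check
check_load_order() {
    load_line=$(first_match "$1" "^[[:space:]]*@load[[:space:]].*$2")
    redef_line=$(first_match "$1" "^[[:space:]]*redef[[:space:]]\{1,\}$3::")
    [ -n "$redef_line" ] || return 2
    [ -n "$load_line" ] || return 1
    [ "$load_line" -lt "$redef_line" ]
}

# demo: build one broken and one fixed local.bro and report on each.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '@load tuning/defaults' \
        'redef CVE_2020_0601::log_certs = T;' > "$dir/broken.bro"
    printf '%s\n' '@load tuning/defaults' '@load ./cve-2020-0601' \
        'redef CVE_2020_0601::log_certs = T;' > "$dir/fixed.bro"
    for f in broken fixed; do
        if check_load_order "$dir/$f.bro" cve-2020-0601 CVE_2020_0601; then
            echo "$f.bro: load order ok"
        else
            echo "$f.bro: redef before @load (or @load missing)"
        fi
    done
    rm -rf "$dir"
}
demo
```

The lint only looks at a single file, so a script pulled in indirectly through another @load is reported as missing.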