[Zeek] Errors trying to implement the detection on CVE-2020-0601

Johanna Amann johanna at icir.org
Sun Mar 8 08:55:11 PDT 2020


Hi Kayode,

you can test it by running the test suite included with the package (git 
clone it and then run btest in the testing directory - or try installing 
it with the zeek package manager). That will run it automatically.

Also - it is not really all that important - you just increase your 
probability of false positives a bit. That being said - I have not 
actually heard of anyone encountering a false positive - certificates 
with explicit curves are exceedingly rare.

Johanna

On 6 Mar 2020, at 10:29, Kayode Enwerem wrote:

> Thanks again for your response.
>
> How do I test that the openssl version we have installed automatically 
> converts explicit curves to names while the certificate is parsed?
>
> We currently have this version of openssl installed: 
> openssl-1.0.2k-19.el7.x86_64
>
> Thanks.
>
> Kayode Enwerem (CTR)
> Security Tools Linux Admin
> ITSO/SOC
> Administrative Office of the U.S. Courts
> (202) 227-1530
>
> -----Original Message-----
> From: Johanna Amann <johanna at icir.org>
> Sent: Friday, March 6, 2020 11:53 AM
> To: Kayode Enwerem <Kayode_Enwerem at ao.uscourts.gov>
> Cc: zeek at zeek.org
> Subject: Re: [Zeek] Errors trying to implement the detection on 
> CVE-2020-0601
>
> Oh, sorry - I did not quite thoroughly enough parse all of your first 
> email.
>
> The reason for this is load ordering. You added the script to 
> somewhere in /share/bro/base. You should never add scripts to base (or 
> change scripts in base). We always assume that things in base are 
> untouched - they will be overwritten on updates/upgrades. And if you 
> change things in base you will also have to make sure that you don’t 
> break things because of ordering issues.
>
> In any case - just move the script to share/bro/site and @load it from 
> your local.bro, before the line in which you perform the redef - and 
> everything should work :)
>
> Alternatively you can also install it via the package manager.
>
> I hope this helps,
>   Johanna
>
> On 6 Mar 2020, at 5:13, Kayode Enwerem wrote:
>
>> Thanks Johanna for your response.
>>
>> I set it up and tested it out on another bro instance we have running
>> bro version 2.6.3 and got this same error message:
>>
>> error in
>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
>> line 26: unknown identifier Version::at_least, at or near
>> "Version::at_least"
>>
>>
>> -----Original Message-----
>> From: Johanna Amann <johanna at icir.org>
>> Sent: Thursday, March 5, 2020 5:51 PM
>> To: Kayode Enwerem <Kayode_Enwerem at ao.uscourts.gov>
>> Cc: zeek at zeek.org
>> Subject: Re: [Zeek] Errors trying to implement the detection on
>> CVE-2020-0601
>>
>> Hi Kayode,
>>
>> the script does, out of the box, not support anything below bro 2.6.
>>
>> You can probably make it run by changing the option to a “const
>> log_certs = F &redef” and changing the @if (Version::) to @if ( 0 
>> ).
>> However, note that while it should work it has not been tested on
>> these systems.
>>
>> Also - please consider updating your Zeek installation. You are
>> missing important security and performance fixes.
>>
>> Johanna
>>
>> On 5 Mar 2020, at 10:43, Kayode Enwerem wrote:
>>
>>> Hello,
>>>
>>> I am trying to implement the detection of CVE-2020-0601 with zeek
>>> (https://blog.zeek.org/2020/01/detecting-cve-2020-0601-with-zeek.html)
>>> using the first package (https://github.com/0xxon/cve-2020-0601) but
>>> I
>>> keep encountering some errors.
>>>
>>> Version for bro in my environment: bro version 2.5.5
>>>
>>> First thing I did was add this to our local.bro file: redef
>>> CVE_2020_0601::log_certs = T;
>>>
>>> But when I ran "broctl check" I got the following error message:
>>> error
>>> in /usr/local/bro/share/bro/site/local.bro, line 13: "redef" used 
>>> but
>>> not previously defined (CVE_2020_0601::log_certs)
>>>
>>> So I created the following file in
>>> "share/bro/base/frameworks/notice/cve-2020-0601.bro" and added the
>>> script from:
>>> https://github.com/0xxon/cve-2020-0601/blob/master/scripts/cve-2020-0601.bro
>>>
>>> And also edited the following file
>>> "share/bro/base/frameworks/notice/__load__.bro" and added: @load
>>> ./cve-2020-0601
>>>
>>> Now when I run "broctl check" I am getting the following error
>>> message:
>>> error in
>>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
>>> line 5: syntax error, at or near "option"
>>>
>>> When I comment out line 5 I get:
>>> error in
>>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
>>> line 26: unknown identifier Version::at_least, at or near
>>> "Version::at_least"
>>>
>>> When I comment out line 26 I get:
>>> error in
>>> /usr/local/bro/share/bro/base/frameworks/notice/./cve-2020-0601.bro,
>>> line 35: unknown identifier f, at or near "f"
>>>
>>> Can someone please help me with this? Am I setting it up right?
>>>
>>> Thanks in advance.
>>>
>>>
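Added example (not from the thread or from the cve-2020-0601 package): the site-layout and load-ordering fix described above, shown as two file fragments. The export block is an assumption about the package's structure, reduced to the one identifier the redef touches.

```zeek
# Constructed example, not the package's own code.

# --- share/bro/site/cve-2020-0601.bro (assumed export block only;
#     the package's detection logic would follow it) ---
module CVE_2020_0601;

export {
    # Bro/Zeek 2.6+: the package declares this as "option log_certs = F;".
    # On 2.5 the "option" keyword is a syntax error, so use a
    # redef-able const instead, as suggested in the thread.
    const log_certs = F &redef;
}

# --- share/bro/site/local.bro ---

# Broken: a redef with no prior @load is parsed before the identifier
# exists, so "broctl check" reports
#   "redef" used but not previously defined (CVE_2020_0601::log_certs)
#
#   redef CVE_2020_0601::log_certs = T;

# Working: keep the script in share/bro/site (never in base/), @load it
# first, then redef the value it exports. A zkg-installed package is
# @loaded by name instead of by relative path.
@load ./cve-2020-0601
redef CVE_2020_0601::log_certs = T;
```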
