Questions tagged [zeek]

Appropriate Zeek related questions could include things such as:

Installation issues
Operational issues
Script writing difficulties
"How would I detected...?" questions related to event correlation

From the Zeek website:

Adaptable

Zeek's domain-specific scripting language enables site-specific monitoring policies.

Efficient

Zeek targets high-performance networks and is used operationally at a variety of large sites.

Flexible

Zeek is not restricted to any particular detection approach and does not rely on traditional signatures.

Forensics

Zeek comprehensively logs what it sees and provides a high-level archive of a network's activity.

In-depth Analysis

Zeek comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer.

Highly Stateful

Zeek keeps extensive application-layer state about the network it monitors.

Open Interfaces

Zeek interfaces with other applications for real-time exchange of information.

Open Source

Zeek comes with a BSD license, allowing for free use with virtually no restrictions.

References:

37 questions

votes

0 answers

BRO doesn't log ssh when user is found by PAM

Hydra's output using hydra -L ~/Documents/wordlists/Aliases.txt -P ~/Documents/wordlists/shortlist.txt -M servers.txt ssh -t 4 -V sharp67 is a user in PAM and aaron1 is not. [ATTEMPT] target 172.xx.x.12 - login "sharp67" - pass "aaaaaaaz" - 26 of…

asked Jul 31 '18 at 19:22

Jacob Sharp

votes

1 answer

Bro IDS signature_match trigger

I am new to BRO and just started to test signature on BRO. I have one script, main.bro, and a signature file, protosigs.sig. The idea is to compare the signature and do something within the rewritten event function - signature_match. I tried to use…

signature bro zeek

asked Jun 27 '18 at 10:17

Xifeng

votes

1 answer

Bro: Disable reading and writing of .state/state.bst

I'm using Bro to crunch a whole lot of pcap files, so I want to run a bunch of instances in parallel, but I'm worried that they will trip over each other accessing the persistent state file (.state/state.bst). Is there any way to tell Bro that it…

bro zeek

asked Jun 20 '18 at 00:26

zwol

135,547
38
252
361

votes

1 answer

Sematext Logagent Elasticsearch - Indexes not being created?

I'm trying to send data to Elasticsearch using logagent but while there doesn't seem to be any error sending the data, the index isn't being created in ELK. I'm trying to find the index by creating a new index pattern via the Kibana GUI but the…

elasticsearch kibana bro zeek

asked May 01 '18 at 21:31

V. Zed

votes

1 answer

Errors when running /scripts/base/protocols/conn/

When trying to run the main.bro file in the conn directory using the following command: bro -i [interface] /location/to/bro/file/ I get the following errors: error in /home/ec2-user/bro/bro-2.5.1/scripts/base/protocols/conn/main.bro, line 14:…

logging bro zeek

asked Nov 15 '17 at 16:49

David

votes

1 answer

Collect statistics on current traffic with Bro

I want to collect statistics on traffic every 10 seconds and the only tool that I found is connection_state_remove event, event connection_state_remove(c: connection) { SumStats::observe( "traffic", [$str="all"] [$num=c$orig$num_bytes_ip]…

bro traffic-measurement zeek

asked Oct 19 '17 at 08:58

nnovzver

-1

votes

1 answer

Zeek (Bro) goes crashed after interface gets restarted

I have some issues with the zeek software. After the network interface eth0 gets restarted the zeekctl goes crashed. Is there any way of restart the zeekctl process automatically after a network interface gets restarted? Thanks in advance. tail -f…

zeek

asked Oct 17 '21 at 05:47

Renier Collazo

Prev 1 2