[prev in list] [next in list] [prev in thread] [next in thread]
List: bro
Subject: [Zeek] Zeek conn.log questions
From: "Brett D. Rasmussen via zeek" <zeek () lists ! zeek ! org>
Date: 2020-11-03 5:49:16
Message-ID: SA0PR09MB6587CF50B7A7B9837E612BB3E9110 () SA0PR09MB6587 ! namprd09 ! prod ! outlook ! com
[Download RAW message or body]
Hello.
I'm currently developing a 'protocol analyzer plugin' for Zeek.
When I feed a pcap file to the plugin for testing, the UDP packets that are=
captured by the plugin
(and logged by the plugin)
do 'not' appear in the Zeek "conn.log" log file.
(I do see other UDP based entries in the conn.log file..mostly for DNS quer=
ies..but not for my plugin's
protocol.
Any ideas on how to log 'all' TCP/IP and UDP traffic in the conn.log file?
I'm also analyzing the pcap file with Wireshark..so I know what packets I '=
should' see. Thanks!)
2nd question.
Is there any way to log/capture which UDP packets Zeek sent to a given 'pro=
tocol analyzer'?
(I've got some UDP packets that are not being logged by my plugin. Perhaps=
an 'exception' is occurring
during the protocol analysis? I've seen a couple of terse 'binpac exceptio=
n' error messages in the dpg.log log
file.)
3rd question.
Is there any way to log all traffic between a pair of UDP ports? (either =
in the conn.log or other log file)
Thanks!
Brett Rasmussen
Cyber Security Researcher
Supporting the DHS CIOCC Advanced Analytical Lab
Phone: (208) 526-5486
Fax: (208) 526-6173
Email: Brett.Rasmussen@inl.gov<mailto:Jan.Wright@inl.gov>
[Attachment #3 (text/html)]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} \
</style> </head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> Hello.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> I'm currently developing \
a 'protocol analyzer plugin' for Zeek.</div> <div style="font-family: Calibri, Arial, \
Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: \
rgb(255, 255, 255);"> <br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> When I feed a pcap file \
to the plugin for testing, the UDP packets that are captured by the plugin</div> <div \
style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: \
rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> (and logged by the \
plugin)</div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; \
font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> do \
'not' appear in the Zeek "conn.log" log file.</div> <div \
style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: \
rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> <br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> (I do see other UDP \
based entries in the conn.log file..mostly for DNS queries..but not for my \
plugin's</div> <div style="font-family: Calibri, Arial, Helvetica, sans-serif; \
font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);"> \
protocol. </div> <div style="font-family: Calibri, Arial, Helvetica, \
sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, \
255);"> Any ideas on how to log 'all' TCP/IP and UDP traffic in the conn.log \
file? </div> <div style="font-family: Calibri, Arial, Helvetica, \
sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, \
255);"> I'm also analyzing the <span style="font-family: Calibri, Arial, \
Helvetica, sans-serif; font-size: 12pt;">pcap file with Wireshark..so I know what \
packets I 'should' see. Thanks!)</span></div> <div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0);"> <br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0);"> 2nd question.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0);"> Is there any way to log/capture which UDP packets Zeek sent to \
a given 'protocol analyzer'?</div> <div style="font-family: Calibri, Arial, \
Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"> <br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0);"> (I've got some UDP packets that are not being logged by my \
plugin. Perhaps an 'exception' is occurring</div> <div style="font-family: \
Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"> during \
the protocol analysis? I've seen a couple of terse 'binpac exception' error \
messages in the dpg.log log</div> <div style="font-family: Calibri, Arial, Helvetica, \
sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"> file.)</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0);"> <br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0);"> 3rd question.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0);"> <span style="font-family: Calibri, Arial, Helvetica, \
sans-serif; font-size: 12pt;">Is there any way to log all traffic between a \
pair of UDP ports? (either in the conn.log or other log file)</span><br> </div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0);"> <br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0);"> Thanks!</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0);"> <br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; \
color: rgb(0, 0, 0);"> <br>
</div>
<div id="Signature">
<div>
<meta content="text/html; charset=UTF-8">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size: 12pt; font-family: \
Calibri, Helvetica, sans-serif; color: rgb(0, 0, 0);"> <p style="margin-top: 0px; \
margin-bottom: 0px;margin-top:0; margin-bottom:0"><span \
id="ms-rterangepaste-start"></span><span style="color: rgb(33, 33, 33); font-family: \
wf_segoe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, Arial, \
sans-serif, serif, EmojiFont; font-size: 15px;">Brett Rasmussen </span><br \
style="color: rgb(33, 33, 33); font-family: wf_segoe-ui_normal, "Segoe UI", \
"Segoe WP", Tahoma, Arial, sans-serif, serif, EmojiFont; font-size: 15px;"> \
<span style="color: rgb(33, 33, 33); font-family: wf_segoe-ui_normal, "Segoe \
UI", "Segoe WP", Tahoma, Arial, sans-serif, serif, EmojiFont; \
font-size: 15px;">Cyber Security Researcher</span><br style="color: rgb(33, 33, 33); \
font-family: wf_segoe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, \
Arial, sans-serif, serif, EmojiFont; font-size: 15px;"> <span style="color: rgb(33, \
33, 33); font-family: wf_segoe-ui_normal, "Segoe UI", "Segoe WP", \
Tahoma, Arial, sans-serif, serif, EmojiFont; font-size: 15px;">Supporting the DHS \
CIOCC Advanced Analytical Lab</span><br style="color: rgb(33, 33, 33); font-family: \
wf_segoe-ui_normal, "Segoe UI", "Segoe WP", Tahoma, Arial, \
sans-serif, serif, EmojiFont; font-size: 15px;"> </p>
<p style="margin-top: 0px; color: rgb(33, 33, 33); font-family: wf_segoe-ui_normal, \
"Segoe UI", "Segoe WP", Tahoma, Arial, sans-serif, serif, \
EmojiFont; font-size: 15px; margin-bottom: 0in;">
Phone: (208) 526-5486<br>
Fax: (208) 526-6173<br>
Email: <a href="mailto:Jan.Wright@inl.gov" target="_blank" rel="noopener \
noreferrer" title="mailto:Jan.Wright@inl.gov Ctrl+Click or tap to follow the \
link">Brett.Rasmussen@inl.gov</a></p> <span id="ms-rterangepaste-end"></span><br>
<p style="margin-top: 0px; margin-bottom: 0px;"></p>
</div>
</div>
</div>
</div>
</body>
</html>
--
zeek mailing list -- zeek@lists.zeek.org
To unsubscribe send an email to zeek-leave@lists.zeek.org
--===============2857357890968368781==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic