Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR), by MITRE

Hi Gary,

Is this developed for Bro/Zeek 2.5.5? I'm getting errors when attempting
to load this in Bro/Zeek 2.6.1.

Yes, I used v2.5.x. What types of errors are you getting? Is it @load
errors with SMB, by chance?

One thing I know changed with v2.6 is that the SMB analyzer was previously
disabled by default in v2.5.x and I believe it is enabled by default in v2.6.
In main.bro line 10:
@load policy/protocols/smb. This should be backward compatible with older
versions of Bro/Zeek. But if you are getting @load SMB errors, you could
try changing line 10 to this: @load base/protocols/smb.

Mark

I did change the SMB load directive but continued getting errors such as

Error in /opt/bro/share/bro/base/gif/plugins/./Bro_DCE_RPC.events.bif.bro, line 125 and /opt/bro/share/bro/policy/bzar/./bzar_dce-rpc.bro, line 224: incompatible types (event(c:connection; fid:count; ctx_id:count; opnum:count; stub_len:count;) and event(c:connection: fid:count; opnum:count; stud_len:count))

And after trying to reconcile that

Error in /opt/bro/share/bro/policy/bzar/./bzar_smb.bro, line 39: "redef" used but not previously defined (SMB::write_cmd_log)
Error in /opt/bro/share/bro/base/bif/plugins/./Bro_SMB.smb2_com_create.bif.bro, line 17 and /opt/bro/share/bro/policy/bzar/./bzar_smb.bro, line 252: incompatible types (event(c:connection; hdr:SMB2::Header; request:SMB2::CreateRequest;) and event(c:connection; hdr:SMB2::Header; name:string;))

I stopped attempting to resolve on my own at that point.

v/r
Gary W. Weasel, Jr. | Computer Engineer
Incident Response and Recovery Team, RE62
COM: 717.267.5777

Gary,

I see the problem. There are rather significant changes between v2.5.x and
v2.6.x, as follows:

DCE-RPC Event Differences:
v2.5.x: event dce_rpc_response(c: connection, fid: count, opnum: count,
stub_len: count);
v2.6.x: event dce_rpc_response(c: connection, fid: count, ctx_id: count,
opnum: count, stub_len: count);

SMB Event Differences:
v2.5.x: event smb2_create_request(c: connection, hdr: SMB2::Header, name:
string);
v2.6.x: event smb2_create_request(c: connection, hdr: SMB2::Header, request:
SMB2::CreateRequest);

Mark
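The two signature differences Mark lists above (dce_rpc_response gaining a ctx_id parameter, and smb2_create_request's name: string becoming request: SMB2::CreateRequest) can both be handled from one script by selecting the handler at load time. The following is an added example written for this thread, not code from BZAR or from MITRE. It assumes Version::number is available (it reports 20600 for 2.6.0), that SMB2::CreateRequest carries the file name in its filename field, and that the SMB scripts live under base/protocols/smb in v2.6.x and under policy/protocols/smb in v2.5.x; the function names are hypothetical and the bodies only emit a reporter message where a real script would put its detection logic.

```zeek
# Added example (not BZAR's own code): one script that loads on both
# Bro/Zeek v2.5.x and v2.6.x despite the changed event signatures.
# Assumptions: Version::number exists (20600 == 2.6.0), the SMB2
# create request record exposes request$filename, and the SMB scripts
# moved from policy/ to base/ in v2.6.x.

@if ( Version::number >= 20600 )
@load base/protocols/smb
@else
@load policy/protocols/smb
@endif

# Version-independent bodies: both event variants below call into these,
# so the detection logic is written once and only the wrappers differ.
# (Hypothetical names; the bodies are placeholders for real logic.)
function bzar_compat_dce_rpc_response(c: connection, fid: count, opnum: count,
                                      stub_len: count)
	{
	Reporter::info(fmt("DCE-RPC response uid=%s fid=%d opnum=%d stub_len=%d",
	                   c$uid, fid, opnum, stub_len));
	}

function bzar_compat_smb2_create_request(c: connection, hdr: SMB2::Header,
                                         name: string)
	{
	Reporter::info(fmt("SMB2 create request uid=%s name=%s", c$uid, name));
	}

@if ( Version::number >= 20600 )
# v2.6.x signatures: ctx_id added; request record instead of a name string.
event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count,
                       stub_len: count)
	{
	bzar_compat_dce_rpc_response(c, fid, opnum, stub_len);
	}

event smb2_create_request(c: connection, hdr: SMB2::Header,
                          request: SMB2::CreateRequest)
	{
	# filename is the field assumed to hold the requested path.
	bzar_compat_smb2_create_request(c, hdr, request$filename);
	}
@else
# v2.5.x signatures, exactly as quoted in the thread.
event dce_rpc_response(c: connection, fid: count, opnum: count,
                       stub_len: count)
	{
	bzar_compat_dce_rpc_response(c, fid, opnum, stub_len);
	}

event smb2_create_request(c: connection, hdr: SMB2::Header, name: string)
	{
	bzar_compat_smb2_create_request(c, hdr, name);
	}
@endif
```

Because @if is evaluated when the script is parsed, only one pair of event handlers is ever defined, so the "incompatible types" errors from the thread do not occur on either version; the ctx_id value is simply dropped on v2.6.x since the v2.5.x-era logic never had it.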