Hi Everyone,
I upgraded our external Zeek cluster right before Thanksgiving to Zeek 3.0, and have started noticing a fair number of the following warnings in the reporter.log file:
“SumStat key request for the 7PJNSqZOUs8 SumStat uid took longer than 1 minute and was automatically cancelled.”
Also, interestingly, after the upgrade the generation of the software.log file has become pretty sporadic (no software.log file for the last week)...
Anyone else noticing this behavior? Any thoughts? Does something need to get backported for software.log to work correctly again in Zeek 3.0?
Thanks!
Fatema
> I upgraded our external Zeek cluster right before Thanksgiving to Zeek 3.0, and have started noticing a fair number of the following warnings in the reporter.log file:
> "SumStat key request for the 7PJNSqZOUs8 SumStat uid took longer than 1 minute and was automatically cancelled."
Did you happen to copy over a previous local.bro that still has "@load misc/scan" in it? The new local.zeek has that commented out due to it being a frequent cause of performance issues.
> Also, interestingly, after the upgrade the generation of the software.log file has become pretty sporadic (no software.log file for the last week)...
One reason for that may be if you don't have any proxy nodes in your cluster config (or they aren't reachable for some reason).
- Jon
Hi Jon,
Thanks for the insights.
I don't have misc/scan enabled in local.zeek; I'm actually using Justin's simple scan detection script.
Also, I checked the local scripts that are currently enabled in local.zeek and found two scripts, detect-ms15-034.bro and http-basic-auth-bruteforce.bro, that use the SumStat framework. I have disabled them to see whether the SumStat warnings in reporter.log are reduced.
Thanks!
Fatema