========================
weird.log and notice.log
========================

Zeek offers two logs for activities that seem out of the ordinary:
:file:`weird.log` and :file:`notice.log`.

There's a distinction between them:

* :file:`weird.log` is various random stuff where analyzers ran into trouble
  understanding the traffic in terms of their protocols; basically whenever
  there's something unexpected at the protocol level, that's a weird (for lack
  of anything better to do with it). That means that "weirds" are also
  essentially hardcoded by whoever wrote that analyzer. They can also be
  generated by scripts, but that's rarer.

* :file:`notice.log`, on the other hand, records situations explicitly
  detected and reported by Zeek scripts as inspection-worthy. These are
  usually not protocol errors, but something semantically higher (like a
  self-signed cert). Notices are part of the script-level analysis and can be
  raised by Zeek packages as well.

Weirds can often be ignored because of their volume, but notices are much more
interesting: they are the closest Zeek comes to IDS alerts.

For details on the fields, please refer to :zeek:see:`Weird::Info` and
:zeek:see:`Notice::Info`.


:file:`weird.log`
=================

The best references on the contents of the :file:`weird.log` appear in the
briefings and writings by Fatema Bannat Wala, such as "What Is Weird in Zeek",
published 13 November 2019:

https://zeek.org/2019/11/13/what-is-weird-in-zeek/

She spoke on the topic in 2018:

https://www.youtube.com/watch?v=XeJcBBZjaVA

She spoke on the topic in 2020 as well:

https://www.youtube.com/watch?v=s4VSYwfHP0s

For example, the following is a count of individual :file:`weird.log` entries
over a 24-hour period on a home network::

  553 ["window_recision",false]
  129 ["unknown_protocol",false]
  1 ["truncated_IP",false]
  5 ["TCP_seq_underflow_or_misorder",false]
  4 ["TCP_ack_underflow_or_misorder",false]
  2 ["SYN_seq_jump",false]
  1 ["SYN_inside_connection",false]
  1 ["SYN_after_close",false]
  128 ["non_ip_packet_in_ethernet",false]
  23 ["line_terminated_with_single_CR",false]
  1 ["DNS_RR_unknown_type",false]
  3 ["data_after_reset",false]
  1 ["bad_TCP_header_len",false]
  21 ["bad_HTTP_request",false]
  2 ["above_hole_data_without_any_acks",false]

We will look at one of these entries below.


:file:`notice.log`
==================

The :file:`notice.log` does not have as much documentation as
:file:`weird.log`. For an example of :file:`notice.log` entries over a 24-hour
period from a home network, consider the following::

  654 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (unable to get local issuer certificate)"]
  48 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (self signed certificate in certificate chain)"]
  13 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (self signed certificate)"]

We will look at one of these entries below.


Investigating a :file:`weird.log` and :file:`notice.log` Entry
==============================================================

Taking a look at two entries in the :file:`weird.log`, we see they reference
the same connection:

.. literal-emph::

  {
    "ts": "2021-01-04T04:59:21.582639Z",
    "uid": "**CxdbSa2KGTlMl3PPB2**",
    "id.orig_h": "192.168.4.129",
    "id.orig_p": 51020,
    "id.resp_h": "40.71.25.43",
    "id.resp_p": 8080,
    **"name": "bad_HTTP_request",**
    "notice": false,
    "peer": "so16-enp0s8-1"
  }
  {
    "ts": "2021-01-04T04:59:21.582639Z",
    "uid": "**CxdbSa2KGTlMl3PPB2**",
    "id.orig_h": "192.168.4.129",
    "id.orig_p": 51020,
    "id.resp_h": "40.71.25.43",
    "id.resp_p": 8080,
    **"name": "line_terminated_with_single_CR",**
    "notice": false,
    "peer": "so16-enp0s8-1"
  }

We see a ``bad_HTTP_request`` and a ``line_terminated_with_single_CR``. We
happen to also have an entry for this connection in the :file:`notice.log`:

.. literal-emph::

  {
    "ts": "2021-01-04T04:59:23.038713Z",
    "uid": "CxdbSa2KGTlMl3PPB2",
    "id.orig_h": "192.168.4.129",
    "id.orig_p": 51020,
    "id.resp_h": "40.71.25.43",
    "id.resp_p": 8080,
    "fuid": "FtEE2txjFBxLDbffi",
    "proto": "tcp",
    **"note": "SSL::Invalid_Server_Cert",**
    **"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",**
    "sub": "CN=*.cloudapp.net,OU=Smart Controller Development,O=GTO Access Systems\\, LLC,DC=smartcontroller,DC=local",
    "src": "192.168.4.129",
    "dst": "40.71.25.43",
    "p": 8080,
    "peer_descr": "so16-enp0s8-1",
    "actions": [
      "Notice::ACTION_LOG"
    ],
    "suppress_for": 3600
  }

We see an ``SSL::Invalid_Server_Cert`` notice here.

This is truly an odd connection. It appears to involve an IoT device. There is
no :file:`conn.log` entry for the activity, which could indicate it is a
long-running connection that did not terminate during the period for which we
have logs.

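The per-name tallies shown in the two log sections above and the ``uid`` join used in this investigation can be reproduced with a short script. The following Python is an added example, not code from the Zeek documentation or the Zeek project: it parses JSON-format ``weird.log`` and ``notice.log`` rows, counts them the way the summaries above do, and reports the connections that appear in both logs. The sample rows are constructed, modelled on the entries quoted on this page.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample rows (JSON log writer, one object per line) modelled on the
# entries quoted on this page; the uid-less weird stands for a connection-less one.
WEIRD_LINES = [
    '{"ts":"2021-01-04T04:59:21.582639Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129",'
    '"id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"name":"bad_HTTP_request",'
    '"notice":false,"peer":"so16-enp0s8-1"}',
    '{"ts":"2021-01-04T04:59:21.582639Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129",'
    '"id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,'
    '"name":"line_terminated_with_single_CR","notice":false,"peer":"so16-enp0s8-1"}',
    '{"ts":"2021-01-04T05:00:00.000000Z","name":"non_ip_packet_in_ethernet","notice":false}',
]
NOTICE_LINES = [
    '{"ts":"2021-01-04T04:59:23.038713Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129",'
    '"id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"proto":"tcp",'
    '"note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with '
    '(unable to get local issuer certificate)","actions":["Notice::ACTION_LOG"],"suppress_for":3600}',
]

def parse_json_log(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-format Zeek log rows, skipping blank and malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated row should not abort the whole run
    return records

def count_by(records: List[dict], *fields: str) -> Counter:
    """Tally rows by a field tuple: ("name", "notice") reproduces the weird.log
    summary above and ("note", "msg") the notice.log one."""
    return Counter(tuple(r.get(f) for f in fields) for r in records)

def correlate_by_uid(weirds: List[dict], notices: List[dict]) -> Dict[str, dict]:
    """Per connection uid present in both logs, list its weird names and notes."""
    by_uid: Dict[str, dict] = {}
    for r in weirds:
        if "uid" in r:  # connection-less weirds cannot be joined to a notice
            by_uid.setdefault(r["uid"], {"weird": [], "notice": []})["weird"].append(r["name"])
    for r in notices:
        if r.get("uid") in by_uid:
            by_uid[r["uid"]]["notice"].append(r["note"])
    return {uid: v for uid, v in by_uid.items() if v["notice"]}
```

Pointing ``parse_json_log`` at the lines of a real ``weird.log`` and ``notice.log`` gives the same tallies as the shell one-liners behind the summaries above, with the joined ``uid`` set as the shortlist for closer inspection.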

Conclusion
==========

The :file:`weird.log` and :file:`notice.log` files can be used for more than
just odd behavior, but that is one of their main uses in current Zeek
implementations. Analysts can find activity that may reveal something
suspicious, malicious, or simply software/devices operating oddly.