pmphry / netbase Goto Github PK

Hi!
First I'll thank a lot for this project, which I need it to use in Zeek 4
but when I put this framework in the following directory, I have got the error below:

zeek -C -r /home/mohammad/Downloads/mypackets.trace /opt/zeek/share/zeek/base/frameworks/netbase-master/main.bro

error in /opt/zeek/share/zeek/base/frameworks/netbase-master/main.bro, line 112: &default is not valid for global variables except for tables (&default=set())

can you help me please to solve this issue?
Thank a lot :)

Hello,

Great project. I would like to communicate a known issue with using orig$bytes/resp$bytes or the use_conn_size_analyzer for tracking tx/rx. The issue is that for TCP these use sequence numbers to calculate the metric. For long or large connections the TCP seq can wrap which will lead to unreliable results:

From https://docs.zeek.org/en/current/scripts/base/protocols/conn/main.zeek.html

orig_bytes: count&log&optional
The number of payload bytes the originator sent. For TCP this is taken from sequence numbers and might be inaccurate (e.g., due to large connections).

resp_bytes: count&log&optional
The number of payload bytes the responder sent. See orig_bytes.

In my and others testing this has been confirmed to cause ridiculously large flow tx/rx reports. Instead it is recommended to use orig/resp_ip_bytes which utilize the len header of the ip frame.

orig_ip_bytes: count&log&optional
Number of IP level bytes that the originator sent (as seen on the wire, taken from the IP total_length header field). Only set if use_conn_size_analyzer = T.

Using the *_ip_bytes field on our sensors to calculate PCR and comparing that to the PCR calculated on firewall logs reported tx/rx bytes counts has confirmed accuracy for myself.