Incompatible with Bro/Zeek v2.6.1

[petiepooo]

This is great; thanks for releasing it, but I'm running into a zeek/bzar compatibility issue. Bzar loads successfully for me on zeek 2.5.5, but after an upgrade to v2.6.1, I'm getting type and redef errors like:

error in /opt/bro/share/bro/base/bif/plugins/./Bro_DCE_RPC.events.bif.bro, line 125 and /opt/bro/share/bro/bzar/./bzar_dce-rpc.bro, line 224: incompatible types (event(c:connection; fid:count; ctx_id:count; opnum:count; stub_len:count;) and event(c:connection; fid:count; opnum:count; stub_len:count;))

error in /opt/bro/share/bro/bzar/./bzar_smb.bro, line 39: "redef" used but not previously defined (SMB::write_cmd_log)

error in /opt/bro/share/bro/base/bif/plugins/./Bro_SMB.smb2_com_create.bif.bro, line 17 and /opt/bro/share/bro/bzar/./bzar_smb.bro, line 252: incompatible types (event(c:connection; hdr:SMB2::Header; request:SMB2::CreateRequest;) and event(c:connection; hdr:SMB2::Header; name:string;))

That's not a complete list, but I don't know broscript (zeekscript?) well enough to attempt a fix and get it running on the later version. I also see a deprecation warning:

warning in /opt/bro/share/bro/policy/protocols/smb/load.bro, line 1: deprecated script loaded from /opt/bro/share/bro/bzar/./main.bro:10 "Use '@load base/protocols/smb' instead"

FWIW, this is on SecurityOnion, but I don't think it's specific to that platform's zeek installation. That makes duplicating this issue easy, though, as you can boot the SecurityOnion ISO in live mode to test it out.

[johnwunder]

Yes, we heard this from the Zeek list too and have taken a note...this is what you get for testing on an older version. There are a few known incompatibilities with Zeek 2.6.x that we need to work through.

This is in our plans to fix but it won't be immediate -- though we'll certainly add it to the README ASAP. In the meantime, here's a list of the areas we noted were incompatible in case anyone is in the mood for a pull request:

DCE-RPC Event Handler:

• v2.5: event dce_rpc_response(c: connection, fid: count, opnum: count, stub_len: count)
• v2.6: event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, stub_len: count)

SMB Flags:

• v2.5: SMB::write_cmd_log
• v2.6: Does not exist.

SMBv1 Event Handler, smb1_tree_connect_andx_request:

• v2.5: event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, svc: string)
• v2.6: event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string)

SMBv1 Event Handler, smb1_nt_create_andx_request:

• v2.5: event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, name: string)
• v2.6: event smb1_nt_create_andx_request(c: connection, hdr: SMB1::Header, file_name: string)

SMBv2 Event Handler, smb2_create_request:

• v2.5: event smb2_create_request(c: connection, hdr: SMB2::Header, name: string)
• v2.6: event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest)

SMBv2 Event Handler, smb2_write_request:

• v2.5: event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, data_len: count)
• v2.6: event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count)

[kevross33]

Hi,

Here is a traceback from mine also:

broctl checkbro scripts failed.
warning in /usr/local/bro/share/bro/site/zipfilenames.bro, line 1: Discarded extraneous Broxygen comment: 0-day malware script detection
warning in /usr/local/bro/share/bro/site/vt.bro, line 54: deprecated (split1)
warning in /usr/local/bro/share/bro/policy/protocols/smb/load.bro, line 1: deprecated script loaded from /usr/local/bro/share/bro/site/./bzar/./main.bro:10 "Use '@load base/protocols/smb' instead"
error in /usr/local/bro/share/bro/base/bif/plugins/./Bro_DCE_RPC.events.bif.bro, line 125 and /usr/local/bro/share/bro/site/./bzar/./bzar_dce-rpc.bro, line 224: incompatible types (event(c:connection; fid:count; ctx_id:count; opnum:count; stub_len:count;) and event(c:connection; fid:count; opnum:count; stub_len:count;))

[petiepooo]

Ok, thanks. I'd love to be able to submit a PR for you, but I'd need time for a tutorial on broscript first.. those warnings and errors are Greek to me.

[peasead]

Additionally, I had to change the following to get broctl check to return all aces.

/usr/share/bro/policy/frameworks/mitre-attack/./bzar_smb.bro
Orig: c$smb_state$current_file$data_len_req = data_len;
New: c$smb_state$current_file$data_len_req = length;

Orig:event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-7
New:event smb2_write_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count)

It should be noted that for smb2_write_request you hadn't included the priority=-7 in your solution above, so this was just me trying to change exactly what you shared above...so this could have been an error on my part, but I wanted to share in the event anyone else had gone that way.