search

corelight / detect-ransomware-filenames

BSD 3-Clause "New" or "Revised" License
16 stars 9 forks source link

Unable to load in Zeek 5.1.1 #3

Closed canarieids closed 1 year ago

canarieids commented 1 year ago

We installed on Zeek version 5.1.1 using Zeek Package Manager (zkg install zeek/corelight/detect-ransomware-filenames).

When we try to load the package we get the following error:

"

...
error in /opt/zeek/share/zeek/site/packages/./detect-ransomware-filenames/./check-for-ransomware-filenames.zeek, line 74: no such field in record (checkforransomwarefilenames::rec$tx_hosts)
error in /opt/zeek/share/zeek/site/packages/./detect-ransomware-filenames/./check-for-ransomware-filenames.zeek, line 74: target to iterate over must be a table, set, vector, or string (checkforransomwarefilenames::rec$<error>)
error in /opt/zeek/share/zeek/site/packages/./detect-ransomware-filenames/./check-for-ransomware-filenames.zeek, line 76: no such field in record (checkforransomwarefilenames::rec$conn_uids)
error in /opt/zeek/share/zeek/site/packages/./detect-ransomware-filenames/./check-for-ransomware-filenames.zeek, line 76: target to iterate over must be a table, set, vector, or string (checkforransomwarefilenames::rec$<error>)
error in /opt/zeek/share/zeek/site/packages/./detect-ransomware-filenames/./check-for-ransomware-filenames.zeek, line 78: no such field in record (checkforransomwarefilenames::rec$rx_hosts)
error in /opt/zeek/share/zeek/site/packages/./detect-ransomware-filenames/./check-for-ransomware-filenames.zeek, line 78: target to iterate over must be a table, set, vector, or string (checkforransomwarefilenames::rec$<error>)
error in /opt/zeek/share/zeek/site/packages/./detect-ransomware-filenames/./check-for-ransomware-filenames.zeek, line 74: undeclared variable (checkforransomwarefilenames::tx_host)
error in /opt/zeek/share/zeek/site/packages/./detect-ransomware-filenames/./check-for-ransomware-filenames.zeek, line 78: undeclared variable (checkforransomwarefilenames::rx_host)
error in /opt/zeek/share/zeek/site/packages/./detect-ransomware-filenames/./check-for-ransomware-filenames.zeek, line 76: undeclared variable (checkforransomwarefilenames::cuid)
...

"

markoverholser commented 1 year ago

I was able to reproduce this locally, I'll see if I can figure out what changed in 5.x that is causing this.

markoverholser commented 1 year ago

It's related to the changes in Zeek 5 to move from using the tx_hosts, rx_hosts, and conn_uids fields in files.log and to standardize on the uid and id.[orig|resp] fields, instead.

markoverholser commented 1 year ago

As a short-term workaround, you can try also inserting the following in your local.zeek to return those fields and remove the errors:

@load policy/frameworks/files/deprecated-txhosts-rxhosts-connuids.zeek

https://docs.zeek.org/en/master/scripts/policy/frameworks/files/deprecated-txhosts-rxhosts-connuids.zeek.html

canarieids commented 1 year ago

Thank you we are testing this on our side shortly.

canarieids commented 1 year ago

Thank you this solution worked!

markoverholser commented 11 months ago

FYI, I have updated the script to be able to run in Zeek 4, 5, and 6. The hack described above for Zeek 5 should not be necessary with this new version. Also, that hack does not work for Zeek 6, so for Zeek 6 or newer, the new script will be necessary.