corelight / detect-ransomware-filenames

BSD 3-Clause "New" or "Revised" License

Error on deployment using Zeek version 7.0.4 #4

Open canarieids opened 3 days ago

canarieids commented 3 days ago

Thank you for your support and contributions to the Zeek community. We've been using this Ransomware detection plugin for a few years now. However, we've run into an issue recently.

When deploying on Zeek version 7+, we are receiving the following error.

error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, line 88: no such field in record (checkforransomwarefilenames::rec?$tx_hosts)
error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, line 88: no such field in record (checkforransomwarefilenames::rec?$rx_hosts)
error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, line 90: no such field in record (checkforransomwarefilenames::rec$tx_hosts)
error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, line 90: target to iterate over must be a table, set, vector, or string (checkforransomwarefilenames::rec$<error>)
error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, line 92: no such field in record (checkforransomwarefilenames::rec$conn_uids)
error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, line 92: target to iterate over must be a table, set, vector, or string (checkforransomwarefilenames::rec$<error>)
error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, line 94: no such field in record (checkforransomwarefilenames::rec$rx_hosts)
error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, line 94: target to iterate over must be a table, set, vector, or string (checkforransomwarefilenames::rec$<error>)
error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, line 90: undeclared variable (checkforransomwarefilenames::tx_host)
error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, line 94: undeclared variable (checkforransomwarefilenames::rx_host)
error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, line 92: undeclared variable (checkforransomwarefilenames::cuid)
error in /opt/zeek/share/zeek/base/frameworks/notice/main.zeek, lines 67-179 and /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, lines 96-98: incompatible record types (Notice::Info and [$note=Ransomware::KnownBadFilename, $msg=fmt(Detected potential ransomware! Known bad file name: %s in use by client %s on file server %s, checkforransomwarefilenames::rec$filename, checkforransomwarefilenames::tx_host, checkforransomwarefilenames::rx_host), $src=checkforransomwarefilenames::tx_host, $dst=checkforransomwarefilenames::rx_host, $uid=checkforransomwarefilenames::cuid])
error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, lines 96-98 and /opt/zeek/share/zeek/base/frameworks/notice/main.zeek, lines 67-179: type mismatch ([$note=Ransomware::KnownBadFilename, $msg=fmt(Detected potential ransomware! Known bad file name: %s in use by client %s on file server %s, checkforransomwarefilenames::rec$filename, checkforransomwarefilenames::tx_host, checkforransomwarefilenames::rx_host), $src=checkforransomwarefilenames::tx_host, $dst=checkforransomwarefilenames::rx_host, $uid=checkforransomwarefilenames::cuid] and Notice::Info)
error in /opt/zeek/share/zeek/site/packages/detect-ransomware-filenames/check-for-ransomware-filenames.zeek, lines 96-98: argument type mismatch in function call (NOTICE([$note=Ransomware::KnownBadFilename, $msg=fmt(Detected potential ransomware! Known bad file name: %s in use by client %s on file server %s, checkforransomwarefilenames::rec$filename, checkforransomwarefilenames::tx_host, checkforransomwarefilenames::rx_host), $src=checkforransomwarefilenames::tx_host, $dst=checkforransomwarefilenames::rx_host, $uid=checkforransomwarefilenames::cuid]))

manager scripts failed.
warning in /opt/zeek/share/zeek/policy/tuning/defaults/__load__.zeek, line 1: deprecated script loaded from /opt/zeek/share/zeek/site/local.zeek:13 "Remove in v7.1 The policy/tuning/defaults package is deprecated. The options set here are now the defaults for Zeek in general.";

proxy-1 scripts failed.

worker-ens192-1-1 scripts failed.

markoverholser commented 3 days ago

Thanks for pointing this out. The issue is in line 73, originally @if ( Version::info$major >= 5 && Version::info$minor >= 1 ). It will need to be changed to @if ( ( Version::info$major >= 5 && Version::info$minor >= 1 ) || ( Version::info$major >= 6 ) )

The issue is that the original condition (my silly mistake) only adjusts the default behavior for version 5 and up if the minor version is 1 or higher, so any x.0 release would still have the old behavior requiring tx_hosts and rx_hosts, which doesn't make sense. With the above information, you should be able to patch in place pretty quickly, if you want, while I work out the release process.
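As an added example (not code from the detect-ransomware-filenames package), this Python model evaluates the original and corrected @if guards from the comment above against sample Zeek version strings, and shows the equivalent single tuple comparison that avoids the x.0 mistake in general. The parse_version helper, the takes_new_branch wrapper and the version list are constructed for illustration.

```python
"""Model of the @if version guard from the comment above (script line 73).

Added example, not code from the detect-ransomware-filenames package. Zeek
evaluates @if at load time against Version::info; its $major, $minor and
$patch fields are modelled here by parsing a version string into integers.
"""
import re
from typing import Callable, NamedTuple

class ZeekVersion(NamedTuple):
    major: int
    minor: int
    patch: int

def parse_version(version_string: str) -> ZeekVersion:
    """Parse '7.0.4' (or a suffixed string such as '7.1.0-dev.3') into integers."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version_string)
    if m is None:
        raise ValueError(f"not a Zeek version string: {version_string!r}")
    major, minor, patch = m.groups()
    return ZeekVersion(int(major), int(minor), int(patch or 0))

def old_guard(v: ZeekVersion) -> bool:
    """Guard as originally shipped:
    @if ( Version::info$major >= 5 && Version::info$minor >= 1 )
    major and minor are tested independently, so every x.0 release fails."""
    return v.major >= 5 and v.minor >= 1

def fixed_guard(v: ZeekVersion) -> bool:
    """Guard proposed in the comment above:
    @if ( ( major >= 5 && minor >= 1 ) || ( major >= 6 ) )"""
    return (v.major >= 5 and v.minor >= 1) or v.major >= 6

def tuple_guard(v: ZeekVersion) -> bool:
    """Equivalent form: compare (major, minor) as one ordered pair, the general
    pattern for an 'at least X.Y' check; it cannot mis-handle an x.0 release."""
    return (v.major, v.minor) >= (5, 1)

def takes_new_branch(version_string: str,
                     guard: Callable[[ZeekVersion], bool] = fixed_guard) -> bool:
    """True when the script takes the post-5.1 branch (no tx_hosts/rx_hosts/conn_uids
    lookups); False when it falls through to the legacy branch 7.0.4 choked on."""
    return guard(parse_version(version_string))

if __name__ == "__main__":
    # Constructed sample versions; 7.0.4 is the release from the issue report.
    for vs in ("4.2.0", "5.0.9", "5.1.0", "6.0.3", "7.0.4", "7.1.0-dev.3"):
        v = parse_version(vs)
        print(f"{vs:>12}: old={old_guard(v)!s:5} fixed={fixed_guard(v)!s:5} tuple={tuple_guard(v)}")
```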