tylabs / dovehawk

Dovehawk is a Zeek module that automatically imports MISP indicators and reports Sightings

License: MIT License

Standard ML 3.65% Zeek 96.35%
misp bro-ids threat-hunting threat-intelligence zeek-ids zeek misp-sightings

dovehawk's Issues

Sighting problems

Hello,

I'm using dovehawk and it seems that it's working when I use the TI service offenders in MISP, so that I see 12k+ indicators,
but when I try to create my own IOC, it will just put the IP in the signatures.sig file and is saying "syntax error there".

Question 1: Is signatures.sig just for my own IOCs or also for the automatically created ones?

Question 2: How to fix that syntax problem? I saw your testsignature file in git; do I need to create it manually with that syntax and not from MISP?

Thanks for any soon help!

Best regards

Error with Zeek 4.0.5 LTS

Good morning,

After updating my zeek nodes from 4.0.4 to 4.0.5, I am receiving the following errors when I try to retrieve events from my internal MISP instance:

```
{"ts":"2022-01-31T08:51:05.607207Z","level":"Reporter::ERROR","message":"curl --header "Authorization: "HZt3bmlDstJZq7Wuy0NUARfGLCKAjFF8zogCA9oa"" -s -g -o ""/tmp/zeek-activehttp-FNJSb0Kya4_body"" -D ""/tmp/zeek-activehttp-FNJSb0Kya4_headers"" -X ""GET"" -m 60 -k ""https://iceland.lab.uxdom.org/attributes/bro/download/all\"\" && touch "/tmp/zeek-activehttp-FNJSb0Kya4_body" |/Input::READER_RAW: Child process exited with non-zero return code 28","location":""}
{"ts":"2022-01-31T08:51:05.607661Z","level":"Reporter::ERROR","message":"/tmp/zeek-activehttp-FNJSb0Kya4_body/Input::READER_RAW: Init: cannot open /tmp/zeek-activehttp-FNJSb0Kya4_body","location":""}
{"ts":"2022-01-31T08:51:05.607661Z","level":"Reporter::ERROR","message":"/tmp/zeek-activehttp-FNJSb0Kya4_body/Input::READER_RAW: Init failed","location":""}
{"ts":"2022-01-31T08:51:05.607661Z","level":"Reporter::ERROR","message":"/tmp/zeek-activehttp-FNJSb0Kya4_body/Input::READER_RAW: terminating thread","location":""}
```

Auth key is valid for sure (retrieving events using curl works without problems).

Any idea?

Error when starting dovehawk

Have you encountered this error when starting?

```
root@soc-bro-s01:/nsm/bro/bin# /nsm/bro/bin/zeek -i ens192 /nsm/bro/dovehawk/
error in /nsm/bro/dovehawk/./scripts/./dovehawk.zeek, line 369: unknown identifier signature_refresh_period, at or near "signature_refresh_period"
```

Issue pulling indicators from MISP

Hey, awesome package. I was keen to try it out, so I built 2 new VMs, one with bro 2.5.4 and the latest MISP with a dummy dataset. The first issue is I couldn't install dovehawk via bro-pkg; the package doesn't exist on the CLI or in the web interface to bro packages.

Once I downloaded it and installed it manually I could get it to invoke fine and I was able to define my MISP API key and IP address. Then if I run bro on a pcap file or on a network interface I receive the below error:

```
bro -C -i ens33 /usr/local/bro/share/bro/site/packages/dovehawk/
listening on ens33

Downloading Signatures 2018/08/29 03:40:20 [1.00.002]
Local Directory: /usr/local/bro/share/bro/site/packages/dovehawk/./scripts
MISP Server: https://192.168.247.130/
Downloading Indicators...
Downloading Signatures...
1535539221.640420 error: curl --header "Authorization: APIKEY" -s -g -o "/tmp/bro-activehttp-C0OBIAJA1Me_body" -D "/tmp/bro-activehttp-C0OBIAJA1Me_headers" -X "GET" -m 60 "https://192.168.247.130/attributes/bro/download/all" && touch /tmp/bro-activehttp-C0OBIAJA1Me_body |/Input::READER_RAW: Child process exited with non-zero return code 60
1535539221.640420 error: curl --header "Authorization: APIKEY" -s -g -o "/tmp/bro-activehttp-hqdYPmgmf7i_body" -D "/tmp/bro-activehttp-hqdYPmgmf7i_headers" -X "GET" -m 60 "https://192.168.247.130/attributes/text/download/bro" && touch /tmp/bro-activehttp-hqdYPmgmf7i_body |/Input::READER_RAW: Child process exited with non-zero return code 60
1535539221.643126 error: /tmp/bro-activehttp-C0OBIAJA1Me_body/Input::READER_RAW: Init: cannot open /tmp/bro-activehttp-C0OBIAJA1Me_body
1535539221.643126 error: /tmp/bro-activehttp-C0OBIAJA1Me_body/Input::READER_RAW: Init failed
1535539221.643126 error: /tmp/bro-activehttp-C0OBIAJA1Me_body/Input::READER_RAW: terminating thread
1535539221.643126 error: /tmp/bro-activehttp-hqdYPmgmf7i_body/Input::READER_RAW: Init: cannot open /tmp/bro-activehttp-hqdYPmgmf7i_body
1535539221.643126 error: /tmp/bro-activehttp-hqdYPmgmf7i_body/Input::READER_RAW: Init failed
1535539221.643126 error: /tmp/bro-activehttp-hqdYPmgmf7i_body/Input::READER_RAW: terminating thread
```

If I curl my URL with the correct authorization API key I can download all the bro signatures I need, so the data is definitely coming down from MISP. The command I tested the API with was a little different:

```
curl -k --header "Authorization: APIKEY" https://192.168.247.130/attributes/bro/download/all >> /tmp/bro-test.intel
```

That command downloads everything I need into the bro-test.intel file. I'm skipping the SSL check and the -s -g -o options and not building a tmp dir etc.

I can just wait until the bro-pkg version is put back up and test again, or I'm happy to debug this if you want to know any more info.

Thanks again!

Dovehawk startup error

Receiving this error when running zeekctl deploy:

warning in /opt/zeek/spool/installed-scripts-do-not-touch/site/dovehawk/./scripts/./dovehawk.zeek, lines 73-84: "when" statement referring to locals without an explicit [] capture is deprecated: dovehawk::req, dovehawk::cmd, dovehawk::bodyfile, dovehawk::headersfile, dovehawk::stdin_data (when (dovehawk::result = Exec::run((coerce [$cmd=dovehawk::cmd, $stdin=dovehawk::stdin_data, $read_files=set(dovehawk::bodyfile, dovehawk::headersfile)] to Exec::Command))) { if (!(dovehawk::result?$files && dovehawk::headersfile in dovehawk::result$files)) { print download error 1Reporter::error(fmt(There was a failure when requesting "%s" with ActiveHTTP., dovehawk::req$url))return (to_any_coercevector())}return (to_any_coercedovehawk::result$files[dovehawk::bodyfile])})

We can generate a file with bro indicators from Home > Export, but trying to curl https://$MISP_URL/attributes/bro/download/all does not return anything.

Error while downloading from misp

Hello, I got an error while downloading resources from MISP; here is the full log:

```
[root@bro eshaafs]# zeek -i ens192 -C dovehawk/
listening on ens192

Downloading Signatures 2020/08/12 11:17:37 [1.02.001]
NETSTATS: pkts_dropped=0 pkts_recvd=1 pkts_link=1 bytes_recvd=134
Local Directory: /home/eshaafs/./dovehawk/./scripts/.
MISP Server: https://192.168.105.234/
Downloading Indicators...
Downloading Signatures...
1597205858.245483 error: curl --header "Authorization: "DkqPVMDGEo9HrrT8BJDytiwWBpVHuZ3zqZFm79pj"" -s -g -o ""/tmp/zeek-activehttp-ekmpsMUTCl6_body"" -D ""/tmp/zeek-activehttp-ekmpsMUTCl6_headers"" -X ""GET"" -m 60 ""https://192.168.105.234/attributes/bro/download/all"" && touch "/tmp/zeek-activehttp-ekmpsMUTCl6_body" |/Input::READER_RAW: Child process exited with non-zero return code 60
1597205858.245483 error: curl --header "Authorization: "DkqPVMDGEo9HrrT8BJDytiwWBpVHuZ3zqZFm79pj"" -s -g -o ""/tmp/zeek-activehttp-qdsHIduAQDl_body"" -D ""/tmp/zeek-activehttp-qdsHIduAQDl_headers"" -X ""GET"" -m 60 ""https://192.168.105.234/attributes/text/download/zeek"" && touch "/tmp/zeek-activehttp-qdsHIduAQDl_body" |/Input::READER_RAW: Child process exited with non-zero return code 60
1597205858.246415 error: /tmp/zeek-activehttp-qdsHIduAQDl_body/Input::READER_RAW: Init: cannot open /tmp/zeek-activehttp-qdsHIduAQDl_body
1597205858.246415 error: /tmp/zeek-activehttp-qdsHIduAQDl_body/Input::READER_RAW: Init failed
1597205858.246415 error: /tmp/zeek-activehttp-qdsHIduAQDl_body/Input::READER_RAW: terminating thread
1597205858.246415 error: /tmp/zeek-activehttp-ekmpsMUTCl6_body/Input::READER_RAW: Init: cannot open /tmp/zeek-activehttp-ekmpsMUTCl6_body
1597205858.246415 error: /tmp/zeek-activehttp-ekmpsMUTCl6_body/Input::READER_RAW: Init failed
1597205858.246415 error: /tmp/zeek-activehttp-ekmpsMUTCl6_body/Input::READER_RAW: terminating thread
```
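The curl failures in the three download issues above (exit code 60 in the two Bro/Zeek 3 reports, exit code 28 on Zeek 4.0.5) each trigger the same cascade of READER_RAW "cannot open" errors, and only the first line of each cascade carries the cause. As an added example, not dovehawk's own code, this Python script parses both reporter formats quoted above, ties each follow-up line back to the curl call that produced it, and explains the exit code from a troubleshooting stance; the sample log, API key, hosts and temp-file names are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the reporter output quoted in the issues above; key, hosts and temp names are placeholders.
SAMPLE = r'''
{"ts":"2022-01-31T08:51:05.607207Z","level":"Reporter::ERROR","message":"curl --header "Authorization: "APIKEY"" -s -g -o ""/tmp/zeek-activehttp-AAAAAAAAAAA_body"" -D ""/tmp/zeek-activehttp-AAAAAAAAAAA_headers"" -X ""GET"" -m 60 -k ""https://misp.example.org/attributes/bro/download/all\"\" && touch "/tmp/zeek-activehttp-AAAAAAAAAAA_body" |/Input::READER_RAW: Child process exited with non-zero return code 28","location":""}
{"ts":"2022-01-31T08:51:05.607661Z","level":"Reporter::ERROR","message":"/tmp/zeek-activehttp-AAAAAAAAAAA_body/Input::READER_RAW: Init: cannot open /tmp/zeek-activehttp-AAAAAAAAAAA_body","location":""}
1535539221.640420 error: curl --header "Authorization: APIKEY" -s -g -o "/tmp/bro-activehttp-BBBBBBBBBBB_body" -D "/tmp/bro-activehttp-BBBBBBBBBBB_headers" -X "GET" -m 60 "https://192.0.2.10/attributes/bro/download/all" && touch /tmp/bro-activehttp-BBBBBBBBBBB_body |/Input::READER_RAW: Child process exited with non-zero return code 60
1535539221.643126 error: /tmp/bro-activehttp-BBBBBBBBBBB_body/Input::READER_RAW: Init: cannot open /tmp/bro-activehttp-BBBBBBBBBBB_body
'''

CURL_EXIT = {28: "operation timed out (-m limit reached)",
             60: "peer certificate cannot be authenticated (untrusted or self-signed CA)"}
# Patterns match both the plain "<ts> error: ..." and the JSON reporter.log formats.
CURL_RE = re.compile(r'curl .*?-o "+(?P<body>/tmp/[^"\s]+_body)"+.*?-m (?P<timeout>\d+)(?P<insecure> -k)? .*?'
                     r'(?P<url>https?://[^"\s\\]+).*?return code (?P<code>\d+)')
FOLLOWUP_RE = re.compile(r'(?P<body>/tmp/\S+?_body)/Input::READER_RAW: '
                         r'(?P<msg>Init: cannot open|Init failed|terminating thread)')

@dataclass
class Failure:
    url: str
    body_file: str
    exit_code: int
    timeout: int
    insecure: bool  # True when the curl command carried -k
    followups: list = field(default_factory=list)  # READER_RAW lines caused by this failure

    def diagnosis(self) -> str:
        reason = CURL_EXIT.get(self.exit_code, "unrecognised curl exit code")
        if self.exit_code == 60 and not self.insecure:
            reason += "; curl ran without -k, so install the MISP CA on the sensor or fix the chain"
        elif self.exit_code == 28:
            reason += f"; the download exceeded the {self.timeout}s ActiveHTTP limit"
        return f"{reason} (exit {self.exit_code})"

def parse_reporter_log(text: str) -> list:
    # Group each failed curl call with the READER_RAW lines it caused, keyed by the -o body file
    failures = {}
    for line in text.splitlines():
        m = CURL_RE.search(line)
        if m:
            failures[m.group("body")] = Failure(m.group("url"), m.group("body"), int(m.group("code")),
                                                int(m.group("timeout")), m.group("insecure") is not None)
            continue
        f = FOLLOWUP_RE.search(line)
        if f and f.group("body") in failures:
            failures[f.group("body")].followups.append(f.group("msg"))
    return list(failures.values())
```

Calling `parse_reporter_log(SAMPLE)` and printing each `Failure.diagnosis()` shows one root cause per download attempt instead of three error lines each; feed it reporter.log from a real sensor to get the same summary.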

Not working with bro version 2.6.4

I followed the steps mentioned in INSTALL.md, then added the API key and URL, but no luck.
I am using bro version 2.6.4.
Please update the tool to work with zkg install instead of broctl.
Thanks

Missing variable in latest config

global signature_refresh_period is missing from config.zeek in the latest version with Zeek 4. I pulled using zkg. The error goes away after adding it to the config file.
