Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

directory creation race condition starting up zeek on sensor which may cause zeekctl to fail #76

Closed
mmguero opened this issue Feb 4, 2022 · 1 comment · Fixed by cisagov/Malcolm#188
Closed

directory creation race condition starting up zeek on sensor which may cause zeekctl to fail #76

mmguero opened this issue Feb 4, 2022 · 1 comment · Fixed by cisagov/Malcolm#188
Assignees
@mmguero
Labels
bug Something isn't working carving Relating to carving (extraction) of files from traffic and the scanning of those files sensor For issues dealing with the Hedgehog OS capture sensor zeek Relating to Malcolm's use of Zeek

Comments

@mmguero
Copy link
Collaborator

mmguero commented Feb 4, 2022

This morning I discovered an issue where the zeek_carve_logger.py script (which logs hits for files scanned by zeek into signatures(_carved).log). This script would end up creating the $ZEEK_LOG_PATH/logs/current directory before zeekctl can get to it. zeekctl wants the current directory to be a symlink to whatever the current logs directory is, but zeek_carve_logger.py has already created it. This causes zeekctl to abort on startup because it can't update the current symlink.

The solution is to not try to hijack that directory for use by my fakey signatures log file. Instead, I'll put it in a static directory under $ZEEK_LOG_PATH and point filebeat to look there as well.
@mmguero mmguero added bug Something isn't working carving Relating to carving (extraction) of files from traffic and the scanning of those files zeek Relating to Malcolm's use of Zeek sensor For issues dealing with the Hedgehog OS capture sensor labels Feb 4, 2022
@mmguero mmguero self-assigned this Feb 4, 2022
mmguero added a commit to mmguero-dev/Malcolm that referenced this issue Feb 4, 2022
@mmguero
fix idaholab#76, directory creation race condition starting up zeek o…
7fda08c 
…n sensor which may cause zeekctl to fail
mmguero added a commit to cisagov/Malcolm that referenced this issue Feb 4, 2022
@mmguero
fix idaholab#76, directory creation race condition starting up zeek o…
cc50137 
…n sensor which may cause zeekctl to fail
mmguero added a commit that referenced this issue Feb 7, 2022
@mmguero
fix #76, directory creation race condition starting up zeek on sensor…
0a05f9d 
… which may cause zeekctl to fail
@mmguero
Copy link
Collaborator Author

mmguero commented Feb 7, 2022

fixed in v5.2.4

@mmguero mmguero closed this as completed Feb 7, 2022
@mmguero mmguero mentioned this issue Feb 7, 2022
Merged
mmguero added a commit to cisagov/Malcolm that referenced this issue Feb 7, 2022
@mmguero
Merge pull request #188 from cisagov/v524_merge
db122ba 
v5.2.4 development

- New features
  - idaholab#74 (automatically generate Zeek intelligence indicators from STIX/TAXII)

- Improvements
  - group MAC addresses and OUI (vendors) into `related.mac` and `related.oui` for easier searching across all fields
  - improvements to default anomaly detectors

- Bug fixes
  - Fix idaholab#75 (OpenSearch Dashboards loads slowly without network connectivity)
  - Fix idaholab#76 (directory creation race condition starting up zeek on sensor which may cause zeekctl to fail)
@mmguero mmguero mentioned this issue Feb 15, 2022
Merged
@mmguero mmguero added this to Malcolm Oct 14, 2024
@mmguero mmguero moved this to Released in Malcolm Oct 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mmguero mmguero

Labels
bug Something isn't working carving Relating to carving (extraction) of files from traffic and the scanning of those files sensor For issues dealing with the Hedgehog OS capture sensor zeek Relating to Malcolm's use of Zeek
Projects
Malcolm
Status: Released
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

v5.2.4 development cisagov/Malcolm
1 participant
@mmguero