Security Onion 16.04.6.4 - Zeek custom script error


Gordon Wallum

Feb 19, 2020, 12:30:39 PM
to security-onion
Hello,

I am attempting to implement custom scripts into my SO environment. I am following the SO instructions to load custom scripts.

The script I am trying to load is the bro-simple-scan script (https://github.com/ncsa/bro-simple-scan), but I get the error below when running
  • error in /opt/bro/share/zeek/policy/custom-scripts/./scan.bro, line 12: syntax error, at or near "module"

If I use the integrated scan script in local.bro it does not error out.
  • # Load the scan detection script.  It's disabled by default because
  • # it often causes performance issues.
  • @load misc/scan


The misc/scan.bro file uses the same module Scan; line but runs with no error. I only have one script active at a time, have tried moving the custom script to the misc directory, but nothing works.

Any advice would be appreciated. Sostats-redacted is attached

Thank you,





sostat.txt

Wes Lambert

Feb 20, 2020, 8:20:12 AM
to securit...@googlegroups.com
Hi Gordon,

Have you tried simply renaming the module in the custom script?

Thanks,
Wes


Gordon Wallum

Feb 20, 2020, 9:57:20 AM
to securit...@googlegroups.com
Hi Wes,

I have tried renaming the module with no luck; it still throws the same error. I've run the script on an older SO version with no issue.

Thank you,



Wes Lambert

Feb 20, 2020, 12:19:29 PM
to securit...@googlegroups.com
Hi Gordon,

I'll have to test it myself when I get a chance and get back with you.

I'll let you know what I find.

Thanks,
Wes

Wes Lambert

Feb 21, 2020, 3:50:04 PM
to securit...@googlegroups.com
Hi Gordon,

I got this to work (to not throw errors, not fully tested).

I've created a gist for you to try out (simply copy into a script on the master, chmod +x the file, then execute it).

Ex.

On the master server:


chmod +x simple_scan_setup

Then run as user w/ sudo privs:

sudo ./simple_scan_setup

Please try this out (on a test machine if possible), and let me know if it works for you.

Thanks,
Wes 

Gordon Wallum

Feb 26, 2020, 10:04:05 AM
to securit...@googlegroups.com
Hi Wes,

This got the script working, thank you for the help. Should this be how all custom scripts are loaded in the new version?

Wes Lambert

Feb 26, 2020, 3:09:53 PM
to securit...@googlegroups.com
Hi Gordon,

Script name extensions should be converted from .bro to .zeek, bro_init to zeek_init, and modules should be referenced in /opt/zeek/share/zeek/site/local.zeek.

Thanks,
Wes
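
The three changes listed in the last reply, written out as a shell function. This is an added example, not the gist mentioned in the thread and not Security Onion's own tooling; the function name, its arguments and the @load name are assumptions, and it is meant to be run on a copy of the script directory first.

```shell
# migrate_bro_scripts <script_dir> <local_zeek> <load_name>
#   script_dir : directory holding the custom *.bro files
#   local_zeek : path to local.zeek (the thread gives
#                /opt/zeek/share/zeek/site/local.zeek)
#   load_name  : name used on the @load line (assumption; it depends on
#                where script_dir sits relative to Zeek's script path)
# The body runs in a subshell, so its variables do not leak to the caller.
migrate_bro_scripts() (
    dir=$1
    local_zeek=$2
    load_name=$3

    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; exit 1; }
    [ -f "$local_zeek" ] || { echo "no such file: $local_zeek" >&2; exit 1; }

    # 1. Rename every .bro file to .zeek (this includes __load__.bro).
    #    An existing .zeek file is never overwritten.
    find "$dir" -type f -name '*.bro' | while IFS= read -r f; do
        new="${f%.bro}.zeek"
        if [ -e "$new" ]; then
            echo "skip $f: $new already exists" >&2
        else
            mv -- "$f" "$new"
        fi
    done

    # 2. Rename the bro_init event handler to zeek_init. Plain text
    #    substitution; the pre-edit file is kept as <name>.zeek.bak.
    find "$dir" -type f -name '*.zeek' | while IFS= read -r f; do
        if grep -q 'bro_init' "$f"; then
            sed -i.bak 's/bro_init/zeek_init/g' "$f"
        fi
    done

    # 3. Reference the scripts from local.zeek, adding the line only once.
    if ! grep -qxF "@load $load_name" "$local_zeek"; then
        printf '\n# Custom scripts\n@load %s\n' "$load_name" >> "$local_zeek"
    fi
)
```

Running it a second time changes nothing, so it can be re-applied after adding more scripts to the directory.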
