weird.log and notice.log
Zeek offers two logs for activities that seem out of the ordinary: weird.log and notice.log. There is a distinction between them:

weird.log is various random stuff where analyzers ran into trouble understanding the traffic in terms of their protocols; basically, whenever there is something unexpected at the protocol level, that is a weird (for lack of anything better to do with it). That means that "weirds" are also essentially hardcoded by whoever wrote that analyzer. They can also be generated by scripts, but that is rarer.

notice.log, on the other hand, records situations explicitly detected and reported by Zeek scripts as inspection-worthy. These are usually not protocol errors, but something semantically higher (like a self-signed cert). Notices are part of the script-level analysis and can be raised by Zeek packages as well.

Weirds can often be ignored because of their volume, but notices are much more interesting; they are the closest Zeek comes to IDS alerts.

For details on the fields, please refer to Weird::Info and Notice::Info.
weird.log
The best references on the contents of the weird.log appear in the briefings and writings by Fatema Bannat Wala, such as What Is Weird in Zeek, published 13 November 2019:
https://zeek.org/2019/11/13/what-is-weird-in-zeek/
She spoke on the topic in 2018:
https://www.youtube.com/watch?v=XeJcBBZjaVA
She spoke on the topic in 2020 as well:
https://www.youtube.com/watch?v=s4VSYwfHP0s
For example, the following is a count of individual weird.log entries over a 24 hour period on a home network:
553 ["window_recision",false]
129 ["unknown_protocol",false]
1 ["truncated_IP",false]
5 ["TCP_seq_underflow_or_misorder",false]
4 ["TCP_ack_underflow_or_misorder",false]
2 ["SYN_seq_jump",false]
1 ["SYN_inside_connection",false]
1 ["SYN_after_close",false]
128 ["non_ip_packet_in_ethernet",false]
23 ["line_terminated_with_single_CR",false]
1 ["DNS_RR_unknown_type",false]
3 ["data_after_reset",false]
1 ["bad_TCP_header_len",false]
21 ["bad_HTTP_request",false]
2 ["above_hole_data_without_any_acks",false]
We will look at one of these entries below.
notice.log
The notice.log does not have as much documentation as weird.log. For an example of notice.log entries over a 24 hour period from a home network, consider the following:
654 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (unable to get local issuer certificate)"]
48 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (self signed certificate in certificate chain)"]
13 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (self signed certificate)"]
We will look at one of these entries below.
Investigating a weird.log and notice.log Entry
Taking a look at two entries in the weird.log, we see they reference the same connection:
{
"ts": "2021-01-04T04:59:21.582639Z",
"uid": "CxdbSa2KGTlMl3PPB2",
"id.orig_h": "192.168.4.129",
"id.orig_p": 51020,
"id.resp_h": "40.71.25.43",
"id.resp_p": 8080,
"name": "bad_HTTP_request",
"notice": false,
"peer": "so16-enp0s8-1"
}
{
"ts": "2021-01-04T04:59:21.582639Z",
"uid": "CxdbSa2KGTlMl3PPB2",
"id.orig_h": "192.168.4.129",
"id.orig_p": 51020,
"id.resp_h": "40.71.25.43",
"id.resp_p": 8080,
"name": "line_terminated_with_single_CR",
"notice": false,
"peer": "so16-enp0s8-1"
}
We see a bad_HTTP_request and a line_terminated_with_single_CR. We also happen to have an entry for this connection in the notice.log:
{
"ts": "2021-01-04T04:59:23.038713Z",
"uid": "CxdbSa2KGTlMl3PPB2",
"id.orig_h": "192.168.4.129",
"id.orig_p": 51020,
"id.resp_h": "40.71.25.43",
"id.resp_p": 8080,
"fuid": "FtEE2txjFBxLDbffi",
"proto": "tcp",
"note": "SSL::Invalid_Server_Cert",
"msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
"sub": "CN=*.cloudapp.net,OU=Smart Controller Development,O=GTO Access Systems\\, LLC,DC=smartcontroller,DC=local",
"src": "192.168.4.129",
"dst": "40.71.25.43",
"p": 8080,
"peer_descr": "so16-enp0s8-1",
"actions": [
"Notice::ACTION_LOG"
],
"suppress_for": 3600
}
We see an SSL::Invalid_Server_Cert message here.
This is truly an odd connection. It appears to involve an IoT device. There is no conn.log entry for the activity, which could indicate that it is a long-running connection that did not terminate during the period for which we have logs.
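As an added example (not code from the Zeek documentation), the following Python script performs the two operations shown in this section on Zeek's JSON-lines output: tallying weird.log and notice.log entries by (name, notice) and (note, msg), as in the 24 hour counts above, and joining the two logs on uid to find connections, like the one just examined, that appear in both. The sample records are constructed from the entries shown on this page; the third weird record and its uid are made up so that the join has something to leave out.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in Zeek's JSON-lines log format, modelled on the
# entries shown on this page. The third weird record (uid "Cconstructed00001")
# is made up so that the join has something to leave out.
WEIRD_LOG = """\
{"ts":"2021-01-04T04:59:21.582639Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129","id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"name":"bad_HTTP_request","notice":false,"peer":"so16-enp0s8-1"}
{"ts":"2021-01-04T04:59:21.582639Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129","id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"name":"line_terminated_with_single_CR","notice":false,"peer":"so16-enp0s8-1"}
{"ts":"2021-01-04T05:10:00.000000Z","uid":"Cconstructed00001","id.orig_h":"192.168.4.50","id.orig_p":40000,"id.resp_h":"192.168.4.1","id.resp_p":443,"name":"window_recision","notice":false,"peer":"so16-enp0s8-1"}
"""
NOTICE_LOG = """\
{"ts":"2021-01-04T04:59:23.038713Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129","id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"fuid":"FtEE2txjFBxLDbffi","proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","src":"192.168.4.129","dst":"40.71.25.43","p":8080,"peer_descr":"so16-enp0s8-1","actions":["Notice::ACTION_LOG"],"suppress_for":3600}
"""

def load_json_log(text):
    """Parse Zeek JSON-lines output (one record per line), skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def count_weirds(records):
    """Tally weird.log entries by (name, notice), as in the page's 24 hour count."""
    return Counter((r["name"], r["notice"]) for r in records)

def count_notices(records):
    """Tally notice.log entries by (note, msg)."""
    return Counter((r["note"], r["msg"]) for r in records)

def format_counts(counter):
    """Render a tally as '<count> ["key",...]' lines, highest count first."""
    rows = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{n} {json.dumps(list(k), separators=(',', ':'))}" for k, n in rows]

def correlate_by_uid(weirds, notices):
    """Join both logs on uid; return only connections present in both logs."""
    by_uid = defaultdict(lambda: {"weird": [], "notice": []})
    for r in weirds:
        by_uid[r["uid"]]["weird"].append(r["name"])
    for r in notices:
        by_uid[r["uid"]]["notice"].append(r["note"])
    return {u: v for u, v in by_uid.items() if v["weird"] and v["notice"]}

if __name__ == "__main__":
    weirds, notices = load_json_log(WEIRD_LOG), load_json_log(NOTICE_LOG)
    print("\n".join(format_counts(count_weirds(weirds))))
    print("\n".join(format_counts(count_notices(notices))))
    for uid, hits in correlate_by_uid(weirds, notices).items():
        print(uid, hits["weird"], hits["notice"])
```

On a real sensor, replace the embedded strings with the contents of weird.log and notice.log written by Zeek's JSON log writer.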
Conclusion
The weird.log and notice.log files can be used for more than just odd behavior, but that is one of their main uses in current Zeek implementations. Analysts can find activity that may reveal something suspicious, malicious, or simply software/devices operating oddly.