weird.log and notice.log

Zeek offers two logs for activities that seem out of the ordinary: weird.log and notice.log.

There’s a distinction between them:

  • weird.log collects the miscellaneous cases where a protocol analyzer ran into trouble understanding the traffic in terms of its protocol; basically whenever there is something unexpected at the protocol level, that is a weird (for lack of anything better to do with it). That means that “weirds” are essentially hardcoded by whoever wrote that analyzer. They can also be generated by scripts, but that is rarer.

  • notice.log, on the other hand, records situations that Zeek scripts explicitly detected and reported as worth inspecting. These are usually not protocol errors but something semantically higher (like a self-signed certificate). Notices are part of the script-level analysis and can be raised by Zeek packages as well.

Weirds can often be ignored because of their volume; notices are much more interesting, as they are the closest Zeek comes to IDS alerts.

For details on the fields, please refer to Weird::Info and Notice::Info.

weird.log

The best references on the contents of the weird.log appear in the briefings and writings by Fatema Bannat Wala, such as What Is Weird in Zeek, published 13 November 2019.

https://zeek.org/2019/11/13/what-is-weird-in-zeek/

She spoke on the topic in 2018:

https://www.youtube.com/watch?v=XeJcBBZjaVA

She spoke on the topic in 2020 as well:

https://www.youtube.com/watch?v=s4VSYwfHP0s

For example, the following is a count of weird.log entries, grouped by name and by the notice flag, over a 24-hour period on a home network:

553 ["window_recision",false]
129 ["unknown_protocol",false]
  1 ["truncated_IP",false]
  5 ["TCP_seq_underflow_or_misorder",false]
  4 ["TCP_ack_underflow_or_misorder",false]
  2 ["SYN_seq_jump",false]
  1 ["SYN_inside_connection",false]
  1 ["SYN_after_close",false]
128 ["non_ip_packet_in_ethernet",false]
 23 ["line_terminated_with_single_CR",false]
  1 ["DNS_RR_unknown_type",false]
  3 ["data_after_reset",false]
  1 ["bad_TCP_header_len",false]
 21 ["bad_HTTP_request",false]
  2 ["above_hole_data_without_any_acks",false]

We will look at one of these entries below.

notice.log

The notice.log does not have as much documentation as weird.log. For an example of notice.log entries, grouped by note and msg, over a 24-hour period from a home network, consider the following:

654 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (unable to get local issuer certificate)"]
 48 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (self signed certificate in certificate chain)"]
 13 ["SSL::Invalid_Server_Cert","SSL certificate validation failed with (self signed certificate)"]

We will look at one of these entries below.
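The two tallies above (weird.log by name and notice flag, notice.log by note and msg) can be produced with the same small routine. The following is an added example, not code from the original page or from the Zeek project. It assumes Zeek is writing JSON logs, one object per line, as the entries on this page are shown; the sample log lines are constructed and only mirror the shape of real records.

```python
"""Produce the per-name tallies shown above for weird.log and notice.log.

Added example, not from the original page or the Zeek project.  Assumes JSON
logs (one object per line).  The same tally() serves both logs: for weird.log
we key on (name, notice), for notice.log on (note, msg).
"""
import json
from collections import Counter
from typing import Iterable, Sequence

# Constructed sample lines (not real captures); field names follow
# Weird::Info and Notice::Info.
WEIRD_LOG = """\
{"ts":"2021-01-04T04:59:21.582639Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129","id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"name":"bad_HTTP_request","notice":false,"peer":"so16-enp0s8-1"}
{"ts":"2021-01-04T04:59:21.582639Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129","id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"name":"line_terminated_with_single_CR","notice":false,"peer":"so16-enp0s8-1"}
{"ts":"2021-01-04T05:12:07.110000Z","uid":"CZ1example0001","id.orig_h":"192.168.4.40","id.orig_p":40211,"id.resp_h":"93.184.216.34","id.resp_p":80,"name":"bad_HTTP_request","notice":false,"peer":"so16-enp0s8-1"}
{"ts":"2021-01-04T06:40:59.003000Z","uid":"CZ1example0002","id.orig_h":"192.168.4.40","id.orig_p":5353,"id.resp_h":"224.0.0.251","id.resp_p":5353,"name":"DNS_RR_unknown_type","notice":false,"peer":"so16-enp0s8-1"}
"""

NOTICE_LOG = """\
{"ts":"2021-01-04T04:59:23.038713Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129","id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","src":"192.168.4.129","dst":"40.71.25.43","p":8080,"actions":["Notice::ACTION_LOG"],"suppress_for":3600}
{"ts":"2021-01-04T07:02:11.500000Z","uid":"CZ1example0003","id.orig_h":"192.168.4.55","id.orig_p":49822,"id.resp_h":"192.168.4.1","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (self signed certificate)","src":"192.168.4.55","dst":"192.168.4.1","p":443,"actions":["Notice::ACTION_LOG"],"suppress_for":3600}
{"ts":"2021-01-04T07:02:11.500000Z","uid":"CZ1example0004","id.orig_h":"192.168.4.55","id.orig_p":49823,"id.resp_h":"192.168.4.1","id.resp_p":443,"proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (self signed certificate)","src":"192.168.4.55","dst":"192.168.4.1","p":443,"actions":["Notice::ACTION_LOG"],"suppress_for":3600}
"""


def tally(lines: Iterable[str], fields: Sequence[str]) -> Counter:
    """Count records by the tuple of the given fields.

    Blank lines and '#'-prefixed lines (TSV header/footer lines, if a
    non-JSON log is fed in by mistake) are skipped.  A missing field counts
    as None rather than raising, because optional fields are simply absent
    from Zeek's JSON output.
    """
    counts: Counter = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = json.loads(line)
        counts[tuple(rec.get(f) for f in fields)] += 1
    return counts


def format_counts(counts: Counter) -> list:
    """Render like the listings above: '<count> ["name",false]', most frequent first."""
    width = len(str(max(counts.values(), default=0)))
    rows = sorted(counts.items(), key=lambda kv: (-kv[1], json.dumps(list(kv[0]))))
    return [f"{n:>{width}} {json.dumps(list(key), separators=(',', ':'))}" for key, n in rows]


if __name__ == "__main__":
    print("weird.log:")
    print("\n".join(format_counts(tally(WEIRD_LOG.splitlines(), ("name", "notice")))))
    print("notice.log:")
    print("\n".join(format_counts(tally(NOTICE_LOG.splitlines(), ("note", "msg")))))
```

On a real sensor, pass the lines of the day's weird.log or notice.log to tally() instead of the constructed strings. Keying notice.log on msg as well as note is what separates the three certificate-validation failure reasons in the listing above.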

Investigating a weird.log and notice.log Entry

Taking a look at two entries in the weird.log, we see that they reference the same connection:

{
  "ts": "2021-01-04T04:59:21.582639Z",
  "uid": "CxdbSa2KGTlMl3PPB2",
  "id.orig_h": "192.168.4.129",
  "id.orig_p": 51020,
  "id.resp_h": "40.71.25.43",
  "id.resp_p": 8080,
  "name": "bad_HTTP_request",
  "notice": false,
  "peer": "so16-enp0s8-1"
}
{
  "ts": "2021-01-04T04:59:21.582639Z",
  "uid": "CxdbSa2KGTlMl3PPB2",
  "id.orig_h": "192.168.4.129",
  "id.orig_p": 51020,
  "id.resp_h": "40.71.25.43",
  "id.resp_p": 8080,
  "name": "line_terminated_with_single_CR",
  "notice": false,
  "peer": "so16-enp0s8-1"
}

We see a bad_HTTP_request and a line_terminated_with_single_CR, both carrying the uid CxdbSa2KGTlMl3PPB2. We happen to also have an entry for that same uid in the notice.log:

{
  "ts": "2021-01-04T04:59:23.038713Z",
  "uid": "CxdbSa2KGTlMl3PPB2",
  "id.orig_h": "192.168.4.129",
  "id.orig_p": 51020,
  "id.resp_h": "40.71.25.43",
  "id.resp_p": 8080,
  "fuid": "FtEE2txjFBxLDbffi",
  "proto": "tcp",
  "note": "SSL::Invalid_Server_Cert",
  "msg": "SSL certificate validation failed with (unable to get local issuer certificate)",
  "sub": "CN=*.cloudapp.net,OU=Smart Controller Development,O=GTO Access Systems\\, LLC,DC=smartcontroller,DC=local",
  "src": "192.168.4.129",
  "dst": "40.71.25.43",
  "p": 8080,
  "peer_descr": "so16-enp0s8-1",
  "actions": [
    "Notice::ACTION_LOG"
  ],
  "suppress_for": 3600
}

We see an SSL::Invalid_Server_Cert notice here. The actions field shows that the only action taken was Notice::ACTION_LOG, and suppress_for shows that further notices with the same note and identifier are suppressed for 3600 seconds (one hour), so the daily counts above understate how many times certificate validation actually failed.

This is truly an odd connection. The certificate subject (OU=Smart Controller Development, O=GTO Access Systems, DC=smartcontroller) suggests an IoT device talking to a cloud back end (CN=*.cloudapp.net) on TCP port 8080. HTTP weirds followed by a TLS notice on the same connection are consistent with Zeek first attaching its HTTP analyzer to port 8080 and finding that the bytes were not HTTP, before dynamic protocol detection recognized the TLS handshake. There is no conn.log entry for the activity; because Zeek writes a conn.log record only when a connection ends or is expired from state, this could indicate a long-running connection that did not terminate during the period for which we have logs.
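The investigation above is a join on uid across weird.log, notice.log and conn.log. The following is an added example of that join, not code from the original page or from Zeek. It assumes JSON logs as shown on this page; the log lines are constructed, with the CxdbSa2KGTlMl3PPB2 records mirroring the entries above and the others made up to exercise two edge cases: a notice that carries no uid (as notices raised outside any single connection do), and a uid that does have a conn.log record.

```python
"""Correlate weird.log and notice.log by connection uid, and flag connections
that have no conn.log record in the same log window.

Added example, not from the original page or the Zeek project.  Assumes JSON
logs (one object per line).  Sample lines are constructed.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample logs.  Raw strings keep the JSON escaping intact (the
# certificate subject contains an escaped comma, as in the entry above).
WEIRD_LOG = r"""
{"ts":"2021-01-04T04:59:21.582639Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129","id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"name":"bad_HTTP_request","notice":false,"peer":"so16-enp0s8-1"}
{"ts":"2021-01-04T04:59:21.582639Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129","id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"name":"line_terminated_with_single_CR","notice":false,"peer":"so16-enp0s8-1"}
{"ts":"2021-01-04T06:40:59.003000Z","uid":"CZ1example0002","id.orig_h":"192.168.4.40","id.orig_p":5353,"id.resp_h":"224.0.0.251","id.resp_p":5353,"name":"DNS_RR_unknown_type","notice":false,"peer":"so16-enp0s8-1"}
"""

NOTICE_LOG = r"""
{"ts":"2021-01-04T04:59:23.038713Z","uid":"CxdbSa2KGTlMl3PPB2","id.orig_h":"192.168.4.129","id.orig_p":51020,"id.resp_h":"40.71.25.43","id.resp_p":8080,"fuid":"FtEE2txjFBxLDbffi","proto":"tcp","note":"SSL::Invalid_Server_Cert","msg":"SSL certificate validation failed with (unable to get local issuer certificate)","sub":"CN=*.cloudapp.net,OU=Smart Controller Development,O=GTO Access Systems\\, LLC,DC=smartcontroller,DC=local","src":"192.168.4.129","dst":"40.71.25.43","p":8080,"peer_descr":"so16-enp0s8-1","actions":["Notice::ACTION_LOG"],"suppress_for":3600}
{"ts":"2021-01-04T09:15:00.000000Z","note":"Scan::Address_Scan","msg":"192.168.4.77 scanned at least 25 unique hosts on port 22/tcp","src":"192.168.4.77","p":22,"actions":["Notice::ACTION_LOG"],"suppress_for":3600}
"""

CONN_LOG = r"""
{"ts":"2021-01-04T06:40:59.003000Z","uid":"CZ1example0002","id.orig_h":"192.168.4.40","id.orig_p":5353,"id.resp_h":"224.0.0.251","id.resp_p":5353,"proto":"udp","service":"dns","duration":0.002,"conn_state":"S0"}
"""


def parse(log: str) -> List[dict]:
    """One JSON object per line; skip blanks and '#' header lines."""
    return [json.loads(l) for l in log.splitlines() if l.strip() and not l.startswith("#")]


def endpoints(rec: dict) -> str:
    """Human-readable 4-tuple from the id.* fields shared by all three logs."""
    return f'{rec["id.orig_h"]}:{rec["id.orig_p"]} -> {rec["id.resp_h"]}:{rec["id.resp_p"]}'


def correlate(weird_log: str, notice_log: str, conn_log: str) -> Tuple[Dict[str, dict], List[str]]:
    """Group weirds and notices by uid; return (by_uid, notices_without_uid).

    Each by_uid entry records the endpoints, the weird names, the notice
    types, the notice 'sub' detail if any, and whether conn.log has the uid.
    """
    by_uid: Dict[str, dict] = defaultdict(
        lambda: {"endpoints": None, "weirds": [], "notices": [], "detail": None, "in_conn": False})
    for rec in parse(weird_log):
        e = by_uid[rec["uid"]]
        e["endpoints"] = endpoints(rec)
        e["weirds"].append(rec["name"])
    orphans: List[str] = []          # notices not tied to a connection
    for rec in parse(notice_log):
        uid = rec.get("uid")
        if uid is None:
            orphans.append(rec["note"])
            continue
        e = by_uid[uid]
        e["endpoints"] = endpoints(rec)
        e["notices"].append(rec["note"])
        e["detail"] = rec.get("sub", e["detail"])
    conn_uids = {rec["uid"] for rec in parse(conn_log)}
    for uid, e in by_uid.items():
        e["in_conn"] = uid in conn_uids
    return dict(by_uid), orphans


def both_logs(corr: Dict[str, dict]) -> List[str]:
    """uids that appear in weird.log and notice.log."""
    return sorted(u for u, e in corr.items() if e["weirds"] and e["notices"])


def missing_conn(corr: Dict[str, dict]) -> List[str]:
    """uids with weirds/notices but no conn.log record in this window."""
    return sorted(u for u, e in corr.items() if not e["in_conn"])


if __name__ == "__main__":
    corr, orphans = correlate(WEIRD_LOG, NOTICE_LOG, CONN_LOG)
    for uid in both_logs(corr):
        e = corr[uid]
        print(f'{uid} {e["endpoints"]}: weirds={e["weirds"]} notices={e["notices"]} '
              f'conn.log={"yes" if e["in_conn"] else "no"} detail={e["detail"]}')
    print("no conn.log record:", missing_conn(corr))
    print("notices without a uid:", orphans)
```

A uid in missing_conn() is not proof of anything on its own: conn.log is written when the connection ends or Zeek expires it, so re-running the join over the next day's logs is the way to confirm whether the record simply arrived later.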

Conclusion

The weird.log and notice.log files can be used for more than just flagging odd behavior, but that is one of their main uses in current Zeek deployments. Analysts can find activity that may reveal something suspicious or malicious, or simply software and devices operating oddly.