Zeek

https://www.zeek.org/
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.


Environment preparation

Put the capture interface into promiscuous mode
ex:
#ip link set eth0 promisc on

Check that promiscuous mode was set successfully
ex:
#ip a show eth0 | grep -i promisc
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000


Related package installation (optional)
Zeek extensions

Install the packages Zeek depends on
#sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel gperftools jemalloc-devel kernel-devel kernel-headers
#sudo yum update
#sudo reboot


#############################################################

Install Zeek

Download and build Zeek
#cd /root
#wget https://www.zeek.org/downloads/bro-2.6.1.tar.gz
#tar -xzvf bro-2.6.1.tar.gz
#cd bro-2.6.1

If pf_ring is not installed, configure and build directly
#./configure --prefix=/opt/bro --enable-jemalloc
If pf_ring is installed, point the build at it
#./configure --prefix=/opt/bro --with-pcap=/opt/pfring-7.2.0/ --enable-jemalloc

#sudo make
#sudo make install

Grant the permission needed to read packets
#sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro
#sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/broctl

Add Zeek to PATH
Edit /etc/profile.d/bro.sh
and add pathmunge /opt/bro/bin

 

Configure Zeek
Edit /opt/bro/etc/node.cfg
The default is standalone mode (a single machine runs everything).
The configuration file can follow the example below, but change interface to the correct capture interface
[bro]
type=standalone
host=localhost
interface=eth0

For cluster mode (several machines running together), the configuration file can follow the example below (a 3-host cluster)
[logger]
type=logger
host=10.0.0.10

[manager]
type=manager
host=10.0.0.10

[proxy-1]
type=proxy
host=10.0.0.10

[worker-1]
type=worker
host=10.0.0.11
interface=eth0

[worker-2]
type=worker
host=10.0.0.12
interface=eth0

PS:
If pf_ring is used, the following can be used as a reference (assuming the capture interface is ens34)
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=ens34
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1

[worker-2]
type=worker
host=localhost
interface=ens34
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1

Apply the configuration just written and start Zeek
#broctl deploy
checking configurations ...
installing ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
stopping ...
stopping workers ...
stopping proxy ...
stopping manager ...
stopping logger ...
starting ...
starting logger ...
starting manager ...
starting proxy ...
starting workers ...

Check Zeek's running status
#broctl status
Name Type Host Status Pid Started
logger logger localhost running 1774 20 Oct 21:35:31
manager manager localhost running 1820 20 Oct 21:35:32
proxy-1 proxy localhost running 1865 20 Oct 21:35:33
worker-1-1 worker localhost running 1950 20 Oct 21:35:35
worker-1-2 worker localhost running 1951 20 Oct 21:35:35
worker-2-1 worker localhost running 1955 20 Oct 21:35:35
worker-2-2 worker localhost running 1954 20 Oct 21:35:35
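Before running broctl deploy, the node.cfg layouts above (and the process names that broctl status later reports) can be pre-checked. The Python below is an added example, not part of the original post and not broctl's own validation; parse_node_cfg, validate_node_cfg and expected_processes are hypothetical helpers, and the embedded configuration is constructed from the page's pf_ring layout.

```python
import configparser

# Required keys per node type (from the layouts above; broctl's own checks are stricter).
REQUIRED_KEYS = {"standalone": {"host", "interface"}, "logger": {"host"},
                 "manager": {"host"}, "proxy": {"host"}, "worker": {"host", "interface"}}

# Constructed sample: the page's pf_ring layout, two workers sniffing ens34.
PF_RING_CFG = "\n".join([
    "[logger]", "type=logger", "host=localhost",
    "[manager]", "type=manager", "host=localhost",
    "[proxy-1]", "type=proxy", "host=localhost",
    "[worker-1]", "type=worker", "host=localhost", "interface=ens34",
    "lb_method=pf_ring", "lb_procs=2", "pin_cpus=0,1",
    "[worker-2]", "type=worker", "host=localhost", "interface=ens34",
    "lb_method=pf_ring", "lb_procs=2", "pin_cpus=0,1"])

def parse_node_cfg(text):
    # node.cfg uses INI syntax: one section per node, key=value options.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def validate_node_cfg(text):
    """Return a list of problems; an empty list means the layout is consistent."""
    nodes, problems = parse_node_cfg(text), []
    counts = dict.fromkeys(REQUIRED_KEYS, 0)
    for name, opts in nodes.items():
        ntype = opts.get("type")
        if ntype not in REQUIRED_KEYS:
            problems.append(f"[{name}]: unknown or missing type {ntype!r}")
            continue
        counts[ntype] += 1
        for key in sorted(REQUIRED_KEYS[ntype] - set(opts)):
            problems.append(f"[{name}]: missing '{key}'")
        if opts.get("lb_method") == "pf_ring" and not opts.get("lb_procs", "").isdigit():
            problems.append(f"[{name}]: lb_method=pf_ring requires a numeric lb_procs")
    if counts["standalone"] and len(nodes) != 1:
        problems.append("a standalone node cannot be mixed with cluster nodes")
    elif not counts["standalone"]:
        for ntype in ("manager", "proxy", "worker"):
            if counts[ntype] == 0:
                problems.append(f"cluster layout needs at least one {ntype} node")
    return problems

def expected_processes(text):
    """Names as shown by broctl status: lb_procs=N expands worker-X into worker-X-1..N."""
    names = []
    for name, opts in parse_node_cfg(text).items():
        n = int(opts["lb_procs"]) if opts.get("type") == "worker" and "lb_procs" in opts else 0
        names.extend([f"{name}-{i}" for i in range(1, n + 1)] or [name])
    return names
```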

Check whether Zeek is producing logs
#ls /opt/bro/logs/current
-rw-rw-r--. 1 root root 2573 Oct 20 21:35 broker.log
-rw-rw-r--. 1 root root 193 Oct 20 21:55 capture_loss.log
-rw-rw-r--. 1 root root 2970 Oct 20 21:35 cluster.log
-rw-rw-r--. 1 root root 973435 Oct 20 21:52 conn.log
-rw-rw-r--. 1 root root 980865 Oct 20 21:52 dns.log
-rw-rw-r--. 1 root root 1830 Oct 20 21:49 dpd.log
-rw-rw-r--. 1 root root 2406 Oct 20 21:47 files.log
-rw-rw-r--. 1 root root 29108 Oct 20 21:48 http.log
-rw-rw-r--. 1 root root 29646 Oct 20 21:35 loaded_scripts.log
-rw-rw-r--. 1 root root 853 Oct 20 21:38 notice.log
-rw-rw-r--. 1 root root 287 Oct 20 21:35 packet_filter.log
-rw-rw-r--. 1 root root 943 Oct 20 21:46 software.log
-rw-rw-r--. 1 root root 86012 Oct 20 21:51 ssl.log
-rw-rw-r--. 1 root root 8446 Oct 20 21:50 stats.log
-rw-rw-r--. 1 root root 0 Oct 20 21:35 stderr.log
-rw-rw-r--. 1 root root 288 Oct 20 21:35 stdout.log
-rw-rw-r--. 1 root root 249866 Oct 20 21:51 weird.log
PS:
If anything looks wrong, the broctl diag command can be used for troubleshooting

Add a cron job that checks for crashed processes and restarts them automatically
#vi /etc/crontab
*/5 * * * * /opt/bro/bin/broctl cron

PS:
Zeek's log format is documented here
https://docs.zeek.org/en/stable/examples/logs/index.html#working-with-log-files

References
https://www.ericooi.com/zeekurity-zen-part-i-how-to-install-zeek-bro-on-centos-7/

Published 2019-06-30 23:05:05, last modified 2019-07-01 20:31:15
