Zeek

https://www.zeek.org/
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

Environment preparation

Put the capture interface into promiscuous mode

ex:  
#ip link set eth0 promisc on

Check that promiscuous mode was enabled

ex:  
#ip a show eth0 | grep -i promisc  
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

Installing related packages (optional)
Zeek Extension

Install the packages Zeek depends on

#sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel gperftools jemalloc-devel kernel-devel kernel-headers  
#sudo yum update  
#sudo reboot  


Installing Zeek

Download and build Zeek

#cd /root
#wget https://www.zeek.org/downloads/bro-2.6.1.tar.gz
#tar -xzvf bro-2.6.1.tar.gz
#cd bro-2.6.1

If pf_ring is not installed, configure and build directly:
#./configure --prefix=/opt/bro --enable-jemalloc
If pf_ring is installed, build against it:
#./configure --prefix=/opt/bro --with-pcap=/opt/pfring-7.2.0/ --enable-jemalloc

#sudo make
#sudo make install

Grant the capabilities needed to capture packets

#sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro
#sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/broctl

Add Zeek to PATH

Edit /etc/profile.d/bro.sh
and add: pathmunge /opt/bro/bin

Configuring Zeek

Edit /opt/bro/etc/node.cfg
The default is standalone mode (a single machine running everything).
The configuration can follow the example below, but change interface to the correct interface name:

[bro]
type=standalone
host=localhost
interface=eth0

To use cluster mode (several machines running at once), the configuration can follow the example below (a three-machine cluster):

[logger]
type=logger
host=10.0.0.10

[manager]
type=manager
host=10.0.0.10

[proxy-1]
type=proxy
host=10.0.0.10

[worker-1]
type=worker
host=10.0.0.11
interface=eth0

[worker-2]
type=worker
host=10.0.0.12
interface=eth0

PS: if pf_ring is used, refer to the following (assuming the capture interface is ens34):

[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=ens34
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1

[worker-2]
type=worker
host=localhost
interface=ens34
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1
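Before running broctl deploy it is worth sanity-checking node.cfg. The script below is an added example, not part of the original page or of Zeek/broctl: it parses a constructed node.cfg modelled on the pf_ring layout above and flags sniffing nodes without an interface, lb_procs/pin_cpus mismatches, a cluster missing its manager or workers, and workers on the same host pinned to the same CPUs, which is exactly what the layout above does with pin_cpus=0,1 on both workers.

```python
import configparser
from collections import defaultdict

# Constructed node.cfg modelled on the pf_ring cluster layout above: two workers
# on one host, both pinned to CPUs 0,1 (logger and proxy sections omitted).
SAMPLE_NODE_CFG = """
[manager]
type=manager
host=localhost
[worker-1]
type=worker
host=localhost
interface=ens34
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1
[worker-2]
type=worker
host=localhost
interface=ens34
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1
"""

def check_node_cfg(text):
    """Return a list of problems found in a node.cfg (empty list = looks sane)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    problems, seen, pinned = [], defaultdict(list), defaultdict(list)
    for name in cfg.sections():
        sec, ntype = cfg[name], cfg[name].get("type")
        seen[ntype].append(name)
        if ntype in ("standalone", "worker") and not sec.get("interface"):
            problems.append(f"{name}: sniffing node has no interface=")
        if sec.get("lb_method") and not sec.get("lb_procs"):
            problems.append(f"{name}: lb_method set but lb_procs missing")
        if sec.get("pin_cpus"):
            cpus = {int(c) for c in sec["pin_cpus"].split(",")}
            if len(cpus) != int(sec.get("lb_procs", "1")):
                problems.append(f"{name}: pin_cpus count differs from lb_procs")
            # Two workers on the same host pinned to the same cores share them.
            for other, other_cpus in pinned[sec.get("host")]:
                if cpus & other_cpus:
                    problems.append(f"{name} and {other} pin the same CPUs {sorted(cpus & other_cpus)}")
            pinned[sec.get("host")].append((name, cpus))
    if not seen["standalone"]:
        problems += [f"cluster has no {t} node" for t in ("manager", "worker") if not seen[t]]
    return problems
```

Run it as check_node_cfg(open("/opt/bro/etc/node.cfg").read()) against the real file; each returned string is one thing to review before deploying.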

Apply the configuration just written and start Zeek

#broctl deploy
checking configurations ...
installing ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
stopping ...
stopping workers ...
stopping proxy ...
stopping manager ...
stopping logger ...
starting ...
starting logger ...
starting manager ...
starting proxy ...
starting workers ...

Check Zeek's running state

#broctl status
Name Type Host Status Pid Started
logger logger localhost running 1774 20 Oct 21:35:31
manager manager localhost running 1820 20 Oct 21:35:32
proxy-1 proxy localhost running 1865 20 Oct 21:35:33
worker-1-1 worker localhost running 1950 20 Oct 21:35:35
worker-1-2 worker localhost running 1951 20 Oct 21:35:35
worker-2-1 worker localhost running 1955 20 Oct 21:35:35
worker-2-2 worker localhost running 1954 20 Oct 21:35:35

Check whether Zeek is producing logs

#ls /opt/bro/logs/current
-rw-rw-r--. 1 root root 2573 Oct 20 21:35 broker.log
-rw-rw-r--. 1 root root 193 Oct 20 21:55 capture_loss.log
-rw-rw-r--. 1 root root 2970 Oct 20 21:35 cluster.log
-rw-rw-r--. 1 root root 973435 Oct 20 21:52 conn.log
-rw-rw-r--. 1 root root 980865 Oct 20 21:52 dns.log
-rw-rw-r--. 1 root root 1830 Oct 20 21:49 dpd.log
-rw-rw-r--. 1 root root 2406 Oct 20 21:47 files.log
-rw-rw-r--. 1 root root 29108 Oct 20 21:48 http.log
-rw-rw-r--. 1 root root 29646 Oct 20 21:35 loaded_scripts.log
-rw-rw-r--. 1 root root 853 Oct 20 21:38 notice.log
-rw-rw-r--. 1 root root 287 Oct 20 21:35 packet_filter.log
-rw-rw-r--. 1 root root 943 Oct 20 21:46 software.log
-rw-rw-r--. 1 root root 86012 Oct 20 21:51 ssl.log
-rw-rw-r--. 1 root root 8446 Oct 20 21:50 stats.log
-rw-rw-r--. 1 root root 0 Oct 20 21:35 stderr.log
-rw-rw-r--. 1 root root 288 Oct 20 21:35 stdout.log
-rw-rw-r--. 1 root root 249866 Oct 20 21:51 weird.log

PS:
If anything looks abnormal, the broctl diag command can be used for troubleshooting.

Add a cron job that checks for crashes and restarts Zeek automatically

#vi /etc/crontab  
*/5 * * * * root /opt/bro/bin/broctl cron  
(lines in the system crontab /etc/crontab carry a user field before the command, unlike a user's own crontab)

PS:
Zeek's log format is documented at
https://docs.zeek.org/en/stable/examples/logs/index.html#working-with-log-files

Reference
https://www.ericooi.com/zeekurity-zen-part-i-how-to-install-zeek-bro-on-centos-7/