# Zeek

Published 2019-06-30 (last modified 2025-07-27) at https://systw.net/note/archives/306, category: blue-team.

https://www.zeek.org/
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

## Environment preparation

### Set the interface to promiscuous mode

```
ex:
#ip link set eth0 promisc on
```

### Check whether promiscuous mode was set successfully

```
ex:
#ip a show eth0 | grep -i promisc
3: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
```

Related package installation (optional): Zeek extensions

### Install the packages Zeek depends on

```
#sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel gperftools jemalloc-devel kernel-devel kernel-headers
#sudo yum update
#sudo reboot
```

---

## Install Zeek

### Download and compile Zeek

```
#cd /root
#wget https://www.zeek.org/downloads/bro-2.6.1.tar.gz
#tar -xzvf bro-2.6.1.tar.gz
#cd bro-2.6.1
```

If PF_RING is not installed, compile directly:

```
#./configure --prefix=/opt/bro --enable-jemalloc
```

If PF_RING is installed, compile with PF_RING support:

```
#./configure --prefix=/opt/bro --with-pcap=/opt/pfring-7.2.0/ --enable-jemalloc
```

```
#sudo make
#sudo make install
```

### Grant permission to capture packets

```
#sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro
#sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/broctl
```

### Add the binaries to PATH

Edit `/etc/profile.d/bro.sh` and add `pathmunge /opt/bro/bin`.

### Configure Zeek

Edit `/opt/bro/etc/node.cfg`. The default is standalone mode (runs on a single machine); the configuration file can follow the example below, but change `interface` to the correct capture interface.

```
[bro]
type=standalone
host=localhost
interface=eth0
```

To use cluster mode (multiple machines running at the same time), the configuration file can follow the example below (a 3-machine cluster):

```
[logger]
type=logger
host=10.0.0.10

[manager]
type=manager
host=10.0.0.10

[proxy-1]
type=proxy
host=10.0.0.10

[worker-1]
type=worker
host=10.0.0.11
interface=eth0

[worker-2]
type=worker
host=10.0.0.12
interface=eth0
```

PS: if PF_RING is used, see the following (assuming the capture interface is ens34):

```
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=ens34
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1

[worker-2]
type=worker
host=localhost
interface=ens34
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1
```

### Apply the configuration just written and start Zeek

```
#broctl deploy
checking configurations ...
installing ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.bro ...
generating local-networks.bro ...
generating broctl-config.bro ...
generating broctl-config.sh ...
stopping ...
stopping workers ...
stopping proxy ...
stopping manager ...
stopping logger ...
starting ...
starting logger ...
starting manager ...
starting proxy ...
starting workers ...
```

### Check Zeek's running status

```
#broctl status
Name         Type     Host        Status    Pid    Started
logger       logger   localhost   running   1774   20 Oct 21:35:31
manager      manager  localhost   running   1820   20 Oct 21:35:32
proxy-1      proxy    localhost   running   1865   20 Oct 21:35:33
worker-1-1   worker   localhost   running   1950   20 Oct 21:35:35
worker-1-2   worker   localhost   running   1951   20 Oct 21:35:35
worker-2-1   worker   localhost   running   1955   20 Oct 21:35:35
worker-2-2   worker   localhost   running   1954   20 Oct 21:35:35
```

### Check whether Zeek is producing logs

```
#ls /opt/bro/logs/current
-rw-rw-r--. 1 root root 2573 Oct 20 21:35 broker.log
-rw-rw-r--. 1 root root 193 Oct 20 21:55 capture_loss.log
-rw-rw-r--. 1 root root 2970 Oct 20 21:35 cluster.log
-rw-rw-r--. 1 root root 973435 Oct 20 21:52 conn.log
-rw-rw-r--. 1 root root 980865 Oct 20 21:52 dns.log
-rw-rw-r--. 1 root root 1830 Oct 20 21:49 dpd.log
-rw-rw-r--. 1 root root 2406 Oct 20 21:47 files.log
-rw-rw-r--. 1 root root 29108 Oct 20 21:48 http.log
-rw-rw-r--. 1 root root 29646 Oct 20 21:35 loaded_scripts.log
-rw-rw-r--. 1 root root 853 Oct 20 21:38 notice.log
-rw-rw-r--. 1 root root 287 Oct 20 21:35 packet_filter.log
-rw-rw-r--. 1 root root 943 Oct 20 21:46 software.log
-rw-rw-r--. 1 root root 86012 Oct 20 21:51 ssl.log
-rw-rw-r--. 1 root root 8446 Oct 20 21:50 stats.log
-rw-rw-r--. 1 root root 0 Oct 20 21:35 stderr.log
-rw-rw-r--. 1 root root 288 Oct 20 21:35 stdout.log
-rw-rw-r--. 1 root root 249866 Oct 20 21:51 weird.log
```

PS: if anything abnormal is found, use the `broctl diag` command for troubleshooting.

### Add a cron job that automatically checks for crashes and restarts Zeek

```
#vi /etc/crontab
*/5 * * * * /opt/bro/bin/broctl cron
```

PS: Zeek's log format is documented at
https://docs.zeek.org/en/stable/examples/logs/index.html#working-with-log-files

Reference:
https://www.ericooi.com/zeekurity-zen-part-i-how-to-install-zeek-bro-on-centos-7/