{"id":311,"date":"2019-06-30T19:42:44","date_gmt":"2019-06-30T11:42:44","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=311"},"modified":"2025-07-27T18:25:29","modified_gmt":"2025-07-27T10:25:29","slug":"zeek-extensions","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/311","title":{"rendered":"Zeek Extensions"},"content":{"rendered":"\n<p><\/p>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><p>\u5e38\u898b\u7684Extensions\u6709\uff1a<\/p>\n<ul>\n<li>PF_RING \u63d0\u6607\u7db2\u8def\u5c01\u5305\u8b80\u53d6\u6548\u80fd<\/li>\n<li>GeoIP \u570b\u5bb6\u89e3\u6790<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<hr>\n<h2>PF_RING<\/h2>\n<h3>\u4e0b\u8f09<\/h3>\n<pre><code>#cd \/usr\/src\n#sudo wget https:\/\/github.com\/ntop\/PF_RING\/archive\/7.2.0-stable.zip\n#sudo unzip 7.2.0-stable.zip\n<\/code><\/pre>\n<p>\u00a0<\/p>\n<h3>\u5b89\u88dd<\/h3>\n<pre><code>cd PF_RING-X.Y.Z-stable\/userland\/lib\nsudo .\/configure --prefix=\/opt\/pfring-X.Y.Z\nsudo make\nsudo make install\n\n#cd ..\/libpcap\n#sudo .\/configure --prefix=\/opt\/pfring-X-Y-Z\n#sudo make\n#sudo make install\n\n#cd ..\/tcpdump-A.B.C\n#sudo .\/configure --prefix=\/opt\/pfring-X-Y-Z\n#sudo make\n#sudo make install\n\n#cd ..\/..\/kernel\n#sudo make\n#sudo make install\n<\/code><\/pre>\n<p>\u00a0<\/p>\n<h3>\u66f4\u65b0\u4e26\u91cd\u958b<\/h3>\n<pre><code>#sudo yum update\n#sudo reboot\n<\/code><\/pre>\n<p>\u00a0<\/p>\n<h3>\u8b80\u53d6pf_ring\u6a21\u7d44<\/h3>\n<pre><code>#sudo modprobe pf_ring enable_tx_capture=0 min_num_slots=65534\n<\/code><\/pre>\n<p>\u00a0<\/p>\n<h3>\u6aa2\u8996pf_ring\u6a21\u7d44\u8cc7\u8a0a<\/h3>\n<pre><code>#cat \/proc\/net\/pf_ring\/info\nPF_RING Version : 7.2.0 (unknown)\nTotal rings : 0\n\nStandard (non ZC) Options\nRing slots : 65534\nSlot version : 17\nCapture TX : No [RX only]\nIP Defragment : No\nSocket Mode : Standard\nCluster Fragment Queue : 0\nCluster Fragment Discard : 0\n<\/code><\/pre>\n<p>\u00a0<\/p>\n<h3>\u8a2d\u5b9a\u6bcf\u6b21\u958b\u6a5f\u81ea\u52d5\u8b80pf_ring\u6a21\u7d44<\/h3>\n<p>\u7de8\u8f2f\/etc\/modules-load.d\/pf_ring.conf\u4e26\u52a0\u5165\u4ee5\u4e0b\u8cc7\u8a0a<\/p>\n<pre><code># load pf_ring\npf_ring\n<\/code><\/pre>\n<p>\u7de8\u8f2f \/etc\/modprobe.d\/pf_ring.conf \u4e26\u52a0\u5165\u4ee5\u4e0b\u8cc7\u8a0a<\/p>\n<pre><code>options pf_ring enable_tx_capture=0 min_num_slots=65534\n<\/code><\/pre>\n<p>\u00a0<\/p>\n<h3>\u91cd\u958b\u6a5f\u6e2c\u8a66\u662f\u5426\u6709\u81ea\u52d5\u8b80\u5165pf_ring\u6a21\u7d44<\/h3>\n<pre><code>#sudo reboot\n#cat \/proc\/net\/pf_ring\/info\n\nPF_RING Version : 7.2.0 (unknown)\nTotal rings : 0\n\nStandard (non ZC) Options\nRing slots : 65534\nSlot version : 17\nCapture TX : No [RX only]\nIP Defragment : No\nSocket Mode : Standard\nCluster Fragment Queue : 0\nCluster Fragment Discard : 0 \n<\/code><\/pre>\n<p>\u00a0<\/p>\n<hr>\n<h2>GeoIP<\/h2>\n<h3>\u5b89\u88ddlibmaxminddb<\/h3>\n<pre><code>#sudo yum --enablerepo=extras install epel-release\n#sudo yum install libmaxminddb-devel\n<\/code><\/pre>\n<p>\u00a0<\/p>\n<h3>\u4e0b\u8f09GeoLite2 database<\/h3>\n<pre><code>#wget http:\/\/geolite.maxmind.com\/download\/geoip\/database\/GeoLite2-City.tar.gz\n#tar xzvf GeoLite2-City.tar.gz\n<\/code><\/pre>\n<p>\u00a0<\/p>\n<h3>\u5c07\u8cc7\u6599\u79fb\u5230\u6307\u5b9a\u7684\u4f4d\u7f6e<\/h3>\n<pre><code>#sudo mv GeoLite2-City_YYYYMMDD\/GeoLite2-City.mmdb \/usr\/share\/GeoIP\/GeoLite2-City.mmdb\n<\/code><\/pre>\n<\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[370],"tags":[],"class_list":["post-311","post","type-post","status-publish","format-standard","hentry","category-blue-team"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/311","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=311"}],"version-history":[{"count":1,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/311\/revisions"}],"predecessor-version":[{"id":2416,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/311\/revisions\/2416"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=311"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=311"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=311"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}