
docker-zeek's People

Contributors

caffeinatedpixel, ethack, fullmetalcache, william-stearns, zalgo2462


docker-zeek's Issues

Include Maxmind geolocation in default image

Make these errors in reporter.log go away.

/usr/local/zeek/share/zeek/policy/protocols/ssh/geo-data.zeek, line 30  Reporter::ERROR Failed to open GeoIP location database (lookup_location(SSH::lookup_ip))
/usr/local/zeek/share/zeek/policy/protocols/ssh/geo-data.zeek, line 30  Reporter::ERROR Failed to open GeoIP location database (lookup_location(SSH::lookup_ip))

Release Documentation

  • Default Zeekcfg version in Dockerfile (if changed)
    This and any other non-Zeek version changes only need to be made and pushed to master to trigger a new Docker image to be built and pushed.

If the Zeek version changes:

  • Default Zeek version in Dockerfile (if changed)
  • Readme.md (list of tags)
  • Github workflow (zeek versions that actually get built)

If the Readme changes:
Update the Readme on Dockerhub manually. Due to using Github Actions to push images, the readme there doesn't get automatically updated. And updating through an API is currently an anti-feature according to Docker.

Template for disabling logs

Maybe create a commented out block in the local.zeek file that lists all logs. Then you can uncomment the logs to disable.

event zeek_init()
    {
    Log::disable_stream(Syslog::LOG);
    }

In the zeek source code you can find the names of the logs with:

grep -R -F 'Log::create_stream(' scripts/

References:

Barnyard2::LOG
Broker::LOG
Cluster::LOG
Conn::LOG
DCE_RPC::LOG
DHCP::LOG
DNP3::LOG
DNS::LOG
DPD::LOG
Files::LOG
FTP::LOG
HTTP::LOG
IRC::LOG
Known::CERTS_LOG
Known::HOSTS_LOG
Known::MODBUS_LOG
Known::SERVICES_LOG
KRB::LOG
LoadedScripts::LOG
LOG
Modbus::LOG
Modbus::REGISTER_CHANGE_LOG
MQTT::CONNECT_LOG
MQTT::PUBLISH_LOG
MQTT::SUBSCRIBE_LOG
mysql::LOG
NetControl::DROP_LOG
NetControl::LOG
Notice::ALARM_LOG
Notice::LOG
NTLM::LOG
NTP::LOG
OpenFlow::LOG
PacketFilter::LOG
PRINTLOG
RADIUS::LOG
RDP::LOG
Reporter::LOG
RFB::LOG
Signatures::LOG
SIP::LOG
SMB::CMD_LOG
SMB::FILES_LOG
SMB::MAPPING_LOG
SMTP::LOG
SNMP::LOG
SOCKS::LOG
Software::LOG
SSH::LOG
SSL::LOG
Stats::LOG
Syslog::LOG
Traceroute::LOG
Tunnel::LOG
Unified2::LOG
Weird::LOG
WeirdStats::LOG
X509::LOG
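As an added example (not code from the docker-zeek project), the script below does the grep above in Python and renders the commented-out local.zeek block the issue proposes. It goes one step beyond the grep: a bare name such as LOG is qualified with the enclosing `module` declaration, so it comes out as e.g. Conn::LOG instead of the ambiguous LOG seen in the list above. The sample Zeek script text and the scan_tree helper are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# First argument of Log::create_stream(<ID>, ...)
CREATE_RE = re.compile(r"Log::create_stream\(\s*([A-Za-z0-9_:]+)")
# 'module Foo;' lines set the namespace for bare names such as LOG
MODULE_RE = re.compile(r"^\s*module\s+([A-Za-z0-9_:]+)\s*;", re.MULTILINE)

def stream_ids(script_text):
    """Qualified stream IDs in one script: bare LOG after 'module Conn;' -> Conn::LOG."""
    events = [(m.start(), "module", m.group(1))
              for m in MODULE_RE.finditer(script_text)]
    events += [(m.start(), "stream", m.group(1))
               for m in CREATE_RE.finditer(script_text)]
    module, ids = "GLOBAL", []
    for _, kind, name in sorted(events):  # walk the file in source order
        if kind == "module":
            module = name
        elif "::" in name or module == "GLOBAL":
            ids.append(name)
        else:
            ids.append(f"{module}::{name}")
    return ids

def scan_tree(root):
    """Same as the grep over scripts/, but de-duplicated and qualified."""
    found = set()
    for path in Path(root).rglob("*.zeek"):
        found.update(stream_ids(path.read_text(errors="replace")))
    return sorted(found, key=str.lower)

def render_template(ids):
    """Commented-out local.zeek block; uncomment a line to disable that log."""
    body = [f"    #Log::disable_stream({sid});" for sid in ids]
    return "\n".join(["event zeek_init()", "    {", *body, "    }"])

# Constructed sample standing in for files from the Zeek scripts tree
SAMPLE_SCRIPT = """module Conn;
event zeek_init() &priority=5
    {
    Log::create_stream(Conn::LOG, [$columns=Info, $ev=log_conn, $path="conn"]);
    }
module SMB;
event zeek_init()
    {
    Log::create_stream(CMD_LOG, [$columns=CmdInfo, $path="smb_cmd"]);
    Log::create_stream(FILES_LOG, [$columns=FileInfo, $path="smb_files"]);
    }
"""
if __name__ == "__main__":
    print(render_template(stream_ids(SAMPLE_SCRIPT)))
```

Run it against a checked-out Zeek tree with `render_template(scan_tree("scripts/"))` to produce the full block for local.zeek.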

Workflow caching ineffective

The cache_froms line in the github workflow is meant to speed up building by allowing docker to use the cache. However, this run should not have busted the cache and caused a full Zeek rebuild, but it did.

My current suspicion is that because we are using a multi-stage build the layers from the first stage are not being pushed to the docker repository and thus can't be used for caching. Look into the target config to see if we can push the builder stage to Dockerhub (e.g. activecm/zeek:builder) and then add that tag to the cache_froms config line.

Load 8021q module to recognize vlan-tagged traffic on networks with vlans

While Zeek will process vlan-tagged traffic, that traffic has to make it from the interface up to Zeek during the raw packet capture. This won't happen unless the 8021q module is loaded.
Requests:

  1. load the 8021q module by hand during initial install:
    sudo modprobe 8021q || true
  2. add the line "8021q" to /etc/modules so it's automatically loaded after following boots
    echo -e '\n8021q' | sudo tee -a /etc/modules >/dev/null
    The above change should have no effect on networks that do not use vlans.
    Should this be built into the kernel (as opposed to being a loadable module), step 1 may come back with a failure, so we need to add "|| true" to the modprobe command line. (No change is needed for step 2.)

Write tests

At the very least ensure that running zeek --version and zeekctl --version don't error. Another test would be to run zeekctl check to make sure no plugin has caused issues. But to do that we'll need to make a node.cfg file. Maybe a static one will work, otherwise use the "auto" feature of zeekcfg and generate one on the fly.

Any failures should prevent the zeek image from being pushed to Dockerhub.

current logs symlink is broken on the host

PR #30 introduced a regression where the current symlink is linked to the wrong folder on the host. Before PR #30, the symlink would point to the host's manager spool directory. Now, it points to the container's manager spool directory.

The host's manager spool directory lies in /opt/zeek, while the container's manager spool directory lies in /usr/local/zeek. As a result the symlink can only work for either the host or the container. The symlink should be switched back to work for the host.
