activecm / docker-zeek
Run zeek with zeekctl in docker
License: MIT License
Make these errors in reporter.log go away.
/usr/local/zeek/share/zeek/policy/protocols/ssh/geo-data.zeek, line 30 Reporter::ERROR Failed to open GeoIP location database (lookup_location(SSH::lookup_ip))
The zeek-af_packet-plugin (https://github.com/J-Gras/zeek-af_packet-plugin/) has been updated to work with Zeek 4. These changes are no longer compatible with Zeek 3.x. This breaks the docker build.
If the Zeek version changes:
If the Readme changes:
Update the Readme on Dockerhub manually. Because GitHub Actions is used to push images, the readme there doesn't get automatically updated. And updating it through an API is currently an anti-feature according to Docker.
Right now the Zeek script mounts specific folders and files into the container when it starts.
https://github.com/activecm/docker-zeek/blob/master/zeek#L97-L99
We should allow for adding other customizations in this script:
zkg to install them)

Maybe create a commented-out block in the local.zeek file that lists all logs. Then you can uncomment the logs to disable.
event zeek_init()
{
Log::disable_stream(Syslog::LOG);
}
In the zeek source code you can find the names of the logs with:
grep -R -F 'Log::create_stream(' scripts/
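The issue above proposes grepping the Zeek source tree for Log::create_stream( and turning the result into a commented-out block of Log::disable_stream calls for local.zeek. The script below is an added example (not code from activecm/docker-zeek) that does exactly that: it resolves bare stream IDs such as LOG against the enclosing module statement (the reason the plain grep yields entries like LOG and PRINTLOG), de-duplicates them, and prints a ready-to-paste zeek_init block. The ZEEK_SRC variable, the scripts/ layout and the sample .zeek files are assumptions of this example.

```shell
#!/bin/sh
# Added example; not part of activecm/docker-zeek.
# Builds the "commented-out block of every log stream" proposed in the issue
# from a Zeek source tree. ZEEK_SRC and the scripts/ layout are assumptions.

# Print one fully qualified Log::ID per line for the given .zeek files.
# A stream created as Log::create_stream(LOG, ...) inside `module Syslog;`
# is really Syslog::LOG, so the current module is tracked per file and
# prepended to any ID that has no "::" of its own.
list_log_streams() {
    awk '
        FNR == 1 { mod = "" }                      # new file: forget the module
        /^[ \t]*module[ \t]+[A-Za-z_][A-Za-z0-9_]*[ \t]*;/ {
            mod = $0
            sub(/^[ \t]*module[ \t]+/, "", mod)
            sub(/[ \t]*;.*/, "", mod)
        }
        match($0, /Log::create_stream\([ \t]*[A-Za-z_][A-Za-z0-9_:]*/) {
            id = substr($0, RSTART, RLENGTH)
            sub(/^Log::create_stream\([ \t]*/, "", id)
            if (id !~ /::/ && mod != "") id = mod "::" id
            print id
        }' "$@" | sort -u
}

# Read stream IDs on stdin and emit a zeek_init block in which every
# disable_stream call is commented out; uncomment a line to drop that log.
disable_block() {
    printf 'event zeek_init()\n{\n'
    while IFS= read -r id; do
        printf '\t# Log::disable_stream(%s);\n' "$id"
    done
    printf '}\n'
}

# Scan a Zeek source tree the way the issue suggests and print the block.
gen_disable_block() {
    list_log_streams $(grep -rlF 'Log::create_stream(' "$1/scripts") | disable_block
}

# Usage: ZEEK_SRC=/path/to/zeek-source sh thisfile.sh > local-logs.zeek
if [ -n "${ZEEK_SRC:-}" ]; then gen_disable_block "$ZEEK_SRC"; fi
```

The generated block is plain Zeek source; append it to local.zeek and uncomment the streams you want silenced. Streams whose ID is built from a function parameter rather than a literal are not listed, which matches what the grep on the page finds.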
References:
Barnyard2::LOG
Broker::LOG
Cluster::LOG
Conn::LOG
DCE_RPC::LOG
DHCP::LOG
DNP3::LOG
DNS::LOG
DPD::LOG
Files::LOG
FTP::LOG
HTTP::LOG
IRC::LOG
Known::CERTS_LOG
Known::HOSTS_LOG
Known::MODBUS_LOG
Known::SERVICES_LOG
KRB::LOG
LoadedScripts::LOG
LOG
Modbus::LOG
Modbus::REGISTER_CHANGE_LOG
MQTT::CONNECT_LOG
MQTT::PUBLISH_LOG
MQTT::SUBSCRIBE_LOG
mysql::LOG
NetControl::DROP_LOG
NetControl::LOG
Notice::ALARM_LOG
Notice::LOG
NTLM::LOG
NTP::LOG
OpenFlow::LOG
PacketFilter::LOG
PRINTLOG
RADIUS::LOG
RDP::LOG
Reporter::LOG
RFB::LOG
Signatures::LOG
SIP::LOG
SMB::CMD_LOG
SMB::FILES_LOG
SMB::MAPPING_LOG
SMTP::LOG
SNMP::LOG
SOCKS::LOG
Software::LOG
SSH::LOG
SSL::LOG
Stats::LOG
Syslog::LOG
Traceroute::LOG
Tunnel::LOG
Unified2::LOG
Weird::LOG
WeirdStats::LOG
X509::LOG
The cache_froms lines in the GitHub workflow are meant to speed up building by allowing Docker to use the cache. However, this run should not have busted the cache and caused a full Zeek rebuild, but it did.
My current suspicion is that because we are using a multi-stage build the layers from the first stage are not being pushed to the Docker repository and thus can't be used for caching. Look into the target config to see if we can push the builder stage to Dockerhub (e.g. activecm/zeek:builder) and then add that tag to the cache_froms config line.
When Zeek is stopped it doesn't restore the interface ethtool settings nor the MTU. It should ideally restore these, though a system reboot would work as well.
ifconfig to check the MTU
ethtool -k <interfacename> to check ethtool settings
https://packages.zeek.org/packages/view/ce1462d8-9348-11eb-81e7-0a598146b5c6
While Zeek will process vlan-tagged traffic, that traffic has to make it from the interface up to Zeek during the raw packet capture. This won't happen unless the 8021q module is loaded.
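The two issues above (interface settings not restored when Zeek stops; VLAN frames needing the 8021q module) share one mechanism: capture state on the host that the wrapper has to check before start and put back after stop. The script below is an added example, not code from activecm/docker-zeek. It snapshots an interface's MTU and its ethtool offload features, converts the saved ethtool -k output into ethtool -K restore commands, and checks /proc/modules for 8021q. STATE_DIR, the ZEEK_IFACE variable, the constructed ethtool sample and the use of ip link (rather than ifconfig) to read the MTU are this example's choices.

```shell
#!/bin/sh
# Added example; not part of activecm/docker-zeek.
# Snapshot a capture interface's MTU and ethtool features before Zeek starts,
# restore them when it stops, and warn if the 8021q module is missing.
# STATE_DIR, ZEEK_IFACE and the sample ethtool output are assumptions.

STATE_DIR="${STATE_DIR:-/var/lib/zeek-iface-state}"

# Read `ip -o link show dev IFACE` output on stdin and print the MTU value.
mtu_from_iplink() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "mtu") { print $(i + 1); exit } }'
}

# Turn saved `ethtool -k IFACE` output (stdin) into `ethtool -K` restore commands
# for interface $1. Only top-level features are emitted: sub-features are
# indented under their parent, and anything marked [fixed] cannot be changed.
ethtool_restore_cmds() {
    awk -v iface="$1" '
        /^[A-Za-z].*: (on|off)/ && $0 !~ /\[fixed\]/ {
            split($0, f, ": ")
            sub(/ .*/, "", f[2])   # drop trailing "[requested on]" annotations
            printf "ethtool -K %s %s %s\n", iface, f[1], f[2]
        }'
}

# True when 8021q is loaded. With a file argument only that module list is
# consulted (used for testing); otherwise /proc/modules is read and a kernel
# with 8021q built in is recognised via /sys/module/8021q.
vlan_module_loaded() {
    if [ -n "${1:-}" ]; then
        grep -q '^8021q ' "$1"
    else
        grep -q '^8021q ' /proc/modules || [ -d /sys/module/8021q ]
    fi
}

# Save MTU and ethtool features for interface $1 (run before Zeek starts).
snapshot_iface() {
    iface="$1"
    mkdir -p "$STATE_DIR"
    ip -o link show dev "$iface" | mtu_from_iplink > "$STATE_DIR/$iface.mtu"
    ethtool -k "$iface" > "$STATE_DIR/$iface.ethtool"
}

# Put the saved settings back for interface $1 (run after Zeek stops).
# Restore commands are run without -e so one unsupported feature does not
# prevent the remaining ones from being restored.
restore_iface() {
    iface="$1"
    [ -f "$STATE_DIR/$iface.ethtool" ] || { echo "no saved state for $iface" >&2; return 1; }
    ethtool_restore_cmds "$iface" < "$STATE_DIR/$iface.ethtool" | sh
    ip link set dev "$iface" mtu "$(cat "$STATE_DIR/$iface.mtu")"
}

# Constructed sample of `ethtool -k` output (not captured from a real host).
sample_ethtool_output() {
    printf 'Features for eth0:\n'
    printf 'rx-checksumming: on\n'
    printf 'tx-checksumming: on\n'
    printf '\ttx-checksum-ipv4: off [fixed]\n'
    printf 'generic-receive-offload: on\n'
    printf 'large-receive-offload: off [fixed]\n'
    printf 'tcp-segmentation-offload: on [requested off]\n'
}

# Usage: ZEEK_IFACE=eth0 sh thisfile.sh snapshot|restore
# With no action the sample output is converted to restore commands.
if [ -n "${ZEEK_IFACE:-}" ]; then
    vlan_module_loaded || echo "8021q is not loaded; VLAN-tagged frames will not reach Zeek" >&2
    case "${1:-}" in
        snapshot) snapshot_iface "$ZEEK_IFACE" ;;
        restore)  restore_iface "$ZEEK_IFACE" ;;
        *)        sample_ethtool_output | ethtool_restore_cmds "$ZEEK_IFACE" ;;
    esac
fi
```

Wire snapshot_iface into the start path and restore_iface into the stop path of the wrapper script; ethtool -K accepts the long feature names printed by ethtool -k, which is why the saved output can be replayed directly.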
Requests:
Updates to make zeek-af_packet-plugin compatible with Zeek 4 have broken the build process for this plugin when using it with < Zeek 4
At the very least ensure that running zeek --version and zeekctl --version don't error. Another test would be to run zeekctl check to make sure no plugin has caused issues. But to do that we'll need to make a node.cfg file. Maybe a static one will work, otherwise use the "auto" feature of zeekcfg and generate one on the fly.
Any failures should prevent the zeek image from being pushed to Dockerhub.
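The test gate described above, written out as an added example (not code from activecm/docker-zeek): each of zeek --version, zeekctl --version and zeekctl check is run against the freshly built image, a check fails on a non-zero exit or on an error line in its output, and any failure makes the script exit 1 so a subsequent push step is skipped. ZEEK_IMAGE, the static node.cfg contents and the path it is mounted at, and running the tools through docker run <image> <cmd> are assumptions of this example.

```shell
#!/bin/sh
# Added example; not part of activecm/docker-zeek.
# Smoke-test a built Zeek image before pushing it. ZEEK_IMAGE, the node.cfg
# contents/path and `docker run <image> <cmd>` are assumptions.

FAILURES=0

# Run one named check. The command must exit 0 and its output must not
# contain an error/fatal line (zeekctl reports plugin problems that way).
# Output is echoed for the CI log; a failure is counted and returns 1.
run_check() {
    name="$1"; shift
    out=$("$@" 2>&1) && rc=0 || rc=$?
    printf '== %s ==\n%s\n' "$name" "$out"
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: $name exited with status $rc"
        FAILURES=$((FAILURES + 1)); return 1
    fi
    if printf '%s\n' "$out" | grep -qiE 'error|fatal'; then
        echo "FAIL: $name reported an error"
        FAILURES=$((FAILURES + 1)); return 1
    fi
    echo "ok: $name"
}

# Minimal static standalone node.cfg so `zeekctl check` has a configuration
# to load. The interface name is a placeholder (assumption).
write_node_cfg() {
    cat > "$1" <<'EOF'
[zeek]
type=standalone
host=localhost
interface=eth0
EOF
}

main() {
    cfg=$(mktemp)
    write_node_cfg "$cfg"
    run_check 'zeek --version'    docker run --rm "$ZEEK_IMAGE" zeek --version
    run_check 'zeekctl --version' docker run --rm "$ZEEK_IMAGE" zeekctl --version
    run_check 'zeekctl check'     docker run --rm \
        -v "$cfg:/usr/local/zeek/etc/node.cfg:ro" "$ZEEK_IMAGE" zeekctl check
    rm -f "$cfg"
    if [ "$FAILURES" -ne 0 ]; then
        echo "$FAILURES check(s) failed; do not push $ZEEK_IMAGE" >&2
        return 1
    fi
    echo "all checks passed; safe to push $ZEEK_IMAGE"
}

# Usage: ZEEK_IMAGE=activecm/zeek:latest sh thisfile.sh && docker push ...
if [ -n "${ZEEK_IMAGE:-}" ]; then main; fi
```

All three checks run even if an earlier one fails, so the CI log shows every problem at once; only the final exit status decides whether the push step runs.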
PR #30 introduced a regression where the current symlink is linked to the wrong folder on the host. Before PR #30, the symlink would point to the host's manager spool directory. Now, it points to the container's manager spool directory.
The host's manager spool directory lies in /opt/zeek, while the container's manager spool directory lies in /usr/local/zeek. As a result the symlink can only work for either the host or the container. The symlink should be switched back to work for the host.
Include script for monitoring open connections as part of the docker image: https://github.com/activecm/zeek-open-connections