curl -L https://nixos.org/nix/install | daemon
# reload shell env
exec bashgit clone https://github.com/hardenedlinux/zeek2nix
nix-build
# without clone
nix run github:hardenedlinux/zeek-nix#zeekTLS- deploy zeek with zeekctl
- enable Nix’s flakes feature( for commands such as
nix buildandnix develop,nix runetc. )
echo "experimental-features = nix-command flakes" | sudo tee -a /etc/nix/nix.confsh pre-run-zeekctl.sh
sudo ./result/bin/zeek deploy
# check status
./result/bin/zeek statusor Do a kafka topics test.
sudo zeek -i <enth> <hardnedlinux-zeek-script>/scirpts/local.zeek
- Kafka’s Zeek config files for Logstash zeek-logstash
taking test with zeek -i ens
sudo zeek -i enp1s0 -C ~/project/hardenedlinux-zeek-script/scripts/local.zeek- Quickly start with zkg
sudo pip install bro-pkg
##zeek installation is owned by "root" user that was stored in /root/.bro-pkg
sudo zkg autoconfig
sudo zkg config script_dir
sudo zkg config plugin_dir
sudo zkg install https://github.com/hardenedlinux/hardenedlinux-zeek-script
echo '@load packages' | sudo tee --append /usr/local/zeek/share/zeek/site/local.zeek
#or @load packages/hardenedlinux-zeek-script
sudo zeekctl deploy
- TEST Environment
zeek -v
zeek version 3.0.0-rc1
zeekctl status
Name Type Host Status Pid Started
manager manager 10.220.170.123 running 9214 12 Aug 02:49:28
proxy-1 proxy 10.220.170.123 running 9264 12 Aug 02:49:29
worker-1 worker 10.220.170.121 running 1784 12 Aug 02:49:31- [X] [public] scripts/files/known_hash.zeek
- [X] [VT_API] scripts/files/vt_check.zeek
- [X] [POSTGRESQL] scripts/files/virustotal.zeek
psql -h localhost -p 5432 -U myuser -d testdb -c 'SELECT * FROM known_hash;'
id | ts | host | hash | known_file_types
----+------------------+-------------+------------------------------------------+-----------------------
1 | 1570941985.53655 | 10.1.10.162 | 2dde1a34ac02478052b691bd18c89c7a13edc5f4 | application/x-dosexec
2 | 1570941985.53655 | 10.1.10.162 | 60ff5bfec4df9f809817423b23536601 | application/x-dosexec
3 | 1570941988.84281 | 10.1.10.162 | d25af249e01191f08f359b302db42414e0a4587e | application/x-dosexec
4 | 1570941988.84281 | 10.1.10.162 | 9cf60bd41e6f235e12e3c761f5d2ef11 | application/x-dosexec
(4 rows)
psql -h localhost -p 5432 -U myuser -d testdb -c 'SELECT permalink FROM virtustotal;'
permalink
----------------------------------------------------------------------------------------------------------------
https://www.virustotal.com/file/fc7eafb97431c3f45a0ced2c38e869f768234897874317ffb0755eb920316294/analysis/1565393170/
https://www.virustotal.com/file/8021b619c48d9017a2c3b0beddb1b48d067be75551a44a9d8b79c1daff78ede0/analysis/1560568105/
(2 rows)
- [X] [TEST_LOG] scripts/files/log
Please see Install POSTGRESQL-analyzers:
Debian-GNU-Linux-Profiles/analyzer.sh at master · hardenedlinux/Debian-GNU-Linux-Profiles
- [X] scripts/protocols/dns/known-domains.zeek :Cluster::worker <2019-08-10 Sat 02:36>
- [X] scripts/protocols/dns/manager-domains.zeek :Cluster::manager
- add TEST ignore_dns list
@unload protocols/conn/known-hosts
- setting/local_net_field.zeek [Host_tracking = LOCAL_HOSTS/ALL_HOSTS]
- [ ] [TODO] VLAN_INFO
- Add area and adapted to known-hosts[LOCAL_HOSTS]
IGNORE - Ignores the notice and won’t even log it.
SSL::Invalid_Server_Cert- [X] [15mins] TOP dns
- [ ] [] TOP Unknow HTTP request
- [ ] [] TOP metrics
:top_size count 20
:talker_bin_size = 10000;
- [ ] [10sec] TOP urls
- [ ] [10sec] [] TOP talks