#+AUTHOR: GTrunSec #+EMAIL: [email protected] #+DATE: 10 August 2019 #+DESCRIPTION: #+KEYWORDS: IDS Zeek #+LANGUAGE: en cn #+OPTIONS: H:3 num:t toc:t \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t

• Buding Zeek with Nix package manager

** Install Nix

#+begin_src sh :async t :exports both :results output curl -L https://nixos.org/nix/install | daemon

reload shell env

exec bash #+end_src

#+RESULTS:

** Building Zeek's binary by Nix #+begin_src sh :async t :exports both :results output git clone https://github.com/hardenedlinux/zeek2nix nix-build

without clone

nix run github:hardenedlinux/zeek-nix#zeekTLS #+end_src

• deploy zeek with zeekctl
• enable Nix's flakes feature( for commands such as ~nix build~ and ~nix develop~, ~nix run~ etc. )

#+begin_src sh :async t :exports both :results output echo "experimental-features = nix-command flakes" | sudo tee -a /etc/nix/nix.conf #+end_src

#+begin_src sh :async t :exports both :results output sh pre-run-zeekctl.sh sudo ./result/bin/zeek deploy

check status

./result/bin/zeek status #+end_src

• DONE Deploy Zeek kafka topics with NixOS => Disnix or Do a kafka topics test.

#+BEGIN_EXAMPLE sudo zeek -i /scirpts/local.zeek #+END_EXAMPLE

#+NAME: topics #+CAPTION: test #+ATTR_ORG: :width 500 #+ATTR_LATEX: :width 5in [[file:img/index.png]]

• Kafka's Zeek config files for Logstash [[https://github.com/hardenedlinux/debian-nix-manager/tree/master/elk/zeek-logstash][zeek-logstash]]

• CHANGES taking test with zeek -i ens

#+begin_src sh :async t :exports both :results output sudo zeek -i enp1s0 -C ~/project/hardenedlinux-zeek-script/scripts/local.zeek #+end_src

• Quickly start with zkg

#+begin_src sh :tangle yes sudo pip install bro-pkg ##zeek installation is owned by "root" user that was stored in /root/.bro-pkg sudo zkg autoconfig sudo zkg config script_dir sudo zkg config plugin_dir sudo zkg install https://github.com/hardenedlinux/hardenedlinux-zeek-script

echo '@load packages' | sudo tee --append /usr/local/zeek/share/zeek/site/local.zeek

#or @load packages/hardenedlinux-zeek-script sudo zeekctl deploy

#+end_src

• TEST Environment

#+begin_src shell :tangle yes zeek -v zeek version 3.0.0-rc1

zeekctl status Name Type Host Status Pid Started manager manager 10.220.170.123 running 9214 12 Aug 02:49:28 proxy-1 proxy 10.220.170.123 running 9264 12 Aug 02:49:29 worker-1 worker 10.220.170.121 running 1784 12 Aug 02:49:31 #+end_src

** VirusTotal-Check

• [X] [public] [[file:scripts/files/known_hash.zeek]]

  • [X] [VT_API] [[file:scripts/files/vt_check.zeek]]

  • [X] [POSTGRESQL] [[file:scripts/files/virustotal.zeek]]

#+BEGIN_EXAMPLE psql -h localhost -p 5432 -U myuser -d testdb -c 'SELECT * FROM known_hash;'

id | ts | host | hash | known_file_types
----+------------------+-------------+------------------------------------------+----------------------- 1 | 1570941985.53655 | 10.1.10.162 | 2dde1a34ac02478052b691bd18c89c7a13edc5f4 | application/x-dosexec 2 | 1570941985.53655 | 10.1.10.162 | 60ff5bfec4df9f809817423b23536601 | application/x-dosexec 3 | 1570941988.84281 | 10.1.10.162 | d25af249e01191f08f359b302db42414e0a4587e | application/x-dosexec 4 | 1570941988.84281 | 10.1.10.162 | 9cf60bd41e6f235e12e3c761f5d2ef11 | application/x-dosexec (4 rows)

psql -h localhost -p 5432 -U myuser -d testdb -c 'SELECT permalink FROM virtustotal;'

                                                   permalink                                                       

https://www.virustotal.com/file/fc7eafb97431c3f45a0ced2c38e869f768234897874317ffb0755eb920316294/analysis/1565393170/ https://www.virustotal.com/file/8021b619c48d9017a2c3b0beddb1b48d067be75551a44a9d8b79c1daff78ede0/analysis/1560568105/ (2 rows) #+END_EXAMPLE

• [X] [TEST_LOG] [[file:scripts/files/log]]

Please see Install POSTGRESQL-analyzers:

[[https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/NSM/INSTALL/analyzer.sh][Debian-GNU-Linux-Profiles/analyzer.sh at master · hardenedlinux/Debian-GNU-Linux-Profiles]]

** Known/hosts/domains

• [X] [[file:scripts/protocols/dns/known-domains.zeek]] :Cluster::worker <2019-08-10 Sat 02:36>

  • Test_log: [[file:scripts/protocols/dns/log/known_domain.log]]

• [X] [[file:scripts/protocols/dns/manager-domains.zeek]] :Cluster::manager

  • [[file:scripts/protocols/dns/log/manager_known_domain.log]]

  • add TEST ignore_dns list

• [X] [[file:scripts/protocols/conn/known-hosts-with-dns.zeek]]

  • [[https://github.com/dopheide-esnet/zeek-known-hosts-with-dns/tree/master/scripts][zeek-known-hosts-with-dns/scripts at master · dopheide-esnet/zeek-known-hosts-with-dns]]

  • ~@unload protocols/conn/known-hosts~

  • setting/local_net_field.zeek [Host_tracking = LOCAL_HOSTS/ALL_HOSTS]

** VXLAN

• [ ] [TODO] [[file:scripts/vlan-info/vlan-data.zeek][VLAN_INFO]]

  • Add area and adapted to known-hosts[LOCAL_HOSTS]

** Notice *** Setting IGNORE - Ignores the notice and won't even log it.

#+begin_src sh :async t SSL::Invalid_Server_Cert #+end_src

** Count & TOPK

• [X] [15mins] TOP dns

• [ ] [] TOP Unknow HTTP request

• [ ] [] TOP metrics :top_size count 20 :talker_bin_size = 10000;

  • [ ] [10sec] TOP urls

  • [ ] [10sec] [] TOP talks