GierBamder/hardenedlinux-zeek-script

1 CHANGES

• Quickly start

    sudo pip install bro-pkg
    ##zeek installation is owned by "root" user that was stored in /root/.bro-pkg
    sudo zkg autoconfig
    sudo zkg config script_dir
    sudo zkg config plugin_dir
    sudo zkg install https://github.com/hardenedlinux/hardenedlinux-zeek-script

echo '@load packages' | sudo tee --append /usr/local/zeek/share/zeek/site/local.zeek

#or @load packages/hardenedlinux-zeek-script
sudo zeekctl deploy

• TEST Environment

zeek -v
zeek version 3.0.0-rc1

zeekctl status
Name         Type    Host             Status    Pid    Started
manager      manager 10.220.170.123   running   9214   12 Aug 02:49:28
proxy-1      proxy   10.220.170.123   running   9264   12 Aug 02:49:29
worker-1     worker  10.220.170.121   running   1784   12 Aug 02:49:31

1.1 VirusTotal-Check

• [X] [public] scripts/files/known_hash.zeek
  • [X] [VT_API] scripts/files/vt_check.zeek
  • [X] [POSTGRESQL] scripts/files/virustotal.zeek
• [X] [TEST_LOG] scripts/files/log

Please see Install POSTGRESQL-analyzers:

Debian-GNU-Linux-Profiles/analyzer.sh at master · hardenedlinux/Debian-GNU-Linux-Profiles

1.2 Known/hosts/domains

• [X] scripts/protocols/dns/known-domains.zeek :Cluster::worker <2019-08-10 Sat 02:36>
  • Test_log: scripts/protocols/dns/log/known_domain.log
• [X] scripts/protocols/dns/manager-domains.zeek :Cluster::manager
  • scripts/protocols/dns/log/manager_known_domain.log
  • add TEST ignore_dns list
• [X] scripts/protocols/conn/known-hosts-with-dns.zeek
  • zeek-known-hosts-with-dns/scripts at master · dopheide-esnet/zeek-known-hosts-with-dns
  • @unload protocols/conn/known-hosts
  • setting/local_net_field.zeek [Host_tracking = LOCAL_HOSTS/ALL_HOSTS]

1.3 VXLAN

• [ ] [TODO] VLAN_INFO
  • Add area and adapted to known-hosts[LOCAL_HOSTS]