Home
Softono
hardenedlinux-zeek-scripts

hardenedlinux-zeek-scripts

Open source MIT Zeek
Website GitHub
39
Stars
13
Forks
2
Issues
7
Watchers
2 years
Last Commit
Vulnerability Scanning Terminal & CLI Tools

About hardenedlinux-zeek-scripts

hardenedlinux-zeek-scripts is a collection of Zeek (formerly Bro) IDS scripts and tooling for building and deploying Zeek using the Nix package manager. It supports installable Zeek packages through zkg, Nix flakes, and zeekctl deployment. Key scripts include VirusTotal hash checking via public API and PostgreSQL logging, known-hash detection for file analysis, and Kafka integration for forwarding Zeek logs to Logstash via crafted topics. The repository provides reproducible Nix builds, tested with Zeek 3.0.0-rc1, and supports cluster setups with manager, proxy, and worker nodes. It also includes quick-start instructions using bro-pkg and direct zeek-cli invocation against custom local.zeek scripts, making it suitable for threat detection, file-hash reputation lookups, and integrating Zeek into ELK-based security pipelines on hardened Linux environments.

Platforms

Web Self-hosted Linux

Languages

Zeek

Links

Website Source Code
h
Published by
hardenedlinux
Visit View Profile

README.md

View on GitHub

+AUTHOR: GTrunSec

+EMAIL: [email protected]

+DATE: 10 August 2019

+DESCRIPTION:

+KEYWORDS: IDS Zeek

+LANGUAGE: en cn

+OPTIONS: H:3 num:t toc:t \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t

  • Buding Zeek with Nix package manager

** Install Nix

+begin_src sh :async t :exports both :results output

curl -L https://nixos.org/nix/install | daemon

reload shell env

exec bash

+end_src

+RESULTS:

** Building Zeek's binary by Nix

+begin_src sh :async t :exports both :results output

git clone https://github.com/hardenedlinux/zeek2nix nix-build

without clone

nix run github:hardenedlinux/zeek-nix#zeekTLS

+end_src

  • deploy zeek with zeekctl
  • enable Nix's flakes feature( for commands such as ~nix build~ and ~nix develop~, ~nix run~ etc. )

+begin_src sh :async t :exports both :results output

echo "experimental-features = nix-command flakes" | sudo tee -a /etc/nix/nix.conf

+end_src

+begin_src sh :async t :exports both :results output

sh pre-run-zeekctl.sh sudo ./result/bin/zeek deploy

check status

./result/bin/zeek status

+end_src

  • DONE Deploy Zeek kafka topics with NixOS => Disnix or Do a kafka topics test.

+BEGIN_EXAMPLE

sudo zeek -i /scirpts/local.zeek

+END_EXAMPLE

+NAME: topics

+CAPTION: test

+ATTR_ORG: :width 500

+ATTR_LATEX: :width 5in

[[file:img/index.png]]

  • CHANGES taking test with zeek -i ens

+begin_src sh :async t :exports both :results output

sudo zeek -i enp1s0 -C ~/project/hardenedlinux-zeek-script/scripts/local.zeek

+end_src

  • Quickly start with zkg

+begin_src sh :tangle yes

sudo pip install bro-pkg
##zeek installation is owned by "root" user that was stored in /root/.bro-pkg
sudo zkg autoconfig
sudo zkg config script_dir
sudo zkg config plugin_dir
sudo zkg install https://github.com/hardenedlinux/hardenedlinux-zeek-script

echo '@load packages' | sudo tee --append /usr/local/zeek/share/zeek/site/local.zeek

or @load packages/hardenedlinux-zeek-script

sudo zeekctl deploy

+end_src

  • TEST Environment

+begin_src shell :tangle yes

zeek -v zeek version 3.0.0-rc1

zeekctl status Name Type Host Status Pid Started manager manager 10.220.170.123 running 9214 12 Aug 02:49:28 proxy-1 proxy 10.220.170.123 running 9264 12 Aug 02:49:29 worker-1 worker 10.220.170.121 running 1784 12 Aug 02:49:31

+end_src

** VirusTotal-Check

  • [X] [public] [[file:scripts/files/known_hash.zeek]]

    • [X] [VT_API] [[file:scripts/files/vt_check.zeek]]

    • [X] [POSTGRESQL] [[file:scripts/files/virustotal.zeek]]

+BEGIN_EXAMPLE

psql -h localhost -p 5432 -U myuser -d testdb -c 'SELECT * FROM known_hash;'

id | ts | host | hash | known_file_types
----+------------------+-------------+------------------------------------------+----------------------- 1 | 1570941985.53655 | 10.1.10.162 | 2dde1a34ac02478052b691bd18c89c7a13edc5f4 | application/x-dosexec 2 | 1570941985.53655 | 10.1.10.162 | 60ff5bfec4df9f809817423b23536601 | application/x-dosexec 3 | 1570941988.84281 | 10.1.10.162 | d25af249e01191f08f359b302db42414e0a4587e | application/x-dosexec 4 | 1570941988.84281 | 10.1.10.162 | 9cf60bd41e6f235e12e3c761f5d2ef11 | application/x-dosexec (4 rows)

psql -h localhost -p 5432 -U myuser -d testdb -c 'SELECT permalink FROM virtustotal;' 

                                                   permalink

https://www.virustotal.com/file/fc7eafb97431c3f45a0ced2c38e869f768234897874317ffb0755eb920316294/analysis/1565393170/ https://www.virustotal.com/file/8021b619c48d9017a2c3b0beddb1b48d067be75551a44a9d8b79c1daff78ede0/analysis/1560568105/ (2 rows)

+END_EXAMPLE

  • [X] [TEST_LOG] [[file:scripts/files/log]]

Please see Install POSTGRESQL-analyzers:

[[https://github.com/hardenedlinux/Debian-GNU-Linux-Profiles/blob/master/NSM/INSTALL/analyzer.sh][Debian-GNU-Linux-Profiles/analyzer.sh at master · hardenedlinux/Debian-GNU-Linux-Profiles]]

** Known/hosts/domains

  • [X] [[file:scripts/protocols/dns/known-domains.zeek]] :Cluster::worker <2019-08-10 Sat 02:36>

    • Test_log: [[file:scripts/protocols/dns/log/known_domain.log]]

  • [X] [[file:scripts/protocols/dns/manager-domains.zeek]] :Cluster::manager

    • [[file:scripts/protocols/dns/log/manager_known_domain.log]]

    • add TEST ignore_dns list

  • [X] [[file:scripts/protocols/conn/known-hosts-with-dns.zeek]]

** VXLAN

  • [ ] [TODO] [[file:scripts/vlan-info/vlan-data.zeek][VLAN_INFO]]

    • Add area and adapted to known-hosts[LOCAL_HOSTS]

** Notice *** Setting IGNORE - Ignores the notice and won't even log it.

+begin_src sh :async t

SSL::Invalid_Server_Cert

+end_src

** Count & TOPK

  • [X] [15mins] TOP dns

  • [ ] [] TOP Unknow HTTP request

  • [ ] [] TOP metrics :top_size count 20 :talker_bin_size = 10000;

    • [ ] [10sec] TOP urls

    • [ ] [10sec] [] TOP talks