Malcolm v1.7.0 development (#74)

* integrate MITRE ATT&CK BZAR into Malcolm's Zeek instance (#68)

* integrate MITRE ATT&CK BZAR into Malcolm's Zeek instance

idaholab#67

* use the cidr plugin to assign internal_source, external_source, internal_destination, external_destination tags based on srcIp and dstIp Zeek logs

* bump development version to 1.6.1

* UI tweaks for the iso

* tweaks to ISO for UI and STIG hardening

* added localepurge to trim ISO

* tweaks for ISO STIG

* iso tweaks

* stig script tweaks

* swap out pdf reader for iso

* tweak location of clamd socket file

* address issue #43; remove overly complicated duplicate checking in result cache

* zeek updates (#72)

- Zeek 3.0
- New parsers/analyzers, complete list:
  - Amazon.com, Inc.'s ICS protocol analyzers
  - Corelight's bro-xor-exe plugin
  - Corelight's community ID flow hashing plugin
  - J-Gras' Bro::AF_Packet plugin
  - Lexi Brent's EternalSafety plugin
  - MITRE Cyber Analytics Repository's Bro/Zeek ATT&CK-Based Analytics (BZAR) script
  - Salesforce's gQUIC analyzer
  - Salesforce's HASSH SSH fingerprinting plugin
  - Salesforce's JA3 TLS fingerprinting plugin
  - SoftwareConsultingEmporium's Bro::LDAP analyzer
- Dashboards for all new protocols
- Documentation updates


-------------------------------------------

* zeek updates:

- use Zeek 3.0
- install Amazon Zeek ICS plugins (https://github.com/amzn?utf8=%E2%9C%93&q=zeek&type=&language=)
- haven't yet looked at parsed fields list or built parsers/dashboards for new plugins, may be incomplete

* should have existing field tweaks done now, need to do new logs

* new logstash field definitions for the following:

bacnet
ethernet/ip
s7comm
known_certs
known_hosts
mqtt
ntp
profinet
tds

testing still in progress

* hopefully fix issue with zeek not running with the override file

* zeek-updates development (#69)

* add WISE views for new zeek fields, using new format to define most of them

https://molo.ch/wise#common-source-settings

* added links in comments for different log types

* working on new dashboards, not done yet

* more work on new dashboards

* more work on ICS stuff

* more work on new zeek log types

* updated navigation panel for new dashboards

* updated version for 1.7.0

* more work on new zeek log types

* more work on new zeek log types

* updated navigation panel for new dashboards

* sync sensor shared script with malcolm shared script

* fix dockerfile

* added patch for zeek pull #632 (zeek/zeek#632) Fix redef'ing a table with a new &default attribute

* update documentation

* documentation

* a few other plugins i've researched

* documentation

* fix building of plugin

* more work on new parsers (ldap)

* fix some stuff with the ldap parsing

* update dashboards

* use ZeroMQ-based approach for file scanning queue (#73)

* working on a new method for doing the file carving stuff

* maybe working now

* fix supervisor options

* comments

* fix dockerfile

* put a sleep in the main loopp so our CPUs don't melt

* fix annoying clipit history clear timeout in ISO

* sync sensor shared script with malcolm shared script

* added human-readable names to types created with Moloch WISE

* update elastic to 6.8.4

* Topic/htadmin fixes (#75)

* initial code, unchanged from time immemorial

* initial code, unchanged from time immemorial

* first pass at integrating changes

* first pass at integrating changes

* update auth_setup for htadmin changes

* seems to be workign now

* get htadmin from git

Dockerfiles/file-monitor.Dockerfile

@@ -9,7 +9,9 @@ ARG ZEEK_EXTRACTOR_PATH=/data/zeek/extract_files
 ARG ZEEK_LOG_DIRECTORY=/data/zeek/logs
 ARG EXTRACTED_FILE_IGNORE_EXISTING=false
 ARG EXTRACTED_FILE_PRESERVATION=quarantined
-ARG EXTRACTED_FILE_START_SLEEP=30
+ARG EXTRACTED_FILE_WATCHER_START_SLEEP=30
+ARG EXTRACTED_FILE_SCANNER_START_SLEEP=10
+ARG EXTRACTED_FILE_LOGGER_START_SLEEP=5
 ARG EXTRACTED_FILE_MIN_BYTES=64
 ARG EXTRACTED_FILE_MAX_BYTES=134217728
 ARG VTOT_API2_KEY=0
@@ -20,12 +22,15 @@ ARG MALASS_MAX_REQUESTS=20
 ARG EXTRACTED_FILE_ENABLE_CLAMAV=false
 ARG EXTRACTED_FILE_ENABLE_FRESHCLAM=false
 ARG EXTRACTED_FILE_VERBOSE=false
+ARG CLAMD_SOCKET_FILE=/tmp/clamd.ctl
 
 ENV ZEEK_EXTRACTOR_PATH $ZEEK_EXTRACTOR_PATH
 ENV ZEEK_LOG_DIRECTORY $ZEEK_LOG_DIRECTORY
 ENV EXTRACTED_FILE_IGNORE_EXISTING $EXTRACTED_FILE_IGNORE_EXISTING
 ENV EXTRACTED_FILE_PRESERVATION $EXTRACTED_FILE_PRESERVATION
-ENV EXTRACTED_FILE_START_SLEEP $EXTRACTED_FILE_START_SLEEP
+ENV EXTRACTED_FILE_WATCHER_START_SLEEP $EXTRACTED_FILE_WATCHER_START_SLEEP
+ENV EXTRACTED_FILE_SCANNER_START_SLEEP $EXTRACTED_FILE_SCANNER_START_SLEEP
+ENV EXTRACTED_FILE_LOGGER_START_SLEEP $EXTRACTED_FILE_LOGGER_START_SLEEP
 ENV EXTRACTED_FILE_MIN_BYTES $EXTRACTED_FILE_MIN_BYTES
 ENV EXTRACTED_FILE_MAX_BYTES $EXTRACTED_FILE_MAX_BYTES
 ENV VTOT_API2_KEY $VTOT_API2_KEY
@@ -36,6 +41,7 @@ ENV MALASS_MAX_REQUESTS $MALASS_MAX_REQUESTS
 ENV EXTRACTED_FILE_ENABLE_CLAMAV $EXTRACTED_FILE_ENABLE_CLAMAV
 ENV EXTRACTED_FILE_ENABLE_FRESHCLAM $EXTRACTED_FILE_ENABLE_FRESHCLAM
 ENV EXTRACTED_FILE_VERBOSE $EXTRACTED_FILE_VERBOSE
+ENV CLAMD_SOCKET_FILE $CLAMD_SOCKET_FILE
 
 RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list && \
     apt-get update && \
@@ -48,15 +54,16 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list
       wget && \
     apt-get  -y -q install \
       inotify-tools \
+      libzmq5 \
       psmisc \
       python3 \
       python3-bs4 \
-      python3-cachetools \
       python3-dev \
       python3-pip \
       python3-pyinotify \
-      python3-requests && \
-    pip3 install clamd namedlist supervisor && \
+      python3-requests \
+      python3-zmq && \
+    pip3 install clamd supervisor && \
     mkdir -p /var/log/supervisor && \
     apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages --purge remove python3-dev build-essential && \
       apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages autoremove && \
@@ -67,11 +74,12 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list
       wget -O /var/lib/clamav/bytecode.cvd http://database.clamav.net/bytecode.cvd && \
     groupadd --gid 1000 monitor && \
       useradd -M --uid 1000 --gid 1000 monitor && \
-    mkdir -p /var/run/clamav /var/log/clamav /var/lib/clamav && \
-      chown -R monitor:monitor /var/run/clamav /var/log/clamav  /var/lib/clamav && \
-      chmod -R 750 /var/run/clamav /var/log/clamav  /var/lib/clamav && \
+    mkdir -p /var/log/clamav /var/lib/clamav && \
+      chown -R monitor:monitor /var/log/clamav  /var/lib/clamav && \
+      chmod -R 750 /var/log/clamav  /var/lib/clamav && \
     sed -i 's/^Foreground .*$/Foreground true/g' /etc/clamav/clamd.conf && \
       sed -i 's/^User .*$/User monitor/g' /etc/clamav/clamd.conf && \
+      sed -i "s|^LocalSocket .*$|LocalSocket $CLAMD_SOCKET_FILE|g" /etc/clamav/clamd.conf && \
       sed -i 's/^LocalSocketGroup .*$/LocalSocketGroup monitor/g' /etc/clamav/clamd.conf && \
       sed -i "s/^MaxFileSize .*$/MaxFileSize $EXTRACTED_FILE_MAX_BYTES/g" /etc/clamav/clamd.conf && \
       sed -i "s/^MaxScanSize .*$/MaxScanSize $(echo "$EXTRACTED_FILE_MAX_BYTES * 4" | bc)/g" /etc/clamav/clamd.conf && \
@@ -81,9 +89,8 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list
       sed -i 's/^Foreground .*$/Foreground true/g' /etc/clamav/freshclam.conf && \
       sed -i 's/^DatabaseOwner .*$/DatabaseOwner monitor/g' /etc/clamav/freshclam.conf
 
-ADD shared/bin/zeek-carve-monitor.py /usr/local/bin
-ADD shared/bin/malass_client.py /usr/local/bin
-ADD shared/bin/carveutils.py /usr/local/bin
+ADD shared/bin/zeek_carve_*.py /usr/local/bin/
+ADD shared/bin/malass_client.py /usr/local/bin/
 ADD file-monitor/supervisord.conf /etc/supervisord.conf
 
 WORKDIR /data/zeek/extract_files

Dockerfiles/filebeat.Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.elastic.co/beats/filebeat-oss:6.8.3
+FROM docker.elastic.co/beats/filebeat-oss:6.8.4
 
 # Copyright (c) 2019 Battelle Energy Alliance, LLC.  All rights reserved.
 LABEL maintainer="[email protected]"

Dockerfiles/htadmin.Dockerfile

@@ -37,7 +37,13 @@ RUN apt-get update && \
     ( yes '' | pecl install mcrypt-$MCRYPT_VERSION ) && \
     ln -s -r /usr/lib/php/20??????/*.so /usr/lib/php/$PHP_VERSION/ && \
     mkdir -p /run/php && \
-    git clone --depth 1 https://github.com/mmguero/htadmin /tmp/htadmin && \
+    apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages --purge remove \
+      make libmcrypt-dev php-pear php-dev && \
+    apt-get autoremove -y -q && \
+    apt-get clean -y -q && \
+    rm -rf /var/lib/apt/lists/* /var/cache/* /tmp/* /var/tmp/* /var/www/html
+
+  RUN git clone --depth 1 https://github.com/mmguero/htadmin /tmp/htadmin && \
       mv /tmp/htadmin/sites/html/htadmin /var/www/htadmin && \
       cd /var/www/htadmin && \
       ( grep -rhoPi "(src|href)=['\"]https?://.+?['\"]" ./includes/* | sed "s/^[a-zA-Z]*=['\"]*//" | sed "s/['\"]$//" | xargs -r -l curl -s -S -L -J -O ) && \
@@ -46,18 +52,17 @@ RUN apt-get update && \
       curl -s -S -L -J -O "https://maxcdn.bootstrapcdn.com/bootstrap/$BOOTSTRAP_VERSION/fonts/glyphicons-halflings-regular.ttf" && \
       curl -s -S -L -J -O "https://maxcdn.bootstrapcdn.com/bootstrap/$BOOTSTRAP_VERSION/fonts/glyphicons-halflings-regular.woff" && \
       curl -s -S -L -J -O "https://maxcdn.bootstrapcdn.com/bootstrap/$BOOTSTRAP_VERSION/fonts/glyphicons-halflings-regular.woff2" && \
-    cd /tmp && \
-    apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages --purge remove \
-      git make libmcrypt-dev php-pear php-dev && \
-    apt-get autoremove -y -q && \
-    apt-get clean -y -q && \
     usermod --non-unique --uid 1000 www-data && \
       groupmod --non-unique --gid 1000 www-data && \
       chown -R www-data:www-data /var/www && \
-    rm -rf /var/lib/apt/lists/* /var/cache/* /tmp/* /var/tmp/* /var/www/html
+      apt-get -y -q --allow-downgrades --allow-remove-essential --allow-change-held-packages --purge remove git && \
+        apt-get autoremove -y -q && \
+        apt-get clean -y -q && \
+        rm -rf /var/lib/apt/lists/* /var/cache/* /tmp/* /var/tmp/*
 
 ADD docs/images/favicon/favicon.ico /var/www/htadmin/
 ADD htadmin/supervisord.conf /supervisord.conf
+ADD htadmin/src /var/www/htadmin/
 ADD htadmin/php/php.ini /etc/php/$PHP_VERSION/fpm/php.ini
 ADD htadmin/nginx/sites-available/default /etc/nginx/sites-available/default
 

Dockerfiles/kibana.Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.elastic.co/kibana/kibana-oss:6.8.3
+FROM docker.elastic.co/kibana/kibana-oss:6.8.4
 
 # Copyright (c) 2019 Battelle Energy Alliance, LLC.  All rights reserved.
 LABEL maintainer="[email protected]"
@@ -63,25 +63,25 @@ RUN chmod 755 /data/*.sh /data/*.py && \
     cd /tmp && \
     echo "Installing ElastAlert plugin..." && \
       unzip elastalert-kibana-plugin.zip kibana/elastalert-kibana-plugin/package.json && \
-      sed -i "s/6\.8\.0/6\.8\.3/g" kibana/elastalert-kibana-plugin/package.json && \
+      sed -i "s/6\.8\.0/6\.8\.4/g" kibana/elastalert-kibana-plugin/package.json && \
       zip elastalert-kibana-plugin.zip kibana/elastalert-kibana-plugin/package.json && \
       /usr/share/kibana/bin/kibana-plugin install file:///tmp/elastalert-kibana-plugin.zip && \
       rm -f /tmp/elastalert-kibana-plugin.zip && \
     echo "Installing Swimlanes visualization..." && \
       unzip kibana-swimlane.zip kibana/prelert_swimlane_vis-6.8.1/package.json && \
-      sed -i "s/6\.8\.1/6\.8\.3/g" kibana/prelert_swimlane_vis-6.8.1/package.json && \
+      sed -i "s/6\.8\.1/6\.8\.4/g" kibana/prelert_swimlane_vis-6.8.1/package.json && \
       zip kibana-swimlane.zip kibana/prelert_swimlane_vis-6.8.1/package.json && \
       /usr/share/kibana/bin/kibana-plugin install file:///tmp/kibana-swimlane.zip && \
       rm -f /tmp/elastalert-kibana-plugin.zip && \
     echo "Installing Comments visualization..." && \
       unzip kibana-comments.zip kibana/kibana-comments-app-plugin/package.json && \
-      sed -i "s/6\.7\.1/6\.8\.3/g" kibana/kibana-comments-app-plugin/package.json && \
+      sed -i "s/6\.7\.1/6\.8\.4/g" kibana/kibana-comments-app-plugin/package.json && \
       zip kibana-comments.zip kibana/kibana-comments-app-plugin/package.json && \
       /usr/share/kibana/bin/kibana-plugin install file:///tmp/kibana-comments.zip && \
       rm -rf /tmp/kibana-comments.zip /tmp/kibana && \
     echo "Installing Milestones visualization..." && \
       unzip kibana-milestones.zip kibana/kibana-milestones-vis/package.json && \
-      sed -i "s/6\.8\.2/6\.8\.3/g" kibana/kibana-milestones-vis/package.json && \
+      sed -i "s/6\.8\.2/6\.8\.4/g" kibana/kibana-milestones-vis/package.json && \
       zip kibana-milestones.zip kibana/kibana-milestones-vis/package.json && \
       /usr/share/kibana/bin/kibana-plugin install file:///tmp/kibana-milestones.zip && \
       rm -rf /tmp/kibana-milestones.zip /tmp/kibana

Dockerfiles/logstash.Dockerfile

@@ -24,7 +24,7 @@ RUN /bin/bash -lc "command curl -sSL https://rvm.io/mpapis.asc | gpg2 --import -
     git clone --depth 1 https://github.com/mmguero/logstash-filter-ieee_oui.git /opt/logstash-filter-ieee_oui && \
     /bin/bash -lc "cd /opt/logstash-filter-ieee_oui && bundle install && gem build logstash-filter-ieee_oui.gemspec && bundle info logstash-filter-ieee_oui"
 
-FROM docker.elastic.co/logstash/logstash-oss:6.8.3 AS runtime
+FROM docker.elastic.co/logstash/logstash-oss:6.8.4 AS runtime
 
 USER root
 

Dockerfiles/moloch.Dockerfile

@@ -7,18 +7,23 @@ ENV DEBIAN_FRONTEND noninteractive
 
 ENV MOLOCH_VERSION "2.0.1"
 ENV MOLOCHDIR "/data/moloch"
-ENV ZEEK_VERSION "2.6.4"
-ENV ZEEK_DIR "/opt/bro"
-ENV ZEEK_CORELIGHT_COMMUNITY_ID_PLUGIN_VER "1.2"
+ENV SRC_BASE_DIR "/usr/local/src"
+ENV ZEEK_VERSION "3.0.0"
+ENV ZEEK_DIR "/opt/zeek"
+ENV ZEEK_SRC_DIR "${SRC_BASE_DIR}/zeek-${ZEEK_VERSION}"
+ENV ZEEK_PATCH_DIR "${SRC_BASE_DIR}/zeek-patches"
+ENV PATH="${ZEEK_DIR}/bin:${PATH}"
 
 ADD moloch/scripts/bs4_remove_div.py /data/
 ADD moloch/patch/* /data/patches/
 ADD README.md $MOLOCHDIR/doc/
 ADD doc.css $MOLOCHDIR/doc/
 ADD docs/images $MOLOCHDIR/doc/images/
 ADD https://github.com/aol/moloch/archive/v$MOLOCH_VERSION.tar.gz /data/moloch.tar.gz
-ADD https://www.zeek.org/downloads/bro-$ZEEK_VERSION.tar.gz /data/bro.tar.gz
-ADD https://github.com/corelight/bro-community-id/archive/$ZEEK_CORELIGHT_COMMUNITY_ID_PLUGIN_VER.tar.gz /data/bro-community-id.tar.gz
+ADD https://www.zeek.org/downloads/zeek-$ZEEK_VERSION.tar.gz $SRC_BASE_DIR/zeek.tar.gz
+# Fix redef'ing a table with a new &default attribute #632 -  https://github.com/zeek/zeek/pull/632/commits
+ADD https://github.com/zeek/zeek/commit/42b6040952030c44ce337704916cf89a065994b0.patch $ZEEK_PATCH_DIR/
+ADD shared/bin/zeek_install_plugins.sh /usr/local/bin/
 
 RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list && \
     apt-get -q update && \
@@ -35,7 +40,6 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list
         groff-base \
         imagemagick \
         libcap-dev \
-        libgoogle-perftools-dev \
         libjson-perl \
         libkrb5-dev \
         libmaxminddb-dev \
@@ -51,51 +55,25 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list
         python-dev \
         python3-dev \
         python3-pip \
+        python3-setuptools \
+        python3-wheel \
         rename \
         sudo \
         swig \
         wget \
         zlib1g-dev && \
-  pip3 install --no-cache-dir beautifulsoup4 && \
-  cd /data && \
-  tar -xvf "bro.tar.gz" && \
-    rm -f "bro.tar.gz" && \
-    cd "./bro-"$ZEEK_VERSION && \
-    ./configure --prefix=$ZEEK_DIR --generator=Ninja && \
+  pip3 install --no-cache-dir beautifulsoup4 zkg && \
+  cd "${SRC_BASE_DIR}" && \
+    tar -xvf "zeek.tar.gz" && \
+    cd "./zeek-${ZEEK_VERSION}" && \
+    bash -c "for i in ${ZEEK_PATCH_DIR}/* ; do patch -p 1 -r - --no-backup-if-mismatch < \$i || true; done" && \
+    ./configure --prefix="${ZEEK_DIR}" --generator=Ninja && \
     cd build && \
     ninja && \
     ninja install && \
-    strip --strip-unneeded \
-      $ZEEK_DIR/bin/bro \
-      $ZEEK_DIR/bin/bro-cut \
-      $ZEEK_DIR/bin/binpac \
-      $ZEEK_DIR/lib/libbroker.so.. \
-      $ZEEK_DIR/lib/libcaf_core.so.0.16.2 \
-      $ZEEK_DIR/lib/libcaf_io.so.0.16.2 \
-      $ZEEK_DIR/lib/libcaf_openssl.so.0.16.2 && \
-  git clone --depth 1 https://github.com/salesforce/ja3 /tmp/ja3 && \
-    mkdir -p $ZEEK_DIR/share/bro/site/ja3 && \
-    cp -v /tmp/ja3/bro/* $ZEEK_DIR/share/bro/site/ja3 && \
-    rm -rf /tmp/ja3 && \
-  git clone --depth 1 https://github.com/salesforce/hassh /tmp/hassh && \
-    mkdir -p $ZEEK_DIR/share/bro/site/hassh && \
-    cp -v /tmp/hassh/bro/* $ZEEK_DIR/share/bro/site/hassh && \
-    rm -rf /tmp/hassh && \
-  cd /data && \
-    tar -xvf "bro-community-id.tar.gz" && \
-    cd "bro-community-id-"$ZEEK_CORELIGHT_COMMUNITY_ID_PLUGIN_VER && \
-    ./configure --bro-dist="/data/bro-"$ZEEK_VERSION --install-root=$ZEEK_DIR/lib/bro/plugins && \
-    make && \
-    make install && \
-  git clone --depth 1 https://github.com/salesforce/GQUIC_Protocol_Analyzer /tmp/gquic && \
-    cd /data/bro-$ZEEK_VERSION/aux/bro-aux/plugin-support/ && \
-    ./init-plugin ./bro-quic Salesforce GQUIC && \
-    cd ./bro-quic && \
-    rm -rf CMakeLists.txt ./scripts ./src && \
-    cp -vr /tmp/gquic/CMakeLists.txt /tmp/gquic/scripts /tmp/gquic/src ./ && \
-    ./configure --bro-dist="/data/bro-"$ZEEK_VERSION --install-root=$ZEEK_DIR/lib/bro/plugins && \
-    make && \
-    make install && \
+    bash -c "file ${ZEEK_DIR}/{lib,bin}/* ${ZEEK_DIR}/lib/zeek/plugins/packages/*/lib/* ${ZEEK_DIR}/lib/zeek/plugins/*/lib/* | grep 'ELF 64-bit' | sed 's/:.*//' | xargs -l -r strip -v --strip-unneeded" && \
+    zkg autoconfig && \
+    bash /usr/local/bin/zeek_install_plugins.sh && \
   cd $MOLOCHDIR/doc/images && \
     find . -name "*.png" -exec bash -c 'convert "{}" -fuzz 2% -transparent white -background white -alpha remove -strip -interlace Plane -quality 85% "{}.jpg" && rename "s/\.png//" "{}.jpg"' \; && \
     cd $MOLOCHDIR/doc && \
@@ -106,9 +84,8 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list
     pandoc -s --self-contained --metadata title="Malcolm README" --css $MOLOCHDIR/doc/doc.css -o $MOLOCHDIR/doc/README.html $MOLOCHDIR/doc/README.md && \
   cd /data && \
   tar -xvf "moloch.tar.gz" && \
-    rm -f "moloch.tar.gz" && \
     cd "./moloch-"$MOLOCH_VERSION && \
-    bash -c 'for i in /data/patches/*; do patch -p1 < $i; done' && \
+    bash -c 'for i in /data/patches/*; do patch -p 1 -r - --no-backup-if-mismatch < $i || true; done' && \
     cp -v $MOLOCHDIR/doc/images/moloch/moloch_155.png ./viewer/public/moloch_155.png && \
     cp -v $MOLOCHDIR/doc/images/moloch/moloch_77.png ./viewer/public/moloch_77.png && \
     cp -v $MOLOCHDIR/doc/images/moloch/header_logo.png ./parliament/vueapp/src/assets/header_logo.png && \
@@ -122,16 +99,7 @@ RUN sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list
     python3 /data/bs4_remove_div.py -i ./viewer/vueapp/src/components/users/Users.vue -o ./viewer/vueapp/src/components/users/Users.new -c "new-user-form" && \
     mv -vf ./viewer/vueapp/src/components/users/Users.new ./viewer/vueapp/src/components/users/Users.vue && \
     ./easybutton-build.sh --install && \
-    npm cache clean --force && \
-  apt-get clean && \
-  rm -rf $MOLOCHDIR"-"$MOLOCH_VERSION \
-         /data/bro.tar.gz \
-         "/data/bro-"$ZEEK_VERSION \
-         /data/bro-community-id.tar.gz \
-         "/data/bro-community-id-"$ZEEK_CORELIGHT_COMMUNITY_ID_PLUGIN_VER \
-         /var/lib/apt/lists/* \
-         /tmp/* \
-         /var/tmp/*
+    npm cache clean --force
 
 FROM debian:buster-slim AS runtime
 
@@ -152,7 +120,7 @@ ARG VIEWER=on
 ARG MANAGE_PCAP_FILES=false
 #Whether or not to auto-tag logs based on filename
 ARG AUTO_TAG=true
-#Whether or not to run "bro -r XXXXX.pcap local" on each pcap file
+#Whether or not to run "zeek -r XXXXX.pcap local" on each pcap file
 ARG ZEEK_AUTO_ANALYZE_PCAP_FILES=false
 ARG ZEEK_AUTO_ANALYZE_PCAP_THREADS=1
 ARG ZEEK_EXTRACTOR_MODE=none
@@ -177,7 +145,7 @@ ENV VIEWER $VIEWER
 ENV MANAGE_PCAP_FILES $MANAGE_PCAP_FILES
 ENV AUTO_TAG $AUTO_TAG
 ENV AUTOZEEK_DIR "/autozeek"
-ENV ZEEK_DIR "/opt/bro"
+ENV ZEEK_DIR "/opt/zeek"
 ENV ZEEK_AUTO_ANALYZE_PCAP_FILES $ZEEK_AUTO_ANALYZE_PCAP_FILES
 ENV ZEEK_AUTO_ANALYZE_PCAP_THREADS $ZEEK_AUTO_ANALYZE_PCAP_THREADS
 ENV ZEEK_EXTRACTOR_MODE $ZEEK_EXTRACTOR_MODE
@@ -196,7 +164,6 @@ RUN sed -i "s/buster main/buster main contrib non-free/" /etc/apt/sources.list &
       gettext \
       inotify-tools \
       libcap2-bin \
-      libgoogle-perftools4 \
       libjson-perl \
       libkrb5-3 \
       libmaxminddb0 \
@@ -237,7 +204,7 @@ ADD https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-Country /t
 ADD https://updates.maxmind.com/app/update_secure?edition_id=GeoLite2-ASN /tmp/GeoLite2-ASN.mmdb.gz
 ADD moloch/wise/source.*.js $MOLOCHDIR/wiseService/
 ADD moloch/supervisord.conf /etc/supervisord.conf
-ADD moloch/zeek/*.bro $ZEEK_DIR/share/bro/site/
+ADD moloch/zeek/*.zeek $ZEEK_DIR/share/zeek/site/
 
 RUN groupadd --gid 1000 $MOLOCHUSER && \
     useradd -M --uid 1000 --gid 1000 --home $MOLOCHDIR $MOLOCHUSER && \