diff --git a/container/Dockerfile b/container/Dockerfile
index c86b719..dc0ad69 100644
--- a/container/Dockerfile
+++ b/container/Dockerfile
@@ -1,51 +1,56 @@
-FROM centos:latest AS build
-RUN yum -y install epel-release
+
+FROM centos:8.1.1911 AS build
+
+#Version Number of Zeek
+ENV VERSION="3.1.3"
+RUN yum -y install epel-release dnf-plugins-core
 RUN yum -y update && \
- yum -y install sudo supervisor git cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel GeoIP-devel libpcap gperftools vim-minimal wget kernel-headers kernel-devel kernel hiredis-devel git python-pip cmake librdkafka librdkafka-devel sendmail
-RUN pip install bro-pkg
-RUN wget https://www.bro.org/downloads/bro-2.5.5.tar.gz && \
- tar xzf bro-2.5.5.tar.gz && \
- cd bro-2.5.5 && \
+ yum config-manager --set-enabled PowerTools && \
+ yum -y install sudo supervisor git cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python2-devel swig zlib-devel GeoIP-devel libpcap gperftools vim-minimal wget kernel-headers kernel-devel kernel hiredis-devel git python2-pip cmake librdkafka librdkafka-devel sendmail
+RUN python2 -m pip install zkg
+RUN wget https://download.zeek.org/zeek-$VERSION.tar.gz && \
+ tar xzf zeek-$VERSION.tar.gz && \
+ cd zeek-$VERSION && \
 #split the configure and make \
 ./configure && \
- make install
-
+ make install
+# Add location of zeek config-file to path
+ENV PATH="${PATH}:/usr/local/zeek/bin/"
 #here is where you can add all your packages. Note that some packages require different build tools and therefore may require additional packages not otherwise found. Some packages require configuration as well. If this is the case it is best to modify the configurations maps accordingly.
-RUN PATH="${PATH}:/usr/local/bro/bin/"; bro-pkg autoconfig && \
- bro-pkg install --force bro-af_packet-plugin
- #bro-pkg install --force bro/sethhall/unknown-mime-type-discovery && \
- #bro-pkg install --force bro/apache/metron-bro-plugin-kafka
+RUN zkg autoconfig && \
+ git clone https://github.com/J-Gras/zeek-af_packet-plugin.git && cd zeek-af_packet-plugin && ./configure --with-kernel=/usr/src/kernels/4.18.0-147.8.1.el8_1.x86_64 && make && make install && cd ..
+ #zkg install --force zeek/sethhall/unknown-mime-type-discovery
+ #zkg install --force zeek/apache/metron-bro-plugin-kafka || true
-RUN echo "********Log files for Bro Packages*********" && \
- if [ -d /root/.bro-pkg/logs/ ];then for i in $(find /root/.bro-pkg/logs/); do echo "***Bro Log file: $i"; cat $i; done;fi
+RUN echo "********Log files for Zeek Packages*********" && \
+ if [ -d /usr/.zkg/logs/ ];then for i in $(find /usr/.zkg/logs/); do echo "***Zeek Log file: $i"; cat $i; done;fi
-FROM centos:latest
+FROM centos:8.1.1911
 RUN yum -y install epel-release
 RUN yum -y install supervisor git wget libpcap GeoIP gperftools tcpdump cmake librdkafka iproute sendmail && \
 yum -y clean all && \
 mkdir -p /conf/{plugins,site}
-COPY --from=build /usr/local/bro/ /usr/local/bro
+COPY --from=build /usr/local/zeek/ /usr/local/zeek
 ADD startbro.sh /startbro.sh
 ADD reset-network.sh /reset-network.sh
 ADD supervisord.conf /etc/supervisor/conf.d/supervisord.conf
-ENV PATH="/usr/local/bro/bin/:${PATH}"
+ENV PATH="/usr/local/zeek/bin/:${PATH}"
 ENV INTERFACE=eth0
 RUN chmod +x /startbro.sh
 RUN chmod +x /reset-network.sh
-
-#Used for allowing Bro to run as a regular user
-RUN /usr/local/bro/bin/broctl deploy
-RUN groupadd -g 2001 bro && \
- useradd -u 2001 -g bro bro -d /usr/local/bro/logs/ && \
- chown -R bro:bro /usr/local/bro/logs/ /usr/local/bro/lib/bro/plugins /usr/local/bro/share/bro/site /usr/local/bro/etc/
+RUN /usr/local/zeek/bin/zeekctl deploy
+RUN sed -i "s/eth0/${INTERFACE}/g" /usr/local/zeek/etc/node.cfg
+RUN groupadd -g 2001 zeek && \
+ useradd -u 2001 -g zeek zeek -d /usr/local/zeek/logs/ && \
+ chown -R zeek:zeek /usr/local/zeek/logs/ /usr/local/zeek/lib/zeek/plugins /usr/local/zeek/share/zeek/site /usr/local/zeek/etc/ /usr/local/zeek/share/zeekctl/scripts/zeekctl-config.sh
 #Needed to run as a non-privileged user
-RUN setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/bro
+RUN setcap cap_net_raw,cap_net_admin=eip /usr/local/zeek/bin/zeek
 RUN setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
-WORKDIR /usr/local/bro/logs/
+WORKDIR /usr/local/zeek/logs/
 CMD ["/usr/bin/supervisord","-c","/etc/supervisor/conf.d/supervisord.conf"]
diff --git a/container/startbro.sh b/container/startbro.sh
index 23113da..8617fd7 100755
--- a/container/startbro.sh
+++ b/container/startbro.sh
@@ -8,14 +8,14 @@
 #CONTAINERINT is the interface within the Container
 CONTAINERINT=$INTERFACE
-sed -i 's/${INTERFACE}/'$INTERFACE' /g' /usr/local/bro/etc/node.cfg
+sed -i 's/${INTERFACE}/'$INTERFACE' /g' /usr/local/zeek/etc/node.cfg
-sudo chgrp $USER $(bro-config --site_dir) $(bro-config --plugin_dir)
-sudo chmod g+rwX $(bro-config --site_dir) $(bro-config --plugin_dir)
+sudo chgrp $USER $(zeek-config --site_dir) $(zeek-config --plugin_dir)
+sudo chmod g+rwX $(zeek-config --site_dir) $(zeek-config --plugin_dir)
-sudo chgrp $USER $(bro-config --site_dir) $(bro-config --plugin_dir)
-sudo chmod g+rwX $(bro-config --site_dir) $(bro-config --plugin_dir)
+sudo chgrp $USER $(zeek-config --site_dir) $(zeek-config --plugin_dir)
+sudo chmod g+rwX $(zeek-config --site_dir) $(zeek-config --plugin_dir)
-sed -i "/const fanout_id/c\ \tconst fanout_id = $RANDOM &redef;" /usr/local/bro/lib/bro/plugins/Bro_AF_Packet/scripts/init.bro
+sed -i "/const fanout_id/c\ \tconst fanout_id = $RANDOM &redef;" /usr/local/zeek/lib/zeek/plugins/Zeek_AF_Packet/scripts/init.zeek
-/usr/local/bro/bin/bro -i $CONTAINERINT -e 'redef LogAscii::use_json=T;'
+/usr/local/zeek/bin/zeek -i $CONTAINERINT -e 'redef LogAscii::use_json=T;'
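Review bot: The new `RUN sed -i "s/eth0/${INTERFACE}/g" /usr/local/zeek/etc/node.cfg` is a build-time no-op: `ENV INTERFACE=eth0` is already set in this stage, so the double-quoted pattern expands to `s/eth0/eth0/g`, and the runtime `sed -i 's/${INTERFACE}/'$INTERFACE' /g'` in startbro.sh and supervisord.conf then has no literal `${INTERFACE}` placeholder to replace (the default node.cfg written by `zeekctl deploy` appears to use `interface=eth0`). If the intent was to seed that placeholder, single-quote it so it is written verbatim: `RUN sed -i 's/eth0/${INTERFACE}/g' /usr/local/zeek/etc/node.cfg`. The af_packet plugin is built from an unpinned `git clone` of the default branch and the Zeek tarball is fetched by `wget` without any checksum or signature check, so the image is not reproducible and the build trusts whatever those endpoints serve at build time; pin the clone (`git clone --depth 1 --branch <PLUGIN_TAG> https://github.com/J-Gras/zeek-af_packet-plugin.git`) and compare the tarball against a recorded hash before extracting. `--with-kernel=/usr/src/kernels/4.18.0-147.8.1.el8_1.x86_64` hard-codes a kernel-devel release that the unpinned `yum -y update`/`yum -y install ... kernel-devel` above is not guaranteed to produce, so this path can vanish on a later rebuild; either pin `kernel-devel` to that release or derive the directory from the installed package. The final stage still declares no `USER`, so despite the `setcap` on the zeek binary and the uid 2001 account, supervisord and everything it launches run as root.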
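Review bot: The renamed `sed -i 's/${INTERFACE}/'$INTERFACE' /g' /usr/local/zeek/etc/node.cfg` keeps the stray space before `/g`, so the interface value lands in node.cfg with a trailing blank (whether zeekctl's parser tolerates that is not visible here), and `$INTERFACE` is unquoted; `sed -i "s/\${INTERFACE}/${INTERFACE}/g" /usr/local/zeek/etc/node.cfg` writes the value exactly. The two `sudo chgrp`/`sudo chmod` pairs are byte-identical, so the second pair can be dropped. The script also depends on `sudo`, which is installed only in the Dockerfile's build stage and not in the runtime stage's package list in this diff, so these lines may fail unless sudo reaches the image some other way. The script starts before this hunk.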
diff --git a/container/supervisord.conf b/container/supervisord.conf
index 2e12b5b..2eec6a7 100644
--- a/container/supervisord.conf
+++ b/container/supervisord.conf
@@ -1,5 +1,5 @@
 [supervisord]
 nodaemon=true
-[program:bro]
-command=/bin/bash -c "sed -i 's/${INTERFACE}/'$INTERFACE' /g' /usr/local/bro/etc/node.cfg && /usr/local/bro/bin/broctl deploy"
+[program:zeek]
+command=/bin/bash -c "sed -i 's/${INTERFACE}/'$INTERFACE' /g' /usr/local/zeek/etc/node.cfg && /usr/local/zeek/bin/zeekctl deploy"
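Review bot: `[program:zeek]` sets no `user=`, so the `command=` runs `zeekctl deploy` as root even though the Dockerfile in this diff creates uid 2001 and grants `cap_net_raw,cap_net_admin` to the zeek binary for exactly that purpose; adding `user=zeek` under `[program:zeek]` would make the privilege split effective, provided the chowned paths cover what zeekctl writes. The embedded `sed` carries the same trailing-space replacement (`' /g'`) as startbro.sh, so the interface name is written into node.cfg with a blank appended. Since the hunk header covers the whole five-line file, nothing in supervisord.conf references `/startbro.sh`, which the Dockerfile adds and marks executable; unless it is invoked elsewhere, that script is dead weight in the image and the interface logic is duplicated between the two files.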