pfSense Zeek (fka Bro) Package
-
@occamsrazor In the pfSense interface, you can "review" the logs, but honestly at the moment it's my opinion that functionality is only good for sanity checking the logs to make sure they're being generated and look roughly like you expect them to (if you know what you expect them to look like, of course).
The best way to review the data is to ship it out to something else. I think for most people that would be whatever SIEM they already have running. If you're starting from scratch, Elasticsearch is freely available, but there are many little gotchas that can trip someone up, so it's not "for the faint of heart." Humio Cloud is dead simple, but requires signing their EULA, and now requires a corporate email address to sign up. You could also consider running the free Splunk, which has a limit to the amount of data you can supply it, but is pretty powerful.
I should probably try to hack together a recipe for getting the Zeek data from pfSense to something (Elastic or Splunk, perhaps). Some of it has already been covered by Eric Ooi's blogs (https://www.ericooi.com/zeekurity-zen-zeries/), but the plumbing would be slightly different since most people would probably not run the log forwarding agent directly on pfSense, and instead would have the logs made available elsewhere via SMB or NFS, and then run the log forwarding agent on some external system consuming the logs remotely and then sending them to the SIEM.
Hope that helps!
-
@thiamata said in pfSense Zeek (fka Bro) Package:
zeekctl
Your info here helped me fix it.
The real question is why do we have to jump through this hoop for this package? -
After the last zeek-update (4.0.2) I cannot start zeek , ... .. .
trying to use the zeekctl deploy, shows the following result:
--- snipp ---
zeekctl deploy
checking configurations ...
zeek scripts failed.
fatal error in /usr/local/share/zeek/site/local.zeek, line 16: can't find misc/app-stats
--- snipp end ---also trying to delete and install the application newly shows the same behavior.
any ideas?
regards Thiamata
-
sorry I missed this:
--- snipp ---
more local.zeek
##! Local site policy. Customize as appropriate.
##!
##! This file will not be overwritten when upgrading or reinstalling!This script logs which scripts were loaded during each run.
@load misc/loaded-scripts
Apply the default tuning scripts for common tuning settings.
@load tuning/defaults
Load the scan detection script.
@load misc/scan
Log some information about web applications being used by users
on your network.
@load misc/app-stats
--- snipp end ---
last entry is line 16, ... .. .
regards Thiamata
PS
A reinstall and a remove and installing again does not helpduring installation I got some eorros relating some cfg files (zeekctl.cfg, node.cfg, networks.cfg) in /usr/local/etc
The first two I could identify as zeek related cfgs. So removing these files helps to bypass the these errors. But with networks.cfg I am not sure, if this file is only a zeek related cfg.Is there an option to completely remove zeek and install from scratch like a (nearly) fresh system, without knowing any information from the instance installed before?
regards Thiamata
-
@thiamata Can you comment out the line
@load misc/app-stats
(change it to# @load misc/app-stats
by adding the#
at the beginning) and try to load Zeek again?Did you install with
pkg install
or via the web UI? I think there shouldn't be much state kept between installations but if you are at the command line you couldrm -rf /usr/local/share/zeek
after uninstalling to remove the remaining elements (if there are any). -
This post is deleted! -
Hi
remarking helps zeek to come up again, but I need to run zeekctl deploy again on the shell.
I am still looking for howto implement custom scripts in the correct way.
secondly, what is needed to get this misc/appstat running in the correct way. This question is still open, ... .. .
For it seems that zeek is running for now in the known way, ... .. .
thanx 4 hlp
regards Thiamata
-
@thiamata I don't think it's necessary to run misc/appstat, I've never used that functionality. So, I think it's safe to just remove that from your
local.zeek
As for running other custom scripts, put them somewhere and use an
@load
directive in yourlocal.zeek
file to load them.For example, if you download and unzip the IcannTLD package (https://github.com/corelight/icannTLD) to a specific directory, you can add a line like
@load /opt/icanntld/scripts/
(assuming that's where it ends up) and it will load the script and use it when Zeek loads. -
This post is deleted! -
Hello,
This topic has quite a lot of views, so I 'm enticed to poste here.I would like to install some plug-ins (eg wireguard and openvpn).
I understand spicy is the way to go.
I compiled all of that thing on a separate FreeBSD vm. (Have seen a few errors during the tests, I think 2 tests failed but did not note any showstopper )
Now I must figure out which binaries/files/folders (of zeek, zeek plugins spicy) I need to copy on pfsense (I will have a try one day.) to activate these plug-ins
My question at this point is :
-would it be possible to create (like pfblocker) a zeek-devel package that would include spicy and openvpn / wg (or the full set of existing) plugins without having to compile elsewhere ?-or make the install of zeek like in the documentation, that is to say in a separate install folder (/usr/local/zeek/). That way it is easier not to mess with pfsense binaries while adding plug-ins manually, and more understandable for newbies.
Thank you for having brought this useful tool to pfsense.
-
@yellowrain I think the best place to get an answer for that would be to post in the Zeek Community Slack which you can find a link to on this page: https://zeek.org/community/
-
Are there any plans to update the package to the 5.x release series?
thanks,
Geoff -
Think it's there since 23.01.
23.05 shows :[23.05-RELEASE][ssh@pfSense.lan]/root: zeek -v zeek version 5.0.7