    pfSense Zeek (fka Bro) Package

      JGdgZPQatDDjpA @thiamata

      @thiamata said in pfSense Zeek (fka Bro) Package:

      zeekctl

      Your info here helped me fix it.
      The real question is why do we have to jump through this hoop for this package?

        thiamata

        After the last zeek-update (4.0.2) I cannot start zeek , ... .. .

        trying to use the zeekctl deploy, shows the following result:
        --- snipp ---
        zeekctl deploy
        checking configurations ...
        zeek scripts failed.
        fatal error in /usr/local/share/zeek/site/local.zeek, line 16: can't find misc/app-stats
        --- snipp end ---

        also trying to delete and install the application newly shows the same behavior.

        any ideas?

        regards Thiamata

          thiamata

          sorry I missed this:

          --- snipp ---
          more local.zeek
          ##! Local site policy. Customize as appropriate.
          ##!
          ##! This file will not be overwritten when upgrading or reinstalling!

          # This script logs which scripts were loaded during each run.
          @load misc/loaded-scripts

          # Apply the default tuning scripts for common tuning settings.
          @load tuning/defaults

          # Load the scan detection script.
          @load misc/scan

          # Log some information about web applications being used by users
          # on your network.
          @load misc/app-stats

          --- snipp end ---

          last entry is line 16, ... .. .

          regards Thiamata

          PS
          A reinstall and a remove and installing again does not help

          during installation I got some errors relating to some cfg files (zeekctl.cfg, node.cfg, networks.cfg) in /usr/local/etc
          The first two I could identify as zeek related cfgs. So removing these files helps to bypass these errors. But with networks.cfg I am not sure, if this file is only a zeek related cfg.

          Is there an option to completely remove zeek and install from scratch like a (nearly) fresh system, without knowing any information from the instance installed before?

          regards Thiamata

            markoverholser @thiamata

            @thiamata Can you comment out the line @load misc/app-stats (change it to # @load misc/app-stats by adding the # at the beginning) and try to load Zeek again?

            Did you install with pkg install or via the web UI? I think there shouldn't be much state kept between installations but if you are at the command line you could rm -rf /usr/local/share/zeek after uninstalling to remove the remaining elements (if there are any).

                thiamata

                Hi

                remarking helps zeek to come up again, but I need to run zeekctl deploy again on the shell.

                I am still looking for how to implement custom scripts in the correct way.

                secondly, what is needed to get this misc/appstat running in the correct way. This question is still open, ... .. .

                For it seems that zeek is running for now in the known way, ... .. .

                thanx 4 hlp

                regards Thiamata

                  markoverholser @thiamata

                  @thiamata I don't think it's necessary to run misc/appstat, I've never used that functionality. So, I think it's safe to just remove that from your local.zeek

                  As for running other custom scripts, put them somewhere and use an @load directive in your local.zeek file to load them.

                  For example, if you download and unzip the IcannTLD package (https://github.com/corelight/icannTLD) to a specific directory, you can add a line like @load /opt/icanntld/scripts/ (assuming that's where it ends up) and it will load the script and use it when Zeek loads.

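The failure reported in this thread (can't find misc/app-stats) can be caught before running zeekctl deploy by checking every active @load line against the script directories. The shell functions below are an added example, not part of any post in the thread; the resolution rule (NAME.zeek or NAME/__load__.zeek) and the search directories passed in are assumptions, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report active @load lines in a Zeek
# site file whose target cannot be found, before running "zeekctl deploy".

# resolves TARGET DIR...: succeed if TARGET is a script or a script directory.
resolves() {
    target=${1%/}; shift
    case $target in
        /*) set -- "" ;;    # absolute path: do not prepend a search dir
    esac
    for dir in "$@"; do
        path=${dir:+$dir/}$target
        if [ -f "$path.zeek" ] || [ -f "$path" ] || [ -f "$path/__load__.zeek" ]; then
            return 0
        fi
    done
    return 1
}

# missing_loads FILE DIR...: print "line N: TARGET" for each unresolved @load.
# awk's $1 == "@load" skips commented lines ("# @load ...") and @load-sigs.
missing_loads() {
    file=$1; shift
    awk '$1 == "@load" { print NR, $2 }' "$file" |
    while read -r lineno name; do
        resolves "$name" "$@" || printf 'line %s: %s\n' "$lineno" "$name"
    done
}

# demo: constructed tree modelled on the thread's local.zeek, app-stats absent.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/site" "$t/policy/misc" "$t/policy/tuning/defaults" "$t/opt/icanntld/scripts"
    touch "$t/policy/misc/loaded-scripts.zeek" "$t/policy/misc/scan.zeek" \
          "$t/policy/tuning/defaults/__load__.zeek" "$t/opt/icanntld/scripts/__load__.zeek"
    cat > "$t/site/local.zeek" <<EOF
@load misc/loaded-scripts
@load tuning/defaults
# @load misc/scan
@load misc/app-stats
@load $t/opt/icanntld/scripts/
EOF
    missing_loads "$t/site/local.zeek" "$t" "$t/policy" "$t/site"
    rm -rf "$t"
}

demo
```

On the system from the thread the call would be missing_loads /usr/local/share/zeek/site/local.zeek /usr/local/share/zeek /usr/local/share/zeek/policy /usr/local/share/zeek/site, where the search directories are assumed from the path in the error message.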

                      yellowRain

                      Hello,
                      This topic has quite a lot of views, so I'm enticed to post here.

                      I would like to install some plug-ins (eg wireguard and openvpn).

                      I understand spicy is the way to go.

                      I compiled all of that thing on a separate FreeBSD vm. (Have seen a few errors during the tests, I think 2 tests failed but did not note any showstopper )

                      Now I must figure out which binaries/files/folders (of zeek, zeek plugins spicy) I need to copy on pfsense (I will have a try one day.) to activate these plug-ins

                      My question at this point is :
                      -would it be possible to create (like pfblocker) a zeek-devel package that would include spicy and openvpn / wg (or the full set of existing) plugins without having to compile elsewhere ?

                      -or make the install of zeek like in the documentation, that is to say in a separate install folder (/usr/local/zeek/). That way it is easier not to mess with pfsense binaries while adding plug-ins manually, and more understandable for newbies.

                      Thank you for having brought this useful tool to pfsense.

                        markoverholser @yellowRain

                        @yellowrain I think the best place to get an answer for that would be to post in the Zeek Community Slack which you can find a link to on this page: https://zeek.org/community/

                          gnordli

                          Are there any plans to update the package to the 5.x release series?
                          thanks,
                          Geoff

                            yellowRain @gnordli

                            @gnordli

                            Think it's there since 23.01.
                            23.05 shows :

                            [23.05-RELEASE][ssh@pfSense.lan]/root: zeek -v
                            zeek version 5.0.7
                            