pfSense Zeek (fka Bro) Package
-
sorry I missed this:
--- snipp ---
more local.zeek

```zeek
##! Local site policy. Customize as appropriate.
##!
##! This file will not be overwritten when upgrading or reinstalling!

# This script logs which scripts were loaded during each run.
@load misc/loaded-scripts

# Apply the default tuning scripts for common tuning settings.
@load tuning/defaults

# Load the scan detection script.
@load misc/scan

# Log some information about web applications being used by users
# on your network.
@load misc/app-stats
```
--- snipp end ---
last entry is line 16, ... .. .
regards Thiamata
PS
A reinstall, and a remove followed by installing again, do not help. During installation I got some errors relating to some cfg files (zeekctl.cfg, node.cfg, networks.cfg) in /usr/local/etc.
The first two I could identify as Zeek-related cfgs, so removing these files helps to bypass these errors. But with networks.cfg I am not sure whether this file is only a Zeek-related cfg. Is there an option to completely remove Zeek and install from scratch, like on a (nearly) fresh system, without knowing any information from the instance installed before?
regards Thiamata
-
@thiamata Can you comment out the line `@load misc/app-stats` (change it to `# @load misc/app-stats` by adding the `#` at the beginning) and try to load Zeek again? Did you install with `pkg install` or via the web UI? I think there shouldn't be much state kept between installations, but if you are at the command line you could `rm -rf /usr/local/share/zeek` after uninstalling to remove the remaining elements (if there are any). -
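The clean-slate reinstall asked about above, as an added example that is not part of the thread or of the pfSense package: instead of deleting the leftovers with `rm -rf`, move the files the thread names (`zeekctl.cfg`, `node.cfg`, `networks.cfg` under `/usr/local/etc`, and the `/usr/local/share/zeek` tree, which on the FreeBSD port also holds `site/local.zeek`) into a timestamped backup directory, so the next `pkg install` starts clean while the old configuration stays available. `networks.cfg` is ZeekControl's list of local networks, so it is safe to treat it as Zeek's file. The function name, the `PREFIX` parameter and the backup location are my own choices; run it after `pkg delete`, not while Zeek is installed.

```shell
#!/bin/sh
# Added example, not from the thread: stash the Zeek state left behind by a
# previous install so a fresh "pkg install" is not confused by it.
# Usage: zeek_stash_state [PREFIX] [BACKUP_DIR]
#   PREFIX      defaults to /usr/local (where the FreeBSD port installs)
#   BACKUP_DIR  defaults to /root/zeek-backup-<timestamp>; must not exist yet
zeek_stash_state() {
    prefix="${1:-/usr/local}"
    backup="${2:-/root/zeek-backup-$(date +%Y%m%d%H%M%S)}"
    moved=0

    # Refuse to merge into an existing directory: "mv dir existing-dir" would
    # nest the tree instead of replacing it and hide what was actually saved.
    if [ -e "$backup" ]; then
        echo "refusing to reuse existing backup dir $backup" >&2
        return 1
    fi
    mkdir -p "$backup/etc" "$backup/share"

    # ZeekControl configuration files; the FreeBSD port puts them in PREFIX/etc.
    # networks.cfg is zeekctl's local-network list, so it belongs with the others.
    for f in zeekctl.cfg node.cfg networks.cfg; do
        if [ -e "$prefix/etc/$f" ]; then
            mv "$prefix/etc/$f" "$backup/etc/$f"
            moved=$((moved + 1))
        fi
    done

    # Script tree from the old install, including site/local.zeek.
    if [ -d "$prefix/share/zeek" ]; then
        mv "$prefix/share/zeek" "$backup/share/zeek"
        moved=$((moved + 1))
    fi

    echo "$moved item(s) moved to $backup"
    return 0
}
```

After the reinstall, diff the stashed `site/local.zeek` against the freshly installed one and copy back only the `@load` lines you still want, rather than restoring the whole tree.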
Hi,
Commenting it out helps Zeek come up again, but I need to run `zeekctl deploy` again in the shell.
I am still looking for how to implement custom scripts in the correct way.
Secondly, what is needed to get this misc/app-stats running in the correct way? This question is still open, ... .. .
For now it seems that Zeek is running in the known way, ... .. .
Thanks for the help.
regards Thiamata
-
@thiamata I don't think it's necessary to run misc/app-stats; I've never used that functionality. So I think it's safe to just remove that from your `local.zeek`.
As for running other custom scripts, put them somewhere and use an `@load` directive in your `local.zeek` file to load them. For example, if you download and unzip the IcannTLD package (https://github.com/corelight/icannTLD) to a specific directory, you can add a line like `@load /opt/icanntld/scripts/` (assuming that's where it ends up) and it will load the script and use it when Zeek loads. -
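The two `local.zeek` edits discussed in this thread (commenting out `@load misc/app-stats`, and adding an `@load` for a custom script directory such as the IcannTLD example) as an added example in shell; this is not code from the thread, the pfSense package or the IcannTLD project. It relies on one Zeek fact: when `@load` is given a directory, Zeek reads the `__load__.zeek` inside it, so the helper checks that file exists before appending the directive. Function names, the sample paths and the temporary-file naming are my own assumptions; after either edit you still need `zeekctl deploy`, as the thread notes.

```shell
#!/bin/sh
# Added example, not from the thread: re-runnable helpers for editing local.zeek.
#   zeek_disable_load FILE SCRIPT   comment out the exact line "@load SCRIPT"
#   zeek_enable_load  FILE PATH     append "@load PATH" once, after checking that
#                                   PATH is a .zeek file or a directory with a
#                                   __load__.zeek (what Zeek reads for a directory)

zeek_disable_load() {
    file="$1"; script="$2"; tmp="$file.tmp.$$"
    # awk compares the normalised line to "@load <script>" as a plain string,
    # so script names with regex metacharacters cannot match more than intended.
    awk -v s="$script" '
        { line = $0; gsub(/[ \t]+/, " ", line); sub(/ $/, "", line) }
        line == "@load " s { print "# " $0; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

zeek_enable_load() {
    file="$1"; path="$2"
    if [ -d "$path" ]; then
        # A directory is only loadable if it carries a __load__.zeek.
        if [ ! -f "${path%/}/__load__.zeek" ]; then
            echo "no __load__.zeek in $path; Zeek would fail to load it" >&2
            return 1
        fi
    elif [ ! -f "$path" ]; then
        echo "no such script: $path" >&2
        return 1
    fi
    # Idempotent: only append when an identical directive is not already present.
    grep -qxF "@load $path" "$file" 2>/dev/null || printf '@load %s\n' "$path" >> "$file"
}
```

Checking for `__load__.zeek` before editing matters on an appliance: a bad `@load` line stops Zeek from starting at all, which is exactly the symptom reported earlier in this thread, and `zeekctl deploy` is the step that makes the running instance pick up the change.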
Hello,
This topic has quite a lot of views, so I'm enticed to post here. I would like to install some plug-ins (e.g. WireGuard and OpenVPN).
I understand Spicy is the way to go.
I compiled all of that on a separate FreeBSD VM. (I have seen a few errors during the tests; I think 2 tests failed, but I did not note any showstopper.)
Now I must figure out which binaries/files/folders (of Zeek, Zeek plugins, Spicy) I need to copy onto pfSense (I will have a try one day) to activate these plug-ins.
My questions at this point are:
- would it be possible to create (like pfBlocker) a zeek-devel package that would include Spicy and the OpenVPN / WireGuard (or the full set of existing) plugins, without having to compile elsewhere?
- or make the install of Zeek like in the documentation, that is to say in a separate install folder (/usr/local/zeek/). That way it is easier not to mess with pfSense binaries while adding plug-ins manually, and more understandable for newbies.
Thank you for having brought this useful tool to pfSense.
-
@yellowrain I think the best place to get an answer for that would be to post in the Zeek Community Slack which you can find a link to on this page: https://zeek.org/community/
-
Are there any plans to update the package to the 5.x release series?
thanks,
Geoff -
I think it's been there since 23.01.
23.05 shows:

```
[23.05-RELEASE][ssh@pfSense.lan]/root: zeek -v
zeek version 5.0.7
```