Netgate Discussion Forum

    pfSense Zeek (fka Bro) Package

    27 Posts 10 Posters 18.0k Views
      thiamata

      Hi

      Remarking helps Zeek come up again, but I need to run zeekctl deploy again on the shell.

      I am still looking for how to implement custom scripts in the correct way.

      Secondly, what is needed to get this misc/appstat running in the correct way? This question is still open, ...

      For it seems that Zeek is running for now in the known way, ...

      thanx 4 hlp

      regards Thiamata

        markoverholser @thiamata

        @thiamata I don't think it's necessary to run misc/appstat; I've never used that functionality. So, I think it's safe to just remove that from your local.zeek.

        As for running other custom scripts, put them somewhere and use an @load directive in your local.zeek file to load them.

        For example, if you download and unzip the IcannTLD package (https://github.com/corelight/icannTLD) to a specific directory, you can add a line like @load /opt/icanntld/scripts/ (assuming that's where it ends up) and it will load the script and use it when Zeek loads.

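A pre-deploy check for the @load approach described in the reply above, as an added example that is not from the thread or from the Zeek package: it lists every absolute-path @load in a local.zeek, confirms that it resolves to a script or to a directory containing __load__.zeek, and flags targets that are world-writable. The function name check_loads and the OK/MISSING/WRITABLE labels are assumptions made for this example; names resolved through ZEEKPATH (such as misc/appstat) are skipped.

```shell
#!/bin/sh
# Added example (not from the thread): check absolute-path @load lines in local.zeek.
# Prints "OK <path>", "MISSING <path>" or "WRITABLE <path>" for each directive.
# Returns 0 if every target resolves and is not world-writable, 1 otherwise,
# 2 if the file cannot be read. Paths containing whitespace are not handled.
check_loads() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }
    # Drop comments, then keep only "@load <absolute path>" directives.
    paths=$(sed -e 's/#.*//' "$conf" |
            awk '$1 == "@load" && $2 ~ /^\// { print $2 }')
    for p in $paths; do
        # "@load X" resolves to a directory X holding __load__.zeek,
        # or to a file X or X.zeek.
        if [ -d "$p" ] && [ -f "${p%/}/__load__.zeek" ]; then
            target=${p%/}
        elif [ -f "$p" ]; then
            target=$p
        elif [ -f "$p.zeek" ]; then
            target=$p.zeek
        else
            echo "MISSING $p"
            rc=1
            continue
        fi
        # Loaded scripts run inside the Zeek process on the firewall, so no
        # file or directory under the target should be writable by "other".
        if [ -n "$(find "$target" ! -type l -perm -0002 -print 2>/dev/null)" ]; then
            echo "WRITABLE $p"
            rc=1
        else
            echo "OK $p"
        fi
    done
    return $rc
}

# Stand-alone use: sh check_loads.sh /path/to/local.zeek
[ "$#" -eq 0 ] || check_loads "$1"
```

Run it before zeekctl deploy; zeekctl check can then confirm that the scripts also parse.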
            yellowRain

            Hello,
            This topic has quite a lot of views, so I'm enticed to post here.

            I would like to install some plug-ins (eg wireguard and openvpn).

            I understand spicy is the way to go.

            I compiled all of that thing on a separate FreeBSD VM. (Have seen a few errors during the tests, I think 2 tests failed but did not note any showstopper.)

            Now I must figure out which binaries/files/folders (of Zeek, Zeek plugins, Spicy) I need to copy to pfSense (I will have a try one day) to activate these plug-ins.

            My question at this point is:
            - Would it be possible to create (like pfblocker) a zeek-devel package that would include Spicy and OpenVPN / WG (or the full set of existing) plugins without having to compile elsewhere?

            - Or make the install of Zeek like in the documentation, that is to say in a separate install folder (/usr/local/zeek/)? That way it is easier not to mess with pfSense binaries while adding plug-ins manually, and more understandable for newbies.

            Thank you for having brought this useful tool to pfsense.

              markoverholser @yellowRain

              @yellowrain I think the best place to get an answer for that would be to post in the Zeek Community Slack which you can find a link to on this page: https://zeek.org/community/

                gnordli

                Are there any plans to update the package to the 5.x release series?
                thanks,
                Geoff

                  yellowRain @gnordli

                  @gnordli

                  Think it's there since 23.01.
                  23.05 shows:

                  [23.05-RELEASE][ssh@pfSense.lan]/root: zeek -v
                  zeek version 5.0.7
                  
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.