Security-Onion-Solutions / security-onion

Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
https://securityonion.net

Zeek 3.0.1 #1645

Closed dougburks closed 4 years ago

dougburks commented 4 years ago

https://blog.zeek.org/2019/09/zeek-300.html

dougburks commented 4 years ago

Zeek 3.0.0 has a performance regression when logging to JSON. Waiting for Zeek 3.0.1: https://github.com/zeek/zeek/projects/5 https://github.com/zeek/zeek/issues/595 https://github.com/zeek/zeek/issues/604

dougburks commented 4 years ago

Zeek 3.0.1 now available: https://github.com/zeek/zeek/releases/tag/v3.0.1

weslambert commented 4 years ago

No issues during my testing 👍

defensivedepth commented 4 years ago

No issues seen in my testing

chris-cuevas commented 4 years ago

No issues seen in my testing with more than 70,000,000 events per hour.

As per the checklist for testing...

dpkg -l |grep securityonion-bro
ii  securityonion-bro            3.0.1-1ubuntu1securityonion10      amd64  The Bro Network Security Monitor
ii  securityonion-bro-afpacket   1.3.0-1ubuntu1securityonion17      all    Plugin providing native AF_Packet support for Bro.
ii  securityonion-bro-scripts    20121004-0ubuntu0securityonion100  all    Bro scripts for Security Onion

root@test-host1:~# ls -l /opt/zeek
lrwxrwxrwx 1 root root 3 Feb 4 13:06 /opt/zeek -> bro

root@test-host1:~# ls -l /nsm/zeek
lrwxrwxrwx 1 root root 3 Feb 4 13:06 /nsm/zeek -> bro

root@test-host1:~# ls -l /opt/bro/etc/broctl.cfg
lrwxrwxrwx 1 root root 11 Feb 4 13:06 /opt/bro/etc/broctl.cfg -> zeekctl.cfg

root@test-host1:~# ls -l /opt/bro/
total 0
drwxr-xr-x 2 root root 257 Feb 4 13:06 bin
drwxr-xr-x 2 root root 101 Feb 4 13:13 etc
drwxr-xr-x 2 root root  60 Sep 17 18:26 etc_pre-2.6.4
drwxr-xr-x 2 root root  60 Feb 4 13:04 etc_pre-3.0.1

root@test-host1:~# ls -l /opt/bro/share/
total 0
lrwxrwxrwx 1 root root  4 Feb 4 13:06 bro -> zeek
drwxr-xr-x 4 root root 31 Feb 4 13:06 bro.pre-3.0.1

root@test-host1:~# grep StatusCmdShowAll /opt/zeek/etc/zeekctl.cfg
StatusCmdShowAll = 0

root@test-host1:~# grep af_packet /opt/zeek/etc/zeekctl.cfg
lb_custom.InterfacePrefix=af_packet::

root@test-host1:~# ls /etc/cron.d/
anacron capme mdadm netsniff-sync nsm-watchdog php salt-update sensor-clean sensor-newday sguil-db-purge so-sensor-backup-config so-server-backup-config squert-ip2c sysstat zeek

I have rebooted the system and things come up smoothly on reboot.
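As an added example (not part of this thread or the Security Onion project's own tooling): a POSIX sh function that automates the post-upgrade checks chris-cuevas ran above, so the same verification can be repeated on every sensor after the 3.0.1 package lands. The optional root-directory argument is my assumption, added so the checks can be run against a staged tree; the paths, symlink targets and config values are the ones shown in the comment.

```shell
#!/bin/sh
# Verify the Zeek 3.0.1 package layout on a Security Onion 16.04 sensor.
# Usage: check_zeek_upgrade [ROOT]   (ROOT defaults to /; assumed parameter)
# Returns 0 when every check passes, 1 otherwise, printing one FAIL line per problem.
check_zeek_upgrade() {
    root="${1:-/}"
    root="${root%/}"
    fail=0

    # 1. Compatibility symlinks: /opt/zeek -> bro and /nsm/zeek -> bro
    for link in "$root/opt/zeek" "$root/nsm/zeek"; do
        if [ "$(readlink "$link")" != "bro" ]; then
            echo "FAIL: $link should be a symlink to 'bro'"; fail=1
        fi
    done

    # 2. broctl.cfg must resolve to zeekctl.cfg
    if [ "$(readlink "$root/opt/bro/etc/broctl.cfg")" != "zeekctl.cfg" ]; then
        echo "FAIL: $root/opt/bro/etc/broctl.cfg should point to zeekctl.cfg"; fail=1
    fi

    # 3. zeekctl.cfg settings shown in the checklist
    cfg="$root/opt/bro/etc/zeekctl.cfg"
    if ! grep -Eq '^[[:space:]]*StatusCmdShowAll[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$cfg" 2>/dev/null; then
        echo "FAIL: StatusCmdShowAll is not 0 in $cfg"; fail=1
    fi
    if ! grep -Eq '^[[:space:]]*lb_custom\.InterfacePrefix[[:space:]]*=[[:space:]]*af_packet::' "$cfg" 2>/dev/null; then
        echo "FAIL: lb_custom.InterfacePrefix is not af_packet:: in $cfg"; fail=1
    fi

    # 4. The zeek cron job must be installed
    if [ ! -f "$root/etc/cron.d/zeek" ]; then
        echo "FAIL: $root/etc/cron.d/zeek is missing"; fail=1
    fi

    return $fail
}

# Run directly against a given root when invoked as a script with an argument.
if [ -n "${1:-}" ]; then
    check_zeek_upgrade "$1"
fi
```

Source the file and call `check_zeek_upgrade` on the sensor itself, or pass a directory to check a staged copy; the dpkg version line is left to the reader since it depends on the exact package build.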

dougburks commented 4 years ago

Thanks @chris-cuevas !

dougburks commented 4 years ago

Published: https://blog.securityonion.net/2020/02/zeek-301-elastic-686-and-cyberchef-9120.html