Closed dougburks closed 4 years ago
dougburks
commented
4 years ago List of packages to be tested:
An overview of the testing process can be found in the comments below.
Please record all testing results via comments on this issue.
Thanks in advance for your time effort!
dougburks
commented
4 years ago How To Start Testing
install the current 16.04 ISO image
snapshot the VM if possible
add the test PPA:
sudo add-apt-repository -y ppa:securityonion/testupdate:
sudo soupPlease note that we also have Elastic packages and Docker images in testing right now, so if you want to test just this Zeek update, you should be able to replace that last command with:
sudo apt update && sudo apt install securityonion-bro securityonion-bro-afpacket securityonion-bro-scripts securityonion-samples-broHow To Verify Proper Zeek Operation
first, please note that Bro has been renamed to Zeek but the packages still adhere to the traditional bro naming convention
as the Zeek packages install, verify that the package installation scripts display a message about checking configuration and adding back any local customizations
verify that Bro packages were upgraded:
dpkg -l |grep securityonion-broverify that the new Zeek packages create symlinks as necessary so that the new zeek paths resolve to the traditional bro locations (for example: /opt/zeek is a symlink to /opt/bro, /nsm/zeek is a symlink to /nsm/bro, etc.)
verify that the new Zeek packages create symlinks as necessary so that well known bro files resolve to the new zeek locations (for example: /opt/bro/etc/broctl.cfg is a symlink to zeekctl.cfg, so it can be accessed via /opt/bro/etc/broctl.cfg or /opt/zeek/etc/zeekctl.cfg)
if new installation, run through Setup
verify that the package installation scripts backed up the following with a _pre-3.0.5 extension: /opt/bro/etc/ /opt/bro/share/bro/
verify that StatusCmdShowAll has been set to 0 in /opt/zeek/etc/zeekctl.cfg:
grep StatusCmdShowAll /opt/zeek/etc/zeekctl.cfgverify that "lb_custom.InterfacePrefix=af_packet::" has been added to /opt/zeek/etc/zeekctl.cfg:
grep af_packet /opt/zeek/etc/zeekctl.cfgRestart Zeek:
sudo so-zeek-restartcheck status:
sudo so-statuscheck Zeek startup logs for any warnings/errors out of the ordinary:
cat /nsm/zeek/logs/current/reporter.log
cat /nsm/zeek/logs/current/stdout.log
cat /nsm/zeek/logs/current/stderr.logreplay LOTS of traffic:
sudo so-testverify that files are extracted to /nsm/zeek/extracted:
ls -alh /nsm/zeek/extractedverify that /nsm/zeek/logs/current/conn.log contains the proper sensorname at the end of each log entry:
cat /nsm/zeek/logs/current/conn.logverify that Zeek logs are in the same format as they were pre-upgrade (should be JSON by default).
verify that the Elastic Stack is parsing and displaying Zeek logs properly (whether JSON or TSV format)
verify that you can pivot to CapMe for both TCP and UDP traffic
check sostat output for anything out of the ordinary (specifically, check the pf_ring and Zeek sections for packet loss)
verify that Zeek ja3 script is loaded and logging:
grep ja3 /nsm/zeek/logs/current/*verify that Zeek hassh script is loaded and logging:
grep hassh /nsm/zeek/logs/current/*verify that /etc/cron.d/bro has been moved to /etc/cron.d/zeek and that it works properly
verify that /opt/samples/zeek is a symlink to /opt/samples/bro
verify that everything else works properly with no regressions
reboot and make sure everything still works properly
Please test in as many different combinations as possible:
Evaluation Mode (Bro Standalone mode) vs Production Mode (Bro cluster mode)
single sniffing interface vs multiple sniffing interfaces
file extraction enabled or disabled
json-logs enabled or disabled
traffic without vlan tags vs traffic with vlan tags
new installation vs upgrade
Zeek cluster mode - PF_RING (lb_method=pf_ring) vs AF_PACKET (lb_method=custom)
weslambert
commented
4 years ago No issues during my testing 👍
dougburks
commented
4 years ago
https://github.com/zeek/zeek/releases/tag/v3.0.5