Closed 0nnyx closed 8 months ago
Posting the steps for people who want to install it manually from the freebsd repo. Note that zeek might become broken if its dependencies get upgraded.
Pkg order matters (top to bottom) due to dependencies
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Digest-HMAC-1.04.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Encode-Locale-1.05.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Error-0.17029.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-GSSAPI-0.28_2.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-HTML-Tagset-3.20_1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-TimeDate-2.33,1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Net-SSLeay-1.92.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Clone-0.46.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Authen-SASL-2.17.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/libssh2-1.11.0,3.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/lbl-cf-1.2.5.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/lbl-hf-1.9.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/ipsumdump-1.86.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-HTTP-Date-6.06.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-IO-HTML-1.004.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-IO-Socket-IP-0.42.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Mozilla-CA-20230821.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-LWP-MediaTypes-6.04.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-IO-Socket-SSL-2.083_1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-URI-5.21.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-HTTP-Message-6.45.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-HTML-Parser-3.81.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-CGI-4.59.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-backports-1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-btest-1.1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-configparser-3.5.3_1,1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-smmap-5.0.1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-semantic-version-2.10.0.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-gitdb-4.0.10.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-gitpython-3.1.30.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/git-2.42.0.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-zkg-2.14.0.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/c-ares-1.20.1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/zeek-6.0.1.pkg
zkg autoconfig zeekctl install
ifconfig to get interface on which zeek should be enabled
Edit /usr/local/etc/node.cfg : change interface to the interface from the step above
Edit /usr/local/etc/zeekctl.cfg : change local.zeek to be /usr/local/share/zeek/site/local.zeek , logs location & notifications if needed
Edit /usr/local/share/zeek/site/local.zeek : tune zeek to your liking
zeekctl deploy to start it
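Added example (mine, not code from the post or from the OPNsense/Zeek projects): the same install run as a script, with the package list kept in the posted order, plus the checks worth running before `zeekctl deploy`. It assumes the FreeBSD:13:amd64 ABI path from the URLs above (override with the hypothetical ZEEK_PKG_ABI variable), that `pkg`, `zeekctl` and `ifconfig` are on PATH, and that node.cfg uses its default `interface=` key. Two caveats a practitioner should keep in mind: `pkg add` with a URL installs whatever file that URL returns, outside the repository catalogue, so only point it at a source you trust; and `pkg lock` afterwards marks zeek so pkg will not reinstall, modify or delete it, but it is not a lock on the dependencies listed above.

```sh
#!/bin/sh
# Added example: ordered manual install of zeek 6.0.1 from pkg.freebsd.org on
# FreeBSD 13 amd64, followed by pre-deploy checks. Not part of the original post.

# Package list in the order given in the post (order matters, top to bottom).
ordered_pkgs() {
    cat <<'EOF'
p5-Digest-HMAC-1.04
p5-Encode-Locale-1.05
p5-Error-0.17029
p5-GSSAPI-0.28_2
p5-HTML-Tagset-3.20_1
p5-TimeDate-2.33,1
p5-Net-SSLeay-1.92
p5-Clone-0.46
p5-Authen-SASL-2.17
libssh2-1.11.0,3
lbl-cf-1.2.5
lbl-hf-1.9
ipsumdump-1.86
p5-HTTP-Date-6.06
p5-IO-HTML-1.004
p5-IO-Socket-IP-0.42
p5-Mozilla-CA-20230821
p5-LWP-MediaTypes-6.04
p5-IO-Socket-SSL-2.083_1
p5-URI-5.21
p5-HTTP-Message-6.45
p5-HTML-Parser-3.81
p5-CGI-4.59
py39-backports-1
py39-btest-1.1
py39-configparser-3.5.3_1,1
py39-smmap-5.0.1
py39-semantic-version-2.10.0
py39-gitdb-4.0.10
py39-gitpython-3.1.30
git-2.42.0
py39-zkg-2.14.0
c-ares-1.20.1
zeek-6.0.1
EOF
}

# Download URL for one package under the layout used in the post.
pkg_url() {
    printf 'https://pkg.freebsd.org/%s/latest/All/%s.pkg\n' "$1" "$2"
}

# Install every package in order; stop at the first failure so a half-installed
# dependency chain is visible instead of silently broken.
install_all() {
    abi="${ZEEK_PKG_ABI:-FreeBSD:13:amd64}"   # assumption: ABI path from the posted URLs
    ordered_pkgs | while read -r name; do
        pkg add "$(pkg_url "$abi" "$name")" || { echo "failed: $name" >&2; exit 1; }
    done || return 1
    # Keep `pkg upgrade` from reinstalling, modifying or deleting zeek itself.
    # This locks only zeek, not the dependencies installed above.
    pkg lock -y zeek
}

# Pre-deploy checks: the interface named in node.cfg must exist, and zeekctl
# must accept the configuration (zeekctl check fails faster than deploy does).
check_config() {
    iface="$(sed -n 's/^interface=//p' /usr/local/etc/node.cfg | head -n 1)"
    [ -n "$iface" ] || { echo "no interface= line in node.cfg" >&2; return 1; }
    ifconfig "$iface" >/dev/null 2>&1 || { echo "interface $iface not found" >&2; return 1; }
    zeekctl check
}

# Usage: sh zeek-install.sh install   (install, check, deploy)
#        sh zeek-install.sh check     (checks only)
case "${1:-}" in
    install) install_all && check_config && zeekctl deploy ;;
    check)   check_config ;;
esac
```

Run it with `install` once, then `check` after every edit to node.cfg, zeekctl.cfg or local.zeek; a failed `zeekctl check` is the point at which to stop, not after `zeekctl deploy` has already restarted the workers.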
The plugin should work now ... it's not a good idea to use pkg add ..
FWIW, pkg-add is better than enabling the FreeBSD repo 😊
Being better than still isn't good :) Nonetheless, plugin works and dependencies fixed
Never mind me, thanks for your work ❤️
Thanks @mimugmail for adding it. I'll stick with the pkg add method for now. v6.0.1 is affected by some potentially nasty vulnerabilities fixed in 6.0.2 available on the freebsd repo. I'm not familiar at all with BSD, so excuse my ignorance. I don't really see how it's complicated to include the zeek port (or any port) as it is, meaning without webUI component, rc config and pkg configuration. Following the logic of other bare plugins, it looks like the Makefile requires the extra include plugins.mk then making the pkg.
Providing a binary package that has a bigger fingerprint will impact everyone. I haven’t checked zeek recently, but bro in the past and the decision was to not include it due to impact (build time, package size, download size increase on major upgrades, mirror throughput and space requirements). I will check again next week, but usually these things are almost never moving into a better direction (which is understandable).
All valid points and ultimately you and your team's decision. Your choice won't change much as long as there is a way to sideload freebsd pkgs or build them if needed. It would be a nice-to-have.
Can't comment on the build time or its potential size increase across versions. Sizes are shown at https://freebsd.pkgs.org/13/freebsd-amd64/zeek-6.0.2.pkg.html. RAM usage with the default config is around 150MB for one interface.
Unrelated, sarg or lightsquid (squid stats viewer) and passivedns (historical dns resolutions logger) would also be nice additions imo, maybe kismet (wireless IDS) if a more recent bsd port becomes available.
Don't forget that zeek has quite a few dependencies which need building and hosting too.
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.
Is your feature request related to a problem? Please describe. I would like Zeek to be supported on opnsense. It's a behavior-based IDS as opposed to Suricata which is signature-based IDS/IPS. Given almost all traffic is encrypted nowadays, Zeek is more relevant than Suricata. Its logs allow alerting on long connections, malware hashes, bruteforce attempts, C2 beacon behavior, suspicious DNS, lateral movement and more.
Describe the solution you'd like A working zeek pkg/plugin on opnsense to configure via shell. No need for any UI.
Describe alternatives you've considered Zeek plugin from mimugmail but not working, not maintained and not officially supported
Additional context For reference : https://github.com/opnsense/ports/tree/master/security/zeek Bro (zeek predecessor) support was requested in 2017 : https://github.com/opnsense/plugins/issues/453 Mimugmail managed to have Zeek working on a previous opnsense & zeek version - https://github.com/mimugmail/opn-repo Not to compare but pfsense supports Zeek for years
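As an added example (mine, not from the issue or from Zeek), one of the behaviours the request lists, long-lived connections, checked over Zeek's conn.log with plain awk rather than a Zeek script, so it also runs against a log copied off the firewall. The sample log is constructed here with only the subset of conn.log columns the check needs; a real conn.log has more columns, which is why the script locates columns by name from the `#fields` header instead of by position. The threshold is a parameter, and an unset duration (`-`, typical for half-open `S0` connections) is skipped rather than compared as zero.

```sh
#!/bin/sh
# Added example: flag connections in a Zeek conn.log whose duration meets or
# exceeds a threshold in seconds. Not part of the original issue.

# Constructed sample in Zeek's default TSV layout (subset of the real columns).
# Row 3 has an unset duration ("-"), which the check must skip.
sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n'
    printf '1700000000.1\tCa1\t10.0.0.5\t51234\t203.0.113.7\t443\ttcp\tssl\t7243.5\t1200\t900\tSF\n'
    printf '1700000001.2\tCb2\t10.0.0.6\t51235\t198.51.100.9\t53\tudp\tdns\t0.02\t60\t120\tSF\n'
    printf '1700000002.3\tCc3\t10.0.0.7\t51236\t203.0.113.8\t443\ttcp\tssl\t-\t-\t-\tS0\n'
    printf '1700000003.4\tCd4\t10.0.0.5\t51237\t203.0.113.9\t8443\ttcp\t-\t3600\t500\t500\tSF\n'
}

# long_connections MIN_SECONDS < conn.log
# Prints: uid, originator, responder:port, duration (tab-separated) for every
# row whose duration is set and >= MIN_SECONDS. Columns are resolved from the
# #fields header so the real conn.log's extra columns do not matter.
long_connections() {
    awk -F'\t' -v min="$1" '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }  # $1 is "#fields"
        /^#/       { next }                                              # other metadata lines
        {
            d = $col["duration"]
            if (d == "-") next                                           # duration unset
            if (d + 0 >= min + 0)
                print $col["uid"] "\t" $col["id.orig_h"] "\t" $col["id.resp_h"] ":" $col["id.resp_p"] "\t" d
        }'
}

# Usage against a live log: long_connections 3600 < /usr/local/var/logs/current/conn.log
# Demo on the constructed sample:
sample_conn_log | long_connections 3600
```

On the sample, a one-hour threshold reports Ca1 (a two-hour TLS session) and Cd4 (exactly 3600 s to port 8443), skips Cc3 because its duration is unset, and ignores the short DNS lookup. For a beacon-style check the same header-driven column lookup works over `ts` grouped by originator/responder pair; only the condition in the last rule changes.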