opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

Zeek IDS plugin #3594

Closed 0nnyx closed 7 months ago

0nnyx commented 1 year ago

Is your feature request related to a problem? Please describe.
I would like Zeek to be supported on opnsense. It's a behavior-based IDS, as opposed to Suricata, which is a signature-based IDS/IPS. Given that almost all traffic is encrypted nowadays, Zeek is more relevant than Suricata. Its logs allow alerting on long connections, malware hashes, bruteforce attempts, C2 beacon behavior, suspicious DNS, lateral movement and more.

Describe the solution you'd like
A working zeek pkg/plugin on opnsense to configure via shell. No need for any UI.

Describe alternatives you've considered
Zeek plugin from mimugmail, but it is not working, not maintained and not officially supported.

Additional context
For reference: https://github.com/opnsense/ports/tree/master/security/zeek
Bro (zeek predecessor) support was requested in 2017: https://github.com/opnsense/plugins/issues/453
Mimugmail managed to have Zeek working on a previous opnsense & zeek version: https://github.com/mimugmail/opn-repo
Not to compare, but pfsense has supported Zeek for years.

0nnyx commented 11 months ago

Posting the steps for people who want to install it manually from the freebsd repo. Note that zeek might become broken if its dependencies get upgraded.

Pkg order matters (top to bottom) due to dependencies

pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Digest-HMAC-1.04.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Encode-Locale-1.05.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Error-0.17029.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-GSSAPI-0.28_2.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-HTML-Tagset-3.20_1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-TimeDate-2.33,1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Net-SSLeay-1.92.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Clone-0.46.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Authen-SASL-2.17.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/libssh2-1.11.0,3.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/lbl-cf-1.2.5.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/lbl-hf-1.9.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/ipsumdump-1.86.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-HTTP-Date-6.06.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-IO-HTML-1.004.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-IO-Socket-IP-0.42.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-Mozilla-CA-20230821.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-LWP-MediaTypes-6.04.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-IO-Socket-SSL-2.083_1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-URI-5.21.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-HTTP-Message-6.45.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-HTML-Parser-3.81.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/p5-CGI-4.59.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-backports-1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-btest-1.1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-configparser-3.5.3_1,1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-smmap-5.0.1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-semantic-version-2.10.0.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-gitdb-4.0.10.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-gitpython-3.1.30.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/git-2.42.0.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/py39-zkg-2.14.0.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/c-ares-1.20.1.pkg
pkg add https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/zeek-6.0.1.pkg

zkg autoconfig
zeekctl install

ifconfig to get interface on which zeek should be enabled

Edit /usr/local/etc/node.cfg : change interface with the interface from the step above
Edit /usr/local/etc/zeekctl.cfg : change local.zeek to be /usr/local/share/zeek/site/local.zeek , logs location & notifications if needed
Edit /usr/local/share/zeek/site/local.zeek : tune zeek to your liking

zeekctl deploy to start it
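
The manual sequence above, wrapped as a fail-fast script; this is an added example, not code from the issue or from the plugin. It assumes the package names are kept in a text file in the same dependency order as the list above (hypothetical file zeek-pkgs.txt), and it stops at the first failed pkg add instead of leaving zeek half-installed, skips packages already present so it can be rerun, and edits the interface= line of node.cfg instead of relying on a hand edit.

```shell
#!/bin/sh
# Added example (not from the issue thread): fail-fast wrapper around the
# manual FreeBSD-package install steps, plus the node.cfg interface edit.
# Assumptions: package list file (hypothetical zeek-pkgs.txt) lists one package
# name per line in dependency order; ZEEK_NODE_CFG overrides the config path.
set -eu

PKG_BASE="https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All"

# Download URL for one package name from the list (e.g. zeek-6.0.1).
pkg_url() {
    printf '%s/%s.pkg\n' "$PKG_BASE" "$1"
}

# Install packages in file order. 'set -e' aborts on the first failed pkg add,
# so a broken dependency is noticed before zeek itself is installed.
# Packages already present (pkg info -e) are skipped, so the run is repeatable.
install_ordered() {
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        case "$name" in '#'*) continue ;; esac
        if pkg info -e "$name" 2>/dev/null; then
            echo "already installed: $name"
            continue
        fi
        echo "installing: $name"
        pkg add "$(pkg_url "$name")"
    done < "$1"
}

# Rewrite the interface= line of node.cfg; fails (returns 1) when the file
# has no interface= line, so a wrong path is not silently accepted.
set_zeek_interface() {
    cfg="$1"; iface="$2"
    grep -q '^interface=' "$cfg" || return 1
    awk -v i="$iface" '/^interface=/ { $0 = "interface=" i } { print }' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    grep '^interface=' "$cfg"
}

# Usage: ./zeek-install.sh run zeek-pkgs.txt <interface from ifconfig>
if [ "${1:-}" = "run" ]; then
    install_ordered "${2:-zeek-pkgs.txt}"
    zkg autoconfig
    zeekctl install
    set_zeek_interface "${ZEEK_NODE_CFG:-/usr/local/etc/node.cfg}" "$3"
    zeekctl deploy
fi
```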

mimugmail commented 11 months ago

The plugin should work now ... it's not a good idea to use pkg add ..

fichtner commented 11 months ago

FWIW, pkg-add is better than enabling the FreeBSD repo 😊

mimugmail commented 11 months ago

Being better than still isn't good :) Nonetheless, plugin works and dependencies fixed

fichtner commented 11 months ago

Never mind me, thanks for your work ❤️

0nnyx commented 11 months ago

Thanks @mimugmail for adding it. I'll stick with the pkg add method for now. v6.0.1 is affected by some potentially nasty vulnerabilities fixed in 6.0.2 available on the freebsd repo. I'm not familiar at all with BSD, so excuse my ignorance. I don't really see how it's complicated to include the zeek port (or any port) as it is, meaning without webUI component, rc config and pkg configuration. Following the logic of other bare plugins, it looks like the Makefile requires the extra include plugins.mk then making the pkg.

fichtner commented 11 months ago

Providing a binary package that has a bigger fingerprint will impact everyone. I haven’t checked zeek recently, but bro in the past and the decision was to not include it due to impact (build time, package size, download size increase on major upgrades, mirror throughput and space requirements). I will check again next week, but usually these things are almost never moving into a better direction (which is understandable).

0nnyx commented 11 months ago

All valid points and ultimately your and your team's decision. Your choice won't change much as long as there is a way to sideload freebsd pkgs or build them if needed. It would be nice to have.

Can't comment on the build time or its potential size increase across versions. Sizes are shown at https://freebsd.pkgs.org/13/freebsd-amd64/zeek-6.0.2.pkg.html. RAM usage with the default config is around 150MB for one interface.

Unrelated, sarg or lightsquid (squid stats viewer) and passivedns (historical dns resolutions logger) would also be nice additions imo, maybe kismet (wireless IDS) if a more recent bsd port becomes available.

mimugmail commented 11 months ago

Don't forget that zeek has quite a few dependencies which need building and hosting too.

OPNsense-bot commented 7 months ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.