Zeek (BRO) NIDS Installation and SIEM Integration with Rsyslog

Alican Kiraz
4 min read · Feb 5, 2020

Greetings,

I will describe the Zeek installation steps on a CentOS 7 (1810 or 1910) system.

Preparation and requirements:

  • A mirror of the network to be monitored must be forwarded to the machine on which Zeek will be installed
  • The forwarded traffic must be attached to our machine by creating an interface for it

Then follow the steps below:

  • To check the settings of the network interface (EKLENEN_INTERFACE stands for the interface you added):
sudo -s
yum install network-scripts
sudo ethtool -g EKLENEN_INTERFACE

The parameter output is expected to look like the following. To adjust the RX values, use for example “ethtool -G eth0 rx 256 tx 256”.

Ring parameters for enp2s0:
Pre-set maximums:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096
Current hardware settings:
RX: 256
RX Mini: 0
RX Jumbo: 0
TX: 256
  • Then edit “/etc/sysconfig/network-scripts/ifcfg-<interface_name>” and add the parameters below to put the interface fully into listening mode (no IP address, all offloads disabled):
NM_CONTROLLED=no
BOOTPROTO=none
ONBOOT=yes
IPV6INIT=no
ETHTOOL_OPTS="-G ${DEVICE} rx <max ring parameter determined from step 1 above>; -K ${DEVICE} rx off; -K ${DEVICE} tx off; -K ${DEVICE} sg off; -K ${DEVICE} tso off; -K ${DEVICE} ufo off; -K ${DEVICE} gso off; -K ${DEVICE} gro off; -K ${DEVICE} lro off"
  • Then:
systemctl enable network
systemctl restart network
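As an added example (not part of the original post), the following Python parses `ethtool -g` output of the shape shown above and builds the ETHTOOL_OPTS value for the ifcfg file from it, taking the RX ring size from the pre-set maximum as the step above requires. The sample output is a constructed copy of the one shown; the function and variable names are my own.

```python
import re

# Constructed sample, copied in shape from the `ethtool -g` output shown in the post.
SAMPLE_ETHTOOL_G = """\
Ring parameters for enp2s0:
Pre-set maximums:
RX: 4096
RX Mini: 0
RX Jumbo: 0
TX: 4096
Current hardware settings:
RX: 256
RX Mini: 0
RX Jumbo: 0
TX: 256
"""

# Offloads the ifcfg step switches off so the NIC hands Zeek packets as seen on the wire.
OFFLOADS = ("rx", "tx", "sg", "tso", "ufo", "gso", "gro", "lro")


def parse_ring_params(text):
    """Return {'max': {...}, 'current': {...}} from `ethtool -g` output.
    Lines whose value is not a number (some NICs print 'n/a') are ignored."""
    sections = {"Pre-set maximums:": "max", "Current hardware settings:": "current"}
    result = {"max": {}, "current": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line in sections:
            section = sections[line]
            continue
        m = re.match(r"^([A-Za-z ]+):\s+(\d+)$", line)
        if m and section:
            result[section][m.group(1)] = int(m.group(2))
    return result


def needs_resize(params):
    """True when the RX ring is currently smaller than the hardware maximum."""
    return params["current"]["RX"] < params["max"]["RX"]


def ethtool_opts(params):
    """Build the ETHTOOL_OPTS value: grow the RX ring to its maximum, then disable offloads."""
    parts = [f"-G ${{DEVICE}} rx {params['max']['RX']}"]
    parts += [f"-K ${{DEVICE}} {o} off" for o in OFFLOADS]
    return "; ".join(parts)


def ifcfg_line(text):
    """The complete line to paste into ifcfg-<interface>."""
    return f'ETHTOOL_OPTS="{ethtool_opts(parse_ring_params(text))}"'
```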
  • To put the sniffing network interface into promiscuous mode:
nano /etc/systemd/system/promisc.service
  • And configure it as follows (<interface_ismin> is the name of your interface):
[Unit]
Description=Makes an interface run in promiscuous mode at boot
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/ip link set dev <interface_ismin> promisc on
TimeoutStartSec=0
RemainAfterExit=yes
[Install]
WantedBy=default.target
  • After saving and closing nano:
chmod u+x /etc/systemd/system/promisc.service
systemctl start promisc.service
systemctl enable promisc.service
reboot
  • Then check promiscuous mode:
ip a show <interface_ismin> | grep -i promisc
  • To start the Zeek installation steps:
yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel platform-python-devel swig zlib-devel kernel-devel kernel-headers
yum install python-devel
yum groupinstall 'development tools'
  • Python library errors are frequently encountered during the installation steps; to be safe:
sudo yum install -y python36u python36u-libs python36u-devel python36u-pip
sudo yum update
sudo reboot
sudo yum --enablerepo=extras install epel-release
sudo yum install libmaxminddb-devel
  • Then, for the GeoLite steps (use Tab completion to fill in the dated directory name in the mv command):
cd ~
wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
tar xzvf GeoLite2-City.tar.gz
sudo mkdir -p /usr/share/GeoIP
sudo mv GeoLite2-City_YYYYMMDD/GeoLite2-City.mmdb /usr/share/GeoIP/GeoLite2-City.mmdb
  • Let's create a user for monitoring:
sudo groupadd zeek
sudo useradd zeek -g zeek
sudo usermod -aG wheel zeek
sudo passwd zeek (set a password)
su zeek (switch to the zeek user)
cd ~
wget https://www.zeek.org/downloads/zeek-3.0.0.tar.gz
tar -xzvf zeek-3.0.0.tar.gz
cd zeek-3.0.0
./configure --prefix=/opt/zeek
sudo make
sudo make install
sudo setcap cap_net_raw,cap_net_admin=eip /opt/zeek/bin/zeek
sudo setcap cap_net_raw,cap_net_admin=eip /opt/zeek/bin/zeekctl
sudo chown -R zeek:zeek /opt/zeek
nano /etc/profile.d/zeek.sh
pathmunge /opt/zeek/bin
  • To configure Zeek:
nano /opt/zeek/etc/node.cfg
  • Delete the default settings inside and add one worker per forwarded interface (EKLENEN_INTERFACE1 stands for the first forwarded interface). Don't forget to add CPU cores to your virtual machine in proportion to the number of workers:
[logger]
type=logger
host=localhost
[manager]
type=manager
host=localhost
[worker-1]
type=worker
host=localhost
interface=EKLENEN_INTERFACE1
  • Add the parser configuration appropriate for your SIEM. For example, for a JSON parser:
nano /opt/zeek/share/zeek/site/local.zeek

Add the following content:

@load tuning/json-logs.zeek
redef LogAscii::json_timestamps = JSON::TS_ISO8601;
redef LogAscii::use_json = T;

With JSON output enabled, the log files no longer contain the “#” header lines or tab separators, so the tab-to-pipe rewrite in the rsyslog ruleset below passes such lines through unchanged. Next, let's create the rsyslog_00-bro.conf file:

sudo su
nano /etc/rsyslog.d/rsyslog_00-bro.conf

Then write your SIEM IP into the target line of the content and save:

#### BRO IDS configuration file ####
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
# If selinux is enabled run semanage port -a -t syslogd_port_t -p udp 514
#### MODULES ####
module(load="imfile")
#### Templates ####
template(name="BRO_Logs" type="string"
    string="<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %$!msg%\n"
)
#### RULES for where to send Log Files ####
# Send messages over UDP using the BRO_Logs template
ruleset(name="sendBROLogs") {
    # Skip Zeek's "#" header/footer lines (tab-separated log format only)
    if not ($msg startswith "#") then {
        set $!msg = replace($msg, "|", "%7C");  # Escape pipes already present in the data
        set $!msg = replace($!msg, "\t", "|");  # Use "|" as the field separator
        action(
            type="omfwd"
            protocol="udp"
            target="SIEM_IP"  # Replace with the IP address of your SIEM
            port="514"
            template="BRO_Logs"
        )
    }
}
#### Inputs ####
# Comment out sections to not send specific logs
input (
type="imfile"
File="/opt/zeek/logs/current/notice.log"
Tag="bro_notice"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/weird.log"
Tag="bro_weird"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/conn.log"
Tag="bro_conn"
Facility="local0"
Severity="info"
# RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/dns.log"
Tag="bro_dns"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/dhcp.log"
Tag="bro_dhcp"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/http.log"
Tag="bro_http"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/software.log"
Tag="bro_software"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/tunnel.log"
Tag="bro_tunnel"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/smtp.log"
Tag="bro_smtp"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/broker.log"
Tag="bro_broker"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/capture_loss.log"
Tag="bro_capture_loss"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/cluster.log"
Tag="bro_cluster"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/dce_rpc.log"
Tag="bro_dce_rpc"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/files.log"
Tag="bro_files"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/ftp.log"
Tag="bro_ftp"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/irc.log"
Tag="bro_irc"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/kerberos.log"
Tag="bro_kerberos"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/mysql.log"
Tag="bro_mysql"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/ntlm.log"
Tag="bro_ntlm"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/packet_filter.log"
Tag="bro_packet_filter"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/pe.log"
Tag="bro_pe"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/radius.log"
Tag="bro_radius"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/reporter.log"
Tag="bro_reporter"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/rdp.log"
Tag="bro_rdp"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/sip.log"
Tag="bro_sip"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/smb_files.log"
Tag="bro_smb_files"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/smb_mapping.log"
Tag="bro_smb_mapping"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/snmp.log"
Tag="bro_snmp"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/ssh.log"
Tag="bro_ssh"
Facility="local0"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/ssl.log"
Tag="bro_ssl"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/stats.log"
Tag="bro_stats"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
input (
type="imfile"
File="/opt/zeek/logs/current/x509.log"
Tag="bro_x509"
Facility="local7"
Severity="info"
RuleSet="sendBROLogs"
)
  • Create the file with the content above, then restart rsyslog. Deploy Zeek and check its status. If you get an error, check with “zeekctl diag”. Note that in the conn.log input above only the RuleSet line is commented out, so that input still runs and its lines fall through to rsyslog's default ruleset (on a stock CentOS 7 rsyslog.conf that means /var/log/messages); to skip a log entirely, comment out its whole input block:
service rsyslog restart
zeekctl deploy
zeekctl status
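To see what the SIEM actually receives, here is an added Python example (not from the original post) that mirrors the sendBROLogs ruleset and the BRO_Logs template over constructed sample lines: a tab-separated http.log record whose user_agent contains a pipe, and a JSON record of the kind Zeek writes once use_json is enabled. It assumes that for imfile input PROCID, MSGID and STRUCTURED-DATA render as “-”, that APP-NAME is the input's Tag, and a hostname of zeek-sensor.

```python
import json
from datetime import datetime, timezone

# Syslog numeric codes used by the PRI calculation: PRI = facility * 8 + severity.
FACILITY = {"local0": 16, "local7": 23}
SEVERITY = {"info": 6}

# Constructed sample input: Zeek's default tab-separated http.log (two header lines
# plus one record whose user_agent contains a pipe), and one JSON record of the kind
# Zeek emits once LogAscii::use_json = T is set.
TSV_LINES = [
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\thost\tuser_agent",
    "1580900000.123\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t198.51.100.7\texample.test\tcurl/7.64|test",
]
JSON_LINE = json.dumps({"ts": 1580900000.123, "uid": "CHhAvVGS1DHFjwGM9",
                        "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7"})


def send_bro_logs(msg):
    """Mirror of the sendBROLogs ruleset: skip '#' header/footer lines, escape pipes
    that are already in the data, then turn tabs into pipes. None means 'not sent'."""
    if msg.startswith("#"):
        return None
    return msg.replace("|", "%7C").replace("\t", "|")


def bro_logs_template(msg, tag, facility, severity, hostname="zeek-sensor", ts=None):
    """Render the BRO_Logs template. Assumption: for imfile input the PROCID, MSGID and
    STRUCTURED-DATA properties come out as '-', and APP-NAME is the input's Tag."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    ts = ts or datetime.now(timezone.utc).isoformat()
    return f"<{pri}>1 {ts} {hostname} {tag} - - - {msg}"


def forward(lines, tag="bro_http", facility="local0", severity="info",
            ts="2020-02-05T10:00:00+00:00"):
    """Run every line through the ruleset and return the datagrams the SIEM would get."""
    out = []
    for line in lines:
        body = send_bro_logs(line)
        if body is not None:
            out.append(bro_logs_template(body, tag, facility, severity, ts=ts))
    return out


if __name__ == "__main__":
    for dgram in forward(TSV_LINES) + forward([JSON_LINE], tag="bro_ssl", facility="local7"):
        print(dgram)
```

The header lines are dropped, the pipe inside user_agent survives as %7C, and the JSON record reaches the SIEM byte-for-byte intact.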

Alican Kiraz

Head of Cyber Defense Center | CSIE | CSAE | CCISO | CASP+ | OSCP | eCIR | CPENT | eWPTXv2 | eCDFP | eCTHPv2 | OSWP | CEH Master | Pentest+ | CySA+ and more...