Zeek IDS install - duckwed/my-learning-road-of-security GitHub Wiki
This walkthrough was done in a test environment and the whole install is run as root; in production, use a non-root account!
I. System environment: Ubuntu 16.04 LTS, kernel `Linux 4.4.0-170-generic #199-Ubuntu SMP Thu Nov 14 01:45:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux`
II. Update the system first
- sudo su
- apt-get update -y
- apt-get upgrade -y
- apt-get dist-upgrade -y
- reboot
- sudo apt-mark hold linux-image-generic linux-headers-generic (hold the kernel packages so a later upgrade does not replace the kernel that the pf_ring module is built against below)
III. Install PF_RING. The NIC driver path needs it for high-volume capture; here it is built from source. The kernel module is compiled against the headers of the running kernel, so it has to be rebuilt after any kernel change (which is why the kernel packages were held above).
- apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libgeoip-dev build-essential libelf-dev gdb sendmail -y
- cd /opt
- git clone https://github.com/ntop/PF_RING.git
- cd PF_RING/kernel
- make
- insmod ./pf_ring.ko
- cd ../userland
- make
- cd lib
- ./configure --prefix=/opt/PF_RING
- make install
- cd ../libpcap
- ./configure --prefix=/opt/PF_RING/
- make install
- cd ../tcpdump-*
- ./configure --prefix=/opt/PF_RING/
- make install
- cd ../../kernel
- make
- make install
- echo "pf_ring" >> /etc/modules
- reboot
- lsmod | grep pf_ring (check that the module was loaded at boot)
IV. Install Zeek/Bro from source
- sudo su
- apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev git -y
- cd /tmp
- git clone --recursive https://github.com/zeek/zeek
- cd zeek
- ./configure --with-pcap=/opt/PF_RING --prefix=/opt/bro/ (--with-pcap makes Zeek link the PF_RING libpcap instead of the distribution one; without it the module is loaded but never used)
- make
- make install
- echo 'export PATH=/opt/bro/bin:$PATH' > /etc/profile.d/zeek.sh (the original page wrote `$PATH:/opt/bro/bin` into /etc/environment; that file is read by pam_env as plain KEY=VALUE lines, does not expand `$PATH`, and overwriting it with `>` clobbers the system PATH line, so a profile.d snippet is used instead)
- export PATH=/opt/bro/bin:$PATH
Note: during the Zeek build the default gcc turned out to be too old and had to be upgraded; the upgrade steps are in the last part of this document.
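Two things go wrong silently with this build: the pf_ring module is not loaded after a kernel change, or Zeek was linked against the distribution libpcap instead of the PF_RING one (in which case --with-pcap did nothing and capture falls back to the normal kernel path). The script below, an added example that is not from this wiki page or from the Zeek/ntop projects, checks both. It assumes the /opt/PF_RING and /opt/bro prefixes used above and that it is saved as verify_pfring_zeek.sh; the live checks only run under that file name so the helper functions can also be sourced from another script.

```shell
#!/bin/sh
# Post-install checks for the PF_RING + Zeek build (added example; assumes the
# prefixes used on this page, overridable through the environment).
PFRING_PREFIX="${PFRING_PREFIX:-/opt/PF_RING}"
ZEEK_PREFIX="${ZEEK_PREFIX:-/opt/bro}"

# module_loaded LSMOD_OUTPUT
# Returns 0 when pf_ring appears as a module name (first column of lsmod).
module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "pf_ring" { found = 1 } END { exit found ? 0 : 1 }'
}

# links_pfring_pcap LDD_OUTPUT PREFIX
# Returns 0 when the libpcap that ldd resolves for the binary lives under
# PREFIX. If Zeek picked up /usr/lib's libpcap instead, packets never reach
# pf_ring even though the module is loaded.
links_pfring_pcap() {
    printf '%s\n' "$1" | awk -v prefix="$2" '
        $1 ~ /^libpcap\.so/ && $2 == "=>" && index($3, prefix) == 1 { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# run_checks: run the checks against the live system, one line per check,
# returning non-zero if any of them fails.
run_checks() {
    status=0
    if module_loaded "$(lsmod)"; then
        echo "ok   pf_ring module loaded"
    else
        echo "FAIL pf_ring module not loaded (insmod it or check /etc/modules)"
        status=1
    fi
    if [ -r /proc/net/pf_ring/info ]; then
        echo "ok   /proc/net/pf_ring/info present"
    else
        echo "FAIL /proc/net/pf_ring/info missing"
        status=1
    fi
    zeek_bin="$ZEEK_PREFIX/bin/zeek"
    if [ -x "$zeek_bin" ] && links_pfring_pcap "$(ldd "$zeek_bin")" "$PFRING_PREFIX"; then
        echo "ok   $zeek_bin links libpcap from $PFRING_PREFIX"
    else
        echo "FAIL $zeek_bin does not link $PFRING_PREFIX/lib/libpcap (re-run configure with --with-pcap=$PFRING_PREFIX)"
        status=1
    fi
    return $status
}

# Only run the live checks when executed under the expected script name, so
# the functions above can be sourced elsewhere without side effects.
case "${0##*/}" in
    verify_pfring_zeek.sh) run_checks ;;
esac
```

Run it as `sh verify_pfring_zeek.sh` after the reboot; a FAIL on the last line is the one to fix before going any further, because zeekctl will happily start workers that capture through the ordinary libpcap.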
V. Managing Zeek with ZeekControl. This walkthrough covers a single instance; for a cluster install, see the official documentation. After installation the tree lives under /opt/bro/...
Zeek needs three configuration files: node.cfg, networks.cfg and zeekctl.cfg.
- node.cfg: the interface to sniff on and the number of sniffing processes.
- networks.cfg: the local address ranges, i.e. the production or LAN subnets that Zeek should treat as local.
- zeekctl.cfg: log, spool and mail settings; the defaults can be left as they are.
Executables live in /opt/bro/bin and the configuration files in /opt/bro/etc.
1. cd /opt/bro/bin
2. ./zeekctl, then at the [ZeekControl] > prompt run check, then install, then start; Zeek is now running.
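The "number of sniffing processes" in node.cfg is the worker option lb_procs, and it only exists in the cluster layout; a plain type=standalone node cannot load-balance across pf_ring. The script below, an added example that is not from this wiki page or from the Zeek project, therefore writes a single-host cluster (manager, logger, proxy and one pf_ring load-balanced worker, all on localhost) plus an RFC 1918 networks.cfg, and sanity-checks the node.cfg before installing it. It assumes the /opt/bro prefix from this page, the interface name and worker count passed on the command line, and the file name zeek_single_host_cfg.sh (the write only happens under that name so the functions can be sourced).

```shell
#!/bin/sh
# Generate and check ZeekControl node.cfg / networks.cfg for one host
# (added example; assumes the /opt/bro prefix used on this page).
ZEEK_ETC="${ZEEK_ETC:-/opt/bro/etc}"

# render_node_cfg IFACE NPROCS
# Single-host cluster: pf_ring splits IFACE across NPROCS worker processes
# (lb_method/lb_procs), each pinned to its own core 0..NPROCS-1. Adjust
# pin_cpus if the box has fewer cores than workers.
render_node_cfg() {
    iface="$1"; nprocs="$2"
    cpus=$(awk -v n="$nprocs" 'BEGIN { for (i = 0; i < n; i++) printf "%s%d", (i ? "," : ""), i }')
    cat <<EOF
[manager]
type=manager
host=localhost

[logger]
type=logger
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=$iface
lb_method=pf_ring
lb_procs=$nprocs
pin_cpus=$cpus
EOF
}

# render_networks_cfg: address space Zeek treats as "local". RFC 1918 ranges
# are a placeholder; replace them with the site's real subnets.
render_networks_cfg() {
    cat <<'EOF'
10.0.0.0/8      Private IP space
172.16.0.0/12   Private IP space
192.168.0.0/16  Private IP space
EOF
}

# check_node_cfg < node.cfg
# Returns 0 when at least one worker exists, every worker names an
# interface, and any worker that sets lb_procs also sets lb_method
# (a load-balanced worker without lb_method is the usual mistake).
check_node_cfg() {
    awk -F= '
        /^\[/ { flush(); sec = $0; next }
        NF == 2 { kv[$1] = $2 }
        END { flush(); exit (workers > 0 && bad == 0) ? 0 : 1 }
        function flush() {
            if (sec == "") return
            if (kv["type"] == "worker") {
                workers++
                if (kv["interface"] == "") { bad++; print "no interface in " sec > "/dev/stderr" }
                if (kv["lb_procs"] != "" && kv["lb_method"] == "") { bad++; print "lb_procs without lb_method in " sec > "/dev/stderr" }
            }
            split("", kv)
            sec = ""
        }'
}

# write_cfgs IFACE NPROCS: check, then write both files under $ZEEK_ETC.
write_cfgs() {
    render_node_cfg "$1" "$2" | check_node_cfg || return 1
    render_node_cfg "$1" "$2" > "$ZEEK_ETC/node.cfg"
    render_networks_cfg > "$ZEEK_ETC/networks.cfg"
    echo "wrote $ZEEK_ETC/node.cfg and $ZEEK_ETC/networks.cfg; now run zeekctl check, install, start"
}

# Only write files when executed under the expected script name.
case "${0##*/}" in
    zeek_single_host_cfg.sh) write_cfgs "${1:-eth1}" "${2:-4}" ;;
esac
```

Usage: `sh zeek_single_host_cfg.sh eth1 4`, then the check / install / start sequence from step 2 above. Leaving zeekctl.cfg at its defaults is fine, as the page says; node.cfg is the file that decides whether pf_ring is actually used.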