
Homebrew-installed Zeek v4.0.0 on macOS lacks GeoIP support #15

Closed
philrz opened this issue Apr 2, 2021 · 2 comments
@philrz
Contributor

philrz commented Apr 2, 2021

For the Zeek artifacts we build ourselves, we've been linking against libmaxminddb so we can include the https://github.com/brimdata/geoip-conn package and hence provide some geolocation data in the Zeek logs generated from pcaps. However, part of what we're trying to achieve with Brimcap is to make it easier for users to bring their own custom Zeek/Suricata, so we're likely to provide some per-platform guidance regarding this (#14).

One problem I've noticed in this area is that the Homebrew-installed Zeek v4.0.0 currently lacks the ability to run the geoip-conn package via zkg install. It installs ok, but when run:

1583774873.399273 error in /usr/local/Cellar/zeek/4.0.0_1/share/zeek/site/packages/./geoip-conn/./geoip-conn.zeek, line 37: Zeek was not configured for GeoIP support (lookup_location(Conn::c$id$orig_h))

I bumped into this same problem a while back with the Zeek installs for Linux and managed to see it addressed via zeek/zeek#1086. I just hadn't thought to check/pursue the macOS angle at the time. I'm actually uncertain who even has influence over those Homebrew installs, so for now I've just revived a thread on the Zeek public Slack with the Devs that helped last time to see if they have a recommendation for how to proceed. If it can't be addressed in a timely manner, we can just highlight it in the guidance proposed in #14.

@philrz
Contributor Author

philrz commented Apr 3, 2021

The Zeek devs confirmed they had no control over the Homebrew build, so I've taken my shot with a PR at Homebrew/homebrew-core#74498. 🤞

@philrz philrz self-assigned this Apr 3, 2021
@philrz
Contributor Author

philrz commented Apr 5, 2021

The issue was, indeed, addressed via Homebrew/homebrew-core#74498. Now that new bottles are available that include this fix, here's a run-through of setting up a Homebrew-installed Zeek with zkg-installed geoip-conn and getting back GeoIP data on a scratch macOS host.

Mac-1617657383719:~ runner$ brew update
Mac-1617657383719:~ runner$ brew install zeek
Mac-1617657383719:~ runner$ wget https://archive.wrccdc.org/pcaps/2018/wrccdc.2018-03-23.010014000000000.pcap.gz
Mac-1617657383719:~ runner$ gunzip wrccdc.2018-03-23.010014000000000.pcap.gz 
Mac-1617657383719:~ runner$ sudo pip3 install zkg
Mac-1617657383719:~ runner$ sudo zkg autoconfig
Mac-1617657383719:~ runner$ sudo zkg install --force geoip-conn
Mac-1617657383719:~ runner$ zeek -C -r wrccdc.2018-03-23.010014000000000.pcap --exec "@load packages" local
Mac-1617657383719:~ runner$ zq -f table 'count() by geo | sort -r' conn.log
GEO.ORIG.COUNTRY_CODE GEO.ORIG.REGION GEO.ORIG.CITY GEO.ORIG.LATITUDE GEO.ORIG.LONGITUDE GEO.RESP.COUNTRY_CODE GEO.RESP.REGION GEO.RESP.CITY GEO.RESP.LATITUDE GEO.RESP.LONGITUDE COUNT
-                     -               -             -                 -                  -                     -               -             -                 -                  394590
-                     -               -             -                 -                  US                    -               -             37.751            -97.822            707
-                     -               -             -                 -                  US                    UT              Bluffdale     40.4953           -111.9439          76
-                     -               -             -                 -                  US                    CA              San Jose      37.1807           -121.787           33
-                     -               -             -                 -                  US                    CA              Marina        36.6841           -121.7886          17
-                     -               -             -                 -                  US                    VA              Ashburn       39.0481           -77.4728           16
-                     -               -             -                 -                  US                    CA              Santa Clara   37.353            -121.9544          15
-                     -               -             -                 -                  US                    OR              Boardman      45.8491           -119.7143          14
-                     -               -             -                 -                  US                    CA              Los Angeles   34.0544           -118.244           13
-                     -               -             -                 -                  US                    WA              Seattle       47.6032           -122.3412          8
-                     -               -             -                 -                  US                    WY              Cheyenne      41.1437           -104.8117          7
-                     -               -             -                 -                  DE                    -               -             51.2993           9.491              6
-                     -               -             -                 -                  US                    CA              Fremont       37.5097           -121.9021          4
-                     -               -             -                 -                  US                    IA              Des Moines    41.6015           -93.6127           3
-                     -               -             -                 -                  IE                    L               Dublin        53.3379           -6.2591            3
-                     -               -             -                 -                  AT                    9               Vienna        48.1951           16.3483            2
-                     -               -             -                 -                  SK                    BL              Bratislava    48.1833           17.0379            2
-                     -               -             -                 -                  GB                    ENG             Durham        54.7699           -1.559             2
-                     -               -             -                 -                  FR                    -               -             48.8582           2.3387             2
-                     -               -             -                 -                  JP                    13              Tokyo         35.6865           139.7458           2
-                     -               -             -                 -                  UA                    56              Rivne         50.6223           26.2396            2
-                     -               -             -                 -                  US                    NV              Reno          39.3809           -119.6859          2
-                     -               -             -                 -                  GB                    -               -             51.4964           -0.1224            2
-                     -               -             -                 -                  US                    IL              Chicago       41.8483           -87.6517           2
-                     -               -             -                 -                  US                    VA              Washington    38.7095           -78.1539           2
-                     -               -             -                 -                  US                    VA              Chantilly     38.8879           -77.4448           1
-                     -               -             -                 -                  US                    PA              Easton        40.7449           -75.2217           1
-                     -               -             -                 -                  US                    GA              Atlanta       33.7697           -84.3754           1
-                     -               -             -                 -                  SG                    -               Singapore     1.3029            103.857            1
-                     -               -             -                 -                  FR                    IDF             Paris         48.8607           2.3281             1
-                     -               -             -                 -                  NL                    -               -             52.3824           4.8995             1
-                     -               -             -                 -                  RU                    -               -             55.7386           37.6068            1
-                     -               -             -                 -                  LV                    RIX             Riga          56.9496           24.0978            1
-                     -               -             -                 -                  US                    VA              -             38.6583           -77.2481           1
-                     -               -             -                 -                  US                    NY              New York      40.7316           -73.9985           1
-                     -               -             -                 -                  KR                    -               -             37.5112           126.9741           1
-                     -               -             -                 -                  US                    MN              Alvarado      48.202            -96.9915           1
-                     -               -             -                 -                  FR                    GES             Strasbourg    48.5855           7.7418             1
-                     -               -             -                 -                  US                    TX              Richardson    32.9473           -96.7028           1
-                     -               -             -                 -                  NL                    NH              Amsterdam     52.3006           4.9479             1
-                     -               -             -                 -                  US                    CA              Santee        32.8466           -116.977           1
-                     -               -             -                 -                  KR                    11              Seoul         37.5985           126.9783           1
-                     -               -             -                 -                  US                    NJ              Cedar Knolls  40.8229           -74.4592           1
-                     -               -             -                 -                  JP                    27              Osaka         34.6851           135.5136           1
-                     -               -             -                 -                  IN                    MH              Pune          18.6161           73.7286            1
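The zq query above works because the geoip-conn package adds `geo.*` columns to conn.log; when Zeek was built without GeoIP support those columns never appear, so a quick way to confirm the fix took is to inspect the log header itself. The following is an added example, not code from this issue, from Brimcap or from the geoip-conn package: it parses Zeek's TSV conn.log format (honouring `#fields` and `#unset_field`), reports which `geo.*` columns are present, and reproduces the "count by responder geolocation" aggregation in plain Python. The log excerpt is constructed, and the `geo.orig.*` / `geo.resp.*` column names are assumed from the zq table headers above rather than copied from the package source.

```python
from collections import Counter

GEO_PREFIX = "geo."

# Constructed conn.log excerpt for this example (not real capture data).
# The geo.* column names mirror the zq table above and are assumed.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tgeo.orig.country_code\tgeo.orig.region\tgeo.orig.city"
    "\tgeo.resp.country_code\tgeo.resp.region\tgeo.resp.city\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tstring\tstring\tstring\tstring\tstring\n"
    "1521763214.000000\tCabc1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp"
    "\t-\t-\t-\tUS\tUT\tBluffdale\n"
    "1521763215.000000\tCabc2\t10.0.0.6\t51235\t192.0.2.11\t80\ttcp"
    "\t-\t-\t-\tUS\tUT\tBluffdale\n"
    "1521763216.000000\tCabc3\t10.0.0.7\t51236\t198.51.100.7\t22\ttcp"
    "\t-\t-\t-\tDE\t-\t-\n"
    "1521763217.000000\tCabc4\t10.0.0.8\t51237\t10.0.0.9\t53\tudp"
    "\t-\t-\t-\t-\t-\t-\n"
    "#close\t2018-03-23-01-00-17\n"
)


def parse_zeek_tsv(text):
    """Yield one dict per record from a Zeek TSV log.

    Column names come from the #fields header line; values equal to the
    declared #unset_field marker (default "-") are returned as None.
    """
    fields, unset = None, "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield {name: (None if v == unset else v) for name, v in zip(fields, values)}


def geo_fields_present(text):
    """Return the geo.* column names declared in the log header.

    An empty list means the conn.log carries no geolocation enrichment,
    which is what you get when Zeek was not configured for GeoIP support.
    """
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            return [f for f in line.split("\t")[1:] if f.startswith(GEO_PREFIX)]
    return []


def count_by_resp_geo(text):
    """Count records per (resp country, region, city), most frequent first.

    Records without geo columns, or with them unset, land in the
    (None, None, None) bucket, matching the "-" rows in the zq output.
    """
    counts = Counter(
        (r.get("geo.resp.country_code"), r.get("geo.resp.region"), r.get("geo.resp.city"))
        for r in parse_zeek_tsv(text)
    )
    # Sort by descending count, then by location so ties are deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], tuple(x or "" for x in kv[0])))


if __name__ == "__main__":
    present = geo_fields_present(SAMPLE_CONN_LOG)
    print("geo columns:", ", ".join(present) if present else "NONE (no GeoIP enrichment)")
    for (cc, region, city), n in count_by_resp_geo(SAMPLE_CONN_LOG):
        print(f"{cc or '-':<4}{region or '-':<6}{city or '-':<14}{n}")
```

To run this against a real log, replace `SAMPLE_CONN_LOG` with the contents of the conn.log Zeek wrote from the pcap; an empty result from `geo_fields_present` is the header-level equivalent of the "Zeek was not configured for GeoIP support" error quoted in the first comment.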

@philrz philrz closed this as completed Apr 5, 2021