updated for zeek 3.1.1

tylabs · Mar 20, 2020 · 5608a42 · 5608a42
1 parent 42e72ea
commit 5608a42
Show file tree

Hide file tree

Showing 11 changed files with 122 additions and 142 deletions.
diff --git a/CLUSTER.md b/CLUSTER.md
@@ -19,7 +19,7 @@ Zeek requires the same OS type, dependent libraries and Zeek version across the
 
 ### On manager:
 
-bro-manager# ssh-keygen 
+zeek-manager# ssh-keygen 
  Generating public/private rsa key pair. 
  Enter file in which to save the key (/root/.ssh/id_rsa): [ Press Enter ] 
  Enter passphrase (empty for no passphrase): [ Press Enter ] 
@@ -51,9 +51,9 @@ See INSTALL.md
 
 ## Setup your cluster:
 
-Note: to use a single standalone server and still use broctl, leave this file unchanged.
+Note: to use a single standalone server and still use zeekctl, leave this file unchanged.
 
-Edit /usr/local/bro/etc/node.cfg::
+Edit /usr/local/zeek/etc/node.cfg::
 [manager]
 type=manager
 host=10.100.1.69
@@ -92,29 +92,29 @@ interface=eth0
 
 ## All:  Deploy and Run Dovehawk on workers:
 
-/usr/local/bro/bin/broctl deploy
+/usr/local/zeek/bin/zeekctl deploy
 
 Check status:
 
-/usr/local/bro/bin/broctl status
+/usr/local/zeek/bin/zeekctl status
 
 Stop:
 
-/usr/local/bro/bin/broctl stop
+/usr/local/zeek/bin/zeekctl stop
 
 Restart / read latest signatures:
 
-/usr/local/bro/bin/broctl restart
+/usr/local/zeek/bin/zeekctl restart
 
 
 ## All: Logs viewing:
 
-/usr/local/bro/logs or /usr/local/bro/spool
+/usr/local/zeek/logs or /usr/local/zeek/spool
 
 ## All: Cron
 
 To keep everything running and also force the reimport of content signatures:
 
-*/5 * * * * /usr/local/bro/bin/broctl cron
-1 22 * * * /usr/local/bro/bin/broctl deploy  > /dev/null 2>&1
+*/5 * * * * /usr/local/zeek/bin/zeekctl cron
+1 22 * * * /usr/local/zeek/bin/zeekctl deploy  > /dev/null 2>&1
 
diff --git a/INSTALL.md b/INSTALL.md
@@ -7,7 +7,7 @@ Adversary Threat Hunting with Zeek (formerly Bro IDS) and MISP.
 
 MISP: Version 2.5 includes the Zeek datamodel required to handle content signatures.
 
-Zeek NSM: tested with version version >2.5.3.
+Zeek NSM: tested with version version >= 3.1.1.
 
 Curl: command line tool for accessing web content, tested with curl 7.54.0.
 
@@ -16,68 +16,68 @@ Curl: command line tool for accessing web content, tested with curl 7.54.0.
 
 Download latest release from GitHub
 
-Edit config.bro and add your MISP API key, your MISP_URL and optional Slack Web Hook URL.
+Edit config.zeek and add your MISP API key, your MISP_URL and optional Slack Web Hook URL.
 
-Locally launch Zeek: bro -i en0 path_to_dovehawk
+Locally launch Zeek: zeek -i en0 path_to_dovehawk
 
 
-## Quick Start - Install package using bro package manager.
+## Quick Start - Install package using zeek package manager.
 
-bro-pkg install https://github.com/tylabs/dovehawk
+zpkg install https://github.com/tylabs/dovehawk
 
-Run package to get local directory: bro -i en0 dovehawk
+Run package to get local directory: zeek -i en0 dovehawk
 
-Edit config.bro and add your MISP API key, your MISP_URL and optional Slack Web Hook URL.
+Edit config.zeek and add your MISP API key, your MISP_URL and optional Slack Web Hook URL.
 
-Run: bro -i en0 dovehawk
+Run: zeek -i en0 dovehawk
 
 
 
 ## Detailed Install
 
-Install bro: brew install bro / yum install bro
+Install zeek: brew install zeek / yum install zeek
 
-Install bro-pkg: sudo pip install bro-pkg
+Install zkg (Zeek package manager): sudo pip install zkg
 
-Setup bro-pkg: bro-pkg autoconfig
+Setup zkg: zkg autoconfig
 
-bro-pkg install https://github.com/tylabs/dovehawk
+zkg install https://github.com/tylabs/dovehawk
 
-check the install: bro -i en0 dovehawk
+check the install: zeek -i en0 dovehawk
 
-edit misp_config.bro to include your MISP API key, MISP URL and optional Slack Web Hook.
+edit config.zeek to include your MISP API key, MISP URL and optional Slack Web Hook.
 
-edit broctl local config: /usr/local/share/bro/site/local.bro:
+edit zeekctl local config: /usr/local/share/zeek/site/local.zeek:
 
-add: @load [FULL PATH]/dovehawk #ie  /usr/local/Cellar/bro/2.5.4/share/bro/site/dovehawk/
+add: @load [FULL PATH]/dovehawk #ie  /usr/local/Cellar/zeek/3.1.1/share/zeek/site/dovehawk/
 
 check eth interface setting: /usr/local/etc/node.cfg
 
-run: broctl deploy
+run: zeekctl deploy
 
-cronjob add: */5 * * * * /usr/local/bin/broctl cron
+cronjob add: */5 * * * * /usr/local/bin/zeekctl cron
 
-restart bro: /usr/local/bin/broctl restart
+restart zeek: /usr/local/bin/zeekctl restart
 
-cronjob to restart bro to reimport signatures: 1 */4 * * * /usr/local/bin/broctl restart
+cronjob to restart zeek to reimport signatures: 1 */4 * * * /usr/local/bin/zeekctl restart
 
 
 ## Monitoring and context
 
-The bro module outputs hits to the console, logs to file, and could send metadata to another web hook.
+The zeek module outputs hits to the console, logs to file, and could send metadata to another web hook.
 
 
 ## Usage
 
-If running bro directly, reference the dovehawk folder:
+If running zeek directly, reference the dovehawk folder:
 
-sudo bro -i en1 [FULL PATH]/dovehawk
+sudo zeek -i en1 [FULL PATH]/dovehawk
 
-If running using the broctl interface, edit the local.bro configuration file in /usr/local/bro/share/bro/site and, at the bottom, add the line:
+If running using the zeekctl interface, edit the local.zeek configuration file in /usr/local/zeek/share/zeek/site and, at the bottom, add the line:
 
 @load [FULL PATH]/dovehawk
 
-then run the broctl deploy sequence to have the scripts installed.
+then run the zeekctl deploy sequence to have the scripts installed.
 
 
 ## Zeek Tips
@@ -89,7 +89,7 @@ When running locally (ie running Zeek on the same system you are generating traf
 
 Add "Log::default_writer=Log::WRITER_NONE" to the command.
 
-bro -i en0 dovehawk Log::default_writer=Log::WRITER_NONE
+zeek -i en0 dovehawk Log::default_writer=Log::WRITER_NONE
 
 
 ## Zeek Health and Clusters
@@ -99,7 +99,7 @@ Depending on the bandwidth - the NETSTATS info will show if dropped packets are
 
 ## Maintenance
 
-For long term monitoring, if not disabling logs as above, use broctl to launch, rotate logs, and restart after crashes.
+For long term monitoring, if not disabling logs as above, use zeekctl to launch, rotate logs, and restart after crashes.
 
 
 
diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright 2018, 2019 Cancyber Inc., Michael Kortekaas @mrkortek, Tyler McLellan @tylabs
+Copyright 2018, 2019 Cancyber Inc., Michael Kortekaas @mrkortek, Copyright 2020 Tyler McLellan @tylabs
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@ Threat Hunting with Zeek (Bro) and MISP
 This module uses Zeek's built-in Intelligence Framework to load and monitor signatures from MISP automatically. Indicators are downloaded from MISP every 4 hours and hits, called sightings, are reported back to MISP immediately. The module also includes a customized version of Jan Grashoefer's expiration code to remove indicators after they are deleted from MISP.
 
 
-Indicators are downloaded and read into memory.  Content signatures in signatures.sig are MISP Network Activity->zeek items downloaded from MISP.  The event text should start with "MISP:" (see Sample Content Signature section for an example).  Zeek must be restarted to ingest the content signatures.  To do this automatically we recommend restarting Zeek using broctl and a restart cron described in included file [INSTALL.md](INSTALL.md)
+Indicators are downloaded and read into memory.  Content signatures in signatures.sig are MISP Network Activity->zeek items downloaded from MISP.  The event text should start with "MISP:" (see Sample Content Signature section for an example).  Zeek must be restarted to ingest the content signatures.  To do this automatically we recommend restarting Zeek using zeekctl and a restart cron described in included file [INSTALL.md](INSTALL.md)
 
 
 Optional Slack.com web hook reporting.
@@ -42,65 +42,65 @@ Optional Slack.com web hook reporting.
 
 ## Sample Content Signature
 
-```bro
+```zeek
 signature eicar_test_content {
   ip-proto == tcp
   payload /.*X5O\!P%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$EICAR\-STANDARD\-ANTIVIRUS\-TEST\-FILE\!\$H\+H\*/
   event "MISP: eicar test file in TCP plain text"
 }
 ```
-*Note: Zeek's default setting is to buffer the [first 1024 bytes of a TCP connection](https://www.bro.org/sphinx-git/frameworks/signatures.html) so signature's should be written with that in mind.*
+*Note: Zeek's default setting is to buffer the [first 1024 bytes of a TCP connection](https://www.zeek.org/sphinx-git/frameworks/signatures.html) so signature's should be written with that in mind.*
 
 ## Indicator Expiration
 
 Indicators are downloaded automatically every 4 hours and are assigned an expiry of 4.5 hours.  A check for expired indicators occurs every 4.5 hours to cleanup any expired indicators between downloads.  As indicators are reingested the expiration time is reset to 4.5 hours.  A message is now printed for each expired indicator.
 
 If an indicator is hit after expiration but before the cleanup, it will trigger a hit/sighting, but the indicator is then deleted immediately so no further hits will occur.
 
-Intervals are set in config.bro.
+Intervals are set in config.zeek.
 
 ### Setting for expired indicator cleanup (should be less then signature_refresh_period)
 
-```bro
+```zeek
 redef Intel::item_expiration = 4.5 hr
 ```
 
 
 ### Setting for MISP download interval
 
-```bro
+```zeek
 global signature_refresh_period = 4hr &redef;
 ```
 
 
 ### Setting for indicator expiration: (should be slightly more than signature_refresh_period)
 
-```bro
+```zeek
 redef Intel::item_expiration = 4.5 hr;
 ```
 
 
 ### Maximum number of hits for an individual item per refresh period
 
-```bro
+```zeek
 global MAX_HITS: int = 100;
 ```
 
 ### Maximum number of DNS hits for an individual item per refresh period
 
-```bro
+```zeek
 global MAX_DNS_HITS: int = 2;
 ```
 
 ### Maximum number of inbound IP hits for an individual item per refresh period
 
-```bro
+```zeek
 global MAX_SCAN_HITS: int = 2;
 ```
 
 ### Ignore hits in SSL certificate when domains don't match the sni host
 
-```bro
+```zeek
 global IGNORE_SNI_MISMATCH: bool = T;
 ```
 

diff --git a/__load__.bro b/__load__.bro
diff --git a/__load__.zeek b/__load__.zeek
@@ -0,0 +1,3 @@
+@load ./scripts/dovehawk_expire
+@load ./scripts/dovehawk
+
diff --git a/config.bro → config.zeek b/config.bro → config.zeek
@@ -5,8 +5,10 @@ redef Intel::item_expiration = 4.5 hr;
 export { 
 
 	global APIKEY = "===your misp key from Event Actions->Automation==="; 
-	global MISP_URL = "https://yourmispsite.com/"; #attributes/bro/download/all
+	global MISP_URL = "https://yourmispsite.com/"; #script will append attributes/text/download/zeek
 	global SLACK_URL = ""; #optional web hook for Slack
+	global SIG_PREFIX = "MISP:"; #prefix for our signatures to hook alerts
+
 
 	# Maximum number of hits per indicator item before suppressing remote alerts
 	global MAX_HITS: int = 100;
@@ -18,6 +20,10 @@ export {
 	#ignore hits in SSL certificate when domains don't match the sni host
 	global IGNORE_SNI_MISMATCH: bool = T;
 
+	#skip signature download if recent
+	global SKIP_SIGNATURE_DOWNLOAD: bool = T;
+
+
 	global signature_refresh_period = 4hr  &redef;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		@load ./scripts/dovehawk_expire
		@load ./scripts/dovehawk