How to set mmdb_dir in Zeek/Bro
I am trying to use the GeoIP feature in Bro/Zeek.
From the official Zeek Documentation:
If you see an error message similar to “Failed to open GeoIP location database”, then you may need to either rename or move your GeoIP location database file. If the mmdb_dir value is set to a directory pathname (it is not set by default), then Zeek looks for location database files in that directory.
OK, mmdb_dir is not set:
/pcap # zeek -e "print mmdb_dir;"
/pcap #
I downloaded the mmdb files from Maxmind and copied them into the pcap folder.
I don't want to add them to the default path; instead I want to configure mmdb_dir permanently. Is that possible, and how?
Additional info: I am running version 3.0.1 in a docker container, started with the following command:
# on host system
Host:~$ docker run --rm -it \
-v `pwd`/pcap:/pcap \
-v `pwd`/local.zeek:/usr/local/zeek/share/zeek/site/local.zeek \
--entrypoint /bin/sh \
blacktop/zeek
# now in docker container
/pcap # zeek --version
zeek version 3.0.1
/pcap # zeek -e "print lookup_location(8.8.8.8);"
error in <command line>, line 1: Failed to open GeoIP location database (lookup_location(8.8.8.8))
[country_code=<uninitialized>, region=<uninitialized>, city=<uninitialized>, latitude=<uninitialized>, longitude=<uninitialized>]
fatal error in <command line>, line 3: errors occurred while initializing
Link to the container description on GitHub: https://github.com/blacktop/docker-zeek.
It works fine when copying/mounting the *.mmdb files to /usr/local/share/GeoIP.
Update:
I added the redef (thx to ) to /usr/local/zeek/share/zeek/site/local.zeek:
##! Local site policy. Customize as appropriate.
##!
##! This file will not be overwritten when upgrading or reinstalling!
# This script logs which scripts were loaded during each run.
@load misc/loaded-scripts
# Apply the default tuning scripts for common tuning settings.
@load tuning/defaults
# Estimate and log capture loss.
@load misc/capture-loss
# Enable logging of memory, packet and lag statistics.
@load misc/stats
# Load the scan detection script. It's disabled by default because
# it often causes performance issues.
#@load misc/scan
# Detect traceroute being run on the network. This could possibly cause
# performance trouble when there are a lot of traceroutes on your network.
# Enable cautiously.
#@load misc/detect-traceroute
# Generate notices when vulnerable versions of software are discovered.
# The default is to only monitor software found in the address space defined
# as "local". Refer to the software framework's documentation for more
# information.
@load frameworks/software/vulnerable
# Detect software changing (e.g. attacker installing hacked SSHD).
@load frameworks/software/version-changes
# This adds signatures to detect cleartext forward and reverse windows shells.
@load-sigs frameworks/signatures/detect-windows-shells
# Load all of the scripts that detect software in various protocols.
@load protocols/ftp/software
@load protocols/smtp/software
@load protocols/ssh/software
@load protocols/http/software
# The detect-webapps script could possibly cause performance trouble when
# running on live traffic. Enable it cautiously.
#@load protocols/http/detect-webapps
# This script detects DNS results pointing toward your Site::local_nets
# where the name is not part of your local DNS zone and is being hosted
# externally. Requires that the Site::local_zones variable is defined.
@load protocols/dns/detect-external-names
# Script to detect various activity in FTP sessions.
@load protocols/ftp/detect
# Scripts that do asset tracking.
@load protocols/conn/known-hosts
@load protocols/conn/known-services
@load protocols/ssl/known-certs
# This script enables SSL/TLS certificate validation.
@load protocols/ssl/validate-certs
# This script prevents the logging of SSL CA certificates in x509.log
@load protocols/ssl/log-hostcerts-only
# Uncomment the following line to check each SSL certificate hash against the ICSI
# certificate notary service; see http://notary.icsi.berkeley.edu .
# @load protocols/ssl/notary
# If you have GeoIP support built in, do some geographic detections and
# logging for SSH traffic.
@load protocols/ssh/geo-data
# Detect hosts doing SSH bruteforce attacks.
@load protocols/ssh/detect-bruteforcing
# Detect logins using "interesting" hostnames.
@load protocols/ssh/interesting-hostnames
# Detect SQL injection attacks.
@load protocols/http/detect-sqli
#### Network File Handling ####
# Enable MD5 and SHA1 hashing for all files.
@load frameworks/files/hash-all-files
# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
@load frameworks/files/detect-MHR
# Extend email alerting to include hostnames
@load policy/frameworks/notice/extend-email/hostnames
# Uncomment the following line to enable detection of the heartbleed attack. Enabling
# this might impact performance a bit.
# @load policy/protocols/ssl/heartbleed
# Uncomment the following line to enable logging of connection VLANs. Enabling
# this adds two VLAN fields to the conn.log file.
# @load policy/protocols/conn/vlan-logging
# Uncomment the following line to enable logging of link-layer addresses. Enabling
# this adds the link-layer address for each connection endpoint to the conn.log file.
# @load policy/protocols/conn/mac-logging
# I added this line:
redef mmdb_dir = "/pcap";
But the database is still not loaded unless I tell zeek to use the local config (RTFM).
/pcap # zeek -e "print lookup_location(8.8.8.8);" local "Site::local_nets += { 192.168.0.0/24 }"
[country_code=US, region=<uninitialized>, city=<uninitialized>, latitude=37.751, longitude=-97.822]
The variable is defined as a redefinable constant (with an empty string value) in the init-bare.zeek file shipped with the distribution. So just put
redef mmdb_dir = "/pcap";
(or whatever the final destination is) in your local.zeek file and you should be all set.
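One way to avoid the trap the question ran into (the redef lives in local.zeek, which is only read when `local` is passed on the command line): keep the redef in its own site script that is loaded explicitly, and let it verify at startup that the lookup really works. This is an added example, not code from the question, the answer or the Zeek project; the file name geoip.zeek is hypothetical, and the directory /pcap and the probe address 8.8.8.8 are taken from the question.

```zeek
##! geoip.zeek (hypothetical name): point Zeek at the MaxMind databases and
##! self-check at startup. Load it explicitly, e.g. `zeek -r trace.pcap geoip.zeek`,
##! or add `@load ./geoip` to local.zeek. A redef only takes effect if the script
##! containing it is actually loaded, which is why `zeek -e ...` alone did not see
##! the redef placed in local.zeek.

# Directory holding GeoLite2-City.mmdb / GeoIP2-City.mmdb, the file names Zeek
# searches for when mmdb_dir is set (the quoted docs hint at this with "rename or move").
redef mmdb_dir = "/pcap";

event zeek_init()
    {
    # Known-good probe address from the question; in the working run it resolved to US.
    local probe = 8.8.8.8;
    local loc = lookup_location(probe);

    if ( loc?$country_code )
        {
        print fmt("GeoIP OK: %s -> %s (mmdb_dir=%s)", probe, loc$country_code, mmdb_dir);
        if ( loc?$latitude && loc?$longitude )
            print fmt("  lat=%s lon=%s", loc$latitude, loc$longitude);
        }
    else
        # When the database cannot be opened Zeek reports "Failed to open GeoIP
        # location database" and, as the question's output shows, treats an error
        # during initialization as fatal. So a wrong mmdb_dir fails loudly here
        # rather than silently leaving geo fields uninitialized in the logs.
        print fmt("GeoIP NOT available for %s; check the *.mmdb files in '%s'",
                  probe, mmdb_dir);
    }
```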