Zeek - from yesterday's meeting
Guys,

I'm looking into Zeek and unfortunately I don't have a second ethernet port on my main system, so it's not clear how I'd run a span port off my main switch to grab traffic.

What hardware do people recommend for a zeek data collection node? I guess I could spin up my old WRAP board (http://www.pcengines.ch) which I used as my main router for years before I replaced it recently. But it's not super fast. It's got three 1 Gb ports, and 4 GB of RAM with a 1 GHz single core AMD CPU. So it might do the job, esp. since I can install Debian Buster on there without too much trouble. Sweet!

John
From time to time I used a USB Ethernet port: https://www.bestbuy.com/site/shop/usb-to-ethernet-adapter

Generally they are about 25 USD. You might be able to find them on eBay or other places for less than that. You might as well get a USB 3.0, since it will work with USB 2.0 ports, but USB 2.0 will not support 1 Gbit/second, whereas USB 3.0 will. On the other hand, if the networking flow is not 1 Gbit/second then USB 2.0 might work fine.

I have found the Linux support for these generic USB Ethernet devices to be generally good.

md

On Fri, Apr 9, 2021 at 5:09 PM John Stoffel via WLUG <wlug@lists.wlug.org> wrote:
John

_______________________________________________
WLUG mailing list -- wlug@lists.wlug.org
To unsubscribe send an email to wlug-leave@lists.wlug.org
Create Account: https://wlug.mailman3.com/accounts/signup/
Change Settings: https://wlug.mailman3.com/postorius/lists/wlug.lists.wlug.org/
Web Forum/Archive: https://wlug.mailman3.com/hyperkitty/list/wlug@lists.wlug.org/message/HCS2LZ...
>>>>> "Jon" == Jon "maddog" Hall <jon.maddog.hall@gmail.com> writes:
Jon> From time to time I used a USB Ethernet port:
Jon> https://www.bestbuy.com/site/shop/usb-to-ethernet-adapter

I used to have one of those kicking around, but for now I'm going to go with the APU2 dedicated hardware box; it should have enough oomph once I get Debian Buster (10.10) installed on it.

Jon> Generally they are about 25 USD. You might be able to find them
Jon> on eBay or other places for less than that. You might as well
Jon> get a USB 3.0, since it will work with USB 2.0 ports, but USB 2.0
Jon> will not support 1 Gbit/second, whereas USB 3.0 will. On the
Jon> other hand if the networking flow is not 1 Gbit/second then USB
Jon> 2.0 might work fine.

Jon> I have found the Linux support for these generic USB Ethernet
Jon> devices to be generally good.

Thanks for the feedback! You missed a fun meeting last night.

Jon> On Fri, Apr 9, 2021 at 5:09 PM John Stoffel via WLUG <wlug@lists.wlug.org> wrote:
> You missed a fun meeting last night.
I am sure I did. Unfortunately I am in Rio de Janeiro and was tied up with another meeting.

Warmest regards,

maddog

On Fri, Apr 9, 2021 at 7:21 PM John Stoffel <john@stoffel.org> wrote:
>>>>> "Jon" == Jon "maddog" Hall <jon.maddog.hall@gmail.com> writes:
>> You missed a fun meeting last night.
Jon> I am sure I did. Unfortunately I am in Rio de Janeiro and was
Jon> tied up with another meeting.

Have a great time down there. Brazil is definitely on my list of places to visit some day. Along with Argentina, Chile, Peru.... lots of places in the world to see still.
Guys,

Now that I have zeek up and running... what's the best tool/process for viewing the data? Looking at the hourly emailed logs is sorta interesting, but honestly not a great way to see trends over time.

I've looked over the zeek.org website, and there's no real discussion there on how to summarize and get a good high level view of what's going on. Even just a daily report would be better, I think.

So what I'm doing is setting up my core switch to mirror all the traffic between the switch and the router, while I also have the zeek box on another port on the switch for management. This seems to be working well so far; it's seeing all my traffic to/from the internet and the various devices connected.

Cheers,
John
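The "daily report" John is asking for can be produced directly from Zeek's own TSV logs without a log platform. The script below is an added example for this thread, not code from the list, from Zeek, or from any of the participants. It parses the header-described TSV format Zeek writes by default (the `#separator`, `#fields`, `#unset_field` lines), so it also runs on a full `conn.log`, and it rolls the records up per calendar day into the kind of high-level view the post describes: connection counts, bytes in and out, top services, top external responders by volume, and which internal hosts produced the most unanswered (`S0`) connection attempts. The embedded sample log is constructed for the example and carries only a subset of conn.log's real columns; the column names used (`ts`, `id.orig_h`, `id.resp_h`, `service`, `orig_bytes`, `resp_bytes`, `conn_state`) are Zeek's actual conn.log field names.

```python
"""Summarise Zeek conn.log records into a per-day report.

Added example (not from the WLUG thread or the Zeek project). The parser keys
on the '#fields' header line, so it handles a full conn.log as well as the
reduced, constructed sample below.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample, modelled on Zeek's default TSV conn.log layout.
# A real conn.log has more columns (history, pkts, local_orig, ...); that is
# fine because the parser reads the column names from '#fields'.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1618300000.123456\tCabc1\t192.168.1.10\t51234\t93.184.216.34\t443\ttcp\tssl\t2.5\t1200\t34000\tSF
1618300100.5\tCabc2\t192.168.1.10\t51235\t93.184.216.34\t443\ttcp\tssl\t0.9\t800\t12000\tSF
1618303700.0\tCabc3\t192.168.1.22\t40000\t198.51.100.7\t22\ttcp\tssh\t600.0\t50000\t9000\tSF
1618307300.0\tCabc4\t192.168.1.22\t40001\t198.51.100.7\t2222\ttcp\t-\t-\t-\t-\tS0
1618307400.0\tCabc5\t192.168.1.30\t5353\t224.0.0.251\t5353\tudp\tdns\t-\t120\t-\tS0
1618360000.0\tCabc6\t192.168.1.10\t51300\t93.184.216.34\t80\ttcp\thttp\t0.3\t300\t5000\tSF
#close\t2021-04-14-01-00-00
"""


def parse_zeek_tsv(text):
    """Yield one dict per data row, keyed by the names in the '#fields' header.

    Unset ('-') and empty ('(empty)') values become None. The separator is
    taken from the '#separator' line (Zeek writes it as an escape such as
    '\\x09'), defaulting to a tab.
    """
    fields = None
    sep = "\t"
    unset, empty = "-", "(empty)"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # '#separator \x09' -> the literal tab character
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            else:
                key, _, val = line[1:].partition(sep)
                if key == "fields":
                    fields = val.split(sep)
                elif key == "unset_field":
                    unset = val
                elif key == "empty_field":
                    empty = val
            continue
        if fields is None:
            raise ValueError("data row appeared before the #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield {k: (None if v in (unset, empty) else v) for k, v in zip(fields, values)}


def _to_int(value):
    """Byte counters are unset ('-') for connections that never exchanged data."""
    return int(value) if value is not None else 0


def daily_report(text):
    """Roll conn.log records up per UTC day.

    Returns {day: {"connections", "orig_bytes", "resp_bytes", "services",
    "responders", "s0_by_orig"}} where the last three are Counters.
    """
    days = defaultdict(lambda: {
        "connections": 0, "orig_bytes": 0, "resp_bytes": 0,
        "services": Counter(),     # service label -> connection count
        "responders": Counter(),   # id.resp_h -> total bytes both ways
        "s0_by_orig": Counter(),   # id.orig_h -> attempts with no reply (S0)
    })
    for rec in parse_zeek_tsv(text):
        day = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc).strftime("%Y-%m-%d")
        d = days[day]
        ob, rb = _to_int(rec["orig_bytes"]), _to_int(rec["resp_bytes"])
        d["connections"] += 1
        d["orig_bytes"] += ob
        d["resp_bytes"] += rb
        d["services"][rec["service"] or "unknown"] += 1
        d["responders"][rec["id.resp_h"]] += ob + rb
        if rec["conn_state"] == "S0":
            d["s0_by_orig"][rec["id.orig_h"]] += 1
    return dict(days)


def format_report(days, top=3):
    """Render the summary as plain text, one block per day, oldest first."""
    lines = []
    for day in sorted(days):
        d = days[day]
        lines.append(f"== {day}: {d['connections']} connections, "
                     f"{d['orig_bytes']} B out, {d['resp_bytes']} B in")
        lines.append("  services: " + ", ".join(f"{s}={n}" for s, n in d["services"].most_common(top)))
        lines.append("  top responders by bytes: " + ", ".join(f"{h}={b}" for h, b in d["responders"].most_common(top)))
        if d["s0_by_orig"]:
            lines.append("  unanswered (S0) connects by origin: "
                         + ", ".join(f"{h}={n}" for h, n in d["s0_by_orig"].most_common(top)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(daily_report(SAMPLE_CONN_LOG)))
```

To run it over real data, pass the contents of a day's `conn.log` to `daily_report` instead of the sample; the same parser works on the other Zeek logs (`dns.log`, `ssl.log`, ...) since they share the header format, only the roll-up keys change. The `S0` count is worth keeping in even a minimal report: a host that opens many connections nobody answers is either misconfigured or scanning, and that is exactly the trend hourly e-mails hide.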
On Tue, Apr 13, 2021 at 09:16:10AM -0400, John Stoffel via WLUG wrote:
> Now that I have zeek up and running... what's the best tool/process for viewing the data? Looking at the hourly emailed logs is sorta interesting, but honestly not a great way to see trends over time.
I know people use $$$$$plunk (Splunk) for that sort of thing. Perhaps ELK (Elasticsearch, Logstash, and Kibana) would work. Oh look, someone has a recipe for how to do that: https://logz.io/blog/bro-elk-part-1/
On Apr 13, 2021, at 4:26 PM, Chuck Anderson via WLUG <wlug@lists.wlug.org> wrote:
I am one of the $plunk users. Their free tier is fine, though it has fewer features (authentication being one of them), so I'd put something in front of it. The Splunk Zeek app is really good; if you go the Splunk route let me know.
participants (4)
- Chuck Anderson
- Eric Martin
- John Stoffel
- Jon "maddog" Hall