When you install an IDPS sensor in an environment with a high traffic rate, it is preferable to run your sensor with AF_Packet.
UPDATE: In the latest versions of Zeek (5.2 or greater) there is no need to install any af_packet plugin, because AF_Packet support is now built in. More info at https://github.com/zeek/zeek-af_packet-plugin
Installation
First, we must install the Zeek plugin for AF_Packet (https://github.com/J-Gras/zeek-af_packet-plugin). We will use the default package manager of Zeek, zkg:
zkg install zeek/j-gras/zeek-af_packet-plugin
The successful installation can be checked by running the following command:
root@ubuntu:~# zkg list
zeek/j-gras/zeek-af_packet-plugin (installed: 3.0.2) - This plugin provides native AF_Packet support for Zeek.
Configuration
If you want to use AF_Packet from the CLI, you can run the command with the following syntax:
zeek -C -i af_packet::ens192
The -C flag is optional but very useful: it tells Zeek to ignore invalid checksums, so packets with a bad checksum are not dropped.
Let's say that we want to configure a server with 2 capture interfaces in cluster mode.
Edit /opt/zeek/etc/node.cfg:
[logger-1]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[worker-1]
type=worker
host=localhost
interface=af_packet::ens192
lb_method=custom
lb_procs=2
pin_cpus=0,1
af_packet_fanout_id=99

[worker-2]
type=worker
host=localhost
interface=af_packet::ens224
lb_method=custom
lb_procs=2
pin_cpus=2,3
af_packet_fanout_id=100
Note that we use a different af_packet_fanout_id for each interface: for ens192 we use cluster ID 99 and for ens224 we use cluster ID 100. With this setup, we create one fanout ring per interface, and the 2 workers of each interface collect the packets from their ring. At this point, I want to mention that the default way the 2 workers share the packets is hash mode (af_packet_fanout_mode=AF_Packet::FANOUT_HASH). Hash mode load-balances the packets based on source IP, source port, destination IP, destination port, and protocol.
Then run the following to deploy the new configuration and restart Zeek's capture:
zeekctl deploy
After the restart is finished and no error has occurred, we can check that the deployment went well. Execute the command:
zeekctl status
In the output, we should see 4 workers (2 for each interface), a logger, and a manager.
root@ubuntu:~# zeekctl status
Name         Type    Host       Status    Pid    Started
logger-1     logger  localhost  running   2152   03 Mar 11:02:41
manager      manager localhost  running   2215   03 Mar 11:02:44
proxy-1      proxy   localhost  running   2264   03 Mar 11:02:45
worker-1-1   worker  localhost  running   2340   03 Mar 11:02:47
worker-1-2   worker  localhost  running   2356   03 Mar 11:02:47
worker-2-1   worker  localhost  running   2347   03 Mar 11:02:47
worker-2-2   worker  localhost  running   2357   03 Mar 11:02:47
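As an added example (not from the original post or from the Zeek project), a small Python check you can run on node.cfg before zeekctl deploy: it parses the file with configparser and flags the mistakes this layout is prone to, namely a reused af_packet_fanout_id, an interface that is not af_packet::, and pin_cpus that do not match lb_procs or pin a CPU twice. The embedded config is a constructed copy of the two-interface worker sections above, and the function name check_node_cfg is hypothetical.

```python
import configparser

# Constructed sample: the two worker sections from the node.cfg above.
SAMPLE_NODE_CFG = """
[worker-1]
type=worker
interface=af_packet::ens192
lb_method=custom
lb_procs=2
pin_cpus=0,1
af_packet_fanout_id=99
[worker-2]
type=worker
interface=af_packet::ens224
lb_method=custom
lb_procs=2
pin_cpus=2,3
af_packet_fanout_id=100
"""

def check_node_cfg(text):
    """Return a list of problems; an empty list means the worker layout looks sane."""
    # Only '=' is a delimiter, so 'af_packet::ens192' is not split at the colons.
    cfg = configparser.ConfigParser(delimiters=("=",))
    cfg.read_string(text)
    problems, fanout_owner, cpu_owner = [], {}, {}
    for name in cfg.sections():
        sec = cfg[name]
        if sec.get("type") != "worker":
            continue
        iface = sec.get("interface", "")
        if not iface.startswith("af_packet::"):
            problems.append(f"{name}: interface {iface!r} is not an af_packet:: interface")
        # Every interface needs its own fanout group (cluster ID), as the text stresses.
        fid = sec.get("af_packet_fanout_id")
        if fid is None:
            problems.append(f"{name}: missing af_packet_fanout_id (falls back to the script default)")
        elif fid in fanout_owner:
            problems.append(f"{name}: fanout id {fid} already used by {fanout_owner[fid]}")
        else:
            fanout_owner[fid] = name
        # pin_cpus should list exactly lb_procs CPUs, none shared with another worker.
        procs = sec.getint("lb_procs", fallback=1)
        cpus = [c.strip() for c in sec.get("pin_cpus", "").split(",") if c.strip()]
        if cpus and len(cpus) != procs:
            problems.append(f"{name}: pin_cpus lists {len(cpus)} CPUs but lb_procs={procs}")
        for c in cpus:
            if c in cpu_owner:
                problems.append(f"{name}: CPU {c} already pinned by {cpu_owner[c]}")
            cpu_owner[c] = name
    return problems
```

Run it as check_node_cfg(open("/opt/zeek/etc/node.cfg").read()) on the real file; an empty list means no findings.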