Zeek – Enable AF-Packet – #Threat Hunting Tails

When you install an IDPS Sensor in an environment with a high traffic rate, it is preferred to run your sensor with AF-Packet.

UPDATE: There is no need in the latest versions of Zeek(5.2 or greater) to install any af_packet plugin because now it is a built-in functionality. More info at (https://github.com/zeek/zeek-af_packet-plugin)

Installation

First, we must install the Zeek plugin for AF-Packet (https://github.com/J-Gras/zeek-af_packet-plugin). We will use the default package manager of Zeek, the ZKG.

zkg install zeek/j-gras/zeek-af_packet-plugin

The successful installation can be checked by running the following command

root@ubuntu:~# zkg list
zeek/j-gras/zeek-af_packet-plugin (installed: 3.0.2) - This plugin provides native AF_Packet support for Zeek.

Configuration

If you want to use the AF_Packet from CLI, you can run the command with the following syntax

zeek -C -i af_packet::ens192

Flag -C is optional, but very useful, because Zeek will not drop packets with an invalid checksum.

Lets say that we want to configure a server with 2 capture interfaces in cluster mode.

Edit /opt/zeek/etc/node.cfg

[logger-1]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[worker-1]
type=worker
host=localhost
interface=af_packet::ens192
lb_method=custom
lb_procs=2
pin_cpus=0,1
af_packet_fanout_id=99

[worker-2]
type=worker
host=localhost
interface=af_packet::ens224
lb_method=custom
lb_procs=2
pin_cpus=2,3
af_packet_fanout_id=100

We have to observe that we use different af_packet_fanout_id . So for the interface ens192 we use Cluster ID 99 and for interface ens224 we will use Cluster ID 100. With this setup, we are creating a ring for each interface and the 2 workers of each interface will collect the packages. In this point, I want to mention that the default way that the 2 workers collect the packages, is with hash mode, (af_packet_fanout_mode=AF_Packet::FANOUT_HASH). Hash mode load-balance the packages based on Source IP, Source Port, Destination IP, Destination Port, and Protocol.

Then run to deploy the new configuration and restart the capture of Zeek.

zeekctl deploy

After the restart is finished and no error occurred, we can check that the deployment went well. Execute the command

zeekctl status

From the output, we have to see 4 workers, 2 for each interface, a logger, and a manager.

root@ubuntu:~# zeekctl status
Name         Type    Host             Status    Pid    Started
logger-1     logger  localhost        running   2152   03 Mar 11:02:41
manager      manager localhost        running   2215   03 Mar 11:02:44
proxy-1      proxy   localhost        running   2264   03 Mar 11:02:45
worker-1-1   worker  localhost        running   2340   03 Mar 11:02:47
worker-1-2   worker  localhost        running   2356   03 Mar 11:02:47
worker-2-1   worker  localhost        running   2347   03 Mar 11:02:47
worker-2-2   worker  localhost        running   2357   03 Mar 11:02:47

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_092CVX01F7	2 years	This cookie is installed by Google Analytics.

Zeek – Enable AF-Packet

Installation

Configuration

You Missed

Suricata – Suricata Monitoring with Zabbix

Zeek – Network File Extraction

Decapsulating HP-ERM Remote SPAN

Zeek – Restrict Capturing Traffic with BPF Filters