When you install an IDPS Sensor in an environment with a high traffic rate, it is preferred to run your sensor with AF-Packet.

UPDATE: In the latest versions of Zeek (5.2 or greater) there is no need to install any af_packet plugin, because it is now built-in functionality. More info at https://github.com/zeek/zeek-af_packet-plugin

Installation

First, we must install the Zeek plugin for AF_Packet (https://github.com/J-Gras/zeek-af_packet-plugin). We will use the default package manager of Zeek, zkg.

zkg install zeek/j-gras/zeek-af_packet-plugin

The successful installation can be checked by running the following command

root@ubuntu:~# zkg list
zeek/j-gras/zeek-af_packet-plugin (installed: 3.0.2) - This plugin provides native AF_Packet support for Zeek.

Configuration

If you want to use AF_Packet from the CLI, you can run Zeek with the following syntax

zeek -C -i af_packet::ens192

The -C flag is optional but very useful: with it, Zeek does not drop packets that have an invalid checksum.

Let's say that we want to configure a server with 2 capture interfaces in cluster mode.

Edit /opt/zeek/etc/node.cfg

[logger-1]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[worker-1]
type=worker
host=localhost
interface=af_packet::ens192
lb_method=custom
lb_procs=2
pin_cpus=0,1
af_packet_fanout_id=99

[worker-2]
type=worker
host=localhost
interface=af_packet::ens224
lb_method=custom
lb_procs=2
pin_cpus=2,3
af_packet_fanout_id=100

Note that we use a different af_packet_fanout_id for each interface: for ens192 we use Cluster ID 99 and for ens224 we use Cluster ID 100. With this setup we create a ring for each interface, and the 2 workers of each interface collect its packets. At this point I want to mention that the default way the 2 workers share the packets is hash mode (af_packet_fanout_mode=AF_Packet::FANOUT_HASH). Hash mode load-balances packets based on source IP, source port, destination IP, destination port, and protocol.

Then run the following to deploy the new configuration and restart Zeek's capture.

zeekctl deploy

After the restart has finished without errors, we can check that the deployment went well by executing the command

zeekctl status

In the output we should see 4 workers, 2 for each interface, a logger, and a manager.

root@ubuntu:~# zeekctl status
Name         Type    Host             Status    Pid    Started
logger-1     logger  localhost        running   2152   03 Mar 11:02:41
manager      manager localhost        running   2215   03 Mar 11:02:44
proxy-1      proxy   localhost        running   2264   03 Mar 11:02:45
worker-1-1   worker  localhost        running   2340   03 Mar 11:02:47
worker-1-2   worker  localhost        running   2356   03 Mar 11:02:47
worker-2-1   worker  localhost        running   2347   03 Mar 11:02:47
worker-2-2   worker  localhost        running   2357   03 Mar 11:02:47