From 36ef9d7f724452e142df85f49c219e99a0f2e174 Mon Sep 17 00:00:00 2001 From: Melanie Pierce Date: Tue, 17 Sep 2024 13:50:11 -0600 Subject: [PATCH 01/17] Add opensearch api call to create indices --- dashboards/scripts/shared-object-creation.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/dashboards/scripts/shared-object-creation.sh b/dashboards/scripts/shared-object-creation.sh index 8abf9b6cd..8f150b5da 100755 --- a/dashboards/scripts/shared-object-creation.sh +++ b/dashboards/scripts/shared-object-creation.sh @@ -425,6 +425,17 @@ if [[ "${CREATE_OS_ARKIME_SESSION_INDEX:-true}" = "true" ]] ; then # end OpenSearch Tweaks ############################################################################################################################# + + # OpenSearch Create Initial Indices + + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \ + -XPUT "$OPENSEARCH_URL_TO_USE/${MALCOLM_NETWORK_INDEX_PATTERN%?}initial" \ + -H "$XSRF_HEADER:true" -H 'Content-type:application/json' + + curl "${CURL_CONFIG_PARAMS[@]}" -w "\n" --location --silent --output /dev/null --show-error \ + -XPUT "$OPENSEARCH_URL_TO_USE/${MALCOLM_OTHER_INDEX_PATTERN%?}initial" \ + -H "$XSRF_HEADER:true" -H 'Content-type:application/json' + # before we go on to create the anomaly detectors, we need to wait for actual network log documents /data/opensearch_status.sh -w >/dev/null 2>&1 sleep 60 From 3bf882d115bf27775e618705b1f27b8587dca116 Mon Sep 17 00:00:00 2001 From: Melanie Pierce Date: Tue, 24 Sep 2024 18:20:29 -0600 Subject: [PATCH 02/17] Add ssh optionn to local.zeek. Use JA4 fork --- .../includes.chroot/usr/local/etc/zeek/local.zeek | 1 + shared/bin/zeek_install_plugins.sh | 2 +- zeek/config/local.zeek | 10 ++++++++++ 3 files changed, 12 insertions(+), 1 deletion(-) 
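Review bot: Both added `curl -XPUT` calls throw the response away (`--silent --output /dev/null`), and `--show-error` only surfaces transport failures, so an HTTP-level rejection — the index already existing on a re-run, or an authorization failure — passes silently and the script goes straight on to the 60-second wait. Adding `--fail` (or capturing `-w '%{http_code}'` and logging anything outside 2xx) would make a failed index creation visible instead of showing up later as missing data. The index name `${MALCOLM_NETWORK_INDEX_PATTERN%?}initial` drops the last character of the pattern, presumably a trailing `*`; a comment should state that assumption, e.g. `# strip the trailing wildcard from the index pattern and create "<prefix>initial"`, since a pattern without the wildcard would be silently truncated. The enclosing `if [[ "${CREATE_OS_ARKIME_SESSION_INDEX:-true}" = "true" ]]` block begins outside the hunk.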
diff --git a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index a2794d2fe..7ba132d05 100644 --- a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek @@ -277,6 +277,7 @@ event zeek_init() &priority=-5 { redef LDAP::default_capture_password = T; @endif +redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count; redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; redef CVE_2021_44228::log = F; diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh index ab535b333..3b7a269f2 100755 --- a/shared/bin/zeek_install_plugins.sh +++ b/shared/bin/zeek_install_plugins.sh @@ -103,7 +103,7 @@ ZKG_GITHUB_URLS=( "https://github.com/corelight/zeek-xor-exe-plugin|master" "https://github.com/corelight/zerologon" "https://github.com/cybera/zeek-sniffpass" - "https://github.com/FoxIO-LLC/ja4" + "https://github.com/piercema/ja4" "https://github.com/mmguero-dev/bzar" "https://github.com/ncsa/bro-is-darknet" "https://github.com/ncsa/bro-simple-scan" diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek index 7de26a3c7..9182c67f8 100644 --- a/zeek/config/local.zeek +++ b/zeek/config/local.zeek @@ -5,6 +5,7 @@ ##! https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek global true_regex: pattern = /^\s*(?i:t(rue)?|y(es)?|on|1)\s*$/; +global global disable_stats = (getenv("ZEEK_DISABLE_STATS") == true_regex) ? T : F; global disable_hash_all_files = (getenv("ZEEK_DISABLE_HASH_ALL_FILES") == true_regex) ? T : F; 
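Review bot: The added `redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count;` in the hedgehog `local.zeek` references `ja4_ssh_packet_count`, which nothing in this file declares — the Malcolm-side `local.zeek` in the same commit introduces `zeek_ja4_ssh_packet_count` instead — so unless the name is defined somewhere not shown, the hedgehog script will fail to load. The two copies should read the same environment variable the same way: declare a matching global next to the other `getenv()` globals and use `redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count;`. The surrounding section of the file continues outside the hunk.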
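Review bot: `ZKG_GITHUB_URLS` now fetches the JA4 plugin from a personal fork (`piercema/ja4`) with no branch or tag pinned, while entries such as `"https://github.com/corelight/zeek-xor-exe-plugin|master"` show the list supports a `|ref` suffix; every image build will pull whatever the fork's default branch holds at that moment, so the sensor's fingerprinting code is no longer tied to a reviewed revision. Pin the entry, e.g. `"https://github.com/piercema/ja4|<tag-or-commit>"` (placeholder; use whatever ref form the `|` suffix accepts), and add a comment above it naming what the fork changes relative to FoxIO-LLC/ja4 and whether it is meant to be upstreamed, so the deviation can be retired later.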
@@ -16,6 +17,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == true_r global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS"); global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS"); global enip_ports_str = getenv("ZEEK_ENIP_PORTS"); +global zeek_ja4_ssh_packet_count = getenv("ZEEK_JA4SSH_PACKET_COUNT") global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS"); global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == true_regex) ? T : F; @@ -42,6 +44,7 @@ global disable_ics_profinet_io_cm = (getenv("ZEEK_DISABLE_ICS_PROFINET_IO_CM") = global disable_ics_s7comm = (getenv("ZEEK_DISABLE_ICS_S7COMM") == true_regex) ? T : F; global disable_ics_synchrophasor = (getenv("ZEEK_DISABLE_ICS_SYNCHROPHASOR") == true_regex) ? T : F; + redef Broker::default_listen_address = "127.0.0.1"; redef ignore_checksums = T; @@ -276,7 +279,14 @@ event zeek_init() &priority=-5 { redef SNIFFPASS::log_password_plaintext = T; redef LDAP::default_capture_password = T; @endif +@if (is_num(zeek_ja4_ssh_packet_count)) + redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count; +@else + redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = 200; +@endif + +redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count; redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; redef CVE_2021_44228::log = F; From 51b1c2fb9ec3f6a8847d775e523a4821c03353ea Mon Sep 17 00:00:00 2001 
From: Seth Grover Date: Mon, 7 Oct 2024 12:59:49 -0600 Subject: [PATCH 03/17] Fix the bad dashboards that got into v24.09.0, see idaholab/Malcolm#588 --- dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json | 2 +- dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json | 2 +- dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json | 2 +- dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json | 2 +- dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json | 2 +- dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json | 2 +- dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json | 2 +- dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json | 2 +- dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json | 2 +- dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json | 2 +- dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json | 2 +- dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json | 2 +- dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json | 2 +- dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json | 2 +- 14 files changed, 14 insertions(+), 14 deletions(-) diff --git a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json index 1d7a8e0f5..e434649ee 100644 --- a/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json +++ b/dashboards/dashboards/024062a6-48d6-498f-a91a-3bf2da3a3cd3.json 
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json
index 60b26113a..27db8f8a9 100644
--- a/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json
+++ b/dashboards/dashboards/0a490422-0ce9-44bf-9a2d-19329ddde8c3.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json
index ce72bd1fd..a6fd63905 100644
--- a/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json
+++ b/dashboards/dashboards/11be6381-beef-40a7-bdce-88c5398392fc.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json
index 64827ff48..2e2f64890 100644
--- a/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json
+++ b/dashboards/dashboards/11ddd980-e388-11e9-b568-cf17de8e860c.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json
index 21df165ed..6750c90bd 100644
--- a/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json
+++ b/dashboards/dashboards/1fff49f6-0199-4a0f-820b-721aff9ff1f1.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
index 69031e2b0..23bd223d4 100644
--- a/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
+++ b/dashboards/dashboards/2cf94cd0-ecab-40a5-95a7-8419f3a39cd9.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json
index 919af2e88..a48786060 100644
--- a/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json
+++ b/dashboards/dashboards/432af556-c5c0-4cc3-8166-b274b4e3a406.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
index 2d3d8d0b0..d5fd80bc8 100644
--- a/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
+++ b/dashboards/dashboards/50ced171-1b10-4c3f-8b67-2db9635661a6.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json
index d4a74ebf5..5f4c65802 100644
--- a/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json
+++ b/dashboards/dashboards/543118a9-02d7-43fe-b669-b8652177fc37.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json
index b1b74ea1c..462e488b4 100644
--- a/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json
+++ b/dashboards/dashboards/7f41913f-cba8-43f5-82a8-241b7ead03e0.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
index a9076e452..374bb560d 100644
--- a/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
+++ b/dashboards/dashboards/92985909-dc29-4533-9e80-d3182a0ecf1d.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json
index c604ca109..2a94b378b 100644
--- a/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json
+++ b/dashboards/dashboards/a7514350-eba6-11e9-a384-0fcf32210194.json
@@ -18,7 +18,7 @@
 "version": 1,
 "timeRestore": false,
 "kibanaSavedObjectMeta": {
- "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}"
+ "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"
 }
 },
 "references": [
diff --git a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json
index bfc03d799..bdafb1f1e 100644
--- a/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json
+++ b/dashboards/dashboards/c2549e10-7f2e-11ea-9f8a-1fe1327e2cd2.json
@@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ diff --git a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json index b28cef539..84da7d3be 100644 --- a/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json +++ b/dashboards/dashboards/caef3ade-d289-4d05-a511-149f3e97f238.json @@ -18,7 +18,7 @@ "version": 1, "timeRestore": false, "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"filter\":[]}" + "searchSourceJSON": "{\"highlightAll\":false,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}" } }, "references": [ From 71d84db6fae7ea6624fbfe074cd5e5ef578e8505 Mon Sep 17 00:00:00 2001 From: Melanie Pierce Date: Tue, 15 Oct 2024 13:01:49 -0600 Subject: [PATCH 04/17] Technical Changes --- Dockerfiles/zeek.Dockerfile | 2 +- config/zeek.env.example | 4 +++- shared/bin/zeek-deb-download.sh | 2 +- zeek/config/local.zeek | 14 +++----------- 4 files changed, 8 insertions(+), 14 deletions(-) diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile index bc9034125..dd8030dad 100644 --- a/Dockerfiles/zeek.Dockerfile +++ b/Dockerfiles/zeek.Dockerfile 
@@ -33,7 +33,7 @@ USER root # see PUSER_CHOWN at the bottom of the file (after the other environment variables it references) # for download and install -ARG ZEEK_VERSION=7.0.1-0 +ARG ZEEK_VERSION=7.0.3-0 ENV ZEEK_VERSION $ZEEK_VERSION # put Zeek and Spicy in PATH diff --git a/config/zeek.env.example b/config/zeek.env.example index ee73ef729..5741adf2d 100644 --- a/config/zeek.env.example +++ b/config/zeek.env.example @@ -62,6 +62,8 @@ EXTRACTED_FILE_HTTP_SERVER_ZIP=false EXTRACTED_FILE_HTTP_SERVER_MAGIC=false # HTTP server will look in subdirectories for requested filename (e.g., in "/quarantined" and "/preserved") EXTRACTED_FILE_HTTP_SERVER_RECURSIVE=true +# Adjust how often the JA4SSH hash is calculated. +ZEEK_JA4SSH_PACKET_COUNT=200 # Environment variables for tweaking Zeek at runtime (see local.zeek) # Set to true to disable the corresponding feature ZEEK_DISABLE_HASH_ALL_FILES= @@ -79,7 +81,7 @@ ZEEK_DISABLE_SPICY_WIREGUARD= ZEEK_DISABLE_ICS_ALL= ZEEK_DISABLE_ICS_BACNET= ZEEK_DISABLE_ICS_BSAP= -ZEEK_DISABLE_ICS_DNP3= +ZEEK_DISABLE_ICS_DNP3= ZEEK_DISABLE_ICS_ENIP= ZEEK_DISABLE_ICS_ETHERCAT= ZEEK_DISABLE_ICS_GENISYS=true diff --git a/shared/bin/zeek-deb-download.sh b/shared/bin/zeek-deb-download.sh index cbe8e6fcf..119ef017a 100755 --- a/shared/bin/zeek-deb-download.sh +++ b/shared/bin/zeek-deb-download.sh @@ -6,7 +6,7 @@ unset VERBOSE command -v dpkg >/dev/null 2>&1 && ARCH="$(dpkg --print-architecture)" || ARCH=amd64 DISTRO=Debian_12 OUTPUT_DIR=/tmp -ZEEK_VERSION=7.0.1-0 +ZEEK_VERSION=7.0.3-0 while getopts a:d:o:vz: opts; do case ${opts} in diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek index 8ccc2d0ee..7b6cf34a1 100644 --- a/zeek/config/local.zeek +++ b/zeek/config/local.zeek 
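Review bot: In `config/zeek.env.example`, `ZEEK_JA4SSH_PACKET_COUNT=200` is inserted inside the `EXTRACTED_FILE_HTTP_SERVER_*` block, one line above the `# Environment variables for tweaking Zeek at runtime (see local.zeek)` heading that groups every other `ZEEK_*` setting; moving it under that heading keeps the file's grouping and matches where `control_vars.conf` places it in patch 13. The comment `# Adjust how often the JA4SSH hash is calculated.` does not say what the number counts; `# Calculate the JA4SSH fingerprint once every N SSH packets (default 200; see local.zeek)` would. The second hunk in this file changes only whitespace on `ZEEK_DISABLE_ICS_DNP3=` and is reverted by patch 05, so it can be dropped from this commit.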
@@ -4,8 +4,7 @@ ##! https://docs.zeek.org/en/stable/script-reference/scripts.html ##! https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek -global true_regex: pattern = /^\s*(?i:t(rue)?|y(es)?|on|1)\s*$/; -global +global true_regex: pattern = /^\s*(?i:t(rue)?|y(es)?|on|1)\s*$/; global disable_stats = (getenv("ZEEK_DISABLE_STATS") == true_regex) ? T : F; global disable_hash_all_files = (getenv("ZEEK_DISABLE_HASH_ALL_FILES") == true_regex) ? T : F; @@ -17,7 +16,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == true_r global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS"); global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS"); global enip_ports_str = getenv("ZEEK_ENIP_PORTS"); -global zeek_ja4_ssh_packet_count = getenv("ZEEK_JA4SSH_PACKET_COUNT") +global zeek_ja4_ssh_packet_count = (getenv("ZEEK_JA4SSH_PACKET_COUNT") == "") ? 200 : to_count(getenv("ZEEK_JA4SSH_PACKET_COUNT")); global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS"); global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == true_regex) ? T : F; @@ -116,7 +115,6 @@ global json_format = (getenv("ZEEK_JSON") == true_regex) ? T : F; @load custom event zeek_init() &priority=-5 { - if (zeek_local_nets_str != "") { local nets_strs = split_string(zeek_local_nets_str, /,/); if (|nets_strs| > 0) { @@ -284,14 +282,8 @@ event zeek_init() &priority=-5 { redef SNIFFPASS::log_password_plaintext = T; redef LDAP::default_capture_password = T; @endif -@if (is_num(zeek_ja4_ssh_packet_count)) - redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count; -@else - redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = 200; -@endif - -redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count; +redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count; redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; redef CVE_2021_44228::log = F; 
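Review bot: The new `zeek_ja4_ssh_packet_count` initializer only guards against an empty `ZEEK_JA4SSH_PACKET_COUNT`; any other non-numeric value reaches `to_count()` unchecked, and as far as I can tell that produces a runtime conversion error rather than the 200 default the example config documents, while `0` is passed through to the plugin without comment. The file already validates env vars against patterns (`== true_regex`), so the same style fits here: `global zeek_ja4_ssh_packet_count_str = getenv("ZEEK_JA4SSH_PACKET_COUNT");` and `global zeek_ja4_ssh_packet_count = (zeek_ja4_ssh_packet_count_str == /^[0-9]+$/) ? to_count(zeek_ja4_ssh_packet_count_str) : 200;`. The identical initializer is added to the hedgehog `local.zeek` in patch 11 of this series and should get the same treatment. The scope enclosing the final `redef` line is not visible in the hunk.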
From 0f3aa65d5c03c5c8cfec025098f48d44cf08a2f6 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:30:46 -0600 Subject: [PATCH 05/17] Update zeek.env.example --- config/zeek.env.example | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/zeek.env.example b/config/zeek.env.example index 130553949..ff3b192da 100644 --- a/config/zeek.env.example +++ b/config/zeek.env.example @@ -82,7 +82,7 @@ ZEEK_DISABLE_SPICY_WIREGUARD= ZEEK_DISABLE_ICS_ALL= ZEEK_DISABLE_ICS_BACNET= ZEEK_DISABLE_ICS_BSAP= -ZEEK_DISABLE_ICS_DNP3= +ZEEK_DISABLE_ICS_DNP3= ZEEK_DISABLE_ICS_ENIP= ZEEK_DISABLE_ICS_ETHERCAT= ZEEK_DISABLE_ICS_GENISYS=true @@ -98,4 +98,4 @@ ZEEK_SYNCHROPHASOR_PORTS= ZEEK_SYNCHROPHASOR_DETAILED= ZEEK_GENISYS_PORTS= ZEEK_ENIP_PORTS= -ZEEK_DISABLE_BEST_GUESS_ICS=true \ No newline at end of file +ZEEK_DISABLE_BEST_GUESS_ICS=true From 3953d1aa42eaa15b407cb4afa51d8bc21a02dd2b Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:31:12 -0600 Subject: [PATCH 06/17] Update local.zeek --- .../config/includes.chroot/usr/local/etc/zeek/local.zeek | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index e9825fa6b..3222e99f8 100644 --- a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek @@ -284,7 +284,7 @@ event zeek_init() &priority=-5 { redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count; redef HTTP::log_client_header_names = T; -redef HTTP::log_server_header_names = T +redef HTTP::log_server_header_names = T; redef LDAP::default_log_search_attributes = F; redef SNIFFPASS::notice_log_enable = F; redef CVE_2021_44228::log = F; 
From f04a9c3944ebd46466319897f1a4f1549487d1e2 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 14:46:48 -0600 Subject: [PATCH 07/17] Fix whitespace --- shared/bin/zeek-deb-download.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/shared/bin/zeek-deb-download.sh b/shared/bin/zeek-deb-download.sh index 90e9a8308..c695ccad2 100755 --- a/shared/bin/zeek-deb-download.sh +++ b/shared/bin/zeek-deb-download.sh @@ -11,7 +11,6 @@ PRESERVE_HIERARCHY=false ZEEK_DEB_ALTERNATE_DOWNLOAD_URL=${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL:-} ZEEK_DEB_ALTERNATE_DOWNLOAD_URL_FILE=${ZEEK_DEB_ALTERNATE_DOWNLOAD_URL_FILE:-} - while getopts a:d:f:ho:u:vz: opts; do case ${opts} in a) ARCH=${OPTARG} ;; From 8d12544d31dc82510c98260823344462da56dc55 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:01:35 -0600 Subject: [PATCH 08/17] Update zeek.env.example From 2df70976e460bb5a35d4743059e987d55d7b1117 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:01:59 -0600 Subject: [PATCH 09/17] Update zeek.env.example From a21a440351534929cc8f0be2df09acf094a7d405 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:02:53 -0600 Subject: [PATCH 10/17] Update local.zeek --- zeek/config/local.zeek | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek index d4d35af9b..a2fef6e6c 100644 --- a/zeek/config/local.zeek +++ b/zeek/config/local.zeek 
@@ -4,7 +4,7 @@ ##! https://docs.zeek.org/en/stable/script-reference/scripts.html ##! https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek -global true_regex: pattern = /^\s*(?i:t(rue)?|y(es)?|on|1)\s*$/; +global true_regex: pattern = /^\s*(?i:t(rue)?|y(es)?|on|1)\s*$/; global disable_stats = (getenv("ZEEK_DISABLE_STATS") == true_regex) ? T : F; global disable_hash_all_files = (getenv("ZEEK_DISABLE_HASH_ALL_FILES") == true_regex) ? T : F; @@ -44,7 +44,6 @@ global disable_ics_profinet_io_cm = (getenv("ZEEK_DISABLE_ICS_PROFINET_IO_CM") = global disable_ics_s7comm = (getenv("ZEEK_DISABLE_ICS_S7COMM") == true_regex) ? T : F; global disable_ics_synchrophasor = (getenv("ZEEK_DISABLE_ICS_SYNCHROPHASOR") == true_regex) ? T : F; - redef Broker::default_listen_address = "127.0.0.1"; redef ignore_checksums = T; @@ -115,6 +114,7 @@ global json_format = (getenv("ZEEK_JSON") == true_regex) ? T : F; @load custom event zeek_init() &priority=-5 { + if (zeek_local_nets_str != "") { local nets_strs = split_string(zeek_local_nets_str, /,/); if (|nets_strs| > 0) { From 8493a437f27563e7a7218c9b4866126e3a76d4f9 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 15:05:14 -0600 Subject: [PATCH 11/17] Update local.zeek --- .../config/includes.chroot/usr/local/etc/zeek/local.zeek | 1 + 1 file changed, 1 insertion(+) diff --git a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek index 3222e99f8..89cf9cd59 100644 --- a/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek +++ b/hedgehog-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek 
@@ -16,6 +16,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == true_r global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS"); global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS"); global enip_ports_str = getenv("ZEEK_ENIP_PORTS"); +global zeek_ja4_ssh_packet_count = (getenv("ZEEK_JA4SSH_PACKET_COUNT") == "") ? 200 : to_count(getenv("ZEEK_JA4SSH_PACKET_COUNT")); global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS"); global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == true_regex) ? T : F; From 0766fd409023f608d086955710042b17bfd1a58d Mon Sep 17 00:00:00 2001 From: Melanie Pierce Date: Tue, 15 Oct 2024 17:20:37 -0600 Subject: [PATCH 12/17] Documentation addition --- docs/malcolm-config.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index 941a2880e..efc206f64 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md 
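Review bot: The global added here is named `zeek_ja4_ssh_packet_count`, but this file's existing `redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = ja4_ssh_packet_count;` (visible as context in patch 06 of this series) still reads `ja4_ssh_packet_count`, so unless a later patch renames one of them the redef refers to an undeclared identifier and the hedgehog script will not load. Change the redef to `redef FINGERPRINT::JA4SSH::ja4_ssh_packet_count = zeek_ja4_ssh_packet_count;`, as the Malcolm copy does in patch 04. The empty-string-only guard in front of `to_count()` has the same weakness raised on patch 04 and should be fixed in both copies together.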
@@ -130,6 +130,7 @@ Although the configuration script automates many of the following configuration - `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`) - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration) - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh) + - `ZEEK_JA4SSH_PACKET_COUNT` - the zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets. This sets the value of x (defaults to 200). - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER` + See [**Tuning Zeek**](live-analysis.md#LiveAnalysisTuningZeek) for other variables related to managing Zeek's performance and resource utilization. - `ZEEK_LOCAL_NETS` - specifies the value for Zeek's [`Site::local_nets`](https://docs.zeek.org/en/master/scripts/base/utils/site.zeek.html#id-Site::local_nets) variable (and `networks.cfg` for live capture) (e.g., `1.2.3.0/24,5.6.7.0/24`); note that by default, Zeek considers IANA-registered private address space such as `10.0.0.0/8` and `192.168.0.0/16` site-local From f1efb7df0c5858cce5efeb4af0c40dd1519959d5 Mon Sep 17 00:00:00 2001 
From: Melanie Pierce Date: Tue, 15 Oct 2024 17:48:17 -0600 Subject: [PATCH 13/17] Add to hedgehog --- hedgehog-iso/interface/sensor_ctl/control_vars.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/hedgehog-iso/interface/sensor_ctl/control_vars.conf b/hedgehog-iso/interface/sensor_ctl/control_vars.conf index 4dd4eac96..d7c9ec680 100644 --- a/hedgehog-iso/interface/sensor_ctl/control_vars.conf +++ b/hedgehog-iso/interface/sensor_ctl/control_vars.conf @@ -145,6 +145,7 @@ export ZEEK_DISABLE_ICS_PROFINET= export ZEEK_DISABLE_ICS_PROFINET_IO_CM= export ZEEK_DISABLE_ICS_S7COMM= export ZEEK_DISABLE_ICS_SYNCHROPHASOR= +export ZEEK_JA4SSH_PACKET_COUNT=200 export ZEEK_SYNCHROPHASOR_PORTS= export ZEEK_SYNCHROPHASOR_DETAILED= export ZEEK_GENISYS_PORTS= From 78e4da9c681001d9748d6a884c9bf60497684b46 Mon Sep 17 00:00:00 2001 From: Melanie Pierce <59747276+piercema@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:50:33 -0600 Subject: [PATCH 14/17] Update malcolm-config.md --- docs/malcolm-config.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index efc206f64..539d2a0b0 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md 
@@ -130,7 +130,7 @@ Although the configuration script automates many of the following configuration
 - `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`)
 - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration)
 - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh)
- - `ZEEK_JA4SSH_PACKET_COUNT` - the zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets. This sets the value of x (defaults to 200).
+ - `ZEEK_JA4SSH_PACKET_COUNT` - the Zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets as set here (defaults to 200).
 - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER`
 + See [**Tuning Zeek**](live-analysis.md#LiveAnalysisTuningZeek) for other variables related to managing Zeek's performance and resource utilization.
 - `ZEEK_LOCAL_NETS` - specifies the value for Zeek's [`Site::local_nets`](https://docs.zeek.org/en/master/scripts/base/utils/site.zeek.html#id-Site::local_nets) variable (and `networks.cfg` for live capture) (e.g., `1.2.3.0/24,5.6.7.0/24`); note that by default, Zeek considers IANA-registered private address space such as `10.0.0.0/8` and `192.168.0.0/16` site-local
@@ -177,4 +177,4 @@ In instances where Malcolm is deployed with the intention of running indefinitel
 - `EXTRACTED_FILE_PRUNE_INTERVAL_SECONDS` - the interval between checking the prune conditions, in seconds (default `300`)
 * [Index management policies](index-management.md) can be handled via plugins provided as part of the OpenSearch and Elasticsearch platforms, respectively. In addition to those tools, the `OPENSEARCH_INDEX_SIZE_PRUNE_LIMIT` variable in **`dashboards-helper.env`** defines a maximum cumulative that OpenSearch indices are allowed to consume before the oldest indices [are deleted]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/opensearch_index_size_prune.py), specified as either as a human-readable data size (e.g., `250G`) or as a percentage of the total disk size (e.g., `70%`): e.g., a value of `500G` means "delete the oldest OpenSearch indices if the total space consumed by Malcolm's indices exceeds five hundred gigabytes."
-Similar settings exist on for managing disk usage [Hedgehog Linux](malcolm-hedgehog-e2e-iso-install.md#HedgehogDiskUsage).
\ No newline at end of file
+Similar settings exist on for managing disk usage [Hedgehog Linux](malcolm-hedgehog-e2e-iso-install.md#HedgehogDiskUsage).
From 07916b63f8011598d0235affe7620cc261d216b3 Mon Sep 17 00:00:00 2001
From: Melanie Pierce <59747276+piercema@users.noreply.github.com>
Date: Tue, 15 Oct 2024 17:51:14 -0600
Subject: [PATCH 15/17] Update malcolm-config.md
---
 docs/malcolm-config.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md
index 539d2a0b0..e21a45da2 100644
--- a/docs/malcolm-config.md
+++ b/docs/malcolm-config.md
@@ -130,7 +130,7 @@ Although the configuration script automates many of the following configuration
 - `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`)
 - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration)
 - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh)
- - `ZEEK_JA4SSH_PACKET_COUNT` - the Zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets as set here (defaults to 200).
+ - `ZEEK_JA4SSH_PACKET_COUNT` - the Zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets; x is set here (defaults to 200).
 - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER`
 + See [**Tuning Zeek**](live-analysis.md#LiveAnalysisTuningZeek) for other variables related to managing Zeek's performance and resource utilization.
 - `ZEEK_LOCAL_NETS` - specifies the value for Zeek's [`Site::local_nets`](https://docs.zeek.org/en/master/scripts/base/utils/site.zeek.html#id-Site::local_nets) variable (and `networks.cfg` for live capture) (e.g., `1.2.3.0/24,5.6.7.0/24`); note that by default, Zeek considers IANA-registered private address space such as `10.0.0.0/8` and `192.168.0.0/16` site-local
From abcbdf078c7e201e7f5b8b42a4411f6a1d015d48 Mon Sep 17 00:00:00 2001
From: Melanie Pierce <59747276+piercema@users.noreply.github.com>
Date: Tue, 15 Oct 2024 17:51:40 -0600
Subject: [PATCH 16/17] Update malcolm-config.md
---
 docs/malcolm-config.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md
index e21a45da2..b80aad384 100644
--- a/docs/malcolm-config.md
+++ b/docs/malcolm-config.md
@@ -130,7 +130,7 @@ Although the configuration script automates many of the following configuration
 - `ZEEK_INTEL_FEED_SINCE` - when querying a [TAXII](zeek-intel.md#ZeekIntelSTIX) or [MISP](zeek-intel.md#ZeekIntelMISP) feed, only process threat indicators created or modified since the time represented by this value; it may be either a fixed date/time (`01/01/2021`) or relative interval (`30 days ago`)
 - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration)
 - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh)
- - `ZEEK_JA4SSH_PACKET_COUNT` - the Zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets; x is set here (defaults to 200).
+ - `ZEEK_JA4SSH_PACKET_COUNT` - the Zeek [JA4 plugin](https://github.com/piercema/ja4.git) calculates the JA4SSH value once for every x SSH packets; x is set here (defaults to 200)
 - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER`
 + See [**Tuning Zeek**](live-analysis.md#LiveAnalysisTuningZeek) for other variables related to managing Zeek's performance and resource utilization.
 - `ZEEK_LOCAL_NETS` - specifies the value for Zeek's [`Site::local_nets`](https://docs.zeek.org/en/master/scripts/base/utils/site.zeek.html#id-Site::local_nets) variable (and `networks.cfg` for live capture) (e.g., `1.2.3.0/24,5.6.7.0/24`); note that by default, Zeek considers IANA-registered private address space such as `10.0.0.0/8` and `192.168.0.0/16` site-local
From cbb716238e83fa457d137efceeca050b0791f971 Mon Sep 17 00:00:00 2001
From: Melanie Pierce <59747276+piercema@users.noreply.github.com>
Date: Tue, 15 Oct 2024 17:53:12 -0600
Subject: [PATCH 17/17] Update malcolm-config.md