juju4 / ansible-zeek

Licence: BSD-2-Clause
Set up Zeek (previously Bro IDS)



Zeek ansible role

Ansible role to set up Zeek (previously Bro IDS).

Installation sources:

  • OpenSUSE repository (rpm or deb) (default)
  • SecurityOnion repository (precise or trusty only)
  • source

Requirements & Dependencies

Ansible

Tested on the following Ansible versions:

  • 2.0
  • 2.2
  • 2.5
  • 2.9

Operating systems

Tested on Ubuntu 14.04, 16.04, 18.04 and CentOS 7, with Kitchen (Vagrant or LXD drivers) and Travis.

Example Playbook

Just include this role in your playbook's role list. For example:

- hosts: server
  roles:
    - juju4.zeek

Some NRPE commands are included to help with monitoring.

Post-install check

$ sudo /opt/bro/bin/broctl
[BroControl] > install
[BroControl] > diag

Variables

There is a good number of variables to adjust the different settings. Some, like passwords, should be stored in Ansible Vault, at least for production systems.

bro_mode: alone
#bro_mode: manager
#bro_mode: node
#bro_manager: 10.0.0.10
#bro_nodes:
#   - 10.0.0.11
#   - 10.0.0.12
#bro_nodes_if: eth0

## Only available for Ubuntu 12.04 (EOL Apr 2017), has pfring
use_securityonion_deb: false
## pfring/high network performance = build source
bro_w_pfring: false
## for source install
force_source_build: false
bro_v: 2.4
bro_archive_sha256: 740c0d0b0bec279c2acef5e1b6b4d0016c57cd02a729f5e2924ae4a922e208b2


## mysql setup for passivedns
mysql_user: root
mysql_root_password: mysql_root_pass_to_change_or_get_lost
mysql_old_root_password:
mysql_pdns_user: pdns
mysql_pdns_pass: pdns_pass_to_change_or_get_lost
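As an added example that is not part of the role's own README, the playbook below wires the documented variables into a manager plus worker-node deployment, with the MySQL passwords read from an ansible-vault encrypted file rather than from a plaintext playbook in version control. The inventory group names, host names, the vault file path and the way the variables are split between the two tiers are assumptions; the IP addresses are the ones from the commented listing above.

```yaml
# Added example, not the juju4.zeek role's own code.
# Run with:  ansible-playbook -i inventory.ini --ask-vault-pass site.yml
#
# Inventory (inventory.ini), constructed for this example:
#   [zeek_manager]
#   zeek-mgr  ansible_host=10.0.0.10
#   [zeek_nodes]
#   zeek-w1   ansible_host=10.0.0.11
#   zeek-w2   ansible_host=10.0.0.12
#
# Contents of vault/zeek_secrets.yml (assumed path) BEFORE running
# `ansible-vault encrypt vault/zeek_secrets.yml`; the placeholders are
# meant to be replaced, never committed as-is:
#   mysql_user: root
#   mysql_root_password: REPLACE_ME_root_password
#   mysql_old_root_password: ""
#   mysql_pdns_user: pdns
#   mysql_pdns_pass: REPLACE_ME_pdns_password

- name: Zeek manager
  hosts: zeek_manager
  become: true
  vars:
    bro_mode: manager
    bro_manager: 10.0.0.10
    bro_nodes:
      - 10.0.0.11
      - 10.0.0.12
    bro_nodes_if: eth0
    # Package install from the OpenSUSE repository (the role default);
    # pf_ring would force a source build, which is left off here.
    use_securityonion_deb: false
    bro_w_pfring: false
    force_source_build: false
  vars_files:
    # Encrypted with ansible-vault; decrypted at run time with --ask-vault-pass
    # or --vault-password-file, so no secret lives in this playbook.
    - vault/zeek_secrets.yml
  roles:
    - juju4.zeek

- name: Zeek worker nodes
  hosts: zeek_nodes
  become: true
  vars:
    bro_mode: node
    bro_manager: 10.0.0.10
    bro_nodes_if: eth0
    use_securityonion_deb: false
    bro_w_pfring: false
    force_source_build: false
  vars_files:
    - vault/zeek_secrets.yml
  roles:
    - juju4.zeek
```

Keeping the secrets in a separate vault file (rather than inline `!vault` blocks) lets the same encrypted file be shared by both plays and rotated without touching the playbook; the two `vars` blocks differ only in `bro_mode` and the manager's node list, which is what the `bro_mode: manager` / `bro_mode: node` comments in the variable listing suggest.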

Continuous integration

This role has a basic Travis test (for GitHub), a more advanced Kitchen test suite, and also a Vagrantfile (test/vagrant).

Once you have ensured all necessary roles are present, you can test with:

$ cd /path/to/roles/juju4.zeek
$ kitchen verify
$ kitchen login
$ KITCHEN_YAML=".kitchen.vagrant.yml" kitchen verify

or

$ cd /path/to/roles/juju4.zeek/test/vagrant
$ vagrant up
$ vagrant ssh

or

$ pip install molecule docker
$ molecule test
$ MOLECULE_DISTRO=ubuntu:18.04 molecule test --destroy=never

Troubleshooting & Known issues

  • As of May 2016, the Kitchen tests pass. Travis still has issues (read-only filesystem, huh?) and some Ansible facts (ansible_default_ipv4) are not set.
  • The role is not idempotent, mostly because of broctl.
  • "Error bro: capstats failed (Host 127.0.0.1 is not alive)" appears in /opt/bro/logs/stats/stats.log.
  • Monit: the bro_rc and bro processes fall into the "Not monitored" state, so there is no automatic restart.

License

BSD 2-clause
