idaholab#295, specify local networks via ZEEK_LOCAL_NETS environment …

…variable
mmguero-dev · Nov 20, 2023 · 54d7c15 · 54d7c15
1 parent 379054f
commit 54d7c15
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 1 deletion.
diff --git a/config/zeek.env.example b/config/zeek.env.example
@@ -1,3 +1,8 @@
+# Specifies a comma-separated list of the networks that Zeek considers "local",
+#   for Site::local_nets and networks.cfg. e.g., 1.2.3.0/24,5.6.7.0/24.
+#   Note that by default, Zeek considers IANA-registered private address space
+#   such as 10/8 and 192.168/16 site-local.
+ZEEK_LOCAL_NETS=
 # Specifies the value for Zeek's Intel::item_expiration timeout (-1min to disable)
 ZEEK_INTEL_ITEM_EXPIRATION=-1min
 # When querying a TAXII or MISP feed, only process threat indicators that have

diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md
@@ -99,6 +99,7 @@ Although the configuration script automates many of the following configuration
     - `ZEEK_INTEL_ITEM_EXPIRATION` - specifies the value for Zeek's [`Intel::item_expiration`](https://docs.zeek.org/en/current/scripts/base/frameworks/intel/main.zeek.html#id-Intel::item_expiration) timeout as used by the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) (default `-1min`, which disables item expiration)
     - `ZEEK_INTEL_REFRESH_CRON_EXPRESSION` - specifies a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression) indicating the refresh interval for generating the [Zeek Intelligence Framework](zeek-intel.md#ZeekIntel) files (defaults to empty, which disables automatic refresh)
     - `ZEEK_LIVE_CAPTURE` - if set to `true`, Zeek will monitor live traffic on the local interface(s) defined by `PCAP_FILTER`
+    - `ZEEK_LOCAL_NETS` - specifies the value for Zeek's [`Site::local_nets`](https://docs.zeek.org/en/master/scripts/base/utils/site.zeek.html#id-Site::local_nets) variable (and `networks.cfg` for live capture) (e.g., `1.2.3.0/24,5.6.7.0/24`); note that by default, Zeek considers IANA-registered private address space such as `10.0.0.0/8` and `192.168.0.0/16` site-local
     - `ZEEK_ROTATED_PCAP` - if set to `true`, Zeek can analyze captured PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `ZEEK_AUTO_ANALYZE_PCAP_FILES`); if `ZEEK_LIVE_CAPTURE` is `true`, this should be `false`; otherwise Zeek will see duplicate traffic
 
 ## <a name="CommandLineConfig"></a>Command-line arguments

diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
@@ -13,6 +13,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == "") ?
 global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS");
 global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS");
 global enip_ports_str = getenv("ZEEK_ENIP_PORTS");
+global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS");
 
 global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T;
 global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T;
@@ -91,6 +92,18 @@ redef ignore_checksums = T;
 
 event zeek_init() &priority=-5 {
 
+  if (zeek_local_nets_str != "") {
+    local nets_strs = split_string(zeek_local_nets_str, /,/);
+    if (|nets_strs| > 0) {
+      for (net_idx in nets_strs) {
+        local local_subnet = to_subnet(nets_strs[net_idx]);
+        if (local_subnet != [::]/0) {
+          add Site::local_nets[local_subnet];
+        }
+      }
+    }
+  }
+
   if (disable_ics_all || disable_ics_bacnet) {
     Analyzer::disable_analyzer(Analyzer::ANALYZER_BACNET);
   }

diff --git a/sensor-iso/interface/sensor_ctl/control_vars.conf b/sensor-iso/interface/sensor_ctl/control_vars.conf
@@ -45,6 +45,7 @@ export ZEEK_LB_PROCS=1
 export ZEEK_LB_METHOD=custom
 export ZEEK_AF_PACKET_BUFFER_SIZE=67108864
 
+export ZEEK_LOCAL_NETS=
 export ZEEK_RULESET=local
 export ZEEK_INTEL_ITEM_EXPIRATION=-1min
 export ZEEK_INTEL_FEED_SINCE=

diff --git a/shared/bin/zeekdeploy.sh b/shared/bin/zeekdeploy.sh
@@ -62,6 +62,7 @@ fi
 [[ -z $ZEEK_EXTRACTOR_MODE ]] && ZEEK_EXTRACTOR_MODE="none"
 
 # some other defaults
+[[ -z $ZEEK_LOCAL_NETS ]] && ZEEK_LOCAL_NETS=
 [[ -z $ZEEK_LB_PROCS ]] && ZEEK_LB_PROCS="1"
 [[ -z $WORKER_LB_PROCS ]] && WORKER_LB_PROCS="$ZEEK_LB_PROCS"
 [[ -z $ZEEK_LB_METHOD ]] && ZEEK_LB_METHOD="custom"
@@ -208,7 +209,12 @@ EOF
   ZEEK_PROCS=$((ZEEK_PROCS+1))
 done
 
-# we'll assume we didn't mess with networks.cfg, leave it alone
+# populate networks.cfg from ZEEK_LOCAL_NETS
+echo "# \$ZEEK_LOCAL_NETS:" > ./networks.cfg
+echo "#   $ZEEK_LOCAL_NETS" >> ./networks.cfg
+for NET in ${ZEEK_LOCAL_NETS//,/ }; do
+  echo "$NET" | sed -re 's/^[[:blank:]]+|[[:blank:]]+$//g' -e 's/[[:blank:]]+/ /g' >> ./networks.cfg
+done
 
 popd >/dev/null 2>&1
 

diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek
@@ -13,6 +13,7 @@ global synchrophasor_detailed = (getenv("ZEEK_SYNCHROPHASOR_DETAILED") == "") ?
 global synchrophasor_ports_str = getenv("ZEEK_SYNCHROPHASOR_PORTS");
 global genisys_ports_str = getenv("ZEEK_GENISYS_PORTS");
 global enip_ports_str = getenv("ZEEK_ENIP_PORTS");
+global zeek_local_nets_str = getenv("ZEEK_LOCAL_NETS");
 
 global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T;
 global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T;
@@ -91,6 +92,18 @@ redef ignore_checksums = T;
 
 event zeek_init() &priority=-5 {
 
+  if (zeek_local_nets_str != "") {
+    local nets_strs = split_string(zeek_local_nets_str, /,/);
+    if (|nets_strs| > 0) {
+      for (net_idx in nets_strs) {
+        local local_subnet = to_subnet(nets_strs[net_idx]);
+        if (local_subnet != [::]/0) {
+          add Site::local_nets[local_subnet];
+        }
+      }
+    }
+  }
+
   if (disable_ics_all || disable_ics_bacnet) {
     Analyzer::disable_analyzer(Analyzer::ANALYZER_BACNET);
   }