This repository has been archived by the owner on Apr 16, 2021. It is now read-only.

Zeek 3.0.13 #1821

Closed
dougburks opened this issue Feb 22, 2021 · 6 comments

@dougburks

https://lists.zeek.org/archives/list/zeek-announce@lists.zeek.org/thread/UIOWWQZDXP2HPH4EKHYS4UGFQVBS2H2N/

@dougburks dougburks self-assigned this Feb 22, 2021
@dougburks dougburks added this to To do in 16.04.7.3 via automation Feb 22, 2021
@dougburks dougburks moved this from To do to In progress in 16.04.7.3 Feb 22, 2021
@dougburks

List of packages to be tested:

  • securityonion-bro - 3.0.13-1ubuntu1securityonion1 (Zeek 3.0.13)
  • securityonion-bro-afpacket - 1.3.0-1ubuntu1securityonion33
  • securityonion-bro-scripts - 20121004-0ubuntu0securityonion112

An overview of the testing process can be found in the comments below.

Please record all testing results via comments on this issue.

Thanks in advance for your time and effort!

@dougburks

How To Start Testing

  • install the current 16.04 ISO image

  • snapshot the VM if possible

  • add the test PPA:

sudo add-apt-repository -y ppa:securityonion/test
  • update:
sudo soup

@dougburks

How To Verify Proper Zeek Operation

  • first, please note that Bro has been renamed to Zeek but the packages still adhere to the traditional bro naming convention

  • as the Zeek packages install, verify that the package installation scripts display a message about checking configuration and adding back any local customizations

  • verify that Bro packages were upgraded:

dpkg -l |grep securityonion-bro
  • verify that the new Zeek packages create symlinks as necessary so that the new zeek paths resolve to the traditional bro locations (for example: /opt/zeek is a symlink to /opt/bro, /nsm/zeek is a symlink to /nsm/bro, etc.)

  • verify that the new Zeek packages create symlinks as necessary so that well known bro files resolve to the new zeek locations (for example: /opt/bro/etc/broctl.cfg is a symlink to zeekctl.cfg, so it can be accessed via /opt/bro/etc/broctl.cfg or /opt/zeek/etc/zeekctl.cfg)

  • if new installation, run through Setup

  • verify that the package installation scripts backed up /opt/bro/etc/ with a _pre-3.0.13 extension

  • verify that StatusCmdShowAll has been set to 0 in /opt/zeek/etc/zeekctl.cfg:

grep StatusCmdShowAll /opt/zeek/etc/zeekctl.cfg
  • verify that lb_custom.InterfacePrefix=af_packet:: has been added to /opt/zeek/etc/zeekctl.cfg:
grep af_packet /opt/zeek/etc/zeekctl.cfg
  • Restart Zeek:
sudo so-zeek-restart
  • check status:
sudo so-status
  • check Zeek startup logs for any warnings/errors out of the ordinary:
cat /nsm/zeek/logs/current/reporter.log
cat /nsm/zeek/logs/current/stdout.log
cat /nsm/zeek/logs/current/stderr.log
  • replay LOTS of traffic:
sudo so-test
  • verify that files are extracted to /nsm/zeek/extracted:
ls -alh /nsm/zeek/extracted
  • verify that /nsm/zeek/logs/current/conn.log contains the proper sensorname at the end of each log entry:
cat /nsm/zeek/logs/current/conn.log
  • verify that Zeek logs are in the same format as they were pre-upgrade (should be JSON by default).

  • verify that the Elastic Stack is parsing and displaying Zeek logs properly (whether JSON or TSV format)

  • verify that you can pivot to CapMe for both TCP and UDP traffic

  • check sostat output for anything out of the ordinary (specifically, check the pf_ring and Zeek sections for packet loss)

  • verify that Zeek ja3 script is loaded and logging:

grep ja3 /nsm/zeek/logs/current/*
  • verify that Zeek hassh script is loaded and logging:
grep hassh /nsm/zeek/logs/current/*
  • verify that /etc/cron.d/bro has been moved to /etc/cron.d/zeek and that it works properly

  • verify that /opt/samples/zeek is a symlink to /opt/samples/bro

  • verify that everything else works properly with no regressions

  • reboot and make sure everything still works properly

Please test in as many different combinations as possible:

  • Evaluation Mode (Zeek Standalone mode) vs Production Mode (Zeek cluster mode)

  • single sniffing interface vs multiple sniffing interfaces

  • file extraction enabled or disabled

  • json-logs enabled or disabled

  • traffic without vlan tags vs traffic with vlan tags

  • new installation vs upgrade

  • Zeek cluster mode - PF_RING (lb_method=pf_ring) vs AF_PACKET (lb_method=custom)
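The symlink, zeekctl.cfg, cron and conn.log items of the checklist above, automated as an added example script (not part of this issue or of the Security Onion project). The ROOT prefix parameter and the sample conn.log entry are assumptions so the same functions can be exercised against a constructed directory tree as well as a live sensor.

```shell
#!/bin/sh
# Added example, not from the issue or the Security Onion project: the symlink,
# zeekctl.cfg, cron and conn.log items of the checklist as reusable functions.
# ROOT is an assumed prefix ("" on a live sensor) so the checks can also run
# against a constructed directory tree.

# check_symlink LINK TARGET: LINK must be a symlink resolving to TARGET
check_symlink() {
    [ -L "$1" ] || { echo "FAIL: $1 is not a symlink"; return 1; }
    [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ] ||
        { echo "FAIL: $1 resolves to $(readlink -f "$1"), expected $2"; return 1; }
    echo "ok: $1 -> $2"
}

# check_cfg FILE KEY VALUE: FILE must contain an uncommented "KEY = VALUE" line
check_cfg() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1" ||
        { echo "FAIL: $2 is not set to $3 in $1"; return 1; }
    echo "ok: $2 = $3 in $1"
}

# check_conn_log FILE SENSOR: every entry must be JSON ending in the sensorname field
check_conn_log() {
    [ -s "$1" ] || { echo "FAIL: $1 is missing or empty"; return 1; }
    bad=$(grep -Evc "^[{].*\"sensorname\":\"$2\"[}]$" "$1" || true)
    [ "$bad" -eq 0 ] || { echo "FAIL: $bad entries in $1 lack sensorname $2"; return 1; }
    echo "ok: all entries in $1 are JSON and carry sensorname $2"
}

# run_checks ROOT SENSOR: run the checklist items; returns 1 if any item fails
run_checks() {
    root=$1; sensor=$2; rc=0
    check_symlink "$root/opt/zeek" "$root/opt/bro" || rc=1
    check_symlink "$root/nsm/zeek" "$root/nsm/bro" || rc=1
    check_symlink "$root/opt/samples/zeek" "$root/opt/samples/bro" || rc=1
    check_symlink "$root/opt/bro/etc/broctl.cfg" "$root/opt/zeek/etc/zeekctl.cfg" || rc=1
    check_cfg "$root/opt/zeek/etc/zeekctl.cfg" StatusCmdShowAll 0 || rc=1
    check_cfg "$root/opt/zeek/etc/zeekctl.cfg" lb_custom.InterfacePrefix 'af_packet::' || rc=1
    { [ -f "$root/etc/cron.d/zeek" ] && [ ! -e "$root/etc/cron.d/bro" ]; } ||
        { echo "FAIL: /etc/cron.d/bro was not moved to /etc/cron.d/zeek"; rc=1; }
    check_conn_log "$root/nsm/zeek/logs/current/conn.log" "$sensor" || rc=1
    return $rc
}
```

On a sensor, source the file and call `run_checks "" <sensorname>`; each failing item prints a FAIL line and the function returns non-zero.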

@cm-ops

cm-ops commented Feb 25, 2021

Testing guidelines were verified and all symlinks, settings, files, and logs were validated on all tests.

Evaluation Mode: no issues
Production Mode: (Standalone and Distributed) no issues

Single sniffing interface: no issues
Multiple sniffing interfaces: no issues

File extraction enabled or disabled: no issues
json-logs enabled or disabled: no issues

New installation: no issues
Upgrade: no issues

Zeek cluster mode - PF_RING (lb_method=pf_ring) vs AF_PACKET (lb_method=custom): no issues

@dougburks

Thanks @cm-ops !

16.04.7.3 automation moved this from In progress to Done Feb 25, 2021