break Zeek/Suricata into two containers: one for "live" capture and one for uploaded PCAPs #109
Labels: capture (Relating to pcap-capture container), docker (Relating to docker and docker-compose as used by Malcolm), enhancement (New feature or request), zeek (Relating to Malcolm's use of Zeek)
Comments

mmguero added the capture, docker, enhancement and zeek labels, Jul 25, 2022
mmguero changed the title from "break Zeek into two containers: one for "live" capture and one for uploaded PCAPs" to "break Zeek/Suricata into two containers: one for "live" capture and one for uploaded PCAPs", Jul 25, 2022
mmguero added a series of commits to mmguero-dev/Malcolm that referenced this issue, Jul 26 to Jul 27, 2022; the most recent of them carries the following squashed message:
… see idaholab#109

commit 30ab5eb (SG <[email protected]>, Wed Jul 27 11:40:48 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit dda60d7 (SG <[email protected]>, Wed Jul 27 11:40:30 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit b08e3e7 (SG <[email protected]>, Wed Jul 27 10:39:08 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit 51c8e04 (Seth Grover <[email protected]>, Wed Jul 27 08:26:01 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit 35da23a (Seth Grover <[email protected]>, Wed Jul 27 07:00:47 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit b6c99f9 (Seth Grover <[email protected]>, Tue Jul 26 17:17:19 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit ce9149e (Seth Grover <[email protected]>, Tue Jul 26 16:30:22 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit 3aec8b5 (Seth Grover <[email protected]>, Tue Jul 26 16:08:37 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit a9fe5b2 (Seth Grover <[email protected]>, Tue Jul 26 15:49:58 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit 78f0866 (Seth Grover <[email protected]>, Tue Jul 26 15:33:31 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit 0e4f043 (Seth Grover <[email protected]>, Tue Jul 26 14:48:56 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit 6a16eee (Seth Grover <[email protected]>, Tue Jul 26 14:05:56 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit ad394b0 (Seth Grover <[email protected]>, Tue Jul 26 13:53:39 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit c80b465 (Seth Grover <[email protected]>, Tue Jul 26 13:07:54 2022 -0600): work in progress for zeek- and suricata- live capture (idaholab#109)
commit 32d5ca1 (Seth Grover <[email protected]>, Tue Jul 26 12:02:17 2022 -0600): work in progress for zeek- and suricata- live capture (see idaholab#109); Signed-off-by: Seth Grover <[email protected]>
commit 326db59 (Seth Grover <[email protected]>, Tue Jul 26 09:53:43 2022 -0600): bump to v6.2.0 for idaholab#109
mmguero added further commits to mmguero-dev/Malcolm that referenced this issue, Jul 27 to Jul 28, 2022
mmguero added two more commits to mmguero-dev/Malcolm that referenced this issue, Jul 28, 2022
I think this is done, need to do some final testing but closing pending release.
Repository owner moved this from In Progress to Done in Malcolm, Aug 2, 2022
mmguero added a commit that referenced this issue, Aug 3, 2022:

merge v6.2.0 development into main

* Improvements
  - #109: break Zeek/Suricata into two containers: one for "live" capture and one for uploaded PCAPs
    + give option to disable capture interface hardware offloading and adjust ring buffer sizes for standalone Malcolm capture
    + Zeek and Suricata images are now configured to not drop privileges at init (in order to be able to set permissions for network capture), but supervisord will drop privileges for all of its child processes before they execute to maintain security posture
    + include headers needed to build Zeek af_packet plugin in Zeek docker container
    + updated README to describe methods for capturing local traffic with standalone Malcolm
    + same images will be used for `zeek` and `zeek-live` containers, as well as for `suricata` and `suricata-live` containers, respectively
    + use the same scripts `zeekdeploy.sh` to configure and run Zeek on both Hedgehog and in the Malcolm `zeek` docker images
    + prevent "live" and "non-live" Zeek containers from both trying to update intel indicators at the same time
  - Speed up build time by getting official Debian suricata packages from backports rather than building from source
  - Added Suricata rule update cron jobs
  - Added documentation (in the form of comments) to all docker-compose file variables
* Bugs
  - Fix #107: expand action/result meaning in DNP3 (and other?) dashboards
  - Clean up some `Nul` values that could appear in Zeek logs
  - improve mapping of BACnet actions
  - Fix #108: export PCAP not working from Arkime sessions without "Arkime Sessions"
  - Fix #110: SFTP upload broken due to dollar sign(s) in openssl-encrypted password
    + prompt in `install.py --configure` whether or not to expose this port to external hosts
  - Fix an issue that could prevent some zeek logs from being parsed correctly if they contained non-ASCII characters
mmguero added a commit to cisagov/Malcolm that referenced this issue, Aug 3, 2022 (merge v6.2.0 into main, carrying the same message with idaholab# issue references)
Hedgehog Linux is the preferred method for live network traffic capture/monitoring with Malcolm because it 1) allows you to have dedicated resources for capture separate from the Malcolm aggregator and 2) allows the traffic to be analyzed as it's "streamed" rather than buffering it to PCAP first and then analyzed on some sort of trigger as the PCAPs are rolled (managed by the `PCAP_ROTATE_...` environment variables).

This second method I've described is the way "standalone" Malcolm captures live traffic, which results in PCAP files being copied to the `./pcap/upload` directory and processed in the same way as any other "offline" PCAP files that the user has previously captured and uploaded manually.

The reason for this different implementation has to do with giving the capture docker container the ability to promiscuously monitor a network interface: this, as far as I am aware, requires the container to run with host networking. This is an issue mainly for the Arkime `capture` program, which needs to have a local connection to the http://opensearch endpoint, which is NOT running in host networking mode. I'd prefer to avoid connecting to opensearch via port forwarding as we'd have to surface authentication/encryption between the containers and it's just much simpler to have them be able to talk openly on the same docker network.

While this is a limitation for arkime capture, as far as Zeek and Suricata are concerned I don't think we'd have the same issue, since those programs are just generating textual log files into directories which could be picked up and analyzed by the other monitoring containers (this is essentially what we're doing with the `pcap-capture` container-produced PCAP files anyway).

So my proposal is that if live capture on a local interface is requested for a standalone Malcolm instance (via `PCAP_IFACE` in the docker-compose file) and Zeek and/or Suricata analysis is requested, I'd have an additional container for running those processes "live" for capture in host networking mode. Those containers wouldn't need to have separate images (they could use the same ones as their "offline PCAP" counterparts use today) but would have different arguments for starting live capture. The filebeat container would have to watch these live containers' output in additional locations aside from the ones it monitors today.

It wouldn't "solve" the same issue for Arkime capture (that would still be on a "rotate" delay) but it would improve the quality and speed up the availability of the Zeek/Suricata logs.
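The split proposed above and the shared-image point from the v6.2.0 merge notes, sketched as an added docker-compose fragment (written for this issue, not Malcolm's own docker-compose.yml): the offline `zeek` service stays on the Docker network, while `zeek-live` reuses the same image in host networking mode with only the capabilities raw capture needs. `PCAP_IFACE`, `./pcap/upload` and the `pcap-capture` / `zeek` / `zeek-live` service names come from the issue; the image tags, the `ZEEK_LIVE_CAPTURE` and `ZEEK_LIVE_IFACE` variables and the log paths are assumptions made for this sketch.

```yaml
# Illustrative compose fragment written for this issue (not Malcolm's own
# docker-compose.yml). PCAP_IFACE, ./pcap/upload and the service names
# pcap-capture / zeek / zeek-live come from the issue; the image tags, the
# ZEEK_LIVE_CAPTURE and ZEEK_LIVE_IFACE variables and the log paths are
# assumptions made for this sketch.
services:
  pcap-capture:
    # Standalone-Malcolm path today: capture on the host interface, rotate
    # PCAPs, and copy them into ./pcap/upload for the offline analyzers.
    # Promiscuous capture needs host networking, so grant only the two
    # capabilities raw capture requires rather than "privileged: true".
    image: malcolm/pcap-capture:example
    network_mode: host
    cap_add: [NET_ADMIN, NET_RAW]
    environment:
      PCAP_IFACE: eth0
    volumes:
      - ./pcap/upload:/pcap

  zeek:
    # Offline analyzer: reads rotated PCAPs on the normal Docker network,
    # so it can still reach the opensearch endpoint by service name.
    image: malcolm/zeek:example
    environment:
      ZEEK_LIVE_CAPTURE: "false"
    volumes:
      - ./pcap/upload:/pcap:ro
      - ./zeek-logs:/zeek/logs

  zeek-live:
    # Proposed live analyzer: the same image, but host networking and a
    # different startup mode so Zeek reads the interface directly instead
    # of waiting for a PCAP to roll. It only writes text logs, so it never
    # needs a connection to opensearch itself.
    image: malcolm/zeek:example
    network_mode: host
    cap_add: [NET_ADMIN, NET_RAW]
    environment:
      ZEEK_LIVE_CAPTURE: "true"
      ZEEK_LIVE_IFACE: eth0
    volumes:
      - ./zeek-live-logs:/zeek/logs   # kept apart from the offline logs

  filebeat:
    # Must now tail the live containers' output as well as the offline logs.
    image: malcolm/filebeat:example
    volumes:
      - ./zeek-logs:/logs/zeek:ro
      - ./zeek-live-logs:/logs/zeek-live:ro
```

A `suricata` / `suricata-live` pair would mirror the same split; keeping the live and offline log directories separate is what lets filebeat watch both without the two containers writing into each other's output.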