Managing Zeek in Security Onion 2

[TOoSmOotH]

I have seen several threads on adding custom Zeek policies and managing the intel framework. This has been documented on the docs page but since it is unclear I can describe it further.

Managing custom intel:

From https://docs.securityonion.net/en/2.3/zeek.html?highlight=intel#intel

You can add your own intel to /opt/so/saltstack/local/salt/zeek/policy/intel/intel.dat on the manager and then run sudo salt $SENSORNAME_$ROLE state.highstate. When writing this file, ensure there are no leading/trailing spaces or lines, and that only a single tab is used to separate fields. If you experience an error, or do not notice /nsm/zeek/logs/current/intel.log being generated, try having a look in /nsm/zeek/logs/current/reporter.log for clues. You may also want to restart Zeek after making changes by running sudo so-zeek-restart.

So as long as you put all of your intel feeds into that file it should get loaded by default.

Adding Custom Zeek Policies:

From https://docs.securityonion.net/en/2.3/zeek.html#custom-scripts

Custom scripts can be added to /opt/so/conf/zeek/policy/custom/<$custom-module> on the manager. Once the script module is created, the configuration for local.zeek will need to be updated. In Security Onion 2, this configuration is abstracted into a SaltStack pillar. For example, we would copy /opt/so/saltstack/default/pillar/zeek/init.sls to /opt/so/saltstack/local/pillar/zeek/init.sls, and add our custom module to be loaded by Zeek (alternatively, the pillar could be modified in the global.sls file.

I would use the pillar method so that any new changes upstream will be honored. Keep in mind that you have to put that entire entry into the global.sls and make the appropriate changes.

Changing Zeek settings like MailTo etc:

https://docs.securityonion.net/en/2.3/zeek.html#configuration

That same pillar structure can be used to change what mime types you want to extract from the network:

https://github.com/Security-Onion-Solutions/securityonion/blob/master/salt/zeek/fileextraction_defaults.yaml

You use the global.sls if you want it applied to all sensors or drop it into the specific minion sls file if you want to change a specific sensor. I know for some that this is a different way of doing things and it will take some getting used to. Changing these options in pillars can feel cumbersome when you have a small deployment but it is laying the foundation for the future when we have a gui that will manage all of this. This method of doing things allow you to manage 1 sensor or 1000 sensors with the same level of effort.

[oneCrazyAdmin]

Thank you for the clarification! Very helpful.

I would ask one more thing about the zeek scripts. There is a section in the docs where you can Modify the Base scripts.https://docs.securityonion.net/en/2.3/zeek.html#:~:text=zeek%2Drestart-,Modifying%20base%20protocol%20scripts,modifying%20the%20default%20ports%20that%20Zeek%20considers%20for%20the%20MySQL%20analyzer%3A,-const%20ports%20%3D

But it is not clear where the location of these base scripts are. I am trying to change the TDS port number, similar to the example. I am not sure where to change it though.

[dougburks]

Your hyperlink isn't rendering properly. Assuming you are referring to https://docs.securityonion.net/en/2.3/zeek.html#modifying-base-protocol-scripts, then you should be able to add your modification as a custom script as shown right before that section. See https://docs.securityonion.net/en/2.3/zeek.html#custom-scripts.

If you have further questions or problems, please start a new discussion rather than replying to this old discussion from 2021.