Zeek Intel update script

[hacker0ni]

In order to use the CriticalPathSecurity's Zeek Intelligence Feeds that the script below uses, you need to add a config into your default load script found in /opt/so/saltstack/local/salt/zeek/policy/intel/__load__.zeek:
@load integration/collective-intel
Once you have added that line to the top of your __load__.zeek file, you need to apply the state from the manager using :
sudo salt '*sensor' state.apply zeek

NOTE: CriticalPathSecurity suggests adding @load policy/integration/collective-intel to the load file, but that doesn't work with SO, due to the load file pointing into the /opt/zeek/share/zeek/policy within the zeek container on sensor nodes. So you don't have to supply the policy directory again in the __load__.zeek config. You can confirm this by logging into your sensor node and then logging into the zeek docker container using the following command:
sudo docker exec -it so-zeek /bin/bash and then going into /opt/zeek/share/zeek/policy.

Your /opt/so/saltstack/local/salt/zeek/policy/intel/__load__.zeek file should look like the following once you're done with the changes:

@load integration/collective-intel
@load frameworks/intel/seen
@load frameworks/intel/do_notice
@load frameworks/files/hash-all-files
redef Intel::read_files += {
        "/opt/zeek/share/zeek/policy/intel/intel.dat"
};

Here's a simple script that you can then modify and use to update your Zeek Intelligence data from the manager node of your environment:

#!/bin/bash
echo "Cloning Zeek intelligence repo"
git clone https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds.git /tmp/Zeek-Intelligence-Feeds/

echo "Adding IP blocklists to Zeek"
cat /tmp/Zeek-Intelligence-Feeds/abuse-ch-ipblocklist.intel > /opt/so/saltstack/local/salt/zeek/policy/intel/intel.dat

echo "Adding malicious domains to Zeek"
sed '1d' /tmp/Zeek-Intelligence-Feeds/abuse-ch-malware.intel >> /opt/so/saltstack/local/salt/zeek/policy/intel/intel.dat

echo "Applying highstate on Manager node, this might take a while"
sudo salt "*sensor" state.highstate

echo "Restarting Zeek on sensors"
sudo salt "*sensor" cmd.run "sudo so-zeek-restart"

echo "Cleaning up"
rm -r /tmp/Zeek-Intelligence-Feeds
echo "Done! Please check the status of components down below!"
sleep 3
sudo salt "*sensor" cmd.run "sudo so-status"

NOTE: Zeek is very strict about the format of intel.dat. Please inspect the file before appending its contents into your intel.dat file.

[presianbg]

Hi,

Thanks for the resource!
I have to questions for you:

1. Do you experience any zeek crashes related to the intel framework with those feeds ?
   See - Zeek post-terminate crash #6587

2. Do we need to load the integration/collective-intel to make it work properly ?
   Looking at the Zeek-Intelligence-Feeds repo:
   https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds/blob/master/main.zeek

##! Load Intel Framework
@load policy/integration/collective-intel
@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice

Ref:
https://docs.zeek.org/en/v3.0.14/frameworks/intel.html#loading-intelligence

SO does not load the integration/collective-intel by default neither do you with your script.

Cheers,
PY

[hacker0ni]

Wow, thanks for pointing that out. You're right I've missed that. Implementing it is simple though, I'll edit the first post to include the details about it! To address the first question, I never had issues with Zeek crashes with these custom feeds, but then again I don't load all of them in there and the script manipulates the contents to fit Zeek's needs.

[presianbg]

Nice!

Strange... on my setup __load__.zeek is not in /opt/so/saltstack/local/salt/zeek/policy/intel/ , have you copied it there?
Only intel.dat resides in that folder and I'm wondering if just adding - integration/collective-intel under zeek -> local -> @load section (/opt/so/saltstack/local/pillar/global.sls) is fine ?

[hacker0ni]

I would highly suggest copying the file from the default directory to make changes :

cp /opt/so/saltstack/default/salt/zeek/policy/intel/__load__.zeek /opt/so/saltstack/local/salt/zeek/policy/intel/__load__.zeek

The default dir (/opt/so/saltstack/default) contains config provided by Security Onion. You can copy any file from there to the corresponding directory under local (/opt/so/saltstack/local) to make changes and apply them to your grid.