Recap of eZeeKonfigurator Notice Configuration and Zeek Week Oct 2019
Summary of a short ZeekWeek 2019 talk: a recap of eZeeKonfigurator, a web UI for configuring Zeek clusters (multiple clusters, no restarts for changes), and the zeek-notice-config package, which replaces hand-written notice-handling logic at the bottom of local.zeek with an ordered, first-match-wins list of notice options that can be edited from the UI.
Presentation Transcript
eZeeKonfigurator - notice config ZeekWeek Oct 2019
This guy...
- Gave a talk yesterday
- Had a small hiccup with notice config options
  - That may be my fault (unconfirmed)
  - May also be PG&E's fault
- Has a photo that looks like a school picture
- Doesn't use the ESnet standard slide template
Me...
- Jack of all Security Trades, Master of none
- Been using Zeek/Bro since ~2007 (Thanks Aashish!)
- Tried to get a major bank to use Zeek before commercial support existed (Lulz)
- Loves his job at ESnet, usually*
- Uses the appropriate slide template
* hates PG&E
eZeeKonfigurator Recap
- Web UI for configuring all of your Zeek cluster options
- Supports multiple clusters
- No cluster restarts: changes apply in real time
- When you have multiple clusters, configs in git aren't good enough: @ifdef(environment == "WAN")... x 50 (oh no!)
- Free!
Notice Configuration
- I did a lot of messy things early on...
  - Created alert_types: things we get alerts for that aren't necessarily notice_alarm worthy, but also aren't paging us
  - page_types, bhr_types
  - Script logic to process the different notice types, all at the bottom of local.zeek
  - Based off redefs that need to be updated every time a script is added or removed
zeek-notice-config package: Actions
- Notices will write to notice.log by default; IGNORE overrides that
- BHR adds an Action::BHR that you can handle later (Zeek & Destroy!)
- PAGE and BHR may need additional scripts for your own situation (examples will be provided)
- There is not and will not be support for Action::EMAIL (Talk to Sam)
zeek-notice-config: config format
- Being a vector is important: notice config options are processed in order
- Much like firewall policies: first match wins
- Pseudo-config:
  1) whitelist addresses, Scan::Address_Scan, IGNORE
  2) Scan::Address_Scan, LOG,BHR
zeek-notice-config: logic
- There is still script logic to process these notices
- But we no longer need to read and understand it to change how notices are processed
- It can work standalone as shown, BUT... with eZeeKonfigurator you can just manipulate the options from the UI.
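The ordered, first-match-wins policy sketched on the last two slides, written as a plain Zeek script. This is an added example rather than the zeek-notice-config package's or eZeeKonfigurator's own code; the NoticeRules module, the Rule record, the ACTION_BHR action and the whitelisted networks are constructed for illustration, and the action names follow Zeek's Notice::ACTION_* convention rather than the slides' shorthand.

```zeek
##! Added example (not zeek-notice-config's own code); module, Rule, ACTION_BHR and networks are constructed.
@load base/frameworks/notice
@load policy/misc/scan

module NoticeRules;

export {
	## Custom action (hypothetical); a separate handler would act on it.
	redef enum Notice::Action += { ACTION_BHR };
	type Rule: record {
		src:     set[subnet] &optional;               # only these sources
		note:    Notice::Type;
		ignore:  bool &default=F;                     # drop the notice
		actions: set[Notice::Action] &default=set();  # actions to attach
	};
	## A vector, not a set: rules are tried in order, first match wins.
	option rules: vector of Rule = vector(
		# 1) whitelisted (constructed) scanner sources: IGNORE
		Rule($src=set(10.0.0.0/8, 192.168.1.0/24), $note=Scan::Address_Scan, $ignore=T),
		# 2) everyone else scanning: LOG (framework default) plus BHR
		Rule($note=Scan::Address_Scan, $actions=set(Notice::ACTION_LOG, ACTION_BHR))
		);
}

# Returns T when the first matching rule ignores the notice; otherwise
# attaches that rule's actions and returns F.
function apply_first_match(n: Notice::Info): bool
	{
	for ( i in rules )
		{
		local r = rules[i];
		if ( r$note != n$note )
			next;
		if ( r?$src && ( ! n?$src || n$src !in r$src ) )
			next;
		if ( r$ignore )
			return T;
		for ( a in r$actions )
			add n$actions[a];
		return F;  # later rules are never consulted
		}
	return F;      # no match: framework default (log to notice.log) applies
	}

# Runs before the framework's own handlers (priority 10 and below), which add
# ACTION_LOG; a hook-level break stops all further handling, so nothing is logged.
hook Notice::policy(n: Notice::Info) &priority=15
	{
	if ( apply_first_match(n) )
		break;
	}
```

Swapping the two rules makes the whitelist dead code, exactly as with a misordered firewall policy, which is why the slide insists the options be a vector rather than a set.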
Video of the power being shut off at the lab: https://twitter.com/BerkeleyLab/status/1182317173034741763