Recap of eZeeKonfigurator Notice Configuration and Zeek Week Oct 2019
eZeeKonfigurator - notice config
ZeekWeek
Oct 2019
This guy...
•
Gave a talk yesterday
•
Had small hiccup with notice config options
–
That may be my fault (unconfirmed)
–
May also be PG&E's fault
•
Has a photo that looks like a school picture
•
Doesn't use the ESnet standard slide template
Me...
•
Jack of all Security Trades
–
Master of none
•
Been using Zeek/Bro since ~2007
–
Thanks Aashish!
•
Tried to get a major bank to use Zeek before commercial support existed
–
Lulz
•
Loves his job at ESnet
–
usually*
•
Uses appropriate slide template
* hates PG&E
PG&E Recap
eZeeKonfigurator Recap
•
Web UI for configuring all of your Zeek cluster
options
•
Supports multiple clusters
•
No cluster restarts with changes in real-time
•
When you have multiple clusters, configs in git aren't good
enough.
–
@ifdef(environment == "WAN")... x 50 (oh no!)
•
Free!
EZK UI
Notice Configuration
I did a lot of messy things early on...
•
Created alert_types
–
Things we get alerts for, but aren't necessarily
notice_alarm worthy, but also aren't paging us
–
page_types, bhr_types
•
Script logic to process different notice types…
–
All at the bottom of local.zeek
–
Based off redefs that need to be updated every time a
script is added or removed.
zeek-notice-config package: Actions
•
Notices will write to notice.log by default
–
IGNORE overrides that.
•
BHR adds an Action::BHR that you can handle later
–
Zeek & Destroy!
•
PAGE and BHR may need additional scripts for your own
situation (examples will be provided)
•
There is not and will not be support for Action::EMAIL
–
Talk to Sam
zeek-notice-config: config format
•
Being a vector is important
•
Notice config options are processed in order
–
Much like firewall policies
–
First match wins
pseudo:
1)
whitelist addresses, Scan::Address_Scan, IGNORE
2)
Scan::Address_Scan, LOG,BHR
zeek-notice-config: record details
zeek-notice-config: config format, not pseudo
zeek-notice-config: Just add more to the set!
zeek-notice-config: logic
•
There is still script logic to process these notices
–
But we no longer need to read it and understand it to
make a change in how notices are processed
•
It can work standalone as shown
•
BUT.. with eZeekConfigurator you can just manipulate the
options from the UI.
Plans to release as a package: DELAYED
That's it
Except...
For a bad joke.
Was this talk ZeekWeak?
Video of the power being shut off at the lab:
https://twitter.com/BerkeleyLab/status/1182317173034741763
A summary of events involving a talk at Zeek Week, issues with notice configuration, experiences with Zeek/Bro, and the introduction of eZeeKonfigurator for configuring Zeek clusters. The content includes descriptions of individuals involved, challenges faced, support for cluster configurations, and the importance of notice configuration in Zeek.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
eZeeKonfigurator - notice config ZeekWeek Oct 2019
This guy... Gave a talk yesterday Had small hiccup with notice config options That may be my fault (unconfirmed) May also be PG&E's fault Has a photo that looks like a school picture Doesn't use the ESnet standard slide template
Me... Jack of all Security Trades Master of none Been using Zeek/Bro since ~2007 Thanks Aashish! Tried to get a major bank to use Zeek before commercial support existed Lulz Loves his job at ESnet usually* Uses appropriate slide template * hates PG&E
eZeeKonfigurator Recap Web UI for configuring all of your Zeek cluster options Supports multiple clusters No cluster restarts with changes in real-time When you have multiple clusters, configs in git aren't good enough. @ifdef(environment == "WAN")... x 50 (oh no!) Free!
Notice Configuration I did a lot of messy things early on... Created alert_types Things we get alerts for, but aren't necessarily notice_alarm worthy, but also aren't paging us page_types, bhr_types Script logic to process different notice types All at the bottom of local.zeek Based off redefs that need to be updated every time a script is added or removed.
zeek-notice-config package: Actions Notices will write to notice.log by default IGNORE overrides that. BHR adds an Action::BHR that you can handle later Zeek & Destroy! PAGE and BHR may need additional scripts for your own situation (examples will be provided) There is not and will not be support for Action::EMAIL Talk to Sam
zeek-notice-config: config format Being a vector is important Notice config options are processed in order Much like firewall policies First match wins pseudo: 1) whitelist addresses, Scan::Address_Scan, IGNORE 2) Scan::Address_Scan, LOG,BHR
zeek-notice-config: logic There is still script logic to process these notices But we no longer need to read it and understand it to make a change in how notices are processed It can work standalone as shown BUT.. with eZeekConfigurator you can just manipulate the options from the UI.
Video of the power being shut off at the lab: https://twitter.com/BerkeleyLab/status/1182317173034741763
