Installing the Zeek IDS on a Raspberry Pi and integrating it with ELK

    Deployment of a Raspberry Pi in which eth0 is configured in promiscuous mode as the sniffing interface, while the Pi itself is managed over the wlan interface.

    • Reference: https://www.secognition.com/?p=188
    • Reference: https://www.secognition.com/?p=190
    • Reference: https://www.secognition.com/?p=192
    • Reference: https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds
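The deployment above boils down to three configuration files (Zeek's node.cfg, Filebeat's modules.d/zeek.yml and filebeat.yml) plus an interface that is up, address-less and promiscuous. The script below is an added example, not code from the original post; it assumes Zeek is built under /usr/local/zeek, that Logstash's beats input is 192.168.23.12:5044 (the host and port tested later in the post), and that the Filebeat zeek module filesets it enables (capture_loss, connection, dns, http, ssl, notice, weird) exist in the installed Filebeat version.

```shell
#!/bin/sh
# Added example (not from the original post): render the config files the
# Zeek + Filebeat deployment needs and put the sniffing interface into the
# right state. Assumptions: Zeek under /usr/local/zeek, Logstash beats input
# on 192.168.23.12:5044, Filebeat zeek module filesets as listed below.

ZEEK_PREFIX=/usr/local/zeek
LOGSTASH=192.168.23.12:5044

# Standalone node.cfg: one Zeek process sniffing $2. The wlan management
# interface is deliberately not listed, so management traffic is never analysed.
write_node_cfg() {            # $1 = output file, $2 = sniff interface
    printf '[zeek]\ntype=standalone\nhost=localhost\ninterface=%s\n' "$2" > "$1"
}

# Filebeat's zeek module does not look under /usr/local/zeek by default (its
# defaults point at /opt/zeek and /var/log/bro), so every enabled fileset
# gets an explicit var.paths. Entries are "fileset:logfile-basename".
write_zeek_module_cfg() {     # $1 = output file, $2 = Zeek logs/current dir
    {
        printf '%s\n' '- module: zeek'
        for fs in capture_loss:capture_loss connection:conn dns:dns \
                  http:http ssl:ssl notice:notice weird:weird; do
            printf '  %s:\n    enabled: true\n    var.paths: ["%s/%s.log"]\n' \
                "${fs%%:*}" "$2" "${fs#*:}"
        done
    } > "$1"
}

# Minimal filebeat.yml: modules only, output straight to Logstash's beats input.
write_filebeat_yml() {        # $1 = output file, $2 = host:port
    printf 'filebeat.config.modules:\n  path: ${path.config}/modules.d/*.yml\n  reload.enabled: false\noutput.logstash:\n  hosts: ["%s"]\n' "$2" > "$1"
}

# Bring the sniffing interface up with no address. Zeek's pcap source opens it
# promiscuously anyway; setting promisc explicitly makes the state checkable
# with `ip -d link`. Needs root; not run by the tests.
enable_promisc() {            # $1 = interface
    ip addr flush dev "$1"
    ip link set "$1" up
    ip link set "$1" promisc on
    ip -d link show "$1" | grep -q 'promiscuity [1-9]'
}

# The same connectivity test as in the command history, as a yes/no function.
logstash_reachable() {        # $1 = host:port
    nc -z -w 3 "${1%%:*}" "${1#*:}"
}

# Usage on the Pi (as root):
#   write_node_cfg "$ZEEK_PREFIX/etc/node.cfg" eth0
#   write_zeek_module_cfg /etc/filebeat/modules.d/zeek.yml "$ZEEK_PREFIX/logs/current"
#   write_filebeat_yml /etc/filebeat/filebeat.yml "$LOGSTASH"
#   enable_promisc eth0 && logstash_reachable "$LOGSTASH" \
#       && "$ZEEK_PREFIX/bin/zeekctl" deploy && systemctl restart filebeat
```

One caveat: on Raspberry Pi OS the address flush only sticks if dhcpcd is told to leave eth0 alone (a `denyinterfaces eth0` line in /etc/dhcpcd.conf); otherwise it will hand eth0 an address again on the next lease renewal.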
    Command history from the deployment, cleaned up (history numbers, typos, mistyped paths and repeated attempts removed; comments added):

    # Install lsof and see which sockets zeek and filebeat have open
    apt install lsof
    lsof -i -P -n | grep zeek
    lsof -i -P -n | grep filebeat
    lsof -nP -iTCP -sTCP:LISTEN

    # Check the Pi's addresses and reachability of the Logstash host
    # (192.168.23.12, beats input on TCP 5044)
    ip ad
    ping 192.168.23.12
    nc -z -v 192.168.23.12 5044
    ping 192.168.23.10

    # Filebeat: review the config, enable the zeek module, restart and verify
    cat /etc/filebeat/filebeat.yml
    nano /etc/filebeat/filebeat.yml
    cd /etc/filebeat/
    filebeat modules enable zeek
    ls -la /etc/filebeat/modules.d/      # zeek.yml should now exist without the .disabled suffix
    systemctl restart filebeat
    systemctl status filebeat
    lsof -i -P -n | grep filebeat        # look for an established connection to 192.168.23.12:5044

    # Other agents on the Pi (the Debian service name is zabbix-agent)
    systemctl status zabbix-agent

    # Zeek: zeekctl is not on PATH in this build; it lives in /usr/local/zeek/bin
    find / -name zeekctl
    ls -la /usr/local/zeek/bin/
    /usr/local/zeek/bin/zeek --version
    /usr/local/zeek/bin/zeekctl deploy
    /usr/local/zeek/bin/zeekctl          # interactive shell: status, deploy, stop, ...

    # Zeek logs (this build writes to /usr/local/zeek/logs, not /opt/zeek/logs)
    ls -la /usr/local/zeek/logs/current/capture_loss.log
    cat /usr/local/zeek/logs/current/conn.log
    cat /usr/local/zeek/logs/current/dns.log
    /usr/local/zeek/bin/zeek-cut         # column extractor for the TSV logs

    # Site policy loaded by zeekctl deploy
    ls -la /usr/local/zeek/share/zeek/site/local.zeek
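Reading the logs with cat, as the history does, answers "is Zeek writing anything?" but not the two questions that matter on a Raspberry Pi: is the capture dropping packets (capture_loss.log), and does conn.log show the traffic you expect on eth0. The script below is an added example, not from the original post: it parses Zeek's TSV format by column name (what zeek-cut does) using only awk, sort and uniq, and runs both checks over constructed sample log lines embedded in the script. The conn.log sample carries only a subset of the real columns; the parser does not care, because it locates columns via the #fields header.

```shell
#!/bin/sh
# Added example (not from the original post): parse Zeek TSV logs by column
# name and run two post-deploy checks: packet loss and top source hosts.
# The sample logs below are constructed for this example; conn.log carries
# only a subset of the real columns (the parser locates columns by name).

SAMPLE_CAPTURE_LOSS=$(printf '#separator \\x09\n#path\tcapture_loss\n#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost\n#types\ttime\tinterval\tstring\tcount\tcount\tdouble\n1609459200.000000\t900.000000\tzeek\t3\t1200\t0.25\n1609460100.000000\t900.000000\tzeek\t30\t1000\t3.0\n#close\t2021-01-01-00-30-00')

SAMPLE_CONN=$(printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n1609459201.1\tC1\t192.168.23.50\t51000\t8.8.8.8\t53\tudp\tdns\tSF\n1609459202.2\tC2\t192.168.23.50\t51001\t203.0.113.5\t443\ttcp\tssl\tSF\n1609459203.3\tC3\t192.168.23.51\t40000\t192.168.23.12\t5044\ttcp\t-\tS0\n1609459204.4\tC4\t192.168.23.50\t51002\t8.8.8.8\t53\tudp\tdns\tSF')

# Print one column of a Zeek TSV log, located by its name in the #fields line.
# All other #-prefixed header/footer lines (#separator, #types, #close ...) are skipped.
zeek_col() {                  # $1 = log file, $2 = column name
    awk -v col="$2" '
        BEGIN      { FS = "\t" }
        /^#fields/ { for (i = 2; i <= NF; i++) if ($i == col) idx = i - 1; next }
        /^#/       { next }
        idx        { print $idx }
    ' "$1"
}

# Highest percent_lost seen in capture_loss.log (one row per interval per worker).
max_capture_loss() {          # $1 = capture_loss.log
    zeek_col "$1" percent_lost \
        | awk 'NR == 1 || $1 > m { m = $1 + 0 } END { print m + 0 }'
}

# Exit 0 when no interval lost more than $2 percent of packets, 1 otherwise.
capture_loss_ok() {           # $1 = capture_loss.log, $2 = threshold in percent
    awk -v m="$(max_capture_loss "$1")" -v t="$2" 'BEGIN { exit !(m <= t) }'
}

# Most frequent originating addresses in conn.log, printed as "count ip".
top_talkers() {               # $1 = conn.log, $2 = how many rows (default 5)
    zeek_col "$1" id.orig_h | sort | uniq -c | sort -rn | head -n "${2:-5}" \
        | awk '{ print $1, $2 }'
}

# Demo run over the constructed samples. On the Pi, point the functions at
# /usr/local/zeek/logs/current/capture_loss.log and conn.log instead.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CAPTURE_LOSS" > "$demo_dir/capture_loss.log"
printf '%s\n' "$SAMPLE_CONN" > "$demo_dir/conn.log"
echo "max capture loss: $(max_capture_loss "$demo_dir/capture_loss.log")%"
capture_loss_ok "$demo_dir/capture_loss.log" 1 \
    || echo "WARNING: an interval lost more than 1% of packets; check CPU load and the NIC"
top_talkers "$demo_dir/conn.log" 3
rm -r "$demo_dir"
```

A sustained percent_lost above a few percent on a Pi usually means the CPU cannot keep up with the mirrored traffic, so the conn.log summary is not telling the whole story; that is the case to catch before trusting what arrives in Kibana.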

    Raspberry Pi configuration

    • Change the default passwords: https://www.shellhacks.com/raspberry-pi-default-password-how-to-change/
    • Update the operating system: https://www.raspbian.org/RaspbianRepository
    • Install Filebeat for ARM (Raspberry Pi)
    • Install Zeek for ARM (Raspberry Pi)

    Installing Filebeat for ARM on the Raspberry Pi

    Follow the instructions in the repository below to deploy Filebeat on ARM.

    • https://github.com/josh-thurston/easyBEATS