af_packet

Hello Team,

I am trying to install af_packet and I see we can only install it using the package manager.

Could you please help answer whether there is an alternative way to install af_packet?

Thanks
Venkatesh

Any particular reason you don’t want to use the package manager? It’s designed to simplify the process.

I wrote a how-to guide for installation on CentOS 8 that covers using the package manager: https://www.ericooi.com/zeekurity-zen-part-ii-zeek-package-manager/

Thank you Eric. I have gone through that article. I am having a hard time installing zkg via pip (SSL cert error).

So I thought of checking if there is an alternative way.

Info is here:

https://github.com/J-Gras/bro-af_packet-plugin

Make sure you tell configure where to go like so:

./configure --bro-dist=../bro-3.0.0 --install-root=/opt/bro/lib/bro/plugins

James

TBH I see quite a few reasons why plugins and Zeek should not be installed like that article describes.

  • everything should be packaged. This includes Zeek and all plugins, each as a separate package. Running zkg to install a plugin on production will result in building code on the server (and we don’t even have compilers there).

  • the sudo + pip install means you now have Python packages installed for the entire OS but outside of OS control and packaging, making vulnerability management difficult (most likely never detected, forgotten and left there)

  • looks like the zeek user can sudo to root. There’s no need for that dangerous capability.

  • cap_net_admin is not needed and dangerous

  • assigning any capabilities to zeekctl is not needed and also dangerous

  • and those 3 affiliation links at the bottom…
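An added example, not from anyone in this thread: a small POSIX sh audit of the Linux file capabilities on a Zeek install that checks the three capability points above (AF_PACKET sockets need only cap_net_raw on the zeek binary, cap_net_admin is not needed, and zeekctl should carry no capabilities at all). The install prefix /opt/zeek is an assumption; the getcap output lines in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not the thread's or the plugin's own code).
# Assumptions: Zeek lives under /opt/zeek (override with ZEEK_PREFIX),
# getcap(8) from libcap is installed.

ZEEK_PREFIX="${ZEEK_PREFIX:-/opt/zeek}"

# audit_caps reads getcap output on stdin, one "<path> <caps>" line per
# file, prints one FINDING per problem and returns 0 if clean, 1 otherwise.
# Both libcap output styles are handled (constructed samples):
#   /opt/zeek/bin/zeek = cap_net_raw+eip      (older libcap)
#   /opt/zeek/bin/zeek cap_net_raw=eip        (libcap 2.41 and newer)
audit_caps() {
    rc=0
    while read -r path rest; do
        [ -n "$path" ] || continue
        # drop the leading "= " of the old style, then the +eip / =eip flags,
        # leaving only the comma-separated capability names
        caps=$(printf '%s' "$rest" | sed 's/^= *//')
        names=$(printf '%s' "$caps" | sed 's/[+=][a-z]*$//')
        case "$(basename "$path")" in
            zeekctl|broctl)
                printf 'FINDING: %s has capabilities (%s); zeekctl needs none\n' "$path" "$caps"
                rc=1 ;;
            zeek|bro)
                # opening an AF_PACKET socket requires CAP_NET_RAW only
                if [ "$names" != "cap_net_raw" ]; then
                    printf 'FINDING: %s should carry only cap_net_raw, has %s\n' "$path" "$caps"
                    rc=1
                fi ;;
        esac
        case "$names" in
            *cap_net_admin*)
                printf 'FINDING: %s has cap_net_admin; not needed for af_packet\n' "$path"
                rc=1 ;;
        esac
    done
    return $rc
}

# scan_install audits every file under the install prefix.
scan_install() {
    getcap -r "$ZEEK_PREFIX" 2>/dev/null | audit_caps
}
```

Run `scan_install` on the sensor host; a non-zero exit with FINDING lines means the install still has one of the capability problems listed above.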

Ouch. Can’t please everyone I guess.

Ok, I updated the articles based on Michal’s feedback. I’m still learning and appreciate the comments.

I understand the reasoning around packaging everything. That’s a bit beyond me so I’ll have to dig more into that.

The 3 links, well, hey, it’s my blog. Don’t click if you don’t want. :stuck_out_tongue:

Thanks!