How to add community ID to conn.log?

Zeek
1

Hi!
Dear Team!
I have installed zeek lts 5.0.3 on my machine. I want to add community ID to conn.log, I do that like below:

image
image1901×417 21.4 KB

I came acorss errors in picture above, how would I deal with that?
Thanks!

2

Just a wild thought – what OS are you using?

Richard

3

My OS is Centos7.9, and the core is 3.10.0-1160.81.1.el7.x86_64.
Nick

4

Cool. How did you install Zeek?

Richard

5

Nick, could you double-check that the Zeek builds are identical across your cluster? The kind of symbol error you’re showing is typically indicative of running a version of Zeek that differs from the one the plugin was compiled for.

Best,
Christian

6 
cd /etc/yum.repos.d/
wget https://download.opensuse.org/repositories/security:zeek/CentOS_7/security:zeek.repo
yum install zeek-lts

Nick

7

Hi, Christian, Below is my zeek version., and zeek-community-id is 3.2.1.
image
Best,
Nick

8

I compile from source.After make, I do a test below, a similar error occurs.

image
image1088×766 31.9 KB

9

Hey Nick,

You have some confusion on your system between the built plugin .so and the Zeek version. I cannot tell what might have caused it. Here’s a CentOS 7 Dockerfile that shows how to make it all work:

FROM centos:7

RUN yum update -y
RUN yum install -y centos-release-scl epel-release
RUN yum install -y wget devtoolset-8 devtoolset-8-gcc devtoolset-8-gcc-c++

RUN cd /etc/yum.repos.d/ && wget https://download.opensuse.org/repositories/security:zeek/CentOS_7/security:zeek.repo
RUN yum install -y zeek-lts cmake3 git
RUN yum clean all

RUN echo 'export PATH=$PATH:/opt/zeek/bin' >>/root/.bashrc
RUN echo 'source scl_source enable devtoolset-8' >>/root/.bashrc

RUN pip3 install GitPython semantic-version

# Hack to fix a bug affecting EOL'd Pythons
RUN sed -i /opt/zeek/lib/zeek/python/zeekpkg/source.py -e 's/parser.read(aggregate_file)/parser.read(aggregate_file, "utf-8")/'

# "bash -l" here so it sources the earlier .bashrc changes and sees the build environment
RUN bash -l -c 'zkg install --force zeek-community-id'
RUN bash -l -c 'zeek -NN Corelight::CommunityID'

If you run docker build on this, you should see it output the following near the end, meaning the plugin loaded:

Corelight::CommunityID - "Community ID" flow hash support in the connection log (dynamic, version 3.2.0)
    [Function] CommunityID::hash_conn

(The fact that it shows 3.2.0, not 3.2.1, is actually a bug in the Community ID sources! I’m about to fix that.)

I strongly suggest you switch to something newer than CentOS 7 at this point.

Best,
Christian

1 Like