I just started working with Zeek. I have been tasked with creating a way for full packet data to be pushed to our Zeek cluster for analysis and processing on a central server, but to have the agents/nodes only running a low resource binary for capturing packets.
I’ve put something together to capture the packets on the node end and receive a compressed stream on the other end, but now I’m having trouble with pushing the packet data into Zeek for processing.
I have looked into a number of things, including the now-deprecated Broccoli for intercommunication as well as the event-based scripting; however, it doesn't seem to be a viable method to watch for all the events and then process them on the manager that way.
Another option I can think of is to capture the packet data, dump it into a PCAP and then process the PCAP manually via Zeek CLI. But, I wanted to see if there’s any other way I can do this.
Assuming you're using Linux, have you looked into using tc-mirred and a tunnel protocol (VXLAN, Geneve or ERSPAN) to tunnel mirrored traffic to your Zeek cluster?
The first link provides a fairly elaborate tutorial on how to do this with tc and VXLAN (the examples use containers, however); the second mentions GRE, Geneve, ERSPAN…
On the Zeek cluster side, you’d have Zeek sniff the interface receiving the mirrored traffic or sniff the tunnel interface to receive decapsulated traffic.
None of these links will readily solve what you want to do, but hopefully provide some pointers.
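The tc-mirred plus VXLAN setup suggested in the reply above, written out as an added example; this is not code from the original thread or from the Zeek project, and the interface names (eth0, vx0), the 192.0.2.x addresses, the VNI 42 and the use of node.cfg's `interface=` setting are all assumptions. It prints the commands by default (DRY_RUN=1) and only applies them when run as root with DRY_RUN=0. The point a practitioner usually trips over is also handled: when the sensor interface being mirrored is the same uplink that carries the tunnel, the encapsulated copies would be mirrored again, so the VXLAN packets are matched first with a terminating `pass` action.

```shell
#!/bin/sh
# Added example (not from the original thread): mirror all traffic on a sensor
# interface into a VXLAN tunnel with tc-mirred and terminate the tunnel on the
# Zeek collector. Interface names, addresses and the VNI are assumptions.
set -eu

SENSOR_IF="${SENSOR_IF:-eth0}"             # interface to mirror on the sensor node
TUN_IF="${TUN_IF:-vx0}"                    # VXLAN device name on both ends
VNI="${VNI:-42}"                           # one VNI shared by all sensors (assumed)
VXLAN_PORT="${VXLAN_PORT:-4789}"           # IANA VXLAN UDP port
SENSOR_IP="${SENSOR_IP:-192.0.2.20}"       # sensor underlay address (documentation range)
COLLECTOR_IP="${COLLECTOR_IP:-192.0.2.10}" # Zeek collector underlay address
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Sensor side: build the tunnel, then mirror both directions of SENSOR_IF into it.
sensor_setup() {
    run ip link add "$TUN_IF" type vxlan id "$VNI" local "$SENSOR_IP" \
        remote "$COLLECTOR_IP" dstport "$VXLAN_PORT"
    run ip link set "$TUN_IF" up
    # clsact provides both the ingress and the egress hook on the sensor interface.
    run tc qdisc add dev "$SENSOR_IF" clsact
    # If SENSOR_IF is also the route to the collector, the encapsulated copies
    # leave through its egress hook. Match them first with a terminating 'pass'
    # so they are never mirrored again (otherwise the mirror feeds itself).
    run tc filter add dev "$SENSOR_IF" egress prio 1 protocol ip flower \
        ip_proto udp dst_port "$VXLAN_PORT" action pass
    # Everything else, in both directions, is cloned into the tunnel device.
    # Note: a full-size 1500-byte frame plus ~50 bytes of VXLAN/UDP/IP overhead
    # exceeds a 1500-byte underlay; use jumbo frames on the underlay or accept
    # that the outer packets get fragmented.
    run tc filter add dev "$SENSOR_IF" ingress prio 2 matchall \
        action mirred egress mirror dev "$TUN_IF"
    run tc filter add dev "$SENSOR_IF" egress prio 2 matchall \
        action mirred egress mirror dev "$TUN_IF"
}

# Collector side: a VXLAN device bound to the local address and port with no
# fixed remote accepts encapsulated frames from any sensor that uses this VNI.
# Zeek then sniffs TUN_IF (assumed: interface=vx0 in node.cfg) and sees the
# decapsulated frames.
collector_setup() {
    run ip link add "$TUN_IF" type vxlan id "$VNI" local "$COLLECTOR_IP" \
        dstport "$VXLAN_PORT" nolearning
    run ip link set "$TUN_IF" up
}

# Undo on either side; errors are ignored so a partial setup can be cleaned up.
teardown() {
    run tc qdisc del dev "$SENSOR_IF" clsact || true
    run ip link del "$TUN_IF" || true
}

case "${1:-}" in
    sensor)    sensor_setup ;;
    collector) collector_setup ;;
    teardown)  teardown ;;
    *)         echo "usage: $0 sensor|collector|teardown   (DRY_RUN=0 to apply)" ;;
esac
```

Run `DRY_RUN=0 sh mirror.sh sensor` on each capture node and `DRY_RUN=0 sh mirror.sh collector` on the Zeek box, then point the Zeek worker(s) at the tunnel device. The alternative the reply mentions, sniffing the underlay interface instead of vx0, also works because Zeek decapsulates VXLAN on its default port itself, but you then get the tunnel headers in Zeek's tunnel.log for every mirrored packet. The `matchall` filters mirror everything, including the sensor's own management traffic; narrow them with flower filters if that is a concern.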
Another option I can think of is to capture the packet data, dump it into a PCAP and then process the PCAP manually via Zeek CLI. But, I wanted to see if there’s any other way I can do this.
If you end up considering this route further, feel free to chime in on this ticket, which mentions a couple of related higher-layer approaches:
This too won't immediately solve your problem, but your use case would help us understand requirements and prioritize work.