Remote Packet Forwarding to Zeek Workers

Hi all,

I just started working with Zeek. I have been tasked with creating a way for full packet data to be pushed to our Zeek cluster for analysis and processing on a central server, but to have the agents/nodes only running a low resource binary for capturing packets.

I’ve put something together to capture the packets on the node end and receive a compressed stream on the other end, but now I’m having trouble with pushing the packet data into Zeek for processing.

I have looked into a number of things, including the now deprecated Broccoli for intercommunication as well as the event-based scripting; however, it doesn’t seem to be a viable method to watch for all the events and then process them on the manager that way.

Another option I can think of is to capture the packet data, dump it into a PCAP and then process the PCAP manually via Zeek CLI. But, I wanted to see if there’s any other way I can do this.

Thanks all!


Hey Brandon,

assuming you’re using Linux, have you looked into using tc-mirred and a tunnel protocol (VXLAN, Geneve or ERSPAN) to tunnel mirrored traffic to your Zeek cluster?

The first link provides a fairly elaborate tutorial on how to do this with tc and VXLAN (the examples use containers, however); the second mentions GRE, Geneve, ERSPAN…

https://arthurchiao.art/blog/traffic-mirror-with-tc-and-tunneling/
https://developers.redhat.com/blog/2019/05/17/an-introduction-to-linux-virtual-interfaces-tunnels#erspan

More concretely around Zeek, the following mentions using vxlan for container traffic forwarding (there’s some Python code for this, too):
https://corelight.com/blog/sidecars-for-network-monitoring

On the Zeek cluster side, you’d have Zeek sniff the interface receiving the mirrored traffic or sniff the tunnel interface to receive decapsulated traffic.

None of these links will readily solve what you want to do, but hopefully provide some pointers.

Arne
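To make the tc-mirred + VXLAN approach from the links above concrete, here is an added example script (not from this thread, not from the linked tutorials) that generates the sensor-side and collector-side commands and applies them only when APPLY=1. The interface names, the 192.0.2.x addresses, the VNI and the device name vxlan-mirror are constructed placeholders. The egress side deliberately lets the tunnel's own UDP/4789 packets pass before the mirror rule, so mirrored traffic is not mirrored again and looped back into the tunnel.

```bash
#!/usr/bin/env bash
# Added example: generate (and optionally apply) tc-mirred + VXLAN commands that
# mirror a sensor interface to a remote Zeek collector. Requires root and a
# kernel/iproute2 with clsact, matchall, flower and mirred (kernel >= 4.9).
set -euo pipefail

VXLAN_PORT=4789            # IANA VXLAN port; Zeek's VXLAN analyzer decapsulates it by default
TUNNEL_IF=vxlan-mirror     # tunnel device name used on both ends (assumed name)

# Sensor side: build the tunnel, then mirror ingress and egress of $1 into it.
# Egress prio 1 passes the tunnel's own encapsulated packets untouched so that
# the prio 2 mirror rule never sees (and re-mirrors) them.
sensor_mirror_cmds() {
    local iface=$1 local_ip=$2 collector_ip=$3 vni=$4
    cat <<EOF
ip link add $TUNNEL_IF type vxlan id $vni local $local_ip remote $collector_ip dstport $VXLAN_PORT dev $iface
ip link set $TUNNEL_IF up
tc qdisc add dev $iface clsact
tc filter add dev $iface ingress prio 2 matchall action mirred egress mirror dev $TUNNEL_IF
tc filter add dev $iface egress prio 1 protocol ip flower ip_proto udp dst_port $VXLAN_PORT action pass
tc filter add dev $iface egress prio 2 matchall action mirred egress mirror dev $TUNNEL_IF
EOF
}

# Collector side: a receive-only VXLAN device on $1 bound to the collector's
# address. Zeek can then sniff $TUNNEL_IF for decapsulated traffic, or sniff
# $1 directly and let its VXLAN analyzer handle the outer headers.
collector_cmds() {
    local iface=$1 collector_ip=$2 vni=$3
    cat <<EOF
ip link add $TUNNEL_IF type vxlan id $vni local $collector_ip dstport $VXLAN_PORT dev $iface
ip link set $TUNNEL_IF up
EOF
}

# Undo the sensor configuration (ignore errors so a partial setup is removed too).
sensor_teardown_cmds() {
    local iface=$1
    cat <<EOF
tc qdisc del dev $iface clsact || true
ip link del $TUNNEL_IF || true
EOF
}

# Print each command; execute it only when APPLY=1 is set in the environment.
run_cmds() {
    local line
    while IFS= read -r line; do
        echo "# $line"
        if [ "${APPLY:-0}" = "1" ]; then eval "$line"; fi
    done
}

main() {
    # Constructed defaults; override via environment, e.g. SENSOR_IF=ens3 ROLE=sensor APPLY=1 ./mirror.sh
    local role=${ROLE:-sensor}
    case "$role" in
        sensor)    sensor_mirror_cmds "${SENSOR_IF:-eth0}" "${SENSOR_IP:-192.0.2.20}" "${COLLECTOR_IP:-192.0.2.10}" "${VNI:-100}" | run_cmds ;;
        collector) collector_cmds "${COLLECTOR_IF:-eth1}" "${COLLECTOR_IP:-192.0.2.10}" "${VNI:-100}" | run_cmds ;;
        teardown)  sensor_teardown_cmds "${SENSOR_IF:-eth0}" | run_cmds ;;
        *) echo "unknown ROLE: $role" >&2; return 1 ;;
    esac
}

main "$@"
```

Run it once without APPLY to review the generated commands, then with APPLY=1 on the sensor and, with ROLE=collector, on the Zeek box. On the collector, `zeek -i vxlan-mirror local` sees the decapsulated packets; the alternative Arne mentions is `zeek -i eth1 local`, where Zeek decapsulates the VXLAN itself and the tunnel device is not needed at all. Mirroring both directions doubles the sensor's uplink usage, so filter at the tc layer (replace the matchall rules with narrower flower matches) if the sensor link is constrained.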

Hey Brandon,

> Another option I can think of is to capture the packet data, dump it into a PCAP and then process the PCAP manually via Zeek CLI. But, I wanted to see if there’s any other way I can do this.

If you end up considering this route further, feel free to chime in on
this ticket, which mentions a couple of related higher-layer approaches:

This too won’t immediately solve your problem, but your use case would
help us understand requirements and prioritize work.

Best,
Christian

Hi,

For remote sensors, to dump data where I have Zeek, I use ssh. Don’t know if that’s what you’re looking for.

For example, from where I have Zeek, I launch the following:

ssh selks-user@192.168.1.17 -p 22 'sudo -S /usr/bin/tcpdump -i eno1 -w - not port 22' | /usr/local/zeek/bin/zeek -C -r - -e 'redef LogAscii::use_json=T;' /usr/local/zeek/share/zeek/site/local.zeek -f 'not host 192.168.1.228 and not host 192.168.1.209'

What kind of performance do you get with that setup?

Sincerely,

Richard

Hi,

It’s obviously not the best way, but it’s fast to build and decent in performance for just a remote host.