diff --git a/README.md b/README.md index d8c4158..7c319b3 100644 --- a/README.md +++ b/README.md @@ -228,7 +228,6 @@ A collection of delicious docker recipes. - [x] aircrack-ng-arm - [x] amass -- [x] bro - [x] clamav - [x] dirsearch - [x] dsniff @@ -508,6 +507,7 @@ A collection of delicious docker recipes. - [x] wordpress - [x] yourls - [x] ghcr.io/linuxserver/wireguard +- [x] zeek/zeek :skull: - [x] apache/zeppelin - [x] koenkk/zigbee2mqtt - [x] zookeeper diff --git a/bro/README.md b/bro/README.md deleted file mode 100644 index c3bf340..0000000 --- a/bro/README.md +++ /dev/null @@ -1,49 +0,0 @@ -The Bro Network Security Monitor -================================ - -[![](https://badge.imagelayers.io/vimagick/bro:latest.svg)](https://imagelayers.io/?images=vimagick/bro:latest 'Get your own badge on imagelayers.io') - -`Bro` is a powerful network analysis framework that is much different from the -typical IDS you may know. - -- Adaptable -- Efficient -- Flexible -- Forensics -- Commercially Supported -- In-depth Analysis -- Highly Stateful -- Open Interfaces -- Open Source - -## docker-compose.yml - -``` -bro: - image: vimagick/bro - command: bro -C -i eth0 - volumes: - - ./logs:/opt/bro/logs - net: container:shadowsocks_shadowsocks_1 -``` - -> We are going to monitor `shadowsocks` which is a socks5 server. - -## up and running - -``` -$ cd ~/fig/bro/ - -$ docker-compose up -d - -$ docker exec -it bro_bro_1 bash ->>> cat dns.log | bro-cut query | sort | uniq -c | sort -nr | head -5 - 10 www.youtube.com - 3 twitter.com - 2 www.google.com - 1 www.baidu.com - 1 www.facebook.com ->>> exit -``` - -> Don't be evil! diff --git a/bro/docker-compose.yml b/bro/docker-compose.yml deleted file mode 100644 index ecd2e5b..0000000 --- a/bro/docker-compose.yml +++ /dev/null @@ -1,6 +0,0 @@ -bro: - image: vimagick/bro - command: bro -i eth0 - volumes: - - ./logs:/opt/bro/logs - net: container:shadowsocks_shadowsocks_1 
diff --git a/bro/Dockerfile b/zeek/Dockerfile similarity index 100% rename from bro/Dockerfile rename to zeek/Dockerfile diff --git a/zeek/README.md b/zeek/README.md new file mode 100644 index 0000000..5b48291 --- /dev/null +++ b/zeek/README.md @@ -0,0 +1,36 @@ +zeek +==== + +[Zeek][1] is a passive, open-source network traffic analyzer. Many operators use +Zeek as a network security monitor (NSM) to support investigations of +suspicious or malicious activity. + +- Adaptable +- Efficient +- Flexible +- Forensics +- Commercially Supported +- In-depth Analysis +- Highly Stateful +- Open Interfaces +- Open Source + +## up and running + +```bash +$ docker compose up -d + +$ docker compose exec zeek bash +>>> cd /usr/local/zeek/logs +>>> cat dns.log | zeek-cut query | sort | uniq -c | sort -nr | head -5 + 10 www.youtube.com + 3 twitter.com + 2 www.google.com + 1 www.baidu.com + 1 www.facebook.com +>>> exit +``` + +> Don't be evil! + +[1]: https://github.com/zeek/zeek diff --git a/zeek/docker-compose.yml b/zeek/docker-compose.yml new file mode 100644 index 0000000..cfdbeaf --- /dev/null +++ b/zeek/docker-compose.yml @@ -0,0 +1,9 @@ +version: "3.8" +services: + zeek: + image: zeek/zeek:tls + command: zeek -C -i eth0 + volumes: + - ./logs:/usr/local/zeek/logs + network_mode: host + restart: unless-stopped
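Review bot: In the zeek/docker-compose.yml hunk, the tag on the `image: zeek/zeek:tls` line looks like a transposition of `lts`, the long-term-support tag the Zeek project publishes; if `tls` is not a tag the registry actually serves, `docker compose up -d` fails at pull time, so confirm it, and consider pinning by digest (`image: zeek/zeek:lts@sha256:<digest>`) so a sniffer that runs with host networking cannot be silently replaced by a tag move. The interface on the `command: zeek -C -i eth0` line is hard-coded, yet with `network_mode: host` the container sees the host's real interface names, which on many hosts are not `eth0`; `command: zeek -C -i ${ZEEK_IFACE:-eth0}` keeps the current default while letting the operator override it through the environment. Because the service only needs packet capture, adding `cap_drop: [ALL]` together with `cap_add: [NET_RAW, NET_ADMIN]` under the `zeek:` service would keep a compromise of the protocol parsers from inheriting the container's full default capability set; whether the image's default user needs both capabilities, or fewer, should be checked against the image rather than assumed.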