Malcolm v24.11.0 #493

Merged
merged 77 commits into from
Nov 18, 2024
9cfd8e2
restore some files that were accidentally deleted during merge
mmguero Oct 23, 2024
db5771f
restore some files that were accidentally deleted during merge
mmguero Oct 23, 2024
92a051f
Merge branch 'development' of https://github.com/mmguero-dev/Malcolm …
mmguero Oct 23, 2024
4104256
Merge branch 'development' of https://github.com/mmguero-dev/Malcolm …
mmguero Oct 24, 2024
d3590cf
show invalid argument exception
mmguero Oct 24, 2024
536aa66
set default for lsworkers to 0, which means to autocalculate it
mmguero Oct 24, 2024
582c440
switch to upstream ja4+ plugin repo:
mmguero Oct 24, 2024
c150873
bump for v24.11.0 development
mmguero Oct 25, 2024
cb2d710
packager script tweak
mmguero Oct 25, 2024
6162da6
idaholab/Malcolm#602, include support for sending Zeek logs to Kafka
mmguero Oct 25, 2024
096a024
bump Werkzeug to v3.0.6 for hedgehog-iso to address a couple of depen…
mmguero Oct 28, 2024
b31110d
Added Zeek script for detecting routers (known_routers.log), but disa…
mmguero Oct 28, 2024
1ec7d32
set nproc limits with other limits
mmguero Oct 29, 2024
f11806e
prompt to regenerate netbox passwords by default in noninteractive mode
mmguero Oct 31, 2024
71bf5e2
bump evtx to v0.8.4
mmguero Nov 3, 2024
60b0128
watchdog python library to v6.0.0
mmguero Nov 3, 2024
b9750d7
added netbox healthcheck plugin (https://github.com/netbox-community/…
mmguero Nov 4, 2024
9756b44
have mapi/ready use netbox health check api
mmguero Nov 4, 2024
0dd04ce
add ingest-stats api (idaholab/malcolm#611) needed for automated test…
mmguero Nov 4, 2024
929770d
add ingest-stats api (idaholab/malcolm#611) needed for automated test…
mmguero Nov 4, 2024
e0e96a9
moving issues upstream to cisa
mmguero Nov 4, 2024
efe10f2
First pass at pagination
jjrush Oct 24, 2024
6f411cf
Adding element filter and fixing bug
jjrush Oct 24, 2024
1060785
Setting default elements per page to 50
jjrush Oct 24, 2024
d759f44
Fixing some comments
jjrush Oct 30, 2024
03275fe
Misc fixes
jjrush Oct 30, 2024
d3c49f0
Misc fixes
jjrush Oct 30, 2024
f3c0907
Merge branch 'main' of https://github.com/idaholab/Malcolm into staging
mmguero Nov 4, 2024
02cc65c
Merge branch 'staging' of https://github.com/idaholab/Malcolm into de…
mmguero Nov 4, 2024
316ee61
restore jekyll config file from rebase
mmguero Nov 4, 2024
1dec30a
set links for Malcolm issues board to point to upstream repo
mmguero Nov 5, 2024
6e427bb
Merge branch 'main' of https://github.com/idaholab/Malcolm into staging
mmguero Nov 5, 2024
703712e
Merge branch 'staging' of https://github.com/idaholab/Malcolm into de…
mmguero Nov 5, 2024
34bdf85
added google/mandiant-ti-client library to Zeek docker container for …
mmguero Nov 5, 2024
555384b
bump opensearch and dashboards to v2.18.0
mmguero Nov 6, 2024
c02b1b8
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 6, 2024
1e14ac4
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 6, 2024
7a2610c
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 6, 2024
4d3219d
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 6, 2024
c73b9ce
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 6, 2024
866e30f
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 6, 2024
208f9b6
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 6, 2024
fcd95d8
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 6, 2024
68f416a
have threat intel happen once under supervisord on startup, not in co…
mmguero Nov 7, 2024
45ab9ce
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 7, 2024
6fb54ab
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 7, 2024
c3aeb5c
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 7, 2024
fa0d731
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 7, 2024
b07504f
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 8, 2024
7810d02
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 8, 2024
3c8d301
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 8, 2024
0505fee
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 8, 2024
875c0d1
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 8, 2024
231ad13
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 8, 2024
13bf9a7
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 8, 2024
d970aba
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 8, 2024
e870532
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 8, 2024
76399a9
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 8, 2024
5aa50ef
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 8, 2024
7b44cc6
bump arkime to v5.5.0
mmguero Nov 12, 2024
0010e1a
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 12, 2024
f95bb05
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 12, 2024
b75d4a4
work in progress for mandiant threat intel integration, cisagov/Malco…
mmguero Nov 12, 2024
940eaf7
bump beats and logstash to v8.16.0
mmguero Nov 12, 2024
29197f9
bump beats and logstash to v8.16.0
mmguero Nov 12, 2024
27c6afd
bump beats and logstash to v8.16.0
mmguero Nov 12, 2024
c6e037e
bump beats and logstash to v8.16.0
mmguero Nov 12, 2024
28b6d65
for idaholab/Malcolm#491; added a logstash health check
mmguero Nov 12, 2024
429a45e
for idaholab/Malcolm#361, some tweaks to the nginx conf to make sure …
mmguero Nov 12, 2024
a077875
bump elasticsearch and elasticsearch-dsl to 8.16.0
mmguero Nov 13, 2024
3012680
decomplicate taxii server stuff
mmguero Nov 13, 2024
61895f7
fixed errors when running appliance packager on macOS
robrui Nov 13, 2024
79958a1
minor fix for taxii
mmguero Nov 13, 2024
9e142a6
put page numbers in page labels for extracted files
mmguero Nov 13, 2024
4a77400
add new opcua log type to malcolm
mmguero Nov 13, 2024
0aecb45
for cisagov/Malcolm#401, create an API for exporting dashboards
mmguero Nov 14, 2024
891cb15
Merge branch 'development' of https://github.com/mmguero-dev/Malcolm …
mmguero Nov 14, 2024
4 changes: 2 additions & 2 deletions Dockerfiles/arkime.Dockerfile
Expand Up @@ -33,7 +33,7 @@ ENV PYTHONDONTWRITEBYTECODE 1
ENV PYTHONUNBUFFERED 1

ENV ARKIME_DIR "/opt/arkime"
ENV ARKIME_VERSION "5.4.0"
ENV ARKIME_VERSION "5.5.0"
ENV ARKIME_DEB_URL "https://github.com/arkime/arkime/releases/download/v${ARKIME_VERSION}/arkime_${ARKIME_VERSION}-1.debian12_XXX.deb"
ENV ARKIME_JA4_SO_URL "https://github.com/arkime/arkime/releases/download/v${ARKIME_VERSION}/ja4plus.XXX.so"
ENV ARKIME_LOCALELASTICSEARCH no
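Review bot: the 5.4.0 to 5.5.0 bump at `ENV ARKIME_VERSION` also moves `ARKIME_DEB_URL` and `ARKIME_JA4_SO_URL`, since both interpolate the version, so the .deb and the ja4plus plugin are fetched as a matched pair; consider carrying an expected checksum next to the version so the downloads can be verified at build time rather than trusted on the release URL alone.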
Expand Down Expand Up @@ -149,7 +149,7 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \
mkdir -p "${ARKIME_DIR}"/plugins && \
curl -fsSL -o "${ARKIME_DIR}/plugins/ja4plus.${DEBARCH}.so" "$(echo "${ARKIME_JA4_SO_URL}" | sed "s/XXX/${DEBARCH}/g")" && \
chmod 755 "${ARKIME_DIR}/plugins/ja4plus.${DEBARCH}.so" && \
python3 -m pip install --break-system-packages --no-compile --no-cache-dir beautifulsoup4 pyzmq watchdog==5.0.3 && \
python3 -m pip install --break-system-packages --no-compile --no-cache-dir beautifulsoup4 pyzmq watchdog==6.0.0 && \
ln -sfr $ARKIME_DIR/bin/npm /usr/local/bin/npm && \
ln -sfr $ARKIME_DIR/bin/node /usr/local/bin/node && \
ln -sfr $ARKIME_DIR/bin/npx /usr/local/bin/npx && \
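Review bot: the `watchdog==5.0.3` to `watchdog==6.0.0` pin in the `pip install` line is repeated verbatim in several other Dockerfiles in this PR (file-monitor, filebeat, pcap-monitor, suricata); a single source for that version (a build ARG passed in from the compose file, or a shared requirements file) would keep future bumps from drifting between images. The `curl -fsSL -o "${ARKIME_DIR}/plugins/ja4plus.${DEBARCH}.so"` fetch in the same hunk writes a shared object that Arkime loads at runtime with no integrity check on the download.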
10 changes: 5 additions & 5 deletions Dockerfiles/dashboards.Dockerfile
@@ -1,4 +1,4 @@
FROM opensearchproject/opensearch-dashboards:2.17.1
FROM opensearchproject/opensearch-dashboards:2.18.0

LABEL maintainer="[email protected]"
LABEL org.opencontainers.image.authors='[email protected]'
Expand Down Expand Up @@ -42,10 +42,10 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
# Malcolm manages authentication and encryption via NGINX reverse proxy
/usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin remove securityDashboards --allow-root && \
cd /tmp && \
# unzip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
# sed -i "s/2\.16\.0/2\.17\.0/g" opensearch-dashboards/transformVis/opensearch_dashboards.json && \
# sed -i "s/2\.16\.0/2\.17\.0/g" opensearch-dashboards/transformVis/package.json && \
# zip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
unzip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
sed -i "s/2\.17\.1/2\.18\.0/g" opensearch-dashboards/transformVis/opensearch_dashboards.json && \
sed -i "s/2\.17\.1/2\.18\.0/g" opensearch-dashboards/transformVis/package.json && \
zip transformVis.zip opensearch-dashboards/transformVis/opensearch_dashboards.json opensearch-dashboards/transformVis/package.json && \
cd /usr/share/opensearch-dashboards/plugins && \
/usr/share/opensearch-dashboards/bin/opensearch-dashboards-plugin install file:///tmp/transformVis.zip --allow-root && \
rm -rf /tmp/transformVis /tmp/opensearch-dashboards && \
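Review bot: the previously commented-out `unzip`/`sed`/`zip` block is now live, and `sed -i "s/2\.17\.1/2\.18\.0/g"` rewrites the transformVis plugin's declared compatible version so `opensearch-dashboards-plugin install` accepts it on 2.18.0; that bypasses the plugin's compatibility gate rather than satisfying it, so a comment stating that this is a deliberate shim (and that both version literals must change on every base-image bump) would help the next maintainer. The pattern also only matches when the bundled `transformVis.zip` really declares 2.17.1; if that archive is updated upstream, the sed silently matches nothing and the install fails later with a less obvious error.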
2 changes: 1 addition & 1 deletion Dockerfiles/file-monitor.Dockerfile
Expand Up @@ -159,7 +159,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
python-magic \
stream-zip \
supervisor \
watchdog==5.0.3 \
watchdog==6.0.0 \
yara-python && \
curl -fsSL -o /usr/local/bin/supercronic "${SUPERCRONIC_URL}${BINARCH}" && \
chmod +x /usr/local/bin/supercronic && \
9 changes: 4 additions & 5 deletions Dockerfiles/filebeat.Dockerfile
@@ -1,4 +1,4 @@
FROM docker.elastic.co/beats/filebeat-oss:8.15.3
FROM docker.elastic.co/beats/filebeat-oss:8.16.0

# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="[email protected]"
Expand Down Expand Up @@ -74,7 +74,7 @@ ENV SUPERCRONIC_CRONTAB "/etc/crontab"
ENV YQ_VERSION "4.44.3"
ENV YQ_URL "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_"

ENV EVTX_VERSION "0.8.3"
ENV EVTX_VERSION "0.8.4"
ENV EVTX_URL "https://github.com/omerbenamram/evtx/releases/download/v${EVTX_VERSION}/evtx_dump-v${EVTX_VERSION}-XXX-unknown-linux-gnu"

USER root
Expand All @@ -100,15 +100,14 @@ RUN export EVTXARCH=$(uname -m | sed 's/arm64/aarch64/') && \
psmisc \
python3-pip \
python3-setuptools \
python3.9 \
python3 \
rsync \
tar \
tini \
unar \
unzip \
xz-utils && \
ln -s -f -r /usr/bin/python3.9 /usr/bin/python3 && \
python3.9 -m pip install --no-compile --no-cache-dir patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog==5.0.3 && \
python3 -m pip install --no-compile --no-cache-dir --break-system-packages patool entrypoint2 pyunpack python-magic ordered-set supervisor watchdog==6.0.0 && \
curl -fsSL -o /usr/local/bin/supercronic "${SUPERCRONIC_URL}${BINARCH}" && \
chmod +x /usr/local/bin/supercronic && \
curl -fsSL -o /usr/local/bin/yq "${YQ_URL}${BINARCH}" && \
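Review bot: replacing `python3.9` with `python3` and dropping the `ln -s -f -r /usr/bin/python3.9 /usr/bin/python3` symlink is fine, but the new `--break-system-packages` flag in the `pip install` line puts `watchdog`, `supervisor` and the rest into the distro's own site-packages, overriding the PEP 668 guard; a dedicated venv (the pattern the netbox image already uses with `${NETBOX_PATH}/venv/bin/python`) keeps these packages from colliding with anything the base image's Python is used for. Nothing in this hunk pins the resulting Python minor version either, so a base-image update can change it silently.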
2 changes: 1 addition & 1 deletion Dockerfiles/logstash.Dockerfile
@@ -1,4 +1,4 @@
FROM docker.elastic.co/logstash/logstash-oss:8.15.3
FROM docker.elastic.co/logstash/logstash-oss:8.16.0

LABEL maintainer="[email protected]"
LABEL org.opencontainers.image.authors='[email protected]'
2 changes: 2 additions & 0 deletions Dockerfiles/netbox.Dockerfile
Expand Up @@ -31,6 +31,7 @@ ENV SUPERCRONIC_CRONTAB "/etc/crontab"

ENV NETBOX_INITIALIZERS_VERSION "50d077d"
ENV NETBOX_TOPOLOGY_VERSION "4.0.1"
ENV NETBOX_HEALTHCHECK_VERSION "0.2.0"

ENV YQ_VERSION "4.44.3"
ENV YQ_URL "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_"
Expand Down Expand Up @@ -86,6 +87,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
"${NETBOX_PATH}/venv/bin/python" -m pip install --break-system-packages --no-compile --no-cache-dir \
"git+https://github.com/tobiasge/netbox-initializers@${NETBOX_INITIALIZERS_VERSION}" \
"git+https://github.com/netbox-community/netbox-topology-views@v${NETBOX_TOPOLOGY_VERSION}" \
"git+https://github.com/netbox-community/netbox-healthcheck-plugin@v${NETBOX_HEALTHCHECK_VERSION}" \
psycopg2 \
pynetbox \
python-magic \
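Review bot: `netbox-healthcheck-plugin@v${NETBOX_HEALTHCHECK_VERSION}` is pinned to a git tag, whereas `netbox-initializers` two lines above is pinned to a commit (`50d077d`); tags are mutable, so a commit hash gives a reproducible build and closes the window where a moved tag changes what gets installed. Since the commit list says `mapi/ready` now relies on this plugin's health-check API, a missing or broken install would only surface as a readiness failure at runtime; an import or `manage.py` check right after the install would catch it at build time.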
2 changes: 1 addition & 1 deletion Dockerfiles/opensearch.Dockerfile
@@ -1,4 +1,4 @@
FROM opensearchproject/opensearch:2.17.1
FROM opensearchproject/opensearch:2.18.0

# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="[email protected]"
2 changes: 1 addition & 1 deletion Dockerfiles/pcap-monitor.Dockerfile
Expand Up @@ -68,7 +68,7 @@ RUN apt-get -q update && \
python-magic \
pyzmq \
requests \
watchdog==5.0.3 && \
watchdog==6.0.0 && \
groupadd --gid ${DEFAULT_GID} ${PGROUP} && \
useradd -M --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} ${PUSER}

2 changes: 1 addition & 1 deletion Dockerfiles/suricata.Dockerfile
Expand Up @@ -108,7 +108,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
apt-get install -q -y --no-install-recommends -t bookworm-backports \
suricata=${SURICATA_VERSION_PATTERN} \
suricata-update && \
python3 -m pip install --break-system-packages --no-compile --no-cache-dir watchdog==5.0.3 && \
python3 -m pip install --break-system-packages --no-compile --no-cache-dir watchdog==6.0.0 && \
curl -fsSL -o /usr/local/bin/supercronic "${SUPERCRONIC_URL}${BINARCH}" && \
chmod +x /usr/local/bin/supercronic && \
curl -fsSL -o /usr/bin/yq "${YQ_URL}${BINARCH}" && \
29 changes: 21 additions & 8 deletions Dockerfiles/zeek.Dockerfile
Expand Up @@ -87,6 +87,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
libmaxminddb0 \
libpcap-dev \
libpcap0.8 \
librdkafka-dev \
libssl-dev \
libssl3 \
libtcmalloc-minimal4 \
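Review bot: `librdkafka-dev` is a development package (headers plus the shared library); if it is only needed to compile the Seiso::Kafka plugin during this stage, the final image could keep just the runtime library package (librdkafka1 on Debian) and drop the headers, and either way a short comment saying which plugin needs it would stop someone from removing it later.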
Expand All @@ -107,6 +108,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
python3-setuptools \
python3-tz \
python3-wheel \
python3-yaml \
python3-zmq \
rsync \
supervisor \
Expand All @@ -115,7 +117,12 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
vim-tiny \
xxd \
zlib1g-dev && \
python3 -m pip install --break-system-packages --no-cache-dir pymisp stix2 taxii2-client dateparser && \
python3 -m pip install --break-system-packages --no-cache-dir \
dateparser \
git+https://github.com/google/mandiant-ti-client \
pymisp \
stix2 \
taxii2-client && \
mkdir -p /tmp/zeek-packages && \
bash /usr/local/bin/zeek-deb-download.sh -o /tmp/zeek-packages -z "${ZEEK_VERSION}" && \
dpkg -i /tmp/zeek-packages/*.deb && \
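Review bot: `git+https://github.com/google/mandiant-ti-client` in the new `pip install` list is unpinned, so every image build installs whatever the repository's default branch points at; pin it to a tag or commit (`git+https://...@<ref>`) the way `ZEEK_VERSION` and the netbox plugins are pinned, both for reproducible builds and so that a breaking or malicious upstream push cannot land in the image unnoticed. The rest of the change, splitting the list one package per line in alphabetical order, reads well.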
Expand All @@ -133,6 +140,7 @@ RUN export BINARCH=$(uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
( find "${ZEEK_DIR}"/lib/zeek/plugins/packages -type f -name "*.hlto" -exec chmod 755 "{}" \; || true ) && \
mkdir -p "${ZEEK_DIR}"/share/zeek/site/intel/STIX && \
mkdir -p "${ZEEK_DIR}"/share/zeek/site/intel/MISP && \
mkdir -p "${ZEEK_DIR}"/share/zeek/site/intel/Mandiant && \
mkdir -p "${ZEEK_DIR}"/share/zeek/site/custom && \
touch "${ZEEK_DIR}"/share/zeek/site/intel/__load__.zeek && \
touch "${ZEEK_DIR}"/share/zeek/site/custom/__load__.zeek && \
Expand Down Expand Up @@ -174,7 +182,7 @@ RUN groupadd --gid ${DEFAULT_GID} ${PUSER} && \

# sanity checks to make sure the plugins installed and copied over correctly
# these ENVs should match the third party scripts/plugins installed by zeek_install_plugins.sh
ENV ZEEK_THIRD_PARTY_PLUGINS_GREP "(Zeek::Spicy|ANALYZER_SPICY_OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SPICY_HART_IP_UDP|ANALYZER_SPICY_HART_IP_TCP|ANALYZER_SYNCHROPHASOR_TCP|ANALYZER_GENISYS_TCP|ANALYZER_SPICY_GE_SRTP|ANALYZER_SPICY_PROFINET_IO_CM|ANALYZER_S7COMM_TCP|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::TDS)"
ENV ZEEK_THIRD_PARTY_PLUGINS_GREP "(Zeek::Spicy|ANALYZER_SPICY_OSPF|ANALYZER_SPICY_OPENVPN_UDP\b|ANALYZER_SPICY_IPSEC_UDP\b|ANALYZER_SPICY_TFTP|ANALYZER_SPICY_WIREGUARD|ANALYZER_SPICY_HART_IP_UDP|ANALYZER_SPICY_HART_IP_TCP|ANALYZER_SYNCHROPHASOR_TCP|ANALYZER_GENISYS_TCP|ANALYZER_SPICY_GE_SRTP|ANALYZER_SPICY_PROFINET_IO_CM|ANALYZER_S7COMM_TCP|Corelight::PE_XOR|ICSNPP::BACnet|ICSNPP::BSAP|ICSNPP::ENIP|ICSNPP::ETHERCAT|ICSNPP::OPCUA_Binary|Salesforce::GQUIC|Zeek::PROFINET|Zeek::TDS|Seiso::Kafka)"
ENV ZEEK_THIRD_PARTY_SCRIPTS_GREP "(bro-is-darknet/main|bro-simple-scan/scan|bzar/main|callstranger-detector/callstranger|cve-2020-0601/cve-2020-0601|cve-2020-13777/cve-2020-13777|CVE-2020-16898/CVE-2020-16898|CVE-2021-38647/omigod|CVE-2021-31166/detect|CVE-2021-41773/CVE_2021_41773|CVE-2021-42292/main|cve-2021-44228/CVE_2021_44228|cve-2022-22954/main|cve-2022-26809/main|CVE-2022-3602/__load__|hassh/hassh|http-more-files-names/main|ja4/main|pingback/detect|ripple20/ripple20|SIGRed/CVE-2020-1350|zeek-EternalSafety/main|zeek-httpattacks/main|zeek-sniffpass/__load__|zerologon/main)\.(zeek|bro)"

RUN mkdir -p /tmp/logs && \
Expand All @@ -183,7 +191,7 @@ RUN mkdir -p /tmp/logs && \
export ZEEK_THIRD_PARTY_SCRIPTS_COUNT=$(echo "$ZEEK_THIRD_PARTY_SCRIPTS_GREP" | grep -P -o "\([^)]+\)" | head -n 1 | sed "s/^(//" | sed "s/)$//" | tr '|' '\n' | wc -l) && \
"$ZEEK_DIR"/bin/zeek-offline -NN local >zeeknn.log 2>/dev/null && \
bash -c "(( $(grep -cP "$ZEEK_THIRD_PARTY_PLUGINS_GREP" zeeknn.log) >= $ZEEK_THIRD_PARTY_PLUGINS_COUNT)) && echo $ZEEK_THIRD_PARTY_PLUGINS_COUNT' Zeek plugins loaded correctly' || (echo 'One or more Zeek plugins did not load correctly' && cat zeeknn.log && exit 1)" && \
"$ZEEK_DIR"/bin/zeek-offline -C -r /tmp/pcaps/udp.pcap local policy/misc/loaded-scripts 2>/dev/null && \
"$ZEEK_DIR"/bin/zeek-offline -C -r /tmp/pcaps/udp.pcap local policy/misc/loaded-scripts >loaded_scripts.log 2>/dev/null && \
bash -c "(( $(grep -cP "$ZEEK_THIRD_PARTY_SCRIPTS_GREP" loaded_scripts.log) == $ZEEK_THIRD_PARTY_SCRIPTS_COUNT)) && echo $ZEEK_THIRD_PARTY_SCRIPTS_COUNT' Zeek scripts loaded correctly' || (echo 'One or more Zeek scripts did not load correctly' && cat loaded_scripts.log && exit 1)" && \
cd /tmp && \
rm -rf /tmp/logs /tmp/pcaps
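Review bot: the added `>loaded_scripts.log` redirect is a real fix: in the visible lines nothing else writes `loaded_scripts.log`, so the `grep -cP "$ZEEK_THIRD_PARTY_SCRIPTS_GREP" loaded_scripts.log` on the next line was not reading the output of this `zeek-offline` run at all. One asymmetry remains: the plugin check uses `>=` against `$ZEEK_THIRD_PARTY_PLUGINS_COUNT` while the scripts check uses `==`; if that is intentional (a plugin can match more than once in `zeek -NN` output), a comment would save the question next time.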
Expand All @@ -195,8 +203,9 @@ ARG ZEEK_PCAP_PROCESSOR=true
#Whether or not to run "zeek -r XXXXX.pcap local" on each pcap file
ARG ZEEK_AUTO_ANALYZE_PCAP_FILES=false
ARG ZEEK_AUTO_ANALYZE_PCAP_THREADS=1
#Whether or not to refresh intel at various points during processing
ARG ZEEK_INTEL_REFRESH_ON_ENTRYPOINT=false
#Whether or not to do first intel refresh under supervisord
ARG ZEEK_INTEL_REFRESH_ON_STARTUP=false
#Whether or not to do first intel refresh under zeekdeploy.sh
ARG ZEEK_INTEL_REFRESH_ON_DEPLOY=false
ARG ZEEK_INTEL_REFRESH_CRON_EXPRESSION=
ARG ZEEK_INTEL_ITEM_EXPIRATION=-1min
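Review bot: `ZEEK_INTEL_REFRESH_ON_ENTRYPOINT` is renamed to `ZEEK_INTEL_REFRESH_ON_STARTUP` (with the comment changed from "at various points during processing" to "under supervisord"), which is a breaking change for any existing `.env` or compose file still setting the old name: the old variable would be silently ignored and intel would simply not refresh. This diff does not show the corresponding updates to the env files, documentation, or the scripts that read the variable, nor a fallback that honours the old name with a deprecation warning; please confirm those are in the PR.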
Expand All @@ -219,7 +228,7 @@ ARG PCAP_NODE_NAME=malcolm

ENV AUTO_TAG $AUTO_TAG
ENV ZEEK_PCAP_PROCESSOR $ZEEK_PCAP_PROCESSOR
ENV ZEEK_INTEL_REFRESH_ON_ENTRYPOINT $ZEEK_INTEL_REFRESH_ON_ENTRYPOINT
ENV ZEEK_INTEL_REFRESH_ON_STARTUP $ZEEK_INTEL_REFRESH_ON_STARTUP
ENV ZEEK_INTEL_REFRESH_ON_DEPLOY $ZEEK_INTEL_REFRESH_ON_DEPLOY
ENV ZEEK_INTEL_REFRESH_CRON_EXPRESSION $ZEEK_INTEL_REFRESH_CRON_EXPRESSION
ENV ZEEK_AUTO_ANALYZE_PCAP_FILES $ZEEK_AUTO_ANALYZE_PCAP_FILES
Expand Down Expand Up @@ -249,8 +258,6 @@ ARG ZEEK_DISABLE_SSL_VALIDATE_CERTS=
ARG ZEEK_DISABLE_TRACK_ALL_ASSETS=
ARG ZEEK_DISABLE_DETECT_ROUTERS=true
ARG ZEEK_DISABLE_BEST_GUESS_ICS=true
# TODO: assess spicy-analyzer that replace built-in Zeek parsers
# for now, disable them by default when a Zeek parser exists
ARG ZEEK_DISABLE_SPICY_IPSEC=
ARG ZEEK_DISABLE_SPICY_LDAP=
ARG ZEEK_DISABLE_SPICY_OPENVPN=
Expand All @@ -260,6 +267,9 @@ ARG ZEEK_DISABLE_SPICY_TAILSCALE=
ARG ZEEK_DISABLE_SPICY_TFTP=
ARG ZEEK_DISABLE_SPICY_WIREGUARD=
ARG ZEEK_SYNCHROPHASOR_DETAILED=
ARG ZEEK_KAFKA_ENABLED=
ARG ZEEK_KAFKA_BROKERS=kafka.local:9091
ARG ZEEK_KAFKA_TOPIC=zeek

ENV ZEEK_DISABLE_STATS $ZEEK_DISABLE_STATS
ENV ZEEK_DISABLE_HASH_ALL_FILES $ZEEK_DISABLE_HASH_ALL_FILES
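Review bot: `ZEEK_KAFKA_BROKERS=kafka.local:9091` is an odd default: Kafka's conventional listener port is 9092, so if 9091 is deliberate a comment should say so, and if not it is a typo that will cost someone a debugging session. There are also no companion variables for TLS or SASL alongside `ZEEK_KAFKA_ENABLED`, `ZEEK_KAFKA_BROKERS` and `ZEEK_KAFKA_TOPIC`, so when Kafka output is enabled the Zeek logs leave the container in plaintext to whatever host answers `kafka.local`; if the plugin accepts librdkafka security settings, exposing them here (or documenting how they are meant to be supplied) is worth doing before release.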
Expand All @@ -278,6 +288,9 @@ ENV ZEEK_DISABLE_SPICY_TAILSCALE $ZEEK_DISABLE_SPICY_TAILSCALE
ENV ZEEK_DISABLE_SPICY_TFTP $ZEEK_DISABLE_SPICY_TFTP
ENV ZEEK_DISABLE_SPICY_WIREGUARD $ZEEK_DISABLE_SPICY_WIREGUARD
ENV ZEEK_SYNCHROPHASOR_DETAILED $ZEEK_SYNCHROPHASOR_DETAILED
ENV ZEEK_KAFKA_ENABLED $ZEEK_KAFKA_ENABLED
ENV ZEEK_KAFKA_BROKERS $ZEEK_KAFKA_BROKERS
ENV ZEEK_KAFKA_TOPIC $ZEEK_KAFKA_TOPIC

# This is in part to handle an issue when running with rootless podman and
# "userns_mode: keep-id". It seems that anything defined as a VOLUME