My Days in the 'Cloud' - Zeek (Deployment)

Optional Dependencies

PF_RING

Reference:

$ sudo git clone https://github.com/ntop/PF_RING.git
$ cd PF_RING/userland/lib
$ ./configure
$ sudo make install

$ cd ../libpcap
$ ./configure
$ sudo make install

$ cd ../tcpdump
$ ./configure
$ sudo make install

$ cd ../../kernel
$ make
$ sudo make install

$ sudo modprobe pf_ring enable_tx_capture=0 min_num_slots=65536

Load pf_ring at boot

$ echo 'pf_ring' | sudo tee -a /etc/modules
$ sudo reboot

root@ubuntu:~# lsmod | grep pf_ring
pf_ring 1245184 0

GeoLocation

Reference:

$ sudo apt-get install libmaxminddb-dev
$ wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
$ tar zxf GeoLite2-City.tar.gz
$ mkdir -p /usr/share/GeoIP
$ mv GeoLite2-City_20190702/GeoLite2-City.mmdb /usr/share/GeoIP/

Testing

$ zeek -e "print lookup_location(8.8.8.8);"

If nothing is found, or mmdb_dir is not set, Zeek looks for the location database file in the following order:

  • /usr/share/GeoIP/GeoLite2-City.mmdb
  • /var/lib/GeoIP/GeoLite2-City.mmdb
  • /usr/local/share/GeoIP/GeoLite2-City.mmdb
  • /usr/local/var/GeoIP/GeoLite2-City.mmdb
  • /usr/share/GeoIP/GeoLite2-Country.mmdb
  • /var/lib/GeoIP/GeoLite2-Country.mmdb
  • /usr/local/share/GeoIP/GeoLite2-Country.mmdb
  • /usr/local/var/GeoIP/GeoLite2-Country.mmdb

If you see “Zeek was not configured for GeoIP support”, you need to pass ./configure --with-geoip=/usr/share/GeoIP when building from source.


Gperftools

Reference:

$ sudo git clone https://github.com/gperftools/gperftools.git
$ sudo apt-get install libunwind-dev autoconf automake libtool
$ cd gperftools
$ ./autogen.sh
$ ./configure
$ make
$ sudo make install

IPsumdump

Reference:

$ curl -O http://www.read.seas.harvard.edu/~kohler/ipsumdump/ipsumdump-1.86.tar.gz
$ tar -xzf ipsumdump-1.86.tar.gz
$ cd ipsumdump-1.86
$ ./configure --prefix=/usr/
$ make
$ sudo make install
$ sudo make clean

Krb5

Reference:

$ sudo apt-get install krb5-user

Jemalloc

Reference:

$ sudo git clone https://github.com/jemalloc/jemalloc.git
$ cd jemalloc
$ ./autogen.sh
$ make -j2
$ sudo make install
$ sudo ldconfig

Zeek

Required Dependencies

# Ubuntu
$ sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

If your system uses Python 2.7, then you will also need to install the python-ipaddress package.

$ sudo apt-get install python-ipaddress

Reference:

$ git clone --recursive https://github.com/zeek/zeek
$ cd zeek
$ ./configure --with-pcap=/usr/local --with-geoip=/usr/share/GeoIP --enable-jemalloc --enable-perftools
$ make
$ sudo make install

Make sure Zeek is linked against the intended libpcap library:

$ ldd /usr/local/zeek/bin/zeek | grep pcap
libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x00007fd5b3cfc000)

Add PATH

$ export PATH=/usr/local/zeek/bin:$PATH

$ vim ~/.bashrc
export PATH=/usr/local/zeek/bin:$PATH

$ source ~/.bashrc

Using PF_RING

$ vim /usr/local/zeek/etc/node.cfg

# Example ZeekControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.

# This is a complete standalone configuration. Most likely you will
# only need to change the interface.
# [zeek]
# type=standalone
# host=localhost
# interface=ens33

## Below is an example clustered configuration. If you use this,
## remove the [zeek] node above.

#[logger]
#type=logger
#host=localhost
#
[manager]
type=manager
host=localhost
#
[proxy-1]
type=proxy
host=localhost
#
[worker-1]
type=worker
host=localhost
interface=ens33
lb_method=pf_ring
lb_procs=35
pin_cpus=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34
#
#[worker-2]
#type=worker
#host=localhost
#interface=eth0

Enable JSON logging

$ vim /usr/local/zeek/share/zeek/site/local.zeek

# Uncomment the following line to enable logging of link-layer addresses. Enabling
# this adds the link-layer address for each connection endpoint to the conn.log file.
# @load policy/protocols/conn/mac-logging
#
@load policy/tuning/json-logs.zeek

Load testing

  1. Check for packet drops
$ zeekctl netstats; date
worker-1-1: 1585999488.317958 recvd=18 dropped=0 link=18
worker-1-2: 1585999488.335990 recvd=0 dropped=0 link=0
worker-1-3: 1585999488.345568 recvd=2 dropped=0 link=2
Sat Apr 4 04:24:48 PDT 2020
  2. Check resource usage
$ zeekctl top; date
Name Type Host Pid VSize Rss Cpu Cmd
manager manager localhost 4818 1G 87M 0% zeek
proxy-1 proxy localhost 4870 649M 85M 0% zeek
worker-1-1 worker localhost 4948 655M 92M 0% zeek
worker-1-2 worker localhost 4952 655M 92M 0% zeek
worker-1-3 worker localhost 4954 655M 92M 0% zeek
Sat Apr 4 04:24:52 PDT 2020
  3. Check traffic volume (10-second average)
$ zeekctl capstats; date
Interface kpps mbps (10s average)
----------------------------------------
localhost/ens5 37.8 375.2
Fri Aug 16 16:12:47 UTC 2019
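The drop check above is done by eye; as an added example that is not part of the original post, the script below parses `zeekctl netstats` output (a constructed sample in the same format is embedded, with worker-1-2 deliberately given drops), reports each worker's drop percentage against its link count, and fails when any worker exceeds a threshold, since dropped packets are traffic no detection script ever saw.

```shell
#!/bin/sh
# Constructed sample in the format printed by `zeekctl netstats`;
# the numbers are made up, and worker-1-2 is given drops on purpose.
SAMPLE_NETSTATS='worker-1-1: 1585999488.317958 recvd=18000 dropped=0 link=18000
worker-1-2: 1585999488.335990 recvd=9500 dropped=500 link=10000
worker-1-3: 1585999488.345568 recvd=2000 dropped=0 link=2000'

# Read netstats text on stdin and print one line per worker:
#   <worker> <dropped> <link> <drop-percent>
# link is what the NIC saw, so dropped/link is the share of traffic
# the worker never analysed (a blind spot for every detection script).
netstats_drop_report() {
    awk '
        /dropped=/ {
            name = $1; sub(/:$/, "", name)
            split("", v)                      # clear per-line key/value map
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                v[kv[1]] = kv[2]
            }
            pct = (v["link"] > 0) ? v["dropped"] * 100 / v["link"] : 0
            printf "%s %d %d %.2f\n", name, v["dropped"], v["link"], pct
        }'
}

# Print the report and return 1 if any worker drops more than $1 percent
# of its link traffic, 0 otherwise. Live use: zeekctl netstats | check_drops 1
check_drops() {
    netstats_drop_report | awk -v t="$1" '
        { print }
        $4 + 0 > t + 0 { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}
```

Run it from cron or a monitoring agent against the live `zeekctl netstats` output and alert on a non-zero exit; raise lb_procs or pin_cpus before trusting the logs from a worker that is dropping.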

References