def onStart(self):
    """
    Application start-up hook.

    Applies the colourful npyscreen theme, builds a ScriptConfigManager from the
    ZEEK_SCRIPTS entry of the environment file, and registers the main form.
    A missing ZEEK_SCRIPTS key surfaces as a KeyError from the dict lookup.
    """
    npyscreen.setTheme(npyscreen.Themes.ColorfulTheme)
    environment = get_environment_file_dict()
    scripts_directory = environment['ZEEK_SCRIPTS']
    self.zeek_script_config = config.ScriptConfigManager(scripts_directory)
    self.addForm('MAIN', ZeekScriptSettingsForm, name='Zeek Script Configuration')
def onStart(self):
    """
    Application start-up hook.

    Applies the colourful npyscreen theme, builds a ScriptConfigManager from the
    ZEEK_SCRIPTS entry of the environment file (with const.CONFIG_BACKUP_PATH as the
    backup directory for configuration writes), and registers the main form.
    A missing ZEEK_SCRIPTS key surfaces as a KeyError from the dict lookup.
    """
    npyscreen.setTheme(npyscreen.Themes.ColorfulTheme)
    environment = get_environment_file_dict()
    # Single-argument join is kept as in the original; it normalises the path type only.
    backup_directory = os.path.join(const.CONFIG_BACKUP_PATH)
    self.zeek_script_config = config.ScriptConfigManager(
        environment['ZEEK_SCRIPTS'],
        backup_configuration_directory=backup_directory)
    self.addForm('MAIN', ZeekScriptSettingsForm, name='Zeek Script Configuration')
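def analyze(cls, pcap_path, name=None, description=None, keep_pcap=True):
    """
    Given a PCAP path on disk; analyze that pcap with Zeek storing the results in a directory
    deterministically identified by hashing the pcap file.

    Zeek is executed directly (argv list, no shell) with the session directory as its
    working directory, so a pcap path, install path or script name containing shell
    metacharacters is passed through verbatim rather than interpreted by /bin/sh.
    Zeek's exit status and output are not inspected; the session directory is created
    and the metadata record appended regardless of whether Zeek succeeded.

    :param pcap_path: The path to the pcap file on disk
    :param name: The name of the pcap (short descriptor); reduced to alphanumerics and
                 truncated to 64 characters before being stored
    :param description: A long description for the pcap; truncated to 1024 characters
    :param keep_pcap: If True, we'll save a copy of the pcap to disk after analysis
    :return: A ZeekReplay instance
    """
    if name:
        name = re.sub("[^0-9a-zA-Z]+", "", name)[0:64]
    if description:
        description = description[0:1024]
    environment_variables = utilities.get_environment_file_dict()
    install_directory = environment_variables.get('ZEEK_HOME')
    scripts_directory = environment_variables.get('ZEEK_SCRIPTS')
    # The replay id is the hash of the pcap, so re-analysing the same capture reuses the
    # same session directory and appends a further record to its .metadata file.
    pcap_replay_id = utilities.get_filepath_md5_hash(pcap_path)
    replay_session = os.path.join(REPLAY_ROOT, str(pcap_replay_id))
    utilities.makedirs(replay_session)
    zeek_bin_path = os.path.join(install_directory, 'bin', 'zeek')
    zeek_scripts_config = config.ScriptConfigManager(scripts_directory)
    # Build argv instead of a 'cd <session>; zeek ...' shell string: the previous
    # shell=True invocation allowed command injection through any of these values,
    # and split enabled-script names on whitespace.
    command = [zeek_bin_path, '-r', pcap_path]
    command.extend(zeek_scripts_config.list_enabled_scripts())
    command.append('-C')
    child = Popen(command, cwd=replay_session, stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True)
    child.communicate()
    # Write our metadata to disk (append: one JSON object per line per analysis run).
    with open(os.path.join(replay_session, '.metadata'), 'a') as meta_f:
        meta_f.write(
            json.dumps({
                'time': time.time(),
                'name': name,
                'description': description
            }) + '\n')
    # Copy over the pcap if we want to keep it.
    if keep_pcap:
        shutil.copy(pcap_path, os.path.join(replay_session, pcap_replay_id + '.pcap'))
    return cls(pcap_replay_id)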
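def setup_dynamite_zeek_scripts(self):
    """
    Installs and enables extra dynamite Zeek scripts.

    Steps, in order:
      1. Copy the bundled dynamite_extra_scripts tree from the install cache into the
         Zeek configuration directory.
      2. Rewrite site/local.zeek so that it contains the existing '@load' lines, one
         '@load' per entry of dynamite_extra_scripts, then the existing 'redef' lines.
         Any other line of the original local.zeek is discarded by this rewrite.
      3. Install the af_packet and community-id plugins.
      4. Disable a fixed set of stock Zeek scripts and write the script configuration.

    :raises zeek_exceptions.InstallZeekError: If any of the steps above fails. Directory
             creation and copy failures now raise as well; previously the exception was
             constructed but never raised, so the install continued after those errors.
    """
    self.logger.info('Setting up Zeek scripts.')
    install_cache_extra_scripts_path = \
        os.path.join(const.DEFAULT_CONFIGS, 'zeek', 'dynamite_extra_scripts')
    if not os.path.exists(install_cache_extra_scripts_path):
        self.logger.error('dynamite_extra_scripts not found in install_cache.')
        raise zeek_exceptions.InstallZeekError(
            "Third party scripts could not be installed; could not locate {}".format(
                install_cache_extra_scripts_path))
    extra_scripts_path = os.path.join(self.configuration_directory, 'dynamite_extra_scripts')
    try:
        utilities.makedirs(extra_scripts_path, exist_ok=True)
    except Exception as e:
        self.logger.error('General error occurred while creating dynamite_extra_scripts directory.')
        self.logger.debug("General error occurred while creating dynamite_extra_scripts directory; {}".format(e))
        raise zeek_exceptions.InstallZeekError(
            "General error occurred while creating dynamite_extra_scripts directory; {}".format(e))
    self.logger.info("Installing third-party Zeek scripts.")
    try:
        utilities.copytree(install_cache_extra_scripts_path, extra_scripts_path)
    except Exception as e:
        self.logger.error("General error occurred while copying files to dynamite_extra_scripts directory.")
        self.logger.debug(
            "General error occurred while copying files to dynamite_extra_scripts directory; {}".format(e))
        raise zeek_exceptions.InstallZeekError(
            "General error occurred while copying files to dynamite_extra_scripts directory; {}".format(e))

    zeek_site_local_path = os.path.join(self.configuration_directory, 'site', 'local.zeek')
    load_lines = []
    redef_lines = []
    try:
        with open(zeek_site_local_path, 'r') as rf:
            for line in rf.readlines():
                # Substring match, as in the original: '@load-sigs' lines are kept with the
                # '@load' group, and a 'redef' anywhere in a line keeps it with the redefs.
                if '@load' in line:
                    load_lines.append(line.strip())
                elif 'redef' in line:
                    redef_lines.append(line.strip())
    except Exception as e:
        # The original formatted the exception where the path belongs.
        self.logger.error("General error occurred while reading {}.".format(zeek_site_local_path))
        self.logger.debug("General error occurred while reading {}; {}".format(zeek_site_local_path, e))
        raise zeek_exceptions.InstallZeekError(
            "General error occurred while reading {}; {}".format(zeek_site_local_path, e))
    try:
        # open('w') truncates first; if a later write fails, local.zeek is left partial.
        with open(zeek_site_local_path, 'w') as wf:
            wf.write(''.join(line + '\n' for line in load_lines))
            # Every entry present in the directory is loaded, including anything that was
            # already there before the copy (the directory is reused when it exists).
            # sorted() makes the generated file deterministic; os.listdir order is not.
            for script_dir in sorted(os.listdir(extra_scripts_path)):
                wf.write('@load {}\n'.format(os.path.join(extra_scripts_path, script_dir)))
            wf.write(''.join(line + '\n' for line in redef_lines))
    except Exception as e:
        self.logger.error("General error occurred while writing {}.".format(zeek_site_local_path))
        self.logger.debug("General error occurred while writing {}; {}".format(zeek_site_local_path, e))
        raise zeek_exceptions.InstallZeekError(
            "General error occurred while writing {}; {}".format(zeek_site_local_path, e)
        )
    self.setup_zeek_af_packet_plugin()
    self.setup_zeek_community_id_plugin()

    self.logger.info('Disabling unneeded Zeek scripts.')
    try:
        script_config = zeek_configs.ScriptConfigManager(self.configuration_directory)
    except zeek_exceptions.ReadsZeekConfigError:
        self.logger.error('Could not read Zeek script configuration.')
        raise zeek_exceptions.InstallZeekError("Could not read Zeek script configuration.")
    # Stock scripts switched off after install. NOTE(review): this removes several
    # detections (SQLi, SSH/FTP brute-forcing, Heartbleed, weak TLS keys, OCSP/SCT
    # validation, MHR file lookups) from the default deployment; confirm that is intended.
    # The duplicate 'protocols/smtp/blocklists' entry from the original list is dropped.
    unneeded_scripts = (
        'protocols/ftp/detect',
        'protocols/ftp/software',
        'protocols/ftp/detect-bruteforcing',
        'protocols/dns/detect-external-names',
        'protocols/http/detect-sqli',
        'protocols/http/detect-webapps',
        'protocols/krb/ticket-logging',
        'protocols/rdp/indicate_ssl',
        'protocols/smb/log-cmds',
        'protocols/smtp/blocklists',
        'protocols/smtp/detect-suspicious-orig',
        'protocols/smtp/entities-excerpt',
        'protocols/smtp/software',
        'protocols/ssh/detect-bruteforcing',
        'protocols/ssh/geo-data',
        'protocols/ssh/interesting-hostnames',
        'protocols/ssh/software',
        'protocols/ssl/expiring-certs',
        'protocols/ssl/extract-certs-pem',
        'protocols/ssl/heartbleed',
        'protocols/ssl/known-certs',
        'protocols/ssl/notary',
        'protocols/ssl/validate-ocsp',
        'protocols/ssl/validate-sct',
        'protocols/ssl/weak-keys',
        'frameworks/dpd/detect-protocols',
        'frameworks/dpd/packet-segment-logging',
        'frameworks/files/detect-MHR',
        'frameworks/files/entropy-test-all-files',
        'frameworks/files/extract-all-files',
        'frameworks/files/hash-all-files',
        'policy/frameworks/notice/extend-email/hostnames',
    )
    try:
        for script in unneeded_scripts:
            self.logger.debug('Disabling Zeek Script: {}'.format(script))
            script_config.disable_script(script)
    except zeek_exceptions.ZeekScriptNotFoundError:
        self.logger.error('Could not disable one or more Zeek scripts.')
        raise zeek_exceptions.InstallZeekError("Could not disable one or more Zeek scripts.")
    try:
        script_config.write_config()
    except zeek_exceptions.WriteZeekConfigError:
        self.logger.error('Could not write Zeek script configuration.')
        raise zeek_exceptions.InstallZeekError("Could not write Zeek script configuration.")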