Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-15 04:58:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
No description
9661 commits 389 branches 197 tags 279 MiB
Find a file
Arne Welzel 4b4595f5db ScannedFile: Identify already scanned files by device and inode 
Zeek scripts located on separate filesystems, but sharing the same inode
number leads to scripts not being loaded. The reason is that a `ScannedFile`
is only identified by `st_ino` which is not enough to uniquely identify a
file in a system.

This problem may be hit when `ZEEKPATH` points to separate filesystems and
two script files happen have the same `st_ino` value - definitely not very
likely, but possibly very confusing when it happens.

The following test case creates two zeek scripts on separate filesystems.
As the filesystems are freshly created and of the same type, the files will
(tested a few times with xfs/ext4) have the same `st_ino` values.

    #!/bin/bash
    ZEEKDIR=${ZEEKDIR:-/home/awelzel/projects/zeek}
    export ZEEKPATH=.:${ZEEKDIR}/build/scripts:${ZEEKDIR}/scripts

    cat << EOF > hello.zeek
    event zeek_init() {
        print("Hello, once or twice?");
    }
    EOF

    for i in 1 2 ; do
        dd if=/dev/urandom of=img${i} count=16 bs=1M 2>/dev/null
        sudo mkfs.xfs -q ./img${i}
        mkdir -p mount${i}
        sudo mount ./img${i} ./mount${i}
        sudo cp hello.zeek ./mount${i}/hello.zeek
    done

    ls ./mount*/*zeek
    stat -c "%n: device=%d inode=%i" ./mount*/hello.zeek

    ${ZEEKDIR}/build/src/zeek -b ./mount1/hello.zeek ./mount2/hello.zeek

    # Cleanup
    for i in 1 2 ; do
        sudo umount ./mount${i}
        rm -rfv ./img${i} ./mount${i}
        rm -rfv hello.zeek
    done

Before this patch, `Hello, once or twice?` is printed only once,
afterwards twice:

    $ sh testcase.sh
    [sudo] password for awelzel:
    ./mount1/hello.zeek  ./mount2/hello.zeek
    ./mount1/hello.zeek: device=1794 inode=6915
    ./mount2/hello.zeek: device=1795 inode=6915
    Hello, once or twice?
    Hello, once or twice?
2020-02-23 17:26:08 +01:00
.github/workflows Switch GitHub Action for CI emails to use zeek organization 2020-02-06 13:06:56 -08:00
aux Updating submodule(s). 2020-02-22 11:55:34 -08:00
ci Fix CI to checkout right commit of zeek-testing-private 2020-02-21 22:57:53 -08:00
cmake@84e81d909d Updating submodule(s). 2020-02-10 12:12:02 -08:00
doc@16d3ab7149 Fix broken links in documentation 2020-02-08 15:48:11 -08:00
man Rename all BRO-prefixed environment variables 2019-05-22 00:12:31 -05:00
scripts GH-780: Prevent log batches from indefinite buffering 2020-02-05 13:06:52 -08:00
src ScannedFile: Identify already scanned files by device and inode 2020-02-23 17:26:08 +01:00
testing Fix code format of various reporter btests 2020-02-14 22:03:11 -08:00
.cirrus.yml Use 2 btest retries for CI 2020-02-06 17:47:38 -08:00
.clang-tidy Change over to whitelisting clang-tidy options instead of blacklisting 2019-08-12 13:59:17 -07:00
.gitattributes Make github identify our Flex source correctly. 2019-08-23 14:27:06 -04:00
.gitignore Add CLion directories to gitignore 2019-05-30 16:00:18 -07:00
.gitmodules Initial paraglob integration. 2019-06-04 14:24:51 -07:00
.travis.yml Disable Travis leak test 2020-02-03 13:21:32 -08:00
.update-changes.cfg Add script to update external test repo commit pointers 2019-04-05 17:09:01 -07:00
CHANGES Update a URL in CI README 2020-02-21 21:24:31 -08:00
CMakeLists.txt GH-808: Add ZEEK_VERSION_NUMBER definition to zeek-config.h 2020-02-23 09:55:20 +00:00
configure Merge branch 'master' of https://github.com/ffontaine/zeek 2020-02-03 13:05:50 -08:00
COPYING Update license year for 2018 2018-11-01 13:54:07 -05:00
COPYING.3rdparty Modify IOSource Manager to implement new loop architecture 2020-01-31 10:13:09 -07:00
INSTALL Make INSTALL a symlink to doc/install/install.rst 2015-03-13 15:45:20 -05:00
Makefile More bro-to-zeek renaming in scripts and other files 2019-05-16 02:36:41 -05:00
NEWS Update to start of 3.2.0 development 2020-02-08 16:08:01 -08:00
README Fix hello world script in the readme. 2019-07-31 14:43:18 -04:00
README.md Use new Zeek Logo instead of Bro Eyes on README.md 2019-12-02 10:13:33 -08:00
VERSION Update a URL in CI README 2020-02-21 21:24:31 -08:00
zeek-config.h.in GH-808: Add ZEEK_VERSION_NUMBER definition to zeek-config.h 2020-02-23 09:55:20 +00:00
zeek-config.in Rename directories from bro to zeek 2019-05-24 03:32:14 -05:00
zeek-path-dev.in Rename all BRO-prefixed environment variables 2019-05-22 00:12:31 -05:00
zeek-wrapper.in Merge remote-tracking branch 'origin/topic/robin/631-deprecation-v2' 2020-01-30 19:19:56 -08:00

README.md

Zeek Logo

The Zeek Network Security Monitor

A powerful framework for network traffic analysis and security monitoring.

Key FeaturesDocumentationGetting StartedDevelopmentLicense

Follow us on Twitter at @zeekurity.

Key Features

  • In-depth Analysis Zeek ships with analyzers for many protocols, enabling high-level semantic analysis at the application layer.

  • Adaptable and Flexible Zeek's domain-specific scripting language enables site-specific monitoring policies and means that it is not restricted to any particular detection approach.

  • Efficient Zeek targets high-performance networks and is used operationally at a variety of large sites.

  • Highly Stateful Zeek keeps extensive application-layer state about the network it monitors and provides a high-level archive of a network's activity.

Getting Started

The best place to find information about getting started with Zeek is our web site www.zeek.org, specifically the documentation section there. On the web site you can also find downloads for stable releases, tutorials on getting Zeek set up, and many other useful resources.

You can find release notes in NEWS, and a complete record of all changes in CHANGES.

To work with the most recent code from the development branch of Zeek, clone the master git repository:

git clone --recursive https://github.com/zeek/zeek

With all dependencies in place, build and install:

./configure && make && sudo make install

Write your first Zeek script:

# File "hello.zeek"

event zeek_init()
    {
    print "Hello World!";
    }

And run it:

zeek hello.zeek

For learning more about the Zeek scripting language, try.zeek.org is a great resource.

Development

Zeek is developed on GitHub by its community. We welcome contributions. Working on an open source project like Zeek can be an incredibly rewarding experience and, packet by packet, makes the Internet a little safer. Today, as a result of countless contributions, Zeek is used operationally around the world by major companies and educational and scientific institutions alike for securing their cyber infrastructure.

If you're interested in getting involved, we collect feature requests and issues on GitHub here and you might find these to be a good place to get started. More information on Zeek's development can be found here, and information about its community and mailing lists (which are fairly active) can be found here.

License

Zeek comes with a BSD license, allowing for free use with virtually no restrictions. You can find it here.