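# syntax=docker/dockerfile:1

# Zeek sensor image: builds Zeek from source, installs the site scripts and a
# set of zkg packages, and at runtime starts sshd + cron and runs
# `zeekctl deploy` as the unprivileged `zeek` user.
#
# PLATFORM is kept so existing `--build-arg PLATFORM=...` invocations still
# work; nothing below consumes it. Select the target with `docker build
# --platform` instead.
ARG PLATFORM=linux/amd64

# TODO(pin): pin by digest (ubuntu:noble@sha256:<digest-placeholder>) so
# rebuilds are reproducible and reviewable.
FROM ubuntu:noble

# Two ENV instructions on purpose: a value set in one ENV is not visible to
# other keys in the same instruction.
ENV ZEEK_HOME=/usr/local/zeek
ENV PATH="${ZEEK_HOME}/bin:${PATH}"

# Toolchain and runtime libraries. `update` and `install` share a layer so a
# cached, stale package index can never be paired with a fresh install, and
# the lists are removed in the same layer (a later rm does not shrink the
# image). wget is intentionally not installed: nothing in this file used it
# and the original removed it again at the end.
# NOTE(review): versions are unpinned (pkg=<version>), so the package set is
# not reproducible across rebuilds; --no-install-recommends was not added
# because the runtime's reliance on recommended packages is unverified.
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y \
        bison \
        build-essential \
        ca-certificates \
        cmake \
        cron \
        ethtool \
        flex \
        g++ \
        gcc \
        gettext \
        git \
        iproute2 \
        iputils-ping \
        libbrotli-dev \
        libcap2-bin \
        libfl-dev \
        libmaxminddb-dev \
        libnghttp2-dev \
        libpcap-dev \
        libssl-dev \
        lshw \
        make \
        nano \
        net-tools \
        nodejs \
        openssh-client \
        openssh-server \
        passwd \
        python3 \
        python3-dev \
        python3-jinja2 \
        python3-pip \
        python3-requests \
        python3-yaml \
        rsync \
        sendmail \
        swig \
        zlib1g-dev && \
    update-ca-certificates && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# zkg (Zeek package manager) and its Python dependencies. noble's interpreter
# is PEP 668 "externally managed", hence --break-system-packages; the pip
# cache is not kept in the layer.
# NOTE(review): unpinned; pin zkg==<version> (and the two libraries) for
# reproducible builds.
RUN pip3 install --no-cache-dir --break-system-packages GitPython semantic-version zkg

# Runtime identity. The entrypoint runs `zeekctl deploy` as this user, so it
# must exist in the image (the original left its creation commented out,
# which made `su - zeek` fail at container start). Fixed UID/GID so host-side
# ownership and runtime policies can refer to it.
RUN groupadd -g 9000 cyber-user-group && \
    useradd -r -u 9000 -g cyber-user-group -m zeek

# Build Zeek from source.
#   ZEEK_GIT_REF: optional branch/tag to check out; empty keeps the previous
#                 behaviour (default branch).
#   MAKE_JOBS:    parallel make jobs; default 1 matches the original's
#                 resource footprint, raise it on builders with enough RAM.
# The checkout is deleted in this same layer so the source tree never
# persists in the image. The symlink is only created when ZEEK_HOME differs
# from /usr/local/zeek; with the default value the original `ln -sfn`
# produced a self-referencing /usr/local/zeek/zeek link.
# NOTE(review): the clone is neither pinned to a commit nor verified; pin a
# reviewed tag/commit before trusting builds from it.
ARG ZEEK_GIT_REF=""
ARG MAKE_JOBS=1
WORKDIR /opt
RUN git clone --recursive ${ZEEK_GIT_REF:+--branch "${ZEEK_GIT_REF}"} https://git.leargas.io/pk/zeek zeek && \
    cd zeek && \
    ./configure --prefix="${ZEEK_HOME}" && \
    make -j"${MAKE_JOBS}" && \
    make install && \
    cd /opt && \
    rm -rf /opt/zeek && \
    if [ "${ZEEK_HOME}" != /usr/local/zeek ]; then ln -sfn "${ZEEK_HOME}" /usr/local/zeek; fi && \
    mkdir -p "${ZEEK_HOME}/spool" "${ZEEK_HOME}/logs" && \
    chown -R zeek:cyber-user-group "${ZEEK_HOME}/spool" "${ZEEK_HOME}/logs"

# Local site content (must be in the build context). COPY creates the
# destination directory, so no separate mkdir layer is needed.
COPY capitalone ${ZEEK_HOME}/share/zeek/site/scripts/capitalone

# Zeek packages. Each install is attempted independently and a failure is
# reported rather than silently skipping everything after it (the original's
# single trailing `|| true` masked any failure in the whole chain). The build
# still succeeds when a package fails, as before; grep the build log for
# [WARN] to catch it.
# NOTE(review): packages are cloned unpinned from git.leargas.io; pin with
# `--version <tag>` once each package has been reviewed.
RUN zkg autoconfig --force && \
    for pkg in bzar hassh ja3 file-extraction mdns; do \
        zkg install --force "https://git.leargas.io/pk/${pkg}" || \
            echo "[WARN] zkg install of ${pkg} failed; continuing" >&2; \
    done

# File capabilities so packet capture works for the unprivileged zeek user.
# `|| true` preserves the original best-effort handling for binaries that may
# be absent. NOTE(review): zeekctl appears to be a script, and file
# capabilities do not carry over to an interpreter, so the last line is
# probably a harmless no-op — confirm before removing.
RUN setcap cap_net_raw,cap_net_admin=eip "${ZEEK_HOME}/bin/zeek" || true && \
    setcap cap_net_raw,cap_net_admin=eip "${ZEEK_HOME}/bin/capstats" || true && \
    setcap cap_net_raw,cap_net_admin=eip "${ZEEK_HOME}/bin/zeekctl" || true

# sshd runtime directories and root's outbound ssh client config. printf is
# used instead of echo so the newlines do not depend on the shell's echo.
# Host keys are NOT generated here: an image-time `ssh-keygen -A` bakes one
# key set into every container started from the image; the entrypoint
# generates them per container instead.
# NOTE(review): StrictHostKeyChecking=no with UserKnownHostsFile=/dev/null
# disables host-key verification for every outbound ssh from root (kept as
# configured, presumably for zeekctl cluster management). Shipping a
# known_hosts for the peers would close that gap.
RUN mkdir -p /var/run/sshd /etc/ssh /root/.ssh && \
    chmod 700 /root/.ssh && \
    printf '%s\n' 'Host *' '    StrictHostKeyChecking no' '    UserKnownHostsFile=/dev/null' > /root/.ssh/config && \
    chmod 600 /root/.ssh/config

# Configuration files (must be in the build context). Modes are set
# explicitly so file modes from the build context do not leak into the image
# and the files stay readable by the zeek user; the original's chmod/chown
# for the MMDB were commented out.
COPY --chmod=644 local.zeek ${ZEEK_HOME}/share/zeek/site/local.zeek
COPY --chmod=644 zeekctl.cfg ${ZEEK_HOME}/etc/zeekctl.cfg
COPY --chown=zeek:cyber-user-group --chmod=644 GeoLite2-City.mmdb /opt/GeoLite2-City.mmdb

# Entrypoint (quoted heredoc: nothing is expanded at build time). Same steps
# as the original inline CMD, plus: per-container host keys, an absolute
# zeekctl path (`su -` resets PATH, so the image PATH is not inherited), and
# a TERM/INT trap so `docker stop` stops Zeek instead of timing out.
COPY --chmod=755 <<'EOF' /usr/local/bin/entrypoint.sh
#!/bin/bash
# Tune NICs, start sshd and cron, deploy Zeek as the zeek user, then wait.
# `set -e` reproduces the original `&&` chain: any failed step aborts start.
set -eu

echo "[INFO] Disabling NIC offloading (if interfaces exist)..."
for i in enp0s3 ens33 ens34 ens192 ens160 eth0 eth1 eth4 eth5 br0 enp11s0f1 enp11s0f0 enp10s0f1 enp10s0f0; do
    if ip link show "$i" &>/dev/null; then
        echo "[INFO] Tuning $i..."
        for n in lro tso gso gro; do
            /sbin/ethtool -K "$i" "$n" off 2>/dev/null || true
        done
    fi
done

echo "[INFO] Starting SSH daemon and cron..."
# Only missing host keys are created, so keys persist across restarts of the
# same container but differ between containers.
mkdir -p /run/sshd
ssh-keygen -A
service cron start
/usr/sbin/sshd

echo "[INFO] Starting Zeek..."
su - zeek -c "${ZEEK_HOME}/bin/zeekctl deploy"

stop_zeek() {
    echo "[INFO] Stopping Zeek..."
    su - zeek -c "${ZEEK_HOME}/bin/zeekctl stop" || true
    exit 0
}
trap stop_zeek TERM INT

# Idle in the background and wait, so the trap above can run on docker stop.
tail -f /dev/null &
wait $!
EOF

# Root is required for sshd, cron and NIC tuning; Zeek itself is dropped to
# the zeek user inside the entrypoint.
USER root

# Documentation only: sshd listens on its default port.
EXPOSE 22

CMD ["/usr/local/bin/entrypoint.sh"]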