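# syntax=docker/dockerfile:1
#
# Zeek network sensor image.
#
# Builds Zeek from a self-hosted fork, installs a fixed set of zkg packages and
# at start-up runs zeekctl (as the unprivileged `zeek` account) alongside sshd
# and cron.  Everything below FROM runs as root because sshd, cron and the NIC
# tuning in the start-up script need it; Zeek itself does not.
#
# Build context must contain:
#   capitalone/          site scripts -> ${ZEEK_HOME}/share/zeek/site/scripts/capitalone
#   local.zeek           Zeek site policy
#   zeekctl.cfg          zeekctl configuration
#   GeoLite2-City.mmdb   MaxMind GeoIP database (licensed: treat the image as non-public)
#
# NOTE(review): this is a single-stage image, so compilers, headers, git and pip
# stay in the final layers.  A build stage that copies only ${ZEEK_HOME} into a
# slim runtime stage would shrink it and cut the attack surface, but the exact
# runtime library set is not visible here, so that refactor is left for later.

# NOTE(review): PLATFORM is declared but never consumed (FROM does not use it),
# so it has no effect on the build; pass `docker build --platform ...` instead.
ARG PLATFORM=linux/amd64

# Parameterised so a digest-pinned base can be supplied without editing this
# file, e.g. --build-arg BASE_IMAGE=ubuntu:noble@sha256:<digest>
ARG BASE_IMAGE=ubuntu:noble
FROM ${BASE_IMAGE}

# Install prefix for Zeek; zkg, zeekctl and the site scripts all live under it
# and every later path is derived from it.
ENV ZEEK_HOME=/usr/local/zeek
ENV PATH="${ZEEK_HOME}/bin:${PATH}"

# Fixed ids for the Zeek service account so bind-mounted log/spool volumes can
# be chowned predictably on the host.
ARG ZEEK_UID=9000
ARG ZEEK_GID=9000

# Explicit: the remaining build steps and the start-up script need root.
USER root

# Build and runtime dependencies in one layer.  The apt lists are removed in
# the same layer so they never persist in the image (an `rm` in a later layer
# would not shrink it).  `wget` is uninstalled again after the build; nothing
# here uses it.
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        bison build-essential ca-certificates cmake cron ethtool flex g++ gcc gettext git \
        iproute2 iputils-ping libbrotli-dev libcap2-bin libfl-dev libmaxminddb-dev \
        libnghttp2-dev libpcap-dev libssl-dev lshw make nano net-tools nodejs \
        openssh-client openssh-server passwd python3 python3-dev python3-jinja2 \
        python3-pip python3-requests python3-yaml rsync sendmail swig wget zlib1g-dev \
    && update-ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# zkg (the Zeek package manager) and its helpers.  --break-system-packages is
# required on noble (PEP 668); --no-cache-dir keeps the pip cache out of the
# layer.  NOTE(review): unpinned — pin exact versions for reproducible builds.
RUN pip3 install --no-cache-dir --break-system-packages GitPython semantic-version zkg

# The start-up script drops to `zeek` before starting Zeek, so the account must
# exist in the image (it used to be commented out, which made `su - zeek` fail
# at run time).
RUN groupadd -g "${ZEEK_GID}" cyber-user-group \
    && useradd -r -u "${ZEEK_UID}" -g cyber-user-group -m zeek

# Build Zeek from source.
#   ZEEK_GIT_REF   branch or tag to check out; empty builds whatever the fork's
#                  default branch points at (not reproducible — set it).
#   ZEEK_MAKE_JOBS parallelism for make; 1 keeps the original behaviour.
# The checkout is deleted in the same layer so the source tree (and .git) is
# never part of the image.
ARG ZEEK_GIT_REF=
ARG ZEEK_MAKE_JOBS=1
WORKDIR /opt
RUN git clone --recursive https://git.leargas.io/pk/zeek zeek \
    && cd zeek \
    && if [ -n "${ZEEK_GIT_REF}" ]; then git checkout --recurse-submodules "${ZEEK_GIT_REF}"; fi \
    && ./configure --prefix="${ZEEK_HOME}" \
    && make -j"${ZEEK_MAKE_JOBS}" \
    && make install \
    && cd / \
    && rm -rf /opt/zeek \
    # Only link when the prefix differs; with the default ZEEK_HOME the old
    # unconditional `ln -sfn` created a self-referential link inside the prefix.
    && if [ "${ZEEK_HOME}" != /usr/local/zeek ]; then ln -sfn "${ZEEK_HOME}" /usr/local/zeek; fi

# Site-local detection scripts (must be in the build context).  COPY creates
# the target directory, so no separate mkdir is needed.
COPY capitalone ${ZEEK_HOME}/share/zeek/site/scripts/capitalone

# Install Zeek packages.  The previous chain ended in `|| true`, which let any
# failing install (and every install after it) pass silently and ship a sensor
# without, e.g., file-extraction.  A failed package now fails the build.
# NOTE(review): sources are unpinned git URLs; zkg install accepts
# `--version <tag-or-commit>` — pin once the intended revisions are known.
RUN zkg autoconfig --force \
    && zkg install --force https://git.leargas.io/pk/bzar \
    && zkg install --force https://git.leargas.io/pk/hassh \
    && zkg install --force https://git.leargas.io/pk/ja3 \
    && zkg install --force https://git.leargas.io/pk/file-extraction \
    && zkg install --force https://git.leargas.io/pk/mdns

# File capabilities so Zeek can open capture interfaces without being root.
# They only take effect if the container is also granted NET_RAW and NET_ADMIN
# at run time (NET_ADMIN is not in Docker's default set: --cap-add NET_ADMIN).
# setcap needs xattr support on the build filesystem; a failure is reported
# but not fatal, matching the earlier best-effort behaviour.  zeekctl is a
# Python script, so a file capability on it has no effect (the kernel applies
# file caps to the interpreter, not the script) and is deliberately not set.
#
# Spool and log directories are handed to the zeek account so `zeekctl deploy`
# can run unprivileged.  /data/bro/{logs,spool} are created too in case the
# copied zeekctl.cfg points LogDir/SpoolDir there (the paths that were in the
# commented-out block); extend the chown if zeekctl needs further writable paths.
RUN for bin in zeek capstats; do \
        setcap cap_net_raw,cap_net_admin=eip "${ZEEK_HOME}/bin/${bin}" \
            || echo "[WARN] setcap failed for ${bin}; Zeek will need to run as root"; \
    done \
    && mkdir -p "${ZEEK_HOME}/spool" "${ZEEK_HOME}/logs" /data/bro/logs /data/bro/spool \
    && chown -R zeek:cyber-user-group "${ZEEK_HOME}/spool" "${ZEEK_HOME}/logs" /data/bro \
    && apt-get remove -y wget \
    && apt-get clean

# Outbound SSH defaults for root (e.g. rsync of logs).  The previous config
# disabled host-key verification entirely (`StrictHostKeyChecking no` with
# known_hosts at /dev/null), which makes every outbound SSH session MITM-able.
# `accept-new` trusts a host on first contact and rejects any later key change;
# pre-seed /root/.ssh/known_hosts at run time to close the first-contact gap.
#
# Host keys are deliberately NOT generated here: `ssh-keygen -A` at build time
# bakes one private host key into every container started from this image
# (and into the registry).  They are generated on first start by the
# start-up script instead.
RUN mkdir -p /var/run/sshd /root/.ssh \
    && printf 'Host *\n    StrictHostKeyChecking accept-new\n' > /root/.ssh/config \
    && chmod 700 /root/.ssh \
    && chmod 600 /root/.ssh/config

# Site policy, zeekctl configuration and the GeoIP database (all from the
# build context).  Mode 0644 so the unprivileged zeek account can read them.
COPY --chmod=0644 local.zeek ${ZEEK_HOME}/share/zeek/site/local.zeek
COPY --chmod=0644 zeekctl.cfg ${ZEEK_HOME}/etc/zeekctl.cfg
COPY --chmod=0644 GeoLite2-City.mmdb /opt/GeoLite2-City.mmdb

# Start-up script (PID 1).  Runs as root because sshd, cron and ethtool need
# it; Zeek is started under the zeek account via runuser with an absolute path
# (`su - zeek -c "zeekctl deploy"` resets PATH for the login shell, so the bare
# `zeekctl` was not found).  A SIGTERM from `docker stop` now runs
# `zeekctl stop` so Zeek is not killed mid-write.
#
# NIC tuning only does anything with host networking (the listed interface
# names are host interfaces) and CAP_NET_ADMIN; absent interfaces are skipped.
# NOTE(review): cron is started, but no crontab for `zeekctl cron` is
# installed by this file — confirm it is provided elsewhere.
# NOTE(review): sshd runs with the distribution default sshd_config and no
# authorized_keys; root login is key-only (prohibit-password) on noble.
# Consider `docker run --init` so orphaned processes are reaped reliably.
COPY --chmod=0755 <<'EOF' /usr/local/bin/entrypoint.sh
#!/bin/bash
set -euo pipefail

IFACES="enp0s3 ens33 ens34 ens192 ens160 eth0 eth1 eth4 eth5 br0 enp11s0f1 enp11s0f0 enp10s0f1 enp10s0f0"

echo "[INFO] Disabling NIC offloading (if interfaces exist)..."
for i in ${IFACES}; do
    if ip link show "$i" &>/dev/null; then
        echo "[INFO] Tuning $i..."
        for n in lro tso gso gro; do
            /sbin/ethtool -K "$i" "$n" off 2>/dev/null || true
        done
    fi
done

# Per-container SSH host keys: -A only creates keys that do not already exist,
# so a persistent /etc/ssh volume keeps them stable across restarts.
ssh-keygen -A

echo "[INFO] Starting SSH daemon and cron..."
service cron start
/usr/sbin/sshd

echo "[INFO] Starting Zeek..."
runuser -u zeek -- "${ZEEK_HOME}/bin/zeekctl" deploy

stop() {
    echo "[INFO] Stopping Zeek..."
    runuser -u zeek -- "${ZEEK_HOME}/bin/zeekctl" stop || true
    exit 0
}
trap stop TERM INT

# Stay alive as PID 1; `wait` returns when a trapped signal arrives so the
# handler above runs (a plain `tail -f /dev/null` would swallow the signal).
while true; do
    sleep 3600 &
    wait $! || true
done
EOF

# sshd listens here (documentation only; publish with -p).
EXPOSE 22

# Wedged-sensor detection.  `zeekctl status` is expected to exit non-zero when
# a node is not running — verify against the zeekctl version built above.
# Long start period because `deploy` compiles the site policy first.
HEALTHCHECK --interval=60s --timeout=20s --start-period=120s --retries=3 \
    CMD runuser -u zeek -- "${ZEEK_HOME}/bin/zeekctl" status >/dev/null 2>&1 || exit 1

# Kept as CMD (not ENTRYPOINT) so `docker run <image> bash` still overrides it.
CMD ["/usr/local/bin/entrypoint.sh"]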