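# syntax=docker/dockerfile:1
# Target platform for the base image. It defaults to amd64 so every builder
# produces the same image; override with --build-arg PLATFORM=linux/arm64.
# (The ARG was previously declared but never used by FROM.)
ARG PLATFORM=linux/amd64

# NOTE(review): "noble" is a floating tag. Pin by digest
# (ubuntu:noble@sha256:...) once the build is stable so rebuilds are
# reproducible and a base-image change is an explicit, reviewable diff.
FROM --platform=${PLATFORM} ubuntu:noble

# Zeek install prefix; PATH exposes zeek/zeekctl/zkg from it. Two ENV lines on
# purpose: a single ENV cannot reference a key set in the same instruction.
# The ubuntu image already runs as root, so no USER root is needed here.
ENV ZEEK_HOME=/usr/local/zeek
ENV PATH="${ZEEK_HOME}/bin:${PATH}"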
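# Install system dependencies.
# --no-install-recommends keeps the package set to what is listed; the apt
# lists are removed in the SAME layer because a later `rm -rf
# /var/lib/apt/lists/*` cannot shrink a layer that already exists.
# DEBIAN_FRONTEND is set per-command so it does not leak into the runtime env.
# `wget` was listed twice and is not used by any build step (git/zkg do the
# fetching); it was only being removed again at the end, so it is not
# installed at all now — the later `apt-get remove -y wget` is then a no-op.
# NOTE(review): every build-time tool here (gcc, g++, cmake, make, git, ...)
# and the admin tooling (nano, net-tools, lshw, nodejs) ship in the final
# image. A multi-stage build that copies only ${ZEEK_HOME} into a slim runtime
# stage would remove compilers and editors from the sensor's attack surface.
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        bison \
        build-essential \
        ca-certificates \
        cmake \
        cron \
        ethtool \
        flex \
        g++ \
        gcc \
        gettext \
        git \
        iproute2 \
        libbrotli-dev \
        libcap2-bin \
        libfl-dev \
        libmaxminddb-dev \
        libnghttp2-dev \
        libpcap-dev \
        libssl-dev \
        lshw \
        make \
        nano \
        net-tools \
        nodejs \
        passwd \
        python3 \
        python3-dev \
        python3-jinja2 \
        python3-pip \
        python3-requests \
        python3-yaml \
        sendmail \
        swig \
        zlib1g-dev \
    && update-ca-certificates \
    && rm -rf /var/lib/apt/lists/*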
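# Install Python package requirements (presumably the runtime dependencies of
# zkg, which `make install` below places in ${ZEEK_HOME}/bin — confirm).
# --no-cache-dir keeps the pip download cache out of the image layer.
# NOTE(review): both packages are unpinned; pin them (pkg==x.y.z) so a new
# PyPI release cannot change the build or pull in a compromised version.
RUN pip3 install --no-cache-dir --break-system-packages GitPython semantic-version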
# Create the unprivileged service account Zeek runs as.
# A fixed UID/GID (9000) gives bind mounts and runtime runAsUser checks a
# stable numeric identity; --system marks it as a service account.
RUN groupadd --gid 9000 cyber-user-group \
    && useradd --system --uid 9000 --gid cyber-user-group --create-home zeek
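# Build Zeek from source.
# ZEEK_GIT_REF: optional tag, branch or commit checked out after the clone.
#   Empty (the default) keeps the repository's default branch — the original
#   behaviour. Set it to a tag or commit hash so the sensor's engine is pinned
#   and reviewable instead of following whatever that repo currently points at.
# ZEEK_MAKE_JOBS: make parallelism; 1 keeps the original serial build (Zeek's
#   C++ build is memory-hungry, so raise it knowingly).
# The symlink is only created when the prefix was actually relocated: with the
# default ZEEK_HOME=/usr/local/zeek, `ln -s ${ZEEK_HOME} /usr/local/zeek`
# links a directory onto itself and leaves a self-referencing
# /usr/local/zeek/zeek entry behind.
# The source tree is deleted in this same layer; a later `rm -rf /opt/zeek`
# only masks it, the whole checkout would still ship inside this layer.
ARG ZEEK_GIT_REF=""
ARG ZEEK_MAKE_JOBS=1
RUN cd /opt && \
    git clone --recursive https://git.leargas.io/pk/zeek && \
    cd zeek && \
    if [ -n "${ZEEK_GIT_REF}" ]; then \
        git checkout "${ZEEK_GIT_REF}" && \
        git submodule update --init --recursive; \
    fi && \
    ./configure --prefix="${ZEEK_HOME}" && \
    make -j"${ZEEK_MAKE_JOBS}" && \
    make install && \
    { [ "${ZEEK_HOME}" = /usr/local/zeek ] || ln -s "${ZEEK_HOME}" /usr/local/zeek; } && \
    cd / && rm -rf /opt/zeek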
# Set up directories and permissions.
# /data/bro holds Zeek's logs and spool and is handed to the zeek user so the
# sensor can write there without root. The stock ${ZEEK_HOME}/etc is moved
# aside to etc.bak and replaced by an empty etc; only zeekctl.cfg is copied
# into it later (see the COPY below), so whatever else the stock etc
# contained is not restored — TODO confirm that is intended.
RUN mkdir -p "${ZEEK_HOME}/share/zeek/site/scripts/capitalone" \
    && mkdir -p /data/bro/logs /data/bro/spool \
    && chown -R zeek:cyber-user-group /data/bro \
    && mv "${ZEEK_HOME}/etc" "${ZEEK_HOME}/etc.bak" \
    && mkdir -p "${ZEEK_HOME}/etc"
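# Install Zeek plugins using zkg.
# `&&` and `||` bind with equal precedence, left to right, so the original
# trailing `|| true` did not make geoip-conn optional — it swallowed a failure
# of ANY command in the chain, autoconfig included: a failed ja3/hassh/bzar
# install produced a "successful" image quietly missing those detections.
# Now only geoip-conn is best-effort, and its failure is logged on stderr.
# NOTE(review): these are unpinned default-branch installs; zkg accepts
# `<url>@<version>` (tag or commit) — pin them so a change in those repos
# cannot silently alter what the sensor detects. zkg also executes the
# build/test commands declared in each package's zkg.meta, so this step runs
# code from git.leargas.io as root during the build.
RUN zkg autoconfig --force && \
    zkg install --force https://git.leargas.io/pk/bzar && \
    zkg install --force https://git.leargas.io/pk/hassh && \
    zkg install --force https://git.leargas.io/pk/ja3 && \
    zkg install --force https://git.leargas.io/pk/file-extraction && \
    zkg install --force https://git.leargas.io/pk/mdns && \
    { zkg install --force https://git.leargas.io/pk/geoip-conn \
        || echo "[WARN] geoip-conn install failed; continuing without it" >&2; }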
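# Grant packet-capture capabilities so Zeek can sniff without being root, then
# clean up.
# Failures stay non-fatal (as before) but are now reported instead of being
# swallowed by a bare `|| true`, and `getcap` prints what actually got applied
# so the build log shows whether the image can capture unprivileged. A silent
# setcap failure (e.g. a storage driver without xattr support) would otherwise
# yield a sensor that only works as root.
# NOTE(review): if zeekctl is a Python script, file capabilities on it are
# ignored by the kernel (they apply to the binary passed to execve, i.e. the
# interpreter) — confirm and drop it from the list if so.
# `apt-get remove`/`rm -rf` here only hide files in this layer; earlier layers
# keep their content, so this does not reduce image size or the on-disk
# attack surface of what was installed above.
RUN for tool in zeek capstats zeekctl; do \
        setcap cap_net_raw,cap_net_admin=eip "${ZEEK_HOME}/bin/${tool}" \
            || echo "[WARN] setcap failed for ${tool}; it will need root to capture" >&2; \
    done && \
    getcap "${ZEEK_HOME}/bin/zeek" "${ZEEK_HOME}/bin/capstats" "${ZEEK_HOME}/bin/zeekctl" || true && \
    apt-get remove -y wget && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /opt/zeek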
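# Copy configuration files.
# The GeoIP database gets its owner and mode from COPY itself: a follow-up
# `RUN chmod/chown` rewrites the whole (large) file into a new layer.
# 9000:9000 is zeek:cyber-user-group, given numerically so the copy does not
# depend on name lookups. --chown/--chmod need BuildKit (the default builder
# since Docker 23).
# NOTE(review): the path /opt/GeoLite2-City.mmdb must match what local.zeek /
# the geoip-conn package read — confirm.
COPY local.zeek ${ZEEK_HOME}/share/zeek/site/local.zeek
COPY zeekctl.cfg ${ZEEK_HOME}/etc/zeekctl.cfg
COPY --chown=9000:9000 --chmod=644 GeoLite2-City.mmdb /opt/GeoLite2-City.mmdb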
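# Final CMD: NIC offload tuning + Zeek launch.
# The container starts as root because `ethtool -K` needs CAP_NET_ADMIN; Zeek
# itself is then started as the unprivileged `zeek` user via su. Run with
# `--network host --cap-add NET_ADMIN` (default containers get neither) or the
# tuning silently does nothing. The interface names are a hard-coded guess
# list; absent ones are skipped.
# `su -` starts a login shell whose PATH is reset (login.defs / /etc/profile),
# so the ENV PATH above is not guaranteed to survive — zeek is therefore
# invoked by absolute path. The inner `exec` makes zeek su's direct child.
# NOTE(review): as written the container only runs `zeek --version`, which
# prints and exits; the real capture/deploy command still has to go here.
# Shell-form CMD means bash, not Zeek, is what receives `docker stop`; an
# entrypoint script ending in `exec` would fix that.
USER root
CMD bash -c '\
    echo "[INFO] Disabling NIC offloading (if interfaces exist)..." && \
    for i in enp0s3 ens33 ens34 ens192 ens160 eth0 eth1 eth4 eth5 br0 enp11s0f1 enp11s0f0 enp10s0f1 enp10s0f0; do \
        if ip link show "$i" &>/dev/null; then \
            echo "[INFO] Tuning $i..." && \
            for n in lro tso gso gro; do \
                /sbin/ethtool -K "$i" "$n" off 2>/dev/null || true; \
            done; \
        fi; \
    done && \
    echo "[INFO] Starting Zeek..." && \
    exec su - zeek -c "exec ${ZEEK_HOME}/bin/zeek --version"'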