{"id":17709399,"url":"https://github.com/0snap/zeek-cluster","last_synced_at":"2025-10-24T04:04:34.358Z","repository":{"id":78799401,"uuid":"152839817","full_name":"0snap/zeek-cluster","owner":"0snap","description":"Docker based Zeek IDS worker cluster","archived":false,"fork":false,"pushed_at":"2019-04-05T04:29:26.000Z","size":23,"stargazers_count":12,"open_issues_count":0,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-02-26T20:22:11.313Z","etag":null,"topics":["bro","bro-ids","cluster","docker","ids","intrusion-detection-system","zeek","zeek-ids"],"latest_commit_sha":null,"homepage":"","language":"Dockerfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0snap.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-10-13T05:48:53.000Z","updated_at":"2025-01-31T22:58:45.000Z","dependencies_parsed_at":"2023-07-17T07:16:38.769Z","dependency_job_id":null,"html_url":"https://github.com/0snap/zeek-cluster","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0snap%2Fzeek-cluster","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0snap%2Fzeek-cluster/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0snap%2Fzeek-cluster/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0snap%2Fzeek-cluster/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0snap","download_url":"http
s://codeload.github.com/0snap/zeek-cluster/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243433012,"owners_count":20290191,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bro","bro-ids","cluster","docker","ids","intrusion-detection-system","zeek","zeek-ids"],"created_at":"2024-10-25T04:03:54.114Z","updated_at":"2025-10-24T04:04:34.284Z","avatar_url":"https://github.com/0snap.png","language":"Dockerfile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Docker Zeek IDS cluster\n\n[Zeek IDS](https://www.zeek.org/index.html) can be used in a worker cluster setup. Multiple slave nodes share the workload of traffic analysis and report to a logger node. The cluster is managed in a centralized fashion by a dedicated manager node.\n\n[Official Zeek IDS cluster documentation](https://docs.zeek.org/en/stable/cluster/index.html)\n\nThis repo provides a docker wrapper around Zeek that allows for a containerized Zeek IDS cluster.\n\nThe base image is a raw Zeek IDS installation with `python3`, `librocksdb` for broker support and geo data available inside the container: [fixel/zeek](https://cloud.docker.com/repository/docker/fixel/zeek)\n\n## Internals and setup\n\nZeek uses ssh to manage the nodes. The manager node needs to ssh into all slave nodes it wants to manage. Therefore:\n\n- all slaves have to run `sshd`\n- ssh has to be possible with PKI only\n- key distribution ?\n\n#### Security disclaimer\n\nI intend to use this setup on an offline demo environment. 
I do not have to be concerned about access violations whatsoever. Thus it is ok for me to have fixed ssh keys and that is why I put them on github.\n\n*If you want to reuse parts of this project make sure to change the keys and how they are stored + distributed.*\n\n## Docker\n\nImages ship with `supervisord` (nodaemon). It wraps the `sshd` and `bro` processes. Images build against latest Zeek master.\n\nPre-built images for `x86_64` can be found on [dockerhub](https://cloud.docker.com/u/fixel/repository/docker/fixel/zeek-cluster).\n\n#### ARM 64v8\n\nI plan on rebuilding and providing images for 64bit ARM again. The dockerfiles inherit from the debian `arm64v8` base image. I need to get the appropriate hardware back first. The images will be uploaded in the next weeks.\n\n### Network\n\nSee the [docker-compose.yml](docker-compose.yml) and [manager/config/node.cfg](manager/config/node.cfg) files. All nodes in the Zeek cluster must be resolvable by the manager (IP or hostname).\n\n## Usage\n\nRun a minimalistic local cluster of `2 workers`, `1 proxy` and `1 master` (without dedicated `logger`) with `docker-compose`:\n\n    $ docker-compose up             # start the whole thing. daemonize with -d\n    $ docker-compose down           # (in same directory) tear down cluster, throw away containers\n\nToy around with it, for example `docker inspect zeek-cluster_worker1_1`, find the IP and request some port there (locally!). When you now exec into the `manager` container you should see your request to the worker in the manager logs (`current/conn.log`).\n\n### Custom Scripts\n\n[Zeek can be scripted](https://docs.zeek.org/en/stable/examples/scripting/index.html). By default, it will load the script at `$ZEEK_HOME/share/bro/site/local.bro`. See also the [broctl#bro-scripts](https://github.com/zeek/broctl#bro-scripts) documentation.\n\nTo add custom scripts just mount a volume into the manager container. See the [docker-compose.yml](docker-compose.yml) for an example. 
The manager will populate the scripts to all workers.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0snap%2Fzeek-cluster","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0snap%2Fzeek-cluster","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0snap%2Fzeek-cluster/lists"}