{"id":20010193,"url":"https://github.com/activecm/docker-zeek","last_synced_at":"2025-03-17T02:08:15.926Z","repository":{"id":43673272,"uuid":"265926542","full_name":"activecm/docker-zeek","owner":"activecm","description":"Run zeek with zeekctl in docker","archived":false,"fork":false,"pushed_at":"2024-09-12T15:23:04.000Z","size":91,"stargazers_count":51,"open_issues_count":9,"forks_count":18,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-04T04:27:57.889Z","etag":null,"topics":["docker","hacktoberfest","zeek","zeekctl"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/activecm.png","metadata":{"files":{"readme":"Readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-21T18:47:13.000Z","updated_at":"2024-12-09T17:20:16.000Z","dependencies_parsed_at":"2025-01-09T19:41:03.454Z","dependency_job_id":"4ded969b-a85a-43c3-9af4-86a35eb0ab35","html_url":"https://github.com/activecm/docker-zeek","commit_stats":{"total_commits":69,"total_committers":5,"mean_commits":13.8,"dds":0.4057971014492754,"last_synced_commit":"9edadec34a8858555851c1c6490718d70ae60757"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/activecm%2Fdocker-zeek","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/activecm%2Fdocker-zeek/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/activecm%2Fdocker-zeek/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/Gi
tHub/repositories/activecm%2Fdocker-zeek/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/activecm","download_url":"https://codeload.github.com/activecm/docker-zeek/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243960666,"owners_count":20375104,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","hacktoberfest","zeek","zeekctl"],"created_at":"2024-11-13T07:18:48.261Z","updated_at":"2025-03-17T02:08:15.904Z","avatar_url":"https://github.com/activecm.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n[activecm/zeek](https://hub.docker.com/r/activecm/zeek) is meant to run a single-system Zeek cluster inside of a docker container. It is based on, but differs from [blacktop/zeek:zeekctl](https://hub.docker.com/r/blacktop/zeek) in that it focuses on running multiple Zeek processes with `zeekctl`. 
To that end, there are several helpful features included:\n\n- A [configuration wizard](https://github.com/activecm/zeekcfg) for generating a `node.cfg` cluster configuration\n- Will automatically run `zeekctl` on start and print a diagnostic report if it fails\n- Cron will periodically ensure that all Zeek processes are running and restart any that have crashed\n- Zeek's package manager is included, allowing you to easily install zeek plugins\n- Performance improvement by using `ethtool` to disable certain interface features by default\n- Performance improvement with AF_Packet plugin installed and enabled by default in the configuration wizard\n- Comes with the following other plugins pre-installed\n  - bro-interface-setup \n  - bro-doctor \n  - ja3\n\n## Supported Docker Tags\n\nThe docker tags correspond with the version of [Zeek](https://zeek.org/get-zeek/) installed in the image. Zeek currently has two release tracks: feature and lts.\n\n* `v3-latest`, `3.2`, `3.2.3`\n* `v3-lts`, `3`, `3.0`, `3.0.12`\n* `v4-latest`, `4.2`, `4.2.0`\n* `v4-lts`, `4.0`, `4.0.5`\n* `latest`, `6.2`, `6.2.1`\n* `lts`, `6.2`, `6.2.1`\n\n## Quickstart\n\nYou'll first need Docker. If you don't already have it here is a quick and dirty way to install it on Linux:\n\n```bash\ncurl -fsSL https://get.docker.com | sh -\n```\n\nOtherwise, follow the [install instructions](https://docs.docker.com/get-docker/) for your operating system.\n\nYou can then use the `zeek` script in this repo to quickly get Zeek running. We recommend putting this `zeek` script in your system `PATH`. 
The rest of this readme will assume this repo's `zeek` script is in the system `PATH`.\n\n```bash\nsudo wget -O /usr/local/bin/zeek https://raw.githubusercontent.com/activecm/docker-zeek/master/zeek\nsudo chmod +x /usr/local/bin/zeek\n```\n\nThen use the script to start Zeek.\n\n```bash\nzeek start\n```\n\n## Customizing\n\nIf the Quickstart section above doesn't fit your needs, you can use the following documentation to customize your install.\n\n### Zeek Files Location\n\nThe default location our `zeek` script puts its files on your host is `/opt/zeek/`. You can change this directory by setting the `zeek_top_dir` environment variable. We recommend making this change permanent by creating the file `/etc/profile.d/zeek.sh`. For example, to change the directory to `/usr/local/zeek/`:\n\n```bash\necho \"export zeek_top_dir=/usr/local/zeek/\" | sudo tee -a /etc/profile.d/zeek.sh\nsource /etc/profile.d/zeek.sh\n```\n\n### Zeek Version\n\nThe default version tag is `6.2.1` which will correspond to the latest release in the 6.2.1 Zeek release channel. You can customize this with the `zeek_release` environment variable. Set this variable to your desired Docker image tag. For example, to use the latest feature release:\n\n```bash\necho \"export zeek_release=latest\" | sudo tee -a /etc/profile.d/zeek.sh\nsource /etc/profile.d/zeek.sh\n```\n\n### Install a Plugin\n\nYou can install Zeek packages from https://packages.zeek.org/ using the Zeek Package Manager, `zkg`. For example, to install the `hassh` plugin:\n\n```\n# Run `zeek start` if you haven't already\ndocker exec -it zeek zkg install hassh\n# Restart Zeek to activate plugin\nzeek restart\n```\n\nNote: Currently only plugins that don't require compiling can be installed.\n\n### Zeek Scripts and local.zeek\n\nThis project will auto-generate a `local.zeek` file. This means that you should _not_ attempt to create or modify this file yourself. 
Instead, anything that would normally go inside the `local.zeek` file can be put inside one or more `.zeek` files in the `share/zeek/site/autoload` directory. The files there are included in alphabetical order to create the `local.zeek` file. The default `local.zeek` provided by the Zeek project is included for your convenience at `autoload/100-default.zeek` and this file can be safely modified.\n\n```bash\nsudo mkdir -p /opt/zeek/share/zeek/site/autoload\nsudo mv custom.zeek /opt/zeek/share/zeek/site/autoload/210-custom.zeek\nzeek restart\n```\n\n### Zeekctl Config\n\nZeekctl has several config files you may want to modify such as `zeekctl.cfg` or `networks.cfg`. The default files used are [here](https://github.com/activecm/docker-zeek/tree/master/etc). If you want to provide your own, place your custom file in the appropriate place on your host and then restart Zeek. By default this would be in `/opt/zeek/etc/`.\n\nThe `zeek` script will automatically prompt and create a `node.cfg` file for you. If you would like to re-run this prompt you can delete the existing `node.cfg` file and restart Zeek. For instance, if your files are in the default location:\n\n```bash\nzeek stop\nsudo rm /opt/zeek/etc/node.cfg\nzeek start\n```\n\n### Updating\n\nYou can obtain the newest version of the `zeek` script from this repo.\n\n```bash\nsudo wget -O /usr/local/bin/zeek https://raw.githubusercontent.com/activecm/docker-zeek/master/zeek\n```\n\nYou can use the included `zeek` script to pull the most recent Docker image. 
This will also restart your Zeek instance.\n\n```bash\nzeek update\n```\n\n### Diagnosing Issues\n\nIf Zeek crashes right after starting you can check the log output.\n\n```\ndocker logs zeek\n```\n\nIf Zeek is successfully capturing and you want to see if there are any issues:\n\n```\n# Container must be running already\ndocker exec zeek zeekctl doctor\n```\n\n## Development\n\nDeveloper documentation can be found in the [docs](docs/) folder.\n\n## Credits\n\nDockerfile based on [blacktop/docker-zeek](https://github.com/blacktop/docker-zeek/tree/master/zeekctl).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Factivecm%2Fdocker-zeek","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Factivecm%2Fdocker-zeek","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Factivecm%2Fdocker-zeek/lists"}