https://github.com/0snap/zeek-docker
Zeek IDS and Zeek-Broker Docker images
- Host: GitHub
- URL: https://github.com/0snap/zeek-docker
- Owner: 0snap
- License: mit
- Created: 2019-01-31T04:10:56.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2020-09-03T17:53:33.000Z (almost 6 years ago)
- Last Synced: 2025-02-06T12:15:52.647Z (over 1 year ago)
- Topics: broker, broker-docker, docker, zeek, zeek-broker, zeek-docker, zeek-ids
- Language: Dockerfile
- Homepage: https://hub.docker.com/r/fixel/zeek
- Size: 6.84 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
Zeek Docker
===========
#### Zeek Image:
- Container base is `debian:buster`
- Uses `python 3`
- Installs the `zkg` [package manager](https://packages.zeek.org/)
#### Broker Image:
- Container base is `debian:buster`
- Uses `python 3`
- Has python bindings
## Usage
[Zeek can be scripted](https://docs.zeek.org/en/stable/examples/scripting/index.html). By default it loads the script at `$ZEEK_HOME/share/zeek/site/local.zeek`. See also the [zeek-ctl#zeek-scripts](https://github.com/zeek/zeekctl#zeek-scripts) documentation.
To provide custom scripts for Zeek to load, mount a directory at `/opt/zeek/share/zeek/site` in the container.
## Build
```sh
$ docker build . -t fixel/zeek:latest
$ docker build . -f Dockerfile_broker --build-arg BROKER_VERSION=v1.4.0 -t fixel/zeek:broker-latest
```
## Run
A prebuilt container image is available on Docker Hub: [fixel/zeek](https://cloud.docker.com/repository/docker/fixel/zeek)
The container expects arguments; everything you pass is forwarded to the `zeek` command. To listen on the interface `enp0s31f6`, run:
```sh
$ docker run --net=host --name=zeek --rm -ti fixel/zeek -i enp0s31f6
```
Logs are written to `/var/log/zeek`, which is declared as a Docker volume, so you can extract them with the usual container-management tools (for example `docker cp` or a bind mount on that path).
## Computation Speed Up & Clustering
A single Zeek IDS process uses only one processor core, but Zeek can run as a cluster of workers that share the cost of traffic processing. A Docker-based Zeek IDS worker cluster is available on GitHub: [0ortmann/zeek-cluster](https://github.com/0ortmann/zeek-cluster), and on Docker Hub: [fixel/zeek-cluster](https://cloud.docker.com/u/fixel/repository/docker/fixel/zeek-cluster).