Zeek 网络入侵检测工具安装和测试

参考官方主页：https://docs.zeek.org/en/current/install/install.html

1. 安装dependencies

To build Zeek from source, the following additional dependencies are required:

• CMake 3.0 or greater (http://www.cmake.org)
• Make
• C/C++ compiler with C++17 support (GCC 7+ or Clang 4+)
• SWIG (http://www.swig.org)
• Bison 2.5 or greater (https://www.gnu.org/software/bison/)
• Flex (lexical analyzer generator) (https://github.com/westes/flex)
• Libpcap headers (http://www.tcpdump.org)
• OpenSSL headers (http://www.openssl.org)
• zlib headers (https://zlib.net/)
• Python (https://www.python.org/)

在不同系统上：

• RPM/RedHat-based Linux:

  sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel
  

  On RHEL/CentOS 6/7, you can install and activate a devtoolset to get access to recent GCC versions. You will also have to install and activate CMake 3. For example:

  sudo yum install cmake3 devtoolset-7
  scl enable devtoolset-7 bash
  

• DEB/Debian-based Linux:

  sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
  

  If your system uses Python 2.7, then you will also need to install the “python-ipaddress” package. If you are running Debian 8 (jessie), install clang-4.0 instead of GCC.

• FreeBSD:

  Most required dependencies should come with a minimal FreeBSD install except for the following.

  sudo pkg install bash cmake swig30 bison python py27-sqlite3 py27-ipaddress
  

• Mac OS X:

  Compiling source code on Macs requires first installing either Xcode or the “Command Line Tools” (which is a much smaller download). To check if either is installed, run the xcode-select -p command. If you see an error message, then neither is installed and you can then run xcode-select --install which will prompt you to either get Xcode (by clicking “Get Xcode”) or to install the command line tools (by clicking “Install”).

  用Homebrew的包管理工具

  brew install cmake make flex bison swig openssl bison libpcap zlib python
  pip install ipaddress
  

  安装额外的非必要dependencies

  • libmaxminddb (for geolocating IP addresses)
  • sendmail (enables Zeek and ZeekControl to send mail)
  • curl (used by a Zeek script that implements active HTTP)
  • gperftools (tcmalloc is used to improve memory and CPU usage)
  • jemalloc (http://www.canonware.com/jemalloc/)
  • PF_RING (Linux only, see Cluster Configuration)
  • krb5 libraries and headers: Kerberos
  • ipsumdump (for trace-summary; http://www.cs.ucla.edu/~kohler/ipsumdump)

  在Mac OS X系统上安装

  brew install curl libmaxminddb gperftools jemalloc krb5
  

2. Installing from Source

the latest Zeek development version can be obtained through git repositories hosted at https://github.com/zeek. See our git development documentation for comprehensive information on Zeek’s use of git revision control, but the short story for downloading the full source code experience for Zeek via git is:

git clone --recursive https://github.com/zeek/zeek

The typical way to build and install from source is (for more options, run ./configure --help):

./configure
make
sudo make install

If the configure script fails, then it is most likely because it either couldn’t find a required dependency or it couldn’t find a sufficiently new version of a dependency. Assuming that you already installed all required dependencies, then you may need to use one of the --with-* options that can be given to the configure script to help it locate a dependency.

The default installation path is /usr/local/zeek. 执行下面的命令，可以看到zeek提供的可执行程序。

$ ls /usr/local/zeek/bin/
bifcl		bro		bro-cut		capstats	trace-summary	zeek-config	zeek-wrapper
binpac		bro-config	broctl		paraglob-test	zeek		zeek-cut	zeekctl

Depending on the Zeek package you downloaded, there may be auxiliary tools and libraries available in the aux/ directory. Some of them will be automatically built and installed along with Zeek. There are --disable-* options that can be given to the configure script to turn off unwanted auxiliary projects that would otherwise be installed automatically. Finally, use make install-aux to install some of the other programs that are in the aux/zeek-aux directory. 执行下面的命令，可以看到Zeek提供的附属packages。

$ ls aux
bifcl			btest			netcontrol-connectors	zeek-aux
binpac			highwayhash		paraglob		zeekctl
broker			libkqueue		rapidjson
$ sudo make install-aux

Finally, if you want to build the Zeek documentation (not required, because all of the documentation for the latest Zeek release is available on the Zeek web site), there are instructions in doc/README in the source distribution. 执行下面命令，可生成所有Zeek官方文档。

cd doc
make
cd ..

打开zeek/doc/build/html/index.html，可以看到生成的文档。

3. Configure the Run-Time Environment

You may want to adjust your PATH environment variable according to the platform/shell/package you’re using. For example:

Bourne-Shell Syntax:

export PATH=/usr/local/zeek/bin:$PATH

C-Shell Syntax:

setenv PATH /usr/local/zeek/bin:$PATH

4. 测试Zeek的安装结果

在Zeek源代码目录里有testing子目录，里面有各种功能测试脚本。

$ cd testing
$ make
1043 tests successful, 6 skipped
3770/5482 (68.8%) Zeek script statements covered.
Coverage for 'btest' dir:
3770/5482 (68.8%) Zeek script statements covered.
Coverage for 'external' dir:
Complete test suite code coverage:
3770/5482 (68.8%) Zeek script statements covered.
Checking for coverage files... no .gcda files, nothing to do

5. 试试Zeek自带的Examples and Use Cases

查看文档：https://docs.zeek.org/en/current/examples/