Another successful meeting on the books.

Only a couple members could make tonight’s meeting, but it was a positive meeting anyway. I was working on my Vic-20 recovery when Kevin arrived, and we pretty quickly ended up in a conversation about Zeek. He needs to master it for work, and I need to master it just because. I found a lab from FAU that might be helpful. Here’s the link:

http://ce.sc.edu/cyberinfra/docs/workshop/Zeek_Lab_Series.pdf

We did a bit of research on network taps, and settled on Great Scott Gadgets’ Lan Tap Pro (or, if you’re cheap and handy like me, the Throwing Star Lan Tap Kit). Both are passive LAN taps, and will pipe all traffic that passes through them into your Zeek, Snort or other IDS box.

We’re looking forward to the new year and planning some exciting talks and presentations. Maybe we’ll talk about Zeek in February if we’re ready, and Dan wants to talk about social engineering research tools, possibly in March.

Next meeting is Monday February 24. I hope you can make it.

5 Replies to “Another successful meeting on the books.”

  1. Update: I got lucky. Turns out the original DC540 CTF (which I’ll now call the Original WOPR) has two ethernet interfaces. Installed CentOS 8 last night, and I’m now following these instructions: https://www.ericooi.com/zeekurity-zenpart-i-how-to-i-nstall-zeek-bro-on-centos-8/

    First thing I noticed is that the onboard Intel NIC supports the ethtool -g command to get the ring options, but the add-on RTL8169 does not, so I had to swap interfaces and use the onboard as the sniffing interface to comply with these instructions.

    Second thing, MaxMind changed the method of retrieving the GeoLite2 database as of the end of the year, so that part of the how-to is already out of date.

    Third, configure barked at not having python3-devel, which should have been listed in the prerequisites.
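    A small check, added here as an example and not from the post or its comments, that parses the output of ethtool -g for a capture interface and flags an RX ring sitting below its pre-set maximum (a common reason a sniffing box drops packets before Zeek ever sees them); the interface name and the sample output below are constructed.

```shell
#!/bin/sh
# Added example: report whether a capture interface's RX ring buffer is at
# the driver's pre-set maximum. Sample output below is constructed.

# Constructed sample of `ethtool -g eth0` output (values are illustrative).
SAMPLE_ETHTOOL_G='Ring parameters for eth0:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256'

# ring_value <section> <field>: print the numeric value of <field> (e.g. RX)
# within <section> ("Pre-set maximums" or "Current hardware settings"),
# reading ethtool -g output from stdin.
ring_value() {
    awk -v section="$1" -v field="$2" '
        /^Pre-set maximums:/          { in_section = (section == "Pre-set maximums") }
        /^Current hardware settings:/ { in_section = (section == "Current hardware settings") }
        in_section && $1 == (field ":") { print $2; exit }
    '
}

# ring_status: reads ethtool -g output from stdin and prints one of
# "ok <n>", "undersized <current>/<max>" or "unsupported" (a NIC whose
# driver rejects -g, like the RTL8169 mentioned above, prints no values).
ring_status() {
    out=$(cat)
    max=$(printf '%s\n' "$out" | ring_value "Pre-set maximums" RX)
    cur=$(printf '%s\n' "$out" | ring_value "Current hardware settings" RX)
    if [ -z "$max" ] || [ -z "$cur" ]; then
        echo "unsupported"; return 2
    fi
    if [ "$cur" -eq "$max" ]; then
        echo "ok $cur"; return 0
    fi
    echo "undersized $cur/$max"; return 1
}

# check_iface <name>: live check when ethtool is present, otherwise the
# constructed sample so the script still runs offline.
check_iface() {
    if [ -n "$1" ] && command -v ethtool >/dev/null 2>&1; then
        ethtool -g "$1" 2>/dev/null | ring_status
    else
        printf '%s\n' "$SAMPLE_ETHTOOL_G" | ring_status
    fi
}

check_iface "${1:-}" || true   # prints "undersized 256/4096" for the sample
```

    If the ring is undersized, ethtool -G <iface> rx <max> raises it, and the change should be made persistent alongside the other interface tuning the how-to describes.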

  2. Wow, this software is no joke. I’ve done gentoo kernel recompiles that took less time than this compile.

  3. That is awesome! I also just put together a Medium article with step-by-step instructions with the new $40 tap! Check it out.
    https://medium.com/@mytechnotalent/zeek-network-security-monitor-tutorial-part-1-setup-f0ac2fb8eba8

    That is great you got it working on CentOS! In my tutorial I used Ubuntu as it worked quite easily. Check it out and let me know what you think.

    By the way, that PDF is gold! I am going to be making tutorials based on a lot of the info in that guide. Thank you!

  4. Regarding your Geo account, follow these steps:
    1) https://www.maxmind.com/en/geolite2/signup
    2) https://dev.maxmind.com/geoip/geoipupdate/#Direct_Downloads

    You need to edit the GeoIP.conf with your ID and key. Make sure you write it down, as it only shows you the key once.
