-
Notifications
You must be signed in to change notification settings - Fork 47
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #95 from awelzel/zeekjs-misp-integration
new: [blog] Zeek JavaScript MISP integration
- Loading branch information
Showing
3 changed files
with
123 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,123 @@ | ||
| --- | ||
| title: Using Zeek's new JavaScript support for MISP integration | ||
| authors: | ||
| - Arne Welzel | ||
| date: 2024-01-03 | ||
| banner: /img/blog/zeekjs-misp-overview.png | ||
| layout: post | ||
| --- | ||
|
|
||
| # Using Zeek's new JavaScript support for MISP integration | ||
|
|
||
| With Zeek 6.0, experimental [JavaScript support](https://docs.zeek.org/en/master/scripting/javascript.html) was added to [Zeek](https://zeek.org/), | ||
| making Node.js and its vast ecosystem available to Zeek script developers to more easily integrate with external systems. | ||
|
|
||
| ## MISP Integration | ||
|
|
||
| As a tech-demo, the popular Zeek package [dovehawk](https://github.com/tylabs/dovehawk) has been re-implemented using JavaScript. | ||
| The re-implementation is named [zeekjs-misp](https://github.com/awelzel/zeekjs-misp) and has been published on GitHub. | ||
|
|
||
| In essence, the new package uses Node's [https module](https://nodejs.org/api/https.html) to communicate with | ||
| [MISP's Rest API](https://www.misp-project.org/openapi/), achieving the following: | ||
|
|
||
| * Populate Zeek's [Intelligence Framework](https://docs.zeek.org/en/master/frameworks/intel.html) with attributes and event information collected using the [restSearch endpoint](https://www.misp-project.org/openapi/#tag/Attributes/operation/restSearchAttributes). | ||
|
|
||
| * Report intelligence matches back to the MISP instance as sightings using the [addSighting endpoint](https://www.misp-project.org/openapi/#tag/Sightings/operation/addSighting). | ||
|
|
||
|
|
||
| ## Demo | ||
|
|
||
| One component for the demo is a [misp-docker](https://github.com/MISP/misp-docker) docker-compose setup. | ||
| The misp-docker project makes it very easy to run a local MISP instance for testing. | ||
| The default "Tor ALL nodes" feed is enabled in this instance. This feed provides `ip-dst` attributes for all currently known Tor nodes. | ||
| zeekjs-misp fetches these and converts the `ip-dst` attributes into Zeek `Intel::ADDR` intelligence items. | ||
|
|
||
| The other component of the demo is a Zeek container running in host-network mode with the zeekjs-misp package installed. | ||
| Zeek's [official container images](https://hub.docker.com/r/zeek/zeek) have JavaScript support built-in by default. | ||
| For demonstration purposes, the individual commands are reproduced below. Usually, the package installation via `zkg` | ||
| would be done in a dedicated `Dockerfile`. The MISP options would conventionally be placed into `local.zeek` instead | ||
| of directly on the command line. | ||
|
|
||
|
|
||
| First, the container is started and the zeekjs-misp package installed: | ||
|
|
||
| ``` | ||
| $ docker pull zeek/zeek | ||
| $ docker run --net=host --rm -it zeek/zeek | ||
| # zeek -N Zeek::JavaScript | ||
| Zeek::JavaScript - Experimental JavaScript support for Zeek (built-in) | ||
| # echo "yes" | zkg install zeekjs-misp | ||
| The following packages will be INSTALLED: | ||
| zeek/awelzel/zeekjs-misp (main) | ||
| Proceed? [Y/n] Installing "zeek/awelzel/zeekjs-misp" | ||
| Installed "zeek/awelzel/zeekjs-misp" (main) | ||
| Loaded "zeek/awelzel/zeekjs-misp" | ||
| ``` | ||
|
|
||
| Thereafter, Zeek is invoked as follows. This loads the zeekjs-misp and frameworks/intel/seen | ||
| packages and uses the wireless interface of the host (available within the container due to running in host networking mode). | ||
| It further configures the zeekjs-misp authentication options for use with the testing MISP instance and enables debug logging: | ||
|
|
||
| ``` | ||
| # zeek -C -i wlp0s20f3 zeekjs-misp frameworks/intel/seen MISP::url=https://localhost MISP::api_key=6gIV…BAJ MISP::insecure=T MISP::debug=T | ||
| <params>, line 1: listening on wlp0s20f3 | ||
| zeek-misp: Starting up zeekjs-misp | ||
| zeek-misp: url https://localhost | ||
| zeek-misp: api_key 6gIV... | ||
| zeek-misp: refresh_interval 120000 | ||
| zeek-misp: max_item_sightings 5n | ||
| zeek-misp: max_item_sightings_interval 5000 | ||
| zeek-misp: Schedule for 120000... | ||
| zeek-misp: Loading intel data through attributes search | ||
| zeek-misp: Attribute search {"tags":[],"to_ids":1,"eventid":[],"type":"!yara,!malware-sample,!ssdeep,!pattern-in-traffic,!btc","from":1695133600} | ||
| zeek-misp: searchAttributes done items=8660 requestMs=213.13ms insertMs=108.82661300897598ms | ||
| zeek-misp: Summary of attribute types | ||
| zeek-misp: ip-dst = 8660 | ||
| zeek-misp: Attributes search done | ||
| ``` | ||
|
|
||
| The output shows that 8660 `ip-dst` attributes have been fetched from the MISP instance and inserted into Zeek's Intelligence store. | ||
| Attributes are fetched every 2 minutes by default. The package provides further configurability to limit the time range, | ||
| filter attributes by types, or limit to attributes of specific events only. | ||
|
|
||
| There is now a single Zeek process running, monitoring the wireless interface of the host. | ||
| Running `nc` on the host system to establish a connection to one of the active Tor node IPs | ||
| shows Zeek successfully detecting the connection and producing an `intel.log` entry. | ||
|
|
||
| On the host system: | ||
| ``` | ||
| $ nc -z -v 97.107.139.108 80 | ||
| Connection to 97.107.139.108 80 port [tcp/http] succeeded! | ||
| ``` | ||
|
|
||
| Within the container where Zeek is running, the `Intel::match` event and sighting | ||
| report is logged and the `intel.log` file populated. | ||
| ``` | ||
| <params>, line 1: listening on wlp0s20f3 | ||
| ... | ||
| zeek-misp: zeek-misp: Intel::match 97.107.139.108 | ||
| zeek-misp: Sightings reported 97.107.139.108 | ||
| ^Z | ||
| # zeek-cut -m ts uid id.resp_h seen.indicator seen.indicator_type sources < intel.log | ||
| ts uid id.resp_h seen.indicator seen.indicator_type sources | ||
| 1702911422.470607 CXNOS517lUT5M5wBuk 97.107.139.108 97.107.139.108 Intel::ADDR MISP-1 | ||
| ``` | ||
|
|
||
| Navigating to the event in the MISP UI for the Tor All Nodes feed shows an increased number of sightings: | ||
|
|
||
|  | ||
|
|
||
|
|
||
|
|
||
| ## Conclusion | ||
|
|
||
| Zeek's new JavaScript support enables easier integration with external systems. | ||
| The zeekjs-misp package allows connecting Zeek with a MISP instance using MISP's extensive REST API. | ||
| Note that the zeekjs-misp package is currently meant as a tech demo. The author of the package isn't a MISP | ||
| user and deploying it in a production environment may come with further requirements. | ||
|
|
||
| Feedback and contributions on GitHub are more than welcome. | ||
| Also, feel free to reach out in the [Zeek Slack's package channel](https://zeek.org/slack). |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.