Sunday, February 7, 2021

Fedora 33 : Running Zeek - part 001.

Zeek is often used as a network analysis tool, but it can also be deployed as an Intrusion Detection System (IDS).
The full documentation can be found on this website page.
Let's install this tool on the Fedora 33 distro.
[root@desk mythcat]# dnf search zeek
Last metadata expiration check: 0:18:02 ago on Sun 07 Feb 2021 11:21:35 AM EET.
No matches found.
[root@desk mythcat]# dnf config-manager --add-repo https://download.opensuse.org/repositories/security:zeek/Fedora_33/security:zeek.repo
Adding repo from: https://download.opensuse.org/repositories/security:zeek/Fedora_33/security:zeek.repo
[root@desk mythcat]# dnf install zeek
The Zeek Network Security Monitor. (Fedora_33)  105 kB/s | 128 kB     00:01    
Last metadata expiration check: 0:00:01 ago on Sun 07 Feb 2021 11:40:31 AM EET.
...
  Verifying        : zeekctl-3.2.3-1.1.x86_64                               8/8 

Installed:
  libbroker-devel-3.2.3-1.1.x86_64       libpcap-devel-14:1.9.1-6.fc33.x86_64  
  openssl-devel-1:1.1.1i-1.fc33.x86_64   zeek-3.2.3-1.1.x86_64                 
  zeek-core-3.2.3-1.1.x86_64             zeek-devel-3.2.3-1.1.x86_64           
  zeek-libcaf-devel-3.2.3-1.1.x86_64     zeekctl-3.2.3-1.1.x86_64              

Complete!
[root@desk mythcat]# whereis zeek
zeek: /opt/zeek/bin/zeek
[root@desk mythcat]# whereis zeekctl
zeekctl: /opt/zeek/bin/zeekctl
I found this information in the documentation:
ZeekControl is an interactive shell for easily operating/managing Zeek installations on a single system or even across multiple systems in a traffic-monitoring cluster.
A Minimal Starting Configuration
These are the basic configuration changes to make for a minimal ZeekControl installation that will manage a single Zeek instance on the localhost:
  • In $PREFIX/etc/node.cfg, set the right interface to monitor.
  • In $PREFIX/etc/networks.cfg, comment out the default settings and add the networks that Zeek will consider local to the monitored environment.
  • In $PREFIX/etc/zeekctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.
The next step is to adjust your PATH environment variable and start the ZeekControl shell:
[root@desk mythcat]# export PATH=/opt/zeek/bin:$PATH
[root@desk mythcat]# zeekctl

Welcome to ZeekControl 2.2.0

Type "help" for help.
...
Use the install, start and diag commands in the ZeekControl shell to check that Zeek works.
If you get this error from the diag command, you need to set your network interface:
==== stderr.log
fatal error: problem with interface eth0 (pcap_error: SIOCGIFHWADDR: No such device (pcap_activate))
Let's fix this error in the configuration files:
[root@desk mythcat]# updatedb
[root@desk mythcat]# locate node.cfg
/opt/zeek/etc/node.cfg
[root@desk mythcat]# vi /opt/zeek/etc/node.cfg
I changed the interface= line to my network interface.
You can find your interface with these commands:
[root@desk mythcat]# ip link show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
...
[root@desk mythcat]# nmcli device status
DEVICE  TYPE      STATE                   CONNECTION 
...
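The three configuration steps quoted from the documentation, applied in one go. This is an added example, not part of the original post or of Zeek itself; it assumes PREFIX is the install path (/opt/zeek above) and that node.cfg and zeekctl.cfg use the key=value layouts shipped with Zeek 3.x. It also refuses an interface name that does not exist, which is what produced the pcap "No such device" error from diag.

```shell
#!/bin/sh
# Added example (not from the original post): apply the minimal ZeekControl
# configuration for one standalone Zeek instance on the local host.
# Assumptions: PREFIX is the install path (/opt/zeek above); node.cfg and
# zeekctl.cfg use the key=value layouts shipped with Zeek 3.x.
set -eu

# set_cfg_key FILE KEY VALUE: replace an existing "KEY = ..." line or append
# one, so the other settings already in zeekctl.cfg are kept, not overwritten.
set_cfg_key() {
    file=$1 key=$2 value=$3
    touch "$file"
    if grep -q "^$key *=" "$file"; then
        sed "s|^$key *=.*|$key = $value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# zeek_minimal_config PREFIX IFACE LOCALNET MAILTO
zeek_minimal_config() {
    prefix=$1 iface=$2 localnet=$3 mailto=$4
    # Only plain Linux device names are accepted, so a typo or a stray shell
    # character never ends up in node.cfg.
    case $iface in
        ''|*[!A-Za-z0-9_.:-]*) echo "bad interface name: '$iface'" >&2; return 1 ;;
    esac
    # A device that does not exist is what made diag fail with the pcap
    # "No such device" error; catch it here when iproute2 is available.
    if command -v ip >/dev/null 2>&1 && ! ip link show dev "$iface" >/dev/null 2>&1; then
        echo "interface $iface not found (see: ip link show)" >&2; return 1
    fi
    mkdir -p "$prefix/etc"
    # node.cfg: a single standalone node sniffing the chosen interface
    printf '[zeek]\ntype=standalone\nhost=localhost\ninterface=%s\n' "$iface" \
        > "$prefix/etc/node.cfg"
    # networks.cfg: CIDR blocks Zeek treats as local (replaces the defaults)
    printf '%s\tLocal network\n' "$localnet" > "$prefix/etc/networks.cfg"
    # zeekctl.cfg: notification address and log archival interval in seconds
    set_cfg_key "$prefix/etc/zeekctl.cfg" MailTo "$mailto"
    set_cfg_key "$prefix/etc/zeekctl.cfg" LogRotationInterval 3600
}

# zeek_configured_iface PREFIX: print the interface currently set in node.cfg
zeek_configured_iface() {
    sed -n 's/^interface=//p' "$1/etc/node.cfg"
}
```

Run it as root with the real prefix, e.g. `zeek_minimal_config /opt/zeek enp3s0 192.168.1.0/24 soc@example.org`, then `zeekctl deploy` to pick up the change.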
Now I can run the zeekctl command and check that everything is all right.
The first issue reported by diag and zeekctl is this:
1612693272.168741 Reporter::WARNING Your interface is likely receiving invalid TCP and UDP checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Zeek unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Zeek analyzes the actual checksums that are transmitted. /opt/zeek/share/zeek/base/misc/find-checksum-offloading.zeek, line 54
As you can see, this tool provides useful information for users.

Fedora 33 : C# and Google A.P.I.

In this tutorial, I will show you how to use C# with the Google A.P.I. on Fedora Linux.
You can find more C# tutorials written by me on the web.
I added this tutorial here because it is used with the Fedora 33 distro.
You will need to create an authentication key in your Google account; see the credentials page.
I installed the NuGet command on Fedora Linux:
[root@desk mythcat]# dnf install nuget 
...
Installed:
  nuget-2.8.7-11.fc33.x86_64                                                    
Complete!
Use this command to install the Google.Apis.Discovery.v1 package:
[mythcat@desk CSharpProjects]$ nuget install Google.Apis.Discovery.v1 
Attempting to resolve dependency 'Google.Apis (= 1.10.0)'.
Attempting to resolve dependency 'Google.Apis.Core (≥ 1.10.0)'.
...
Attempting to resolve dependency 'Google.Apis (≥ 1.49.0)'.
'Google.Apis' already has a dependency defined for 'Google.Apis.Core'.
Create a basic C# project and test it:
[mythcat@desk CSharpProjects]$ mkdir booksAPI && cd booksAPI
[mythcat@desk booksAPI]$ dotnet new console
Getting ready...
...
[mythcat@desk booksAPI]$ dotnet run
Hello World!
Add Google A.P.I. to this project:
[mythcat@desk booksAPI]$ dotnet add package Google.Apis.Discovery.v1 --version 1.49.0
  Determining projects to restore...
log  : Restored /home/mythcat/CSharpProjects/booksAPI/booksAPI.csproj (in 8.86 sec).
Replace the default project source code with this example and add your Google API key:
using System;
using System.Threading.Tasks;

using Google.Apis.Discovery.v1;
using Google.Apis.Discovery.v1.Data;
using Google.Apis.Services;

namespace booksAPI
{
    class Program
    {
        [STAThread]
        static void Main(string[] args)
        {
            Console.WriteLine("Discovery API Sample");
            Console.WriteLine("====================");
            try
            {
                new Program().Run().Wait();
            }
            catch (AggregateException ex)
            {
                // Task.Wait() wraps any failure (bad key, no network) in an AggregateException.
                foreach (var e in ex.InnerExceptions)
                {
                    Console.WriteLine("ERROR: " + e.Message);
                }
            }
            Console.WriteLine("Press any key to continue...");
            Console.ReadKey();
        }

        private async Task Run()
        {
            // Create the service. Put your API key here; keep it out of source control.
            var service = new DiscoveryService(new BaseClientService.Initializer
                {
                    ApplicationName = "Discovery Sample",
                    ApiKey = "...",
                });

            // Run the request: list every API the Discovery service knows about.
            Console.WriteLine("Executing a list request...");
            var result = await service.Apis.List().ExecuteAsync();

            // Display the results.
            if (result.Items != null)
            {
                foreach (DirectoryList.ItemsData api in result.Items)
                {
                    Console.WriteLine(api.Id + " - " + api.Title);
                }
            }
        }
    }
}
I used my key, and this is the result of running the project:
[mythcat@desk booksAPI]$ dotnet run
Discovery API Sample
====================
Executing a list request...
abusiveexperiencereport:v1 - Abusive Experience Report API
acceleratedmobilepageurl:v1 - Accelerated Mobile Pages (AMP) URL API
accessapproval:v1 - Access Approval API
accesscontextmanager:v1beta - Access Context Manager API
...