The automation in this repo provides a convenient and reproducible way for to standup a clean Zeek environment in a docker container.
The automation compiles Zeek from source code and installs it within a Docker container.
If installing on Mac OSX, you will require the following.
Important! Docker Desktop for Mac uses a VM behind the scenes to host the Docker runtime environment. By default it allocates 2 GB of RAM to the VM. This is not enough to compile Zeek! If you try with the default RAM allocation, you will hit a compile error that looks something like this:
c++: internal compiler error: Killed (program cc1plus)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-7/README.Bugs> for instructions.
This is due to the VM hitting an Out Of Memory condition. To avoid this you will need to allocate more RAM to the VM. Click on the Docker Icon in your menubar and select "Preferences". Click on the "Advanced" tab and then use the slider to select 8 GB of RAM (6 also works, but use 8 just in case). Docker Desktop will restart and then you will be ready to go.
Due to recent changes in the way Maxmind supplies their GeoLite2 Databases a (free) license is required to download them. The steps to obtain the license are described in the blog post here:
- Sign up for a MaxMind account (no purchase required)
- Set your password and create a license key
- Setup your download mechanism by using our GeoIP Update program or creating a direct download script
Once you have gone through all of these steps, set the MAXMIND_LICENSE_KEY variable in your environment to enable direct download of the databases:
$ export MAXMIND_LICENSE_KEY=<value of your license key>
Use the following command to clone this repo:
git clone [email protected]:zeek/zeek-docker.git
To build your Zeek container, type in the commands below:
$ cd zeek-docker
$ make build-stamp_4.2.0
Note: If you want to build a Debug build, you can specify BUILD_TYPE=Debug (default is Release)
That's it! Now watch as the wonders of automation unfold, and your Zeek container is built. You should see something like this on your terminal console:
...
Step 24/24 : CMD /bin/bash -l
---> Running in c1263b7d2ea3
Removing intermediate container c1263b7d2ea3
---> 5bc774250a9a
Successfully built 5bc774250a9a
Successfully tagged broplatform/bro:4.2.0
touch build-stamp_4.2.0
$
Once the container has been built, check to make sure the container image is available in your local docker registry:
$ docker images | grep -e broplatform -e REPO
REPOSITORY TAG IMAGE ID CREATED SIZE
broplatform/bro 4.2.0 5bc774250a9a 8 minutes ago 215MB
Great! Let's fire it up!
Run the following command to start your container and access it via an interactive bash shell:
$ docker run -it -v `pwd`:/pcap broplatform/bro:4.2.0 /bin/bash
root@3535953ccd99:/# which zeek
/zeek/bin//zeek
Congratulations! You are up and running with Zeek!