<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1250">
</head>
<body>
<div>
<div>
<div>
<div style="direction: ltr;">Ouch. Can’t please everyone I guess.</div>
</div>
<div><br>
</div>
<div class="ms-outlook-ios-signature"></div>
</div>
<div> </div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif"><b>From:</b> Micha³ Purzyñski <michalpurzynski1@gmail.com><br>
<b>Sent:</b> Thursday, November 21, 2019 5:10 PM<br>
<b>To:</b> ericooi@gmail.com<br>
<b>Cc:</b> venkatesh bandari; zeek<br>
<b>Subject:</b> Re: [Zeek] af_packet
<div> </div>
</font></div>
<meta content="text/html; charset=utf-8">
<div dir="ltr">
<div>TBH I see quite a few reasons why plugins and Zeek should not be installed like that article describes.<br>
</div>
<div><br>
</div>
<div>- everything should be packaged. This includes Zeek and all plugins, each as a separate package. Running zkg to install plugin on production will result in building code on the server (and we don't even have compilers there).</div>
<div>- the sudo + pip install means you now have python packages installed for the entire OS but outside of the OS control and packaging, making vulnerability management difficult (most likely never detected, forgotten and left there)</div>
<div>- looks like zeek user can sudo to root. There's no need for that dangerous capability.<br>
</div>
<div>- cap_net_admin is not needed and dangerous</div>
<div>- assigning any capabilities to zeekctl is not needed and also dangerous</div>
<div>- and those 3 affiliation links at the bottom...<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Nov 21, 2019 at 7:46 AM <a href="mailto:ericooi@gmail.com">
ericooi@gmail.com</a> <<a href="mailto:ericooi@gmail.com">ericooi@gmail.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div style="">Any particular reason you don’t want to use the package manager? It’s designed to simplify the process.
<div><br>
</div>
<div>I wrote a how-to guide for installation on CentOS 8 that covers using the package manager: <a href="https://www.ericooi.com/zeekurity-zen-part-ii-zeek-package-manager/" target="_blank">https://www.ericooi.com/zeekurity-zen-part-ii-zeek-package-manager/</a><br>
<div><br>
<blockquote type="cite">
<div>On Nov 21, 2019, at 9:25 AM, venkatesh bandari <<a href="mailto:austin522@gmail.com" target="_blank">austin522@gmail.com</a>> wrote:</div>
<br>
<div>
<div dir="ltr">Hello Team,<br>
<div><br>
</div>
<div>Iam trying to install af_packet and i see we can only install using package manager.</div>
<div><br>
</div>
<div>could you please help to answer if there is a alternative way to install af_packet</div>
<div><br>
</div>
<div>Thanks</div>
<div>Venkatesh</div>
</div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></div>
</blockquote>
</div>
<br>
</div>
</div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote>
</div>
</div>
</body>
</html>