[Zeek] af_packet

Eric Ooi ericooi at gmail.com
Thu Nov 21 15:13:26 PST 2019


Ouch.  Can’t please everyone I guess.


________________________________
From: Michał Purzyński <michalpurzynski1 at gmail.com>
Sent: Thursday, November 21, 2019 5:10 PM
To: ericooi at gmail.com
Cc: venkatesh bandari; zeek
Subject: Re: [Zeek] af_packet

TBH I see quite a few reasons why plugins and Zeek should not be installed like that article describes.

- everything should be packaged. This includes Zeek and all plugins, each as a separate package. Running zkg to install a plugin on production will result in building code on the server (and we don't even have compilers there).
- the sudo + pip install means you now have Python packages installed for the entire OS but outside of the OS control and packaging, making vulnerability management difficult (most likely never detected, forgotten and left there)
- looks like zeek user can sudo to root. There's no need for that dangerous capability.
- cap_net_admin is not needed and dangerous
- assigning any capabilities to zeekctl is not needed and also dangerous
- and those 3 affiliation links at the bottom...

On Thu, Nov 21, 2019 at 7:46 AM ericooi at gmail.com <ericooi at gmail.com> wrote:
Any particular reason you don’t want to use the package manager?  It’s designed to simplify the process.

I wrote a how-to guide for installation on CentOS 8 that covers using the package manager: https://www.ericooi.com/zeekurity-zen-part-ii-zeek-package-manager/

On Nov 21, 2019, at 9:25 AM, venkatesh bandari <austin522 at gmail.com> wrote:

Hello Team,

I am trying to install af_packet and I see we can only install it using the package manager.

Could you please help to answer if there is an alternative way to install af_packet?

Thanks
Venkatesh
_______________________________________________
Zeek mailing list
zeek at zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
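
An added example, not part of any message in this thread and not Zeek project code: two audit checks for the capability and sudo concerns in the list above, written to run over saved `getcap -r` output and sudoers lines. The `/opt/zeek` paths, the `zeek` account name and the sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example. Paths, account name and sample lines are constructed.

# Reads `getcap -r <dir>` output on stdin; accepts both output styles:
#   /path = cap_net_raw+eip     (older libcap)
#   /path cap_net_raw=eip       (newer libcap)
# Paths containing spaces are not handled.
audit_caps() {
    awk '
    NF >= 2 {
        path = $1; n = split(path, parts, "/"); found = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "=") continue
            clause = $i
            sub(/[+=-].*$/, "", clause)      # drop the +eip / =eip flags
            m = split(clause, names, ",")
            for (j = 1; j <= m; j++)
                if (names[j] == "cap_net_admin") found = 1
        }
        if (found) print "cap_net_admin " path
        if (parts[n] == "zeekctl") print "zeekctl_has_caps " path
    }'
}

# Reads sudoers-format lines on stdin and prints rules granted directly to
# the sensor account (default name "zeek", an assumption).
audit_sudoers() {
    awk -v u="${1:-zeek}" '
    /^[ \t]*#/ { next }
    $1 == u { print "sudo_rule " $0 }'
}

# Constructed sample input, not taken from a real host.
SAMPLE_GETCAP='/opt/zeek/bin/zeek = cap_net_admin,cap_net_raw+eip
/opt/zeek/bin/zeekctl cap_net_raw=eip
/opt/zeek/bin/capstats cap_net_raw=eip'
SAMPLE_SUDOERS='# constructed sudoers lines
root ALL=(ALL) ALL
zeek ALL=(ALL) NOPASSWD: ALL'

printf '%s\n' "$SAMPLE_GETCAP" | audit_caps
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers zeek
```

On a sensor, pipe `getcap -r` for the Zeek install prefix into `audit_caps` and the contents of `/etc/sudoers` and `/etc/sudoers.d/` into `audit_sudoers`.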
