diff --git a/content/blog/Zeek_JavaScript_MISP_Integration.md b/content/blog/Zeek_JavaScript_MISP_Integration.md new file mode 100644 index 0000000..86c5ae2 --- /dev/null +++ b/content/blog/Zeek_JavaScript_MISP_Integration.md 
@@ -0,0 +1,123 @@ +--- +title: Using Zeek's new JavaScript support for MISP integration +authors: +- Arne Welzel +date: 2024-01-03 +banner: /img/blog/zeekjs-misp-overview.png +layout: post +--- + +# Using Zeek's new JavaScript support for MISP integration + +With Zeek 6.0, experimental [JavaScript support](https://docs.zeek.org/en/master/scripting/javascript.html) was added to [Zeek](https://zeek.org/), +making Node.js and its vast ecosystem available to Zeek script developers to more easily integrate with external systems. + +## MISP Integration + +As a tech-demo, the popular Zeek package [dovehawk](https://github.com/tylabs/dovehawk) has been re-implemented using JavaScript. +The re-implementation is named [zeekjs-misp](https://github.com/awelzel/zeekjs-misp) and has been published on GitHub. + +In essence, the new package uses Node's [https module](https://nodejs.org/api/https.html) to communicate with +[MISP's Rest API](https://www.misp-project.org/openapi/), achieving the following: + +* Populate Zeek's [Intelligence Framework](https://docs.zeek.org/en/master/frameworks/intel.html) with attributes and event information collected using the [restSearch endpoint](https://www.misp-project.org/openapi/#tag/Attributes/operation/restSearchAttributes). + +* Report intelligence matches back to the MISP instance as sightings using the [addSighting endpoint](https://www.misp-project.org/openapi/#tag/Sightings/operation/addSighting). + + +## Demo + +One component for the demo is a [misp-docker](https://github.com/MISP/misp-docker) docker-compose setup. +The misp-docker project makes it very easy to run a local MISP instance for testing. +The default "Tor ALL nodes" feed is enabled in this instance. This feed provides `ip-dst` attributes for all currently known Tor nodes. +zeekjs-misp fetches these and converts the `ip-dst` attributes into Zeek `Intel::ADDR` intelligence items. 
+ +The other component of the demo is a Zeek container running in host-network mode with the zeekjs-misp package installed. +Zeek's [official container images](https://hub.docker.com/r/zeek/zeek) have JavaScript support built-in by default. +For demonstration purposes, the individual commands are reproduced below. Usually, the package installation via `zkg` +would be done in a dedicated `Dockerfile`. The MISP options would conventionally be placed into `local.zeek` instead +of directly on the command line. + + +First, the container is started and the zeekjs-misp package installed: + +``` +$ docker pull zeek/zeek +$ docker run --net=host --rm -it zeek/zeek +# zeek -N Zeek::JavaScript +Zeek::JavaScript - Experimental JavaScript support for Zeek (built-in) +# echo "yes" | zkg install zeekjs-misp +The following packages will be INSTALLED: + zeek/awelzel/zeekjs-misp (main) + +Proceed? [Y/n] Installing "zeek/awelzel/zeekjs-misp" +Installed "zeek/awelzel/zeekjs-misp" (main) +Loaded "zeek/awelzel/zeekjs-misp" +``` + +Thereafter, Zeek is invoked as follows. This loads the zeekjs-misp and frameworks/intel/seen +packages and uses the wireless interface of the host (available within the container due to running in host networking mode). +It further configures the zeekjs-misp authentication options for use with the testing MISP instance and enables debug logging: + +``` +# zeek -C -i wlp0s20f3 zeekjs-misp frameworks/intel/seen MISP::url=https://localhost MISP::api_key=6gIV…BAJ MISP::insecure=T MISP::debug=T +, line 1: listening on wlp0s20f3 + +zeek-misp: Starting up zeekjs-misp +zeek-misp: url https://localhost +zeek-misp: api_key 6gIV... +zeek-misp: refresh_interval 120000 +zeek-misp: max_item_sightings 5n +zeek-misp: max_item_sightings_interval 5000 +zeek-misp: Schedule for 120000... 
+zeek-misp: Loading intel data through attributes search +zeek-misp: Attribute search {"tags":[],"to_ids":1,"eventid":[],"type":"!yara,!malware-sample,!ssdeep,!pattern-in-traffic,!btc","from":1695133600} +zeek-misp: searchAttributes done items=8660 requestMs=213.13ms insertMs=108.82661300897598ms +zeek-misp: Summary of attribute types +zeek-misp: ip-dst = 8660 +zeek-misp: Attributes search done +``` + +The output shows that 8660 `ip-dst` attributes have been fetched from the MISP instance and inserted into Zeek's Intelligence store. +Attributes are fetched every 2 minutes by default. The package provides further configurability to limit the time range, +filter attributes by types, or limit to attributes of specific events only. + +There is now a single Zeek process running, monitoring the wireless interface of the host. +Running `nc` on the host system to establish a connection to one of the active Tor node IPs +shows Zeek successfully detecting the connection and producing an `intel.log` entry. + +On the host system: +``` +$ nc -z -v 97.107.139.108 80 +Connection to 97.107.139.108 80 port [tcp/http] succeeded! +``` + +Within the container where Zeek is running, the `Intel::match` event and sighting +report is logged and the `intel.log` file populated. +``` +, line 1: listening on wlp0s20f3 +... +zeek-misp: zeek-misp: Intel::match 97.107.139.108 +zeek-misp: Sightings reported 97.107.139.108 +^Z + +# zeek-cut -m ts uid id.resp_h seen.indicator seen.indicator_type sources < intel.log +ts uid id.resp_h seen.indicator seen.indicator_type sources +1702911422.470607 CXNOS517lUT5M5wBuk 97.107.139.108 97.107.139.108 Intel::ADDR MISP-1 +``` + +Navigating to the event in the MISP UI for the Tor All Nodes feed shows an increased number of sightings: + +![MISP sightings reported by zeekjs-misp](/img/blog/zeekjs-misp-sightings.png "{class='img-responsive'}") + + + +## Conclusion + +Zeek's new JavaScript support enables easier integration with external systems. 
+The zeekjs-misp package allows connecting Zeek with a MISP instance using MISP's extensive REST API. +Note that the zeekjs-misp package is currently meant as a tech demo. The author of the package isn't a MISP +user and deploying it in a production environment may come with further requirements. + +Feedback and contributions on GitHub are more than welcome. +Also, feel free to reach out in the [Zeek Slack's package channel](https://zeek.org/slack). diff --git a/static/img/blog/zeekjs-misp-overview.png b/static/img/blog/zeekjs-misp-overview.png new file mode 100644 index 0000000..0bdf9d0 Binary files /dev/null and b/static/img/blog/zeekjs-misp-overview.png differ diff --git a/static/img/blog/zeekjs-misp-sightings.png b/static/img/blog/zeekjs-misp-sightings.png new file mode 100644 index 0000000..2b115f8 Binary files /dev/null and b/static/img/blog/zeekjs-misp-sightings.png differ
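Review bot: The Demo invocation (`zeek -C -i wlp0s20f3 zeekjs-misp ... MISP::url=https://localhost MISP::api_key=6gIV…BAJ MISP::insecure=T MISP::debug=T`) sets `MISP::insecure=T` without explaining it; since the name implies TLS certificate verification is disabled for the self-signed misp-docker instance, a sentence saying that this is a test-only setting and should be left at its default against a real MISP deployment would keep readers from copying the line verbatim. The same line puts the API key on the command line, where it lands in shell history and process listings; the post already says the options conventionally belong in `local.zeek`, so stating that this applies to `MISP::api_key` in particular (and that the key should not be pasted into shared shell snippets) would close that gap. Also unexplained is the `-C` flag, which disables Zeek's checksum validation and is relevant here because captures on a host interface often show offloaded bad checksums; one clause would suffice. Minor consistency: "MISP's Rest API" in the MISP Integration section should read "REST API" to match the Conclusion, and the debug output `max_item_sightings 5n` shows a JavaScript BigInt suffix leaking into the log line, which may be worth a short mention or a conversion in the package.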