update zeek

README.md

@@ -228,7 +228,6 @@ A collection of delicious docker recipes.
 
 - [x] aircrack-ng-arm
 - [x] amass
-- [x] bro
 - [x] clamav
 - [x] dirsearch
 - [x] dsniff
@@ -508,6 +507,7 @@ A collection of delicious docker recipes.
 - [x] wordpress
 - [x] yourls
 - [x] ghcr.io/linuxserver/wireguard
+- [x] zeek/zeek :skull:
 - [x] apache/zeppelin
 - [x] koenkk/zigbee2mqtt
 - [x] zookeeper

bro/README.md

@@ -1,49 +0,0 @@
-The Bro Network Security Monitor
-================================
-
-[![](https://badge.imagelayers.io/vimagick/bro:latest.svg)](https://imagelayers.io/?images=vimagick/bro:latest 'Get your own badge on imagelayers.io')
-
-`Bro` is a powerful network analysis framework that is much different from the
-typical IDS you may know.
-
-- Adaptable
-- Efficient
-- Flexible
-- Forensics
-- Commercially Supported
-- In-depth Analysis
-- Highly Stateful
-- Open Interfaces
-- Open Source
-
-## docker-compose.yml
-
-```
-bro:
-  image: vimagick/bro
-  command: bro -C -i eth0
-  volumes:
-    - ./logs:/opt/bro/logs
-  net: container:shadowsocks_shadowsocks_1
-```
-
-> We are going to monitor `shadowsocks` which is a socks5 server.
-
-## up and running
-
-```
-$ cd ~/fig/bro/
-
-$ docker-compose up -d
-
-$ docker exec -it bro_bro_1 bash
->>> cat dns.log | bro-cut query | sort | uniq -c | sort -nr | head -5
-    10 www.youtube.com
-    3 twitter.com
-    2 www.google.com
-    1 www.baidu.com
-    1 www.facebook.com
->>> exit
-```
-
-> Don't be evil!

bro/docker-compose.yml

@@ -1,6 +0,0 @@
-bro:
-  image: vimagick/bro
-  command: bro -i eth0
-  volumes:
-    - ./logs:/opt/bro/logs
-  net: container:shadowsocks_shadowsocks_1

zeek/README.md

@@ -0,0 +1,36 @@
+zeek
+====
+
+[Zeek][1] is a passive, open-source network traffic analyzer. Many operators use
+Zeek as a network security monitor (NSM) to support investigations of
+suspicious or malicious activity.
+
+- Adaptable
+- Efficient
+- Flexible
+- Forensics
+- Commercially Supported
+- In-depth Analysis
+- Highly Stateful
+- Open Interfaces
+- Open Source
+
+## up and running
+
+```bash
+$ docker compose up -d
+
+$ docker compose exec zeek bash
+>>> cd /usr/local/zeek/logs
+>>> cat dns.log | zeek-cut query | sort | uniq -c | sort -nr | head -5
+    10 www.youtube.com
+    3 twitter.com
+    2 www.google.com
+    1 www.baidu.com
+    1 www.facebook.com
+>>> exit
+```
+
+> Don't be evil!
+
+[1]: https://github.com/zeek/zeek

zeek/docker-compose.yml

@@ -0,0 +1,9 @@
+version: "3.8"
+services:
+  zeek:
+    image: zeek/zeek:tls
+    command: zeek -C -i eth0
+    volumes:
+      - ./logs:/usr/local/zeek/logs
+    network_mode: host
+    restart: unless-stopped