zeek does not start on my pfsense #19

Closed
thiamata opened this issue Feb 13, 2021 · 10 comments

@thiamata

Hi

I have tried several times to install zeek on my pfsense. The installation seems to work, but after enabling zeek, it does not start up.

My System:
BIOS Vendor: coreboot
Version: v4.13.0.1
Release Date: Wed Nov 25 2020
Version 2.5.0-RC (amd64)
built on Sat Feb 13 03:07:19 EST 2021
FreeBSD 12.2-STABLE
CPU Type AMD GX-412TC SOC
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (inactive)
Kernel PTI Disabled
MDS Mitigation Inactive

installed modules:
acme security 0.6.9_3
arping net 1.2.2_2
arpwatch net-mgmt 0.2.0_4
bandwidthd net-mgmt 0.7.4_5
darkstat net-mgmt 3.1.3_5
frr net 1.1.0_4
iperf benchmarks 3.0.2_5
Lightsquid www 3.0.6_8
lldpd net-mgmt 0.9.11
mailreport mail 3.6.3_2
mtr-nox11 net 0.85.6_2
map security 1.4.4_2
ntopng net 0.8.13_9
openvpn-client-export security 1.5_5
pfBlockerNG-devel net 3.0.0_10
RRD_Summary sysutils 2.0_1
Shellcmd sysutils 1.0.5_2
squid www 0.4.45_3
Status_Traffic_Totals net 2.3.2_2
syslog-ng sysutils 1.15_7
zeek security 3.0.6_1

I am not really familiar with zeek/(bro).

If there is a need for more information like logs etc, please contact me

many thanks for help

thiamata

@thiamata
Author

sorry forgot to mention:
enabled for startup

choosing the WAN interface for inspection

configured my local network IPv4/IPv6

Configured a mail address for my local mail server.

so far as I understand, this might be the minimum configuration for starting up

regards

@thiamata
Author

running zeekctl -> deploy on shell level seems to work.

so far the case might be closed immediately after opening.

;-)

@markoverholser
Contributor

We'll have to keep an eye on these. So far, we haven't been able to reproduce, but occasionally we get reports of something like this happening from field users. So, it's good to have the workaround documented here (just go run zeekctl deploy from the command line), but we need a better understanding of why it's happening if there is something here to fix. Not your fault, but I hope someone can isolate the variables that cause this so we can dig deeper.

@shadonet
Owner

shadonet commented Mar 6, 2021

@markoverholser You're right, I suspect the Zeek service restart script after saving the config, but we have to keep an eye on it and dig deeper.

@markoverholser
Contributor

@shadonet I am not sure, since I don't know how it's supposed to work, but I suspect that the circular logic in rc.d/zeek.sh is responsible.

Code starts here

To me, it seems strange that the script calls...itself. Shouldn't it be calling zeekctl deploy for a start, zeekctl restart for a restart, and zeekctl stop for a shutdown/stop action?

@markoverholser
Contributor

(continuing to think out loud) and shouldn't it have more logic to do things like detect whether Zeek is enabled? I'm not sure how pfSense interacts with those rc.d scripts, so I'm not sure what should be in them.

@markoverholser
Contributor

Scratch that, I'm totally off-base, here. The script doesn't call itself, it calls a different, similarly-named script in the same directory. I'm digging into that now.

@markoverholser
Contributor

Okay, so /usr/local/etc/rc.d/zeek.sh calls /usr/local/etc/rc.d/zeek which contains commands for using zeekctl to start, stop, deploy, restart, etc.

However, I can't see a code path where deploy would ever get called on the script /usr/local/etc/rc.d/zeek so I'm not sure how Zeek ever gets correctly deployed and run.

@shadonet
Owner

shadonet commented Jun 6, 2021

@markoverholser I think that it is related to the default Zeek path that has been changed. I will update it soon.
Also, the package has been added to the pfSense official package list from version 2.5.1, so it can be installed from the package manager UI.

@shadonet
Owner

It has been fixed now.
