Options for running self-compiled Zeek and Suricata (pf_ring)

[novaksam]

Hey everyone,

I'm looking to get in to security onion, and I'm wondering what options there are for running my own compiles for Zeek and Suricata, because I intend to use the server to also generate netflow information via nProbe, and use zbalance to distribute copies of the packets to each process, since I can't find information about how pf_ring zero-copy and AFPACKET would coexist on the same host.

If anyone has any ideas I'd appreciate it!
Thanks,
Sam n.

[dougburks]

You might be able to make this work, but we don't provide any support for custom compiles of Zeek/Suricata or pf_ring.

[novaksam]

From an infrastructure standpoint, are zeek and suricata currently ran as docker containers? How would I got about injecting my compilations? I'm hoping to test if I can run both afpacket and pf_ring at the same time in the next couple weeks, though I may see if I can use docker for pf_ring/nProbe.

[dougburks]

From an infrastructure standpoint, are zeek and suricata currently ran as docker containers?

Yes.

How would I got about injecting my compilations?

We don't recommend or support modifying the containers in this way. We recommend treating Security Onion as an appliance and avoid changes like these as they can cause issues:
https://docs.securityonion.net/en/2.3/best-practices.html#avoid-third-party-software-and-modifications

You might want to consider what you hope to get out of nProbe and see if there is some way to achieve that same goal with software that is already in Security Onion. If not, you might consider installing nProbe on a separate box.