work in progress for idaholab#395, added ZEEK_DISABLE_STATS environme…

…nt variable
mmguero-dev · Feb 6, 2024 · e5f39f2 · e5f39f2
1 parent 1ea5296
commit e5f39f2
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 0 deletions.
diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile
@@ -236,6 +236,7 @@ ENV PCAP_FILTER $PCAP_FILTER
 ENV PCAP_NODE_NAME $PCAP_NODE_NAME
 
 # environment variables for zeek runtime tweaks (used in local.zeek)
+ARG ZEEK_DISABLE_STATS=true
 ARG ZEEK_DISABLE_HASH_ALL_FILES=
 ARG ZEEK_DISABLE_LOG_PASSWORDS=
 ARG ZEEK_DISABLE_SSL_VALIDATE_CERTS=
@@ -256,6 +257,7 @@ ARG ZEEK_DISABLE_SPICY_TFTP=
 ARG ZEEK_DISABLE_SPICY_WIREGUARD=
 ARG ZEEK_SYNCHROPHASOR_DETAILED=
 
+ENV ZEEK_DISABLE_STATS $ZEEK_DISABLE_STATS
 ENV ZEEK_DISABLE_HASH_ALL_FILES $ZEEK_DISABLE_HASH_ALL_FILES
 ENV ZEEK_DISABLE_LOG_PASSWORDS $ZEEK_DISABLE_LOG_PASSWORDS
 ENV ZEEK_DISABLE_SSL_VALIDATE_CERTS $ZEEK_DISABLE_SSL_VALIDATE_CERTS

diff --git a/config/zeek-live.env.example b/config/zeek-live.env.example
@@ -1,6 +1,8 @@
 # Whether or not Zeek should monitor live traffic on a local
 #   interface (PCAP_IFACE variable below specifies capture interfaces)
 ZEEK_LIVE_CAPTURE=false
+# Set ZEEK_DISABLE_STATS to blank to generate stats.log and capture_loss.log
+ZEEK_DISABLE_STATS=true
 
 ZEEK_PCAP_PROCESSOR=false
 ZEEK_CRON=true

diff --git a/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek b/sensor-iso/config/includes.chroot/usr/local/etc/zeek/local.zeek
@@ -4,6 +4,7 @@
 ##!     https://docs.zeek.org/en/stable/script-reference/scripts.html
 ##!     https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek
 
+global disable_stats = (getenv("ZEEK_DISABLE_STATS") == "") ? F : T;
 global disable_hash_all_files = (getenv("ZEEK_DISABLE_HASH_ALL_FILES") == "") ? F : T;
 global disable_log_passwords = (getenv("ZEEK_DISABLE_LOG_PASSWORDS") == "") ? F : T;
 global disable_ssl_validate_certs = (getenv("ZEEK_DISABLE_SSL_VALIDATE_CERTS") == "") ? F : T;
@@ -78,6 +79,10 @@ redef ignore_checksums = T;
 @if (!disable_hash_all_files)
   @load frameworks/files/hash-all-files
 @endif
+@if (!disable_stats)
+  @load policy/misc/stats
+  @load policy/misc/capture-loss
+@endif
 @load policy/protocols/conn/vlan-logging
 @load policy/protocols/conn/mac-logging
 @load policy/protocols/modbus/known-masters-slaves

diff --git a/sensor-iso/interface/sensor_ctl/control_vars.conf b/sensor-iso/interface/sensor_ctl/control_vars.conf
@@ -55,6 +55,7 @@ export ZEEK_EXTRACTOR_OVERRIDE_FILE=
 export EXTRACTED_FILE_MIN_BYTES=64
 export EXTRACTED_FILE_MAX_BYTES=134217728
 export EXTRACTED_FILE_PRESERVATION=quarantined
+export ZEEK_DISABLE_STATS=true
 export ZEEK_DISABLE_HASH_ALL_FILES=
 export ZEEK_DISABLE_LOG_PASSWORDS=
 export ZEEK_DISABLE_SSL_VALIDATE_CERTS=

diff --git a/zeek/config/local.zeek b/zeek/config/local.zeek
@@ -4,6 +4,7 @@
 ##!     https://docs.zeek.org/en/stable/script-reference/scripts.html
 ##!     https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek
 
+global disable_stats = (getenv("ZEEK_DISABLE_STATS") == "") ? F : T;
 global disable_hash_all_files = (getenv("ZEEK_DISABLE_HASH_ALL_FILES") == "") ? F : T;
 global disable_log_passwords = (getenv("ZEEK_DISABLE_LOG_PASSWORDS") == "") ? F : T;
 global disable_ssl_validate_certs = (getenv("ZEEK_DISABLE_SSL_VALIDATE_CERTS") == "") ? F : T;
@@ -78,6 +79,10 @@ redef ignore_checksums = T;
 @if (!disable_hash_all_files)
   @load frameworks/files/hash-all-files
 @endif
+@if (!disable_stats)
+  @load policy/misc/stats
+  @load policy/misc/capture-loss
+@endif
 @load policy/protocols/conn/vlan-logging
 @load policy/protocols/conn/mac-logging
 @load policy/protocols/modbus/known-masters-slaves