Leveraging Zeek, Zeekctl, and Zeek-cut from CLI

I’m on the current stable release 2.4.2-1905. I had a few questions about leveraging Zeek services under the hood without Elastic…

More specifically, using zeekctl and zeek-cut. It appears those services aren’t available… Could they be installed?

Are there any side effects to elastic or kibana? I’d like to still have the graphic analysis, but do replays with bro and leverage zeekctl and zeek-cut as well.

Have you tried broctl and bro-cut?

Visualizations depend on kibana, which retrieves the data to visualize from elastic. You can certainly install without elastic; you just won’t be able to visualize data.

I have tried broctl. I see it is there in /sbin, but as I understand it, zeek-cut should be there as well. The nomenclature of each appears to be version dependent; in the most recent Zeek versions both appear as Zeek. Regardless, I already have Rock running, and I’m fine with the visualizations provided by elastic.

I suppose I wasn’t clear: I want to be able to use both of those functionalities (zeekctl and zeek-cut), I just didn’t want it to disrupt elastic by installing and using them. I don’t particularly care if I can index and visualize them. I just want to be able to grep, awk, zeek-cut in the CLI.

bro-cut is in the bro-aux package that didn’t get installed by default. It’s in the online repo, and I think the offline repo too. If you need it offline and it’s not on disk you can download it from here: https://packagecloud.io/rocknsm/2_4/packages/el/7/bro-aux-0.42-1.el7.x86_64.rpm

Otherwise, just use yum to install it.

sudo yum install bro-aux