Feature #11396

closed

Add Zeek as an installable package

Added by Charles Johnston about 3 years ago. Updated about 3 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Zeek
Target version: -
Start date: 02/10/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

Base install:
Supported in FreeBSD (https://www.freshports.org/security/zeek) so installation and updates should be possible.

Zeek Package Manager:
[https://packages.zeek.org/]
Installable via pip/pip3 [https://docs.zeek.org/projects/package-manager/en/stable/quickstart.html]
Package installation further enhances Zeek allowing for additional protocol decoders and extended functionality.

Required development:
This package would need a Web-GUI page for configuration changes; currently one is in development [https://github.com/shadonet/pfSense-pkg-zeek]. This package requires some additional development and enhancements to make this fully functional.

Enhancements:
Zeek package management
Cluster configuration [https://docs.zeek.org/en/current/configuration/]
Logging changes (ASCII vs JSON) [https://docs.zeek.org/en/current/scripts/policy/tuning/json-logs.zeek.html]
PF_RING isn't supported in FreeBSD, as far as I know, but there are other solutions that could increase capture speed. [https://old.zeek.org/brocon2016/slides/shirk_bsd.pdf]

Nice to haves:
Management of log shippers such as Filebeat or the Splunk log forwarder. This could be handled using a cluster configuration without adding additional packages to pfSense.

Justification:
Zeek is probably the most robust and complete near-real-time network monitoring tool available. With the functionality to quickly deploy Zeek worker nodes on pfSense firewalls and send that data back to a centralized logger, network visibility could be increased greatly with reduced requirements for storage of network data when compared to a full packet capture solution. As a network monitor, Zeek has greater potential to find malicious activity or badly behaving services than a signature-based solution such as Snort or Suricata. Zeek has the potential to make pfSense a much more robust monitoring and security solution than it currently is.

Testing:
On my previous SG-5100 I had manually installed Zeek, using pkg, and set up the Zeek package manager. This setup monitored multiple interfaces with minimal impact to performance. Additionally, using the Splunk log forwarder I was able to ship all of the Zeek data to a Splunk server for network monitoring. While completely doable, this was a risky proposition that many users would probably not implement due to the risk of instability and the management of the Zeek configuration.
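
As an added example, not code from this ticket or from the pfSense-pkg-zeek project: a small Python parser for Zeek's conn.log in the two output formats named under Enhancements, the default tab-separated ASCII format and the JSON-lines format that loading policy/tuning/json-logs.zeek produces. The header keywords (#separator, #fields, #types and so on) follow Zeek's ASCII writer; the two connection rows, their hosts, UIDs and byte counts are constructed. The point for anyone shipping logs as in the nice-to-have: the two formats represent unset fields differently (a `-` column versus an omitted key), so a forwarder or parser has to normalize before counting, which the per-host byte summary at the end does.

```python
"""Parse Zeek conn.log output in both the ASCII (TSV) and JSON-lines formats.

Added example (not from the ticket or pfSense-pkg-zeek). The header keywords
follow Zeek's ASCII writer; the sample rows and hosts are constructed.
"""
import json

# Constructed sample of Zeek's default ASCII (tab-separated) conn.log.
ASCII_LOG = "\n".join([
    "#separator \\x09",  # Zeek writes the separator as an escape sequence
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2021-02-10-12-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\tset[string]",
    "1612958400.123456\tCabc123\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl"
    "\t1.25\t1024\t4096\tSF\t(empty)",
    "1612958401.000000\tCdef456\t10.0.0.7\t40000\t10.0.0.1\t53\tudp\tdns"
    "\t-\t60\t-\tS0\t-",
    "#close\t2021-02-10-12-05-00",
])

# The same two connections as JSON lines (what policy/tuning/json-logs.zeek
# produces): unset fields are omitted entirely, empty sets appear as [].
JSON_LOG = "\n".join([
    '{"ts":1612958400.123456,"uid":"Cabc123","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl",'
    '"duration":1.25,"orig_bytes":1024,"resp_bytes":4096,"conn_state":"SF","tunnel_parents":[]}',
    '{"ts":1612958401.0,"uid":"Cdef456","id.orig_h":"10.0.0.7","id.orig_p":40000,'
    '"id.resp_h":"10.0.0.1","id.resp_p":53,"proto":"udp","service":"dns",'
    '"orig_bytes":60,"conn_state":"S0"}',
])


def _convert(raw, typ, set_sep, empty, unset):
    """Turn one ASCII column into a Python value according to its #types entry."""
    if raw == unset:
        return None  # unset field, written as "-" by default
    if typ.startswith(("set[", "vector[")):
        inner = typ[typ.index("[") + 1:-1]
        if raw == empty:
            return []
        return [_convert(v, inner, set_sep, empty, unset) for v in raw.split(set_sep)]
    if raw == empty:
        return ""
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    return raw  # string, addr, subnet, enum keep their textual form


def parse_ascii(text):
    """Parse Zeek's ASCII writer output, honouring its self-describing header."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close carry no row data
        if fields is None or types is None:
            raise ValueError("data row before #fields/#types header")
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}")
        records.append({name: _convert(raw, typ, set_sep, empty, unset)
                        for name, typ, raw in zip(fields, types, cols)})
    return records


def parse_json(text):
    """Parse JSON-lines output: one object per line, unset fields absent."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_zeek_log(text):
    """Detect the format from the first non-empty line and parse accordingly."""
    first = next((ln for ln in text.splitlines() if ln.strip()), "")
    return parse_json(text) if first.startswith("{") else parse_ascii(text)


def bytes_by_orig_host(records):
    """Sum orig+resp bytes per originating host; unset or missing counts as 0."""
    totals = {}
    for rec in records:
        total = (rec.get("orig_bytes") or 0) + (rec.get("resp_bytes") or 0)
        totals[rec["id.orig_h"]] = totals.get(rec["id.orig_h"], 0) + total
    return totals


if __name__ == "__main__":
    for label, text in (("ascii", ASCII_LOG), ("json", JSON_LOG)):
        print(label, bytes_by_orig_host(parse_zeek_log(text)))
```

Both inputs yield the same per-host totals once unset values are treated uniformly; the ASCII path also checks that each row has as many columns as the #fields header declares, which catches truncated lines from a log that was rotated or shipped mid-write.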

Actions #1

Updated by Jim Pingle about 3 years ago

  • Status changed from New to Rejected

It is already a pfSense package on 2.5.0: pfSense-pkg-zeek-3.0.6_1
