Passive
With Zeek
You need to run Zeek (formerly known as
Bro), version 3.0 minimum (tested with 3.0 and 3.1) with the option
-b and the location of the passiverecon/bare.zeek file. If you
want to run it on the eth0 interface, for example, run (replace
/usr/share/ivre/zeek by the appropriate location; use python -c
'import ivre.config; print(ivre.config.guess_prefix("zeek"))' if you
cannot find it):
$ mkdir logs
$ sudo LOG_PATH=logs/passiverecon \
> zeek -b /usr/share/ivre/zeek/ivre/passiverecon/bare.zeek -C -i eth0
If you want to run it on the capture file (capture needs to be a
PCAP file), run:
$ mkdir logs
$ LOG_PATH=logs/passiverecon \
> zeek -b /usr/share/ivre/zeek/ivre/passiverecon/bare.zeek -r capture
This will produce log files in the logs directory. Pipe each
generated log file into ivre passiverecon2db:
$ for f in logs/passiverecon.*; do ivre passiverecon2db < "$f"; done
You can also send the data from zeek to the database without using
intermediate files:
$ zeek -b /usr/share/ivre/zeek/ivre/passiverecon/bare.zeek [option] \
> | ivre passiverecon2db
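The two steps above (run Zeek on a capture with IVRE's passiverecon script, then feed every generated log into ivre passiverecon2db) wrapped in checked shell helpers. This is an added example, not a script shipped with IVRE; it assumes zeek (3.0 or later) and ivre are on PATH and that IVRE's Zeek scripts live under the IVRE_ZEEK directory (a constructed variable, defaulting to /usr/share/ivre/zeek). The importer command is a parameter so the loop can be exercised without a database.

```shell
#!/bin/sh
# Added example, not part of IVRE: wrap the "run Zeek on a PCAP, then
# import every passiverecon log" procedure into checked helper functions.
# Assumptions: zeek (>= 3.0) and ivre are on PATH, and IVRE's Zeek scripts
# live under $IVRE_ZEEK (override it, or locate it with
# python -c 'import ivre.config; print(ivre.config.guess_prefix("zeek"))').

IVRE_ZEEK="${IVRE_ZEEK:-/usr/share/ivre/zeek}"
PASSIVERECON_SCRIPT="$IVRE_ZEEK/ivre/passiverecon/bare.zeek"

# Run Zeek's passiverecon script over one capture file.
# $1: PCAP file, $2: directory that receives the passiverecon.* logs.
# Returns 2 on bad input without starting Zeek.
run_zeek_pcap() {
    pcap="$1"
    logdir="$2"
    [ -f "$pcap" ] || { echo "no such capture: $pcap" >&2; return 2; }
    [ -f "$PASSIVERECON_SCRIPT" ] || {
        echo "missing $PASSIVERECON_SCRIPT; set IVRE_ZEEK" >&2; return 2; }
    mkdir -p "$logdir" || return 1
    # -b: bare mode, load only the given script (as the documentation requires)
    LOG_PATH="$logdir/passiverecon" zeek -b "$PASSIVERECON_SCRIPT" -r "$pcap"
}

# Feed every passiverecon.* log in a directory to an importer command
# (default: "ivre passiverecon2db") and print how many files were imported.
# $1: log directory; remaining arguments: importer command (optional).
import_logs() {
    logdir="$1"
    shift
    [ $# -gt 0 ] || set -- ivre passiverecon2db
    count=0
    for f in "$logdir"/passiverecon.*; do
        [ -f "$f" ] || continue      # no match: the glob stays literal, skip it
        "$@" < "$f" || { echo "import failed for $f" >&2; return 1; }
        count=$((count + 1))
    done
    echo "$count"
}

# Typical use, e.g. from a one-shot ingestion script:
#   run_zeek_pcap capture.pcap logs && import_logs logs
```

Only files matching passiverecon.* are imported, so other Zeek logs that may end up in the same directory are ignored, and the first failing import stops the loop so a partially ingested batch is visible rather than silently skipped.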
With p0f
You need to install p0f v3, and
use it with the option -o to produce an output file. Then, provide
that output file to ivre p0f2db.
For now, only syn and syn+ack modes are supported.
Enjoying the results
You have several options, depending on what you want to do:
Command line interfaces (see also Passive network analysis in the screenshots gallery):
- ivre ipinfo tool, for any passive data.
- ivre iphost tool, for Passive DNS data (see Your own Passive DNS service).
Python API: use the db.passive object of the ivre.db module.
Web interface: using ivre db2view, you can create or update a view with passive data, which can then be accessed by the view purpose (see Purposes), which includes the Web User Interface.
CLI
To show everything stored about an IP address or a network:
$ ivre ipinfo 1.2.3.4
$ ivre ipinfo 1.2.3.0/24
See the output of ivre help ipinfo and ivre help iphost.
Python module
To use the Python module, run for example:
$ python
>>> from ivre.db import db
>>> db.passive.get(db.passive.flt_empty)[0]
For more, run help(db.passive) from the Python shell.