Zeek is a free, open-source network security monitor used as a network intrusion detection system and traffic analyzer. Rather than only matching signatures, it parses traffic into protocol-aware logs (DNS, HTTP, FTP, SSL/TLS and many more), and it also supports signature matching and custom detection scripts. Each log type is written to its own file, capturing fields such as MIME types, server responses, DNS queries, HTTP sessions, requested URIs, SSL certificates, and more.
In this tutorial, you’ll learn how to install Zeek on an Ubuntu 22.04 system. Follow these steps to get started with Zeek and enhance your network security monitoring capabilities.
Prerequisites
- An Ubuntu 22.04 server with at least 2 GB of RAM.
- Root access with a configured root password on your server.
Getting Started
Firstly, ensure all your system packages are up-to-date. Run the commands below:
apt update -y
apt upgrade -y
Once updated, install the necessary packages using:
apt install curl gnupg2 wget -y
Add Zeek Repository
Since Zeek isn’t included in the default Ubuntu repositories, you need to add the Zeek repository (hosted on the openSUSE Build Service) to APT. Start by downloading the repository signing key and storing it where APT trusts it; the trailing > /dev/null stops tee from echoing the binary key to your terminal:
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
Note that a key placed in /etc/apt/trusted.gpg.d is trusted for every repository on the system. If you want to limit it to this repository only, store it in a separate keyring file and reference that file with [signed-by=...] in the source entry below.
Then, add the repository with:
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | tee /etc/apt/sources.list.d/security:zeek.list
Update the repository cache again:
apt update -y
Install Zeek
Proceed to install Zeek using:
apt install zeek -y
During the installation, a dialog asks you to choose a mail server configuration. This prompt comes from Postfix, which is installed as a dependency because zeekctl can e-mail alerts and reports. Select Local only and press Enter.
When asked for the mail server hostname, accept the default (your server’s hostname) or enter one, then press Enter again.
Next, add Zeek’s bin directory to your PATH. Use single quotes so that $PATH is expanded each time a shell starts, rather than frozen at the moment the line is written to the file:
echo 'export PATH=$PATH:/opt/zeek/bin' >> ~/.bashrc
Apply the change to your current shell with:
source ~/.bashrc
Verify the installed Zeek version:
zeek --version
The output will look like the following; the exact version depends on the package currently in the repository:
zeek version 5.1.1
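The whole installation procedure above, collapsed into one unattended script. This is an added example and not code from the page or from the Zeek project: it keeps the page’s repository and key URLs, but stores the key in its own keyring and binds it to this single repository with signed-by instead of dropping it into /etc/apt/trusted.gpg.d, pre-answers the Postfix dialog with DEBIAN_FRONTEND=noninteractive, and writes the PATH line with single quotes. The keyring path, list file name and function names are assumptions of this example, not Zeek defaults.

```shell
#!/bin/sh
# Added example, not from the original page: unattended Zeek install for
# Ubuntu 22.04. Differences from the interactive steps: the repo key is kept
# in a dedicated keyring bound to this repo with signed-by (a key in
# /etc/apt/trusted.gpg.d can sign packages for every repo on the system),
# the Postfix dialog is suppressed, and the PATH line uses single quotes.
# KEYRING and SOURCES are assumed names chosen for this example.
set -eu

ZEEK_REPO="https://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/"
ZEEK_KEY_URL="https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key"
KEYRING="/usr/share/keyrings/security_zeek.gpg"
SOURCES="/etc/apt/sources.list.d/security_zeek.list"

# The APT source entry, as a pure function so it can be checked without root.
zeek_source_line() {
    printf 'deb [signed-by=%s] %s /\n' "$1" "$ZEEK_REPO"
}

# Fetch the repo signing key into a binary keyring that apt's _apt user can read.
install_zeek_key() {
    install -d -m 0755 "$(dirname "$KEYRING")"
    rm -f "$KEYRING.tmp"
    curl -fsSL "$ZEEK_KEY_URL" | gpg --dearmor -o "$KEYRING.tmp"
    chmod 0644 "$KEYRING.tmp"
    mv "$KEYRING.tmp" "$KEYRING"
}

install_zeek() {
    export DEBIAN_FRONTEND=noninteractive   # no Postfix "mail server" dialog
    apt-get update -y
    apt-get install -y curl gnupg2 wget
    install_zeek_key
    zeek_source_line "$KEYRING" > "$SOURCES"
    apt-get update -y
    apt-get install -y zeek
    # Single quotes: $PATH is expanded when .bashrc is sourced, not now.
    grep -q '/opt/zeek/bin' "$HOME/.bashrc" 2>/dev/null ||
        echo 'export PATH=$PATH:/opt/zeek/bin' >> "$HOME/.bashrc"
    /opt/zeek/bin/zeek --version
}

# The privileged part only runs when asked for explicitly:  sh zeek-install.sh install
if [ "${1:-}" = "install" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    install_zeek
fi
```

Run it as root with the install argument. Keeping the privileged steps behind that guard means zeek_source_line can be inspected or tested on any machine, and the resulting list file never references /etc/apt/trusted.gpg.d.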
Configure Zeek Server
Edit networks.cfg to declare the address ranges Zeek should treat as local. These populate Site::local_nets, which drives the local_orig and local_resp columns in conn.log and a number of local-versus-remote policy checks:
nano /opt/zeek/etc/networks.cfg
The default file lists the RFC 1918 ranges, one CIDR per line followed by an optional description. Append your own ranges as needed:
10.0.0.0/8 Private IP space
172.16.0.0/12 Private IP space
192.168.0.0/16 Private IP space
Save and close the file, then edit node.cfg, which defines the Zeek nodes that zeekctl manages (the main zeekctl settings live in zeekctl.cfg):
nano /opt/zeek/etc/node.cfg
Comment out the default standalone node; a node.cfg holds either one standalone node or a cluster, not both:
#[zeek]
#type=standalone
#host=localhost
#interface=eth0
Add the following stanzas at the end of the file. Replace your-server-ip with the address of an interface on this host (the nodes connect to each other over it, so localhost also works for a single-box cluster), and replace eth0 with the real name of the capture interface, which on Ubuntu 22.04 is often something like ens3 or enp0s3 (check with ip link). The second worker sniffs the loopback interface:
[zeek-logger]
type=logger
host=your-server-ip
#
[zeek-manager]
type=manager
host=your-server-ip
#
[zeek-proxy]
type=proxy
host=your-server-ip
#
[zeek-worker]
type=worker
host=your-server-ip
interface=eth0
#
[zeek-worker-lo]
type=worker
host=localhost
interface=lo
Save the file, verify the configuration with:
zeekctl check
You should see:
Hint: Run the zeekctl "deploy" command to get started.
zeek-logger scripts are ok.
zeek-manager scripts are ok.
zeek-proxy scripts are ok.
zeek-worker scripts are ok.
zeek-worker-lo scripts are ok.
Deploy Zeek using:
zeekctl deploy
You will get output indicating successful deployment. Now, ensure Zeek’s operational status:
zeekctl status
Name            Type      Host            Status    Pid     Started
zeek-logger     logger    209.23.10.179   running   58935   19 Jan 05:37:02
zeek-manager    manager   209.23.10.179   running   58985   19 Jan 05:37:03
zeek-proxy      proxy     209.23.10.179   running   59035   19 Jan 05:37:05
zeek-worker     worker    209.23.10.179   running   59107   19 Jan 05:37:06
zeek-worker-lo  worker    localhost       running   59104   19 Jan 05:37:06
Zeek writes the logs of the running cluster to the /opt/zeek/logs/current/ directory; zeekctl rotates them (hourly by default) into compressed, date-named subdirectories under /opt/zeek/logs/. List the current log files using:
ls -l /opt/zeek/logs/current/
Expected output:
total 72
-rw-r--r-- 1 root zeek  1735 Jan 19 05:37 broker.log
-rw-r--r-- 1 root zeek  2166 Jan 19 05:37 cluster.log
-rw-r--r-- 1 root zeek   187 Jan 19 05:37 packet_filter.log
-rw-r--r-- 1 root zeek  6158 Jan 19 05:37 conn.log
-rw-r--r-- 1 root zeek 31212 Jan 19 05:37 loaded_scripts.log
-rw-r--r-- 1 root zeek   666 Jan 19 05:37 reporter.log
-rw-r--r-- 1 root zeek   601 Jan 19 05:37 stats.log
-rw-r--r-- 1 root zeek     0 Jan 19 05:37 stderr.log
-rw-r--r-- 1 root zeek   204 Jan 19 05:37 stdout.log
-rw-r--r-- 1 root zeek   266 Jan 19 05:37 telemetry.log
-rw-r--r-- 1 root zeek   960 Jan 19 05:37 weird.log
Inspect the Zeek cluster log with:
tail /opt/zeek/logs/current/cluster.log
Typical output will include messages like:
1674106627.672399 zeek-proxy got hello from zeek-worker-lo (62498247-62ce-5763-b201-a0f0e52b71f9)
1674106627.744144 zeek-proxy got hello from zeek-worker (0c8c7207-f1a1-540d-aee0-2b55cf76e69f)
1674106627.674594 zeek-manager got hello from zeek-worker-lo (62498247-62ce-5763-b201-a0f0e52b71f9)
1674106627.752439 zeek-manager got hello from zeek-worker (0c8c7207-f1a1-540d-aee0-2b55cf76e69f)
1674106627.672635 zeek-worker-lo got hello from zeek-proxy (b0734910-55c0-5aa5-b5fb-abdf7c083d3e)
1674106627.674358 zeek-worker-lo got hello from zeek-manager (b4a3890a-a470-5a1d-b2c7-fc48fd683ff9)
1674106627.666564 zeek-worker-lo got hello from zeek-logger (405e0618-3699-5b85-ac39-0af2743c0aab)
1674106627.708986 zeek-worker got hello from zeek-manager (b4a3890a-a470-5a1d-b2c7-fc48fd683ff9)
1674106627.699878 zeek-worker got hello from zeek-proxy (b0734910-55c0-5aa5-b5fb-abdf7c083d3e)
1674106627.706099 zeek-worker got hello from zeek-logger (405e0618-3699-5b85-ac39-0af2743c0aab)
For the connection log, execute:
tail /opt/zeek/logs/current/conn.log
The file is tab-separated, with a #fields header line naming each column; the excerpt below shows only data rows. The entries you see right after deployment, like these, are connections between the cluster’s own nodes on the server (Zeek’s Broker control channel, here on ports 47761 and 47762), captured because the worker listens on the host’s own interface. Real traffic is logged in the same format:
1674106667.717311 Camkki2oVKl4J9dgpd 209.23.10.179 47762 209.23.10.179 56180 tcp - - - - OTH FF 0 CccC 0 0 0 0 -
1674106667.742276 CZ7aKU3nUfkjSSN5x6 209.23.10.179 56182 209.23.10.179 47762 tcp - - - - OTH FF 0 CcCc 0 0 0 0 -
1674106667.742332 Cd58V813jeHygHXQS2 209.23.10.179 56176 209.23.10.179 47762 tcp - - - - OTH FF 0 CcCc 0 0 0 0 -
1674106668.621860 CZlcm316EidXbp4aMj 209.23.10.179 41430 209.23.10.179 47761 tcp - - - - OTH FF 0 Cc 0 0 0 0 -
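Once traffic is flowing, conn.log is the first place to look, and the useful way to read it is by column name from the #fields header rather than by position, which is what Zeek’s own zeek-cut (in /opt/zeek/bin) does. The script below is an added example, not code from the page or from the Zeek project: it reimplements that column lookup in awk so it also runs on a copy of the log on an analysis box, and then applies a small detection over it, flagging origin hosts with many distinct targets whose TCP handshake never completed (conn_state S0: SYN seen, no reply; REJ: connection rejected). The conn.log it parses is constructed for this example with the real header layout but made-up addresses, uids and values, and the threshold and function names are this example’s choices.

```shell
#!/bin/sh
# Added example, not from the original page: read Zeek's conn.log by column
# name with awk (what zeek-cut does) and run a simple unanswered-connection
# detection over it. The sample log is constructed here: real conn.log header
# layout, made-up addresses, uids and values.
set -eu

# Join arguments with tabs; Zeek logs are tab-separated with '-' for unset fields.
tsv() {
    printf '%s' "$1"; shift
    for f in "$@"; do printf '\t%s' "$f"; done
    printf '\n'
}

sample_conn_log() {
    printf '%s\n' '#separator \x09'
    tsv '#set_separator' ','
    tsv '#empty_field' '(empty)'
    tsv '#unset_field' '-'
    tsv '#path' conn
    tsv '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service \
        duration orig_bytes resp_bytes conn_state local_orig local_resp \
        missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
    tsv '#types' time string addr port addr port enum string interval count count \
        string bool bool count string count count count count 'set[string]'
    # One normal TLS session, then 10.0.0.5 probing 10.0.0.9 on six ports
    # (S0 = no SYN-ACK, REJ = reset), one retry, and 10.0.0.7 doing little.
    tsv 1674106667.717311 CHhAvVGS1DHFjwGM9  10.0.0.5 51234 93.184.216.34 443 tcp ssl 1.2 512 4096 SF T F 0 ShADadFf 8 900 9 4500 -
    tsv 1674106668.100000 CUM0KZ3MLUfNB0cl11 10.0.0.5 51235 10.0.0.9 22   tcp - - - - S0  T T 0 S  1 60 0 0  -
    tsv 1674106668.100100 C8KIkR3s6ocS1Yh1s5 10.0.0.5 51236 10.0.0.9 23   tcp - - - - REJ T T 0 Sr 1 60 1 40 -
    tsv 1674106668.100200 CmES5u32sYpV7JYN   10.0.0.5 51237 10.0.0.9 25   tcp - - - - S0  T T 0 S  1 60 0 0  -
    tsv 1674106668.100300 CLELgO3HUkXoEO5Et3 10.0.0.5 51238 10.0.0.9 80   tcp - - - - REJ T T 0 Sr 1 60 1 40 -
    tsv 1674106668.100400 CkuwLB3zBAYWhrw8L6 10.0.0.5 51239 10.0.0.9 443  tcp - - - - S0  T T 0 S  1 60 0 0  -
    tsv 1674106668.100500 CSHjdC1S0uZnWXOZXg 10.0.0.5 51240 10.0.0.9 8080 tcp - - - - REJ T T 0 Sr 1 60 1 40 -
    tsv 1674106669.300000 Cy6k8v3rNkYCKpB8r9 10.0.0.5 51241 10.0.0.9 22   tcp - - - - S0  T T 0 S  1 60 0 0  -
    tsv 1674106670.000000 CqJ3Ml1EgNbTqs3Hh  10.0.0.7 40122 10.0.0.9 22   tcp - - - - S0  T T 0 S  1 60 0 0  -
    tsv 1674106670.500000 CUPyhX2VprNp4Z4h9d 10.0.0.7 40123 10.0.0.9 53   udp dns 0.02 40 120 SF T T 0 Dd 1 68 1 148 -
}

# conn_cut FILE FIELD...  : print the named columns, tab-separated, like zeek-cut.
conn_cut() {
    local file="$1"; shift
    awk -v want="$*" '
        BEGIN { FS = OFS = "\t"; nw = split(want, w, " ") }
        /^#fields/ {
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            for (i = 1; i <= nw; i++)
                if (!(w[i] in col)) { print "unknown field: " w[i] > "/dev/stderr"; exit 2 }
            next
        }
        /^#/ { next }
        {
            out = $(col[w[1]])
            for (i = 2; i <= nw; i++) out = out OFS $(col[w[i]])
            print out
        }' "$file"
}

# scan_candidates FILE THRESHOLD : origin hosts with >= THRESHOLD distinct
# (resp_h, resp_p) targets whose connections ended in S0 or REJ. Repeats to
# the same target count once, so a retrying client is not inflated.
scan_candidates() {
    awk -v thr="$2" '
        BEGIN { FS = "\t" }
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        {
            st = $(col["conn_state"])
            if (st != "S0" && st != "REJ") next
            seen[$(col["id.orig_h"]), $(col["id.resp_h"]), $(col["id.resp_p"])] = 1
        }
        END {
            for (k in seen) { split(k, p, SUBSEP); n[p[1]]++ }
            for (h in n) if (n[h] >= thr) print h, n[h]
        }' "$1"
}

LOG="$(mktemp)"
sample_conn_log > "$LOG"
echo "== id.orig_h id.resp_h id.resp_p conn_state =="
conn_cut "$LOG" id.orig_h id.resp_h id.resp_p conn_state
echo "== hosts with >= 5 distinct unanswered or rejected targets =="
scan_candidates "$LOG" 5
```

On the real server the same functions work on /opt/zeek/logs/current/conn.log (and on the rotated, gzipped copies via zcat). The threshold is deliberately a parameter: a backup or monitoring host legitimately touches many ports, so tune it per network rather than treating one hit as an alert.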
Conclusion
Congratulations! You’ve installed Zeek on your Ubuntu 22.04 server and deployed it as a single-host cluster. The logs in /opt/zeek/logs/current/ are the starting point for understanding what is on your network and for spotting suspicious activity.
Frequently Asked Questions (FAQ)
What is Zeek used for?
Zeek is used to monitor network traffic and detect network intrusions. It logs network behavior, providing integral insights for security analysis.
Can I use Zeek with other operating systems?
Yes, Zeek is versatile and can be installed on various UNIX-like operating systems, not just Ubuntu.
Is there a GUI available for Zeek?
Zeek itself doesn’t come with a GUI, but there are third-party interfaces available that can provide graphical representations of its logs.
How can I update Zeek?
Zeek is updated through APT like any other package from the repository you added: run apt update followed by apt install --only-upgrade zeek. Afterwards run zeekctl deploy so the running nodes are restarted on the new version.