Installing Zeek Network Security Monitoring on Ubuntu 22.04

Zeek is a renowned, free, open-source network security monitoring tool employed as a network intrusion detection system and traffic analyzer. This tool is pivotal for security professionals in identifying suspicious signatures and monitoring DNS, HTTP, and FTP activities. Zeek logs network activities into separate files encapsulating critical information such as MIME types, server responses, DNS requests, HTTP sessions, requested URIs, SSL certificates, and more.

In this tutorial, you’ll learn how to install Zeek on an Ubuntu 22.04 system. Follow these steps to get started with Zeek and enhance your network security monitoring capabilities.

Prerequisites

  • An Ubuntu 22.04 server with at least 2 GB of RAM.
  • Root access with a configured root password on your server.

Getting Started

Firstly, ensure all your system packages are up-to-date. Run the commands below:

    apt update -y
    apt upgrade -y

Once updated, install the necessary packages using:

    apt install curl gnupg2 wget -y

Add Zeek Repository

Since Zeek isn’t included in the default Ubuntu repository, you need to add the Zeek repository to APT. Start by downloading and adding the Zeek GPG key:

    curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null

Then, add the repository with:

    echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | tee /etc/apt/sources.list.d/security:zeek.list

Update the repository cache again:

    apt update -y

Install Zeek

Proceed to install Zeek using:

    apt install zeek -y

During the installation, the Postfix package pulled in by Zeek will prompt you to choose a mail server configuration type. Select "Local only" and press Enter.

Postfix configuration for Zeek

Enter your mail server hostname and press Enter again.

Set system host name for Zeek

Next, add Zeek's bin directory to your PATH. Single quotes keep $PATH unexpanded so that .bashrc picks up the current PATH on every login rather than the value baked in now:

    echo 'export PATH=$PATH:/opt/zeek/bin' >> ~/.bashrc

Activate these changes with:

    source ~/.bashrc

Verify the installed Zeek version:

    zeek --version

The expected output is:

    zeek version 5.1.1

Configure Zeek Server

Edit the network configuration to define the networks Zeek should treat as local:

    nano /opt/zeek/etc/networks.cfg

Here’s the default configuration. Append more networks as needed:

    10.0.0.0/8          Private IP space
    172.16.0.0/12       Private IP space
    192.168.0.0/16      Private IP space

Save and close the file, then edit the main configuration file:

    nano /opt/zeek/etc/node.cfg

Comment out these lines:

    #[zeek]
    #type=standalone
    #host=localhost
    #interface=eth0

Add these configurations at the file’s end:

    [zeek-logger]
    type=logger
    host=your-server-ip
    #
    [zeek-manager]
    type=manager
    host=your-server-ip
    #
    [zeek-proxy]
    type=proxy
    host=your-server-ip
    #
    [zeek-worker]
    type=worker
    host=your-server-ip
    interface=eth0
    #
    [zeek-worker-lo]
    type=worker
    host=localhost
    interface=lo

Save the file, then verify the configuration with:

    zeekctl check

You should see:

    Hint: Run the zeekctl "deploy" command to get started.
    zeek-logger scripts are ok.
    zeek-manager scripts are ok.
    zeek-proxy scripts are ok.
    zeek-worker scripts are ok.
    zeek-worker-lo scripts are ok.

Deploy Zeek using:

    zeekctl deploy

You will get output indicating successful deployment. Now check the status of the cluster nodes:

    zeekctl status

Expected output:

    Name            Type     Host             Status    Pid    Started
    zeek-logger     logger   209.23.10.179    running   58935  19 Jan 05:37:02
    zeek-manager    manager  209.23.10.179    running   58985  19 Jan 05:37:03
    zeek-proxy      proxy    209.23.10.179    running   59035  19 Jan 05:37:05
    zeek-worker     worker   209.23.10.179    running   59107  19 Jan 05:37:06
    zeek-worker-lo  worker   localhost        running   59104  19 Jan 05:37:06

Zeek logs are stored in the /opt/zeek/logs/current/ directory. List all log files using:

    ls -l /opt/zeek/logs/current/

Expected output:

    total 72
    -rw-r--r-- 1 root zeek  1735 Jan 19 05:37 broker.log
    -rw-r--r-- 1 root zeek  2166 Jan 19 05:37 cluster.log
    -rw-r--r-- 1 root zeek   187 Jan 19 05:37 packet_filter.log
    -rw-r--r-- 1 root zeek  6158 Jan 19 05:37 conn.log
    -rw-r--r-- 1 root zeek 31212 Jan 19 05:37 loaded_scripts.log
    -rw-r--r-- 1 root zeek   666 Jan 19 05:37 reporter.log
    -rw-r--r-- 1 root zeek   601 Jan 19 05:37 stats.log
    -rw-r--r-- 1 root zeek     0 Jan 19 05:37 stderr.log
    -rw-r--r-- 1 root zeek   204 Jan 19 05:37 stdout.log
    -rw-r--r-- 1 root zeek   266 Jan 19 05:37 telemetry.log
    -rw-r--r-- 1 root zeek   960 Jan 19 05:37 weird.log

Inspect the Zeek cluster log with:

    tail /opt/zeek/logs/current/cluster.log

Typical output will include messages like:

    1674106627.672399	zeek-proxy	got hello from zeek-worker-lo (62498247-62ce-5763-b201-a0f0e52b71f9)
    1674106627.744144	zeek-proxy	got hello from zeek-worker (0c8c7207-f1a1-540d-aee0-2b55cf76e69f)
    1674106627.674594	zeek-manager	got hello from zeek-worker-lo (62498247-62ce-5763-b201-a0f0e52b71f9)
    1674106627.752439	zeek-manager	got hello from zeek-worker (0c8c7207-f1a1-540d-aee0-2b55cf76e69f)
    1674106627.672635	zeek-worker-lo	got hello from zeek-proxy (b0734910-55c0-5aa5-b5fb-abdf7c083d3e)
    1674106627.674358	zeek-worker-lo	got hello from zeek-manager (b4a3890a-a470-5a1d-b2c7-fc48fd683ff9)
    1674106627.666564	zeek-worker-lo	got hello from zeek-logger (405e0618-3699-5b85-ac39-0af2743c0aab)
    1674106627.708986	zeek-worker	got hello from zeek-manager (b4a3890a-a470-5a1d-b2c7-fc48fd683ff9)
    1674106627.699878	zeek-worker	got hello from zeek-proxy (b0734910-55c0-5aa5-b5fb-abdf7c083d3e)
    1674106627.706099	zeek-worker	got hello from zeek-logger (405e0618-3699-5b85-ac39-0af2743c0aab)

To inspect the connection log, execute:

    tail /opt/zeek/logs/current/conn.log

You should see entries similar to these (tab-separated; local_orig and local_resp are two separate columns):

    1674106667.717311	Camkki2oVKl4J9dgpd	209.23.10.179	47762	209.23.10.179	56180	tcp	-	-	-	-	OTH	F	F	0	CccC	0	0	0	0	-
    1674106667.742276	CZ7aKU3nUfkjSSN5x6	209.23.10.179	56182	209.23.10.179	47762	tcp	-	-	-	-	OTH	F	F	0	CcCc	0	0	0	0	-
    1674106667.742332	Cd58V813jeHygHXQS2	209.23.10.179	56176	209.23.10.179	47762	tcp	-	-	-	-	OTH	F	F	0	CcCc	0	0	0	0	-
    1674106668.621860	CZlcm316EidXbp4aMj	209.23.10.179	41430	209.23.10.179	47761	tcp	-	-	-	-	OTH	F	F	0	Cc	0	0	0	0	-
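As an added example (not part of this tutorial or of Zeek itself), a small Python parser for conn.log rows in the shape shown above, which also reads the networks.cfg format from the earlier step and lists connections whose responder lies outside the configured local networks. The column order is Zeek's default conn.log layout; the sample rows, addresses and uids are constructed.

```python
import ipaddress

# Default conn.log column order in Zeek 5.x; a "#fields" header line, when present, overrides it.
CONN_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
               "duration orig_bytes resp_bytes conn_state local_orig local_resp "
               "missed_bytes history orig_pkts orig_ip_bytes resp_pkts "
               "resp_ip_bytes tunnel_parents").split()

# Constructed sample in the shape of the tutorial's /opt/zeek/etc/networks.cfg.
NETWORKS_CFG = """\
10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/16      Private IP space
"""

# Constructed conn.log rows (tab-separated, "-" = unset), not a real capture:
# a local-only TCP fragment plus an outbound TLS and an outbound DNS connection.
CONN_LOG = "\n".join([
    "1674106667.717311\tCamkki2oVKl4J9dgpd\t10.0.0.5\t47762\t10.0.0.5\t56180\ttcp"
    "\t-\t-\t-\t-\tOTH\tF\tF\t0\tCccC\t0\t0\t0\t0\t-",
    "1674106700.104000\tCsampleA00000000001\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp"
    "\tssl\t1.52\t810\t3300\tSF\tT\tF\t0\tShADadFf\t10\t1330\t12\t3924\t-",
    "1674106701.500000\tCsampleB00000000002\t192.168.1.20\t53422\t198.51.100.53\t53"
    "\tudp\tdns\t0.03\t42\t120\tSF\tT\tF\t0\tDd\t1\t70\t1\t148\t-",
])

def load_local_nets(text):
    """Parse networks.cfg: the first token of each non-comment line is a CIDR."""
    return [ipaddress.ip_network(line.split()[0], strict=False)
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def parse_conn_log(text):
    """Turn conn.log rows into dicts, honouring a #fields header when present."""
    fields, rows = CONN_FIELDS, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            values = [None if v == "-" else v for v in line.split("\t")]
            rows.append(dict(zip(fields, values)))
    return rows

def external_responders(rows, nets):
    """Connections whose responder is outside every networks.cfg range,
    i.e. traffic leaving the networks Zeek treats as local."""
    return [(r["uid"], r["id.resp_h"], r["id.resp_p"], r["service"])
            for r in rows
            if not any(ipaddress.ip_address(r["id.resp_h"]) in n for n in nets)]
```

Point it at /opt/zeek/logs/current/conn.log and /opt/zeek/etc/networks.cfg on the server to run the same check over live data.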

Conclusion

Congratulations! You’ve successfully installed the Zeek security monitoring tool on your Ubuntu 22.04 server. This guide should bolster your ability to understand network architecture and identify potential threats. For further assistance, feel free to reach out.

Frequently Asked Questions (FAQ)

What is Zeek used for?

Zeek is used to monitor network traffic and detect network intrusions. It logs network behavior, providing integral insights for security analysis.

Can I use Zeek with other operating systems?

Yes, Zeek is versatile and can be installed on various UNIX-like operating systems, not just Ubuntu.

Is there a GUI available for Zeek?

Zeek itself doesn’t come with a GUI, but there are third-party interfaces available that can provide graphical representations of its logs.

How can I update Zeek?

You can update Zeek by fetching the latest packages from its repository and reinstalling it using the package manager.