Zeek, formerly known as Bro, is an open-source network security monitoring tool used to analyze network traffic in real time. It captures packets and interprets their contents to provide insights into the activities and behaviors occurring on a network.
Zeek Network Security Monitoring offers a powerful and flexible solution for organizations seeking to enhance their network security posture by gaining deeper insights into network traffic and detecting potential threats in real time.
In this tutorial, we will show you how to install the Zeek tool on Ubuntu 22.04.
Step 1 – Install Zeek
The Zeek package is not included in the Ubuntu default repository, so you will need to add Zeek’s official repository to APT.
First, download the Zeek GPG key.
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/security_zeek.gpg
Next, add the Zeek repository to the APT source file.
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | tee /etc/apt/sources.list.d/security:zeek.list
Then, update the repository index and install Zeek using the following commands.
apt update -y
apt install zeek -y
Once Zeek is installed, add the Zeek binary directory to the PATH in your .bashrc file. Use single quotes so that $PATH is expanded when the shell starts, not frozen to its current value at the time you run echo.
echo 'export PATH=$PATH:/opt/zeek/bin' >> ~/.bashrc
Reload the .bashrc file using the following command.
source ~/.bashrc
Next, verify the Zeek version using the following command.
zeek --version
Output.
zeek version 6.1.1
Step 2 – Configure Zeek
Zeek's network configuration file, which lists the address ranges Zeek treats as local, is located at /opt/zeek/etc/networks.cfg. You can edit it using the nano editor.
nano /opt/zeek/etc/networks.cfg
Add your internal networks, one prefix per line, as shown below:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Then, edit the Zeek node.cfg configuration file.
nano /opt/zeek/etc/node.cfg
Comment out the standalone node definition, so that it reads as follows:
#[zeek]
#type=standalone
#host=localhost
#interface=eth0
Then, add the following cluster layout, replacing your-server-ip with the IP address of your server.
[zeek-logger]
type=logger
host=your-server-ip
#
[zeek-manager]
type=manager
host=your-server-ip
#
[zeek-proxy]
type=proxy
host=your-server-ip
#
[zeek-worker]
type=worker
host=your-server-ip
interface=eth0

[zeek-worker-lo]
type=worker
host=localhost
interface=lo
Save and close the file, then apply the above configurations using the following command.
zeekctl deploy
You will see the following output.
checking configurations ...
installing ...
creating policy directories ...
installing site policies ...
generating cluster-layout.zeek ...
generating local-networks.zeek ...
generating zeekctl-config.zeek ...
generating zeekctl-config.sh ...
stopping ...
stopping workers ...
stopping proxy ...
stopping manager ...
stopping logger ...
starting ...
starting logger ...
starting manager ...
starting proxy ...
starting workers ...
You can check Zeek’s status using the zeekctl command.
zeekctl status
Output.
Name             Type      Host           Status    Pid     Started
zeek-logger      logger    209.23.10.78   running   6055    04 Mar 03:20:03
zeek-manager     manager   209.23.10.78   running   6105    04 Mar 03:20:04
zeek-proxy       proxy     209.23.10.78   running   6154    04 Mar 03:20:06
zeek-worker      worker    209.23.10.78   running   6257    04 Mar 03:20:08
zeek-worker-lo   worker    localhost      running   6258    04 Mar 03:20:08
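zeekctl deploy only reports a layout problem after it has already stopped the running nodes. The following script is an added example, not part of this tutorial or of Zeek/zeekctl: it parses networks.cfg and node.cfg in the formats used in Step 2 and reports the mistakes that most often break a first deployment (a prefix with host bits set, a [zeek] standalone section left uncommented next to cluster nodes, a worker without an interface, a missing manager or proxy). The embedded sample configurations are constructed copies of the Step 2 files with a placeholder address; /opt/zeek/etc is assumed as the location of the real files.

```python
"""Pre-deploy sanity check for Zeek's networks.cfg and node.cfg.

Added example (not from the tutorial or from Zeek/zeekctl): parses both files in the
Step 2 formats and reports layout problems before `zeekctl deploy`. The samples are
constructed; the real files are assumed to live under /opt/zeek/etc."""
import configparser
import ipaddress

# Constructed sample of networks.cfg: one prefix per line, optional description.
SAMPLE_NETWORKS_CFG = """\
10.0.0.0/8       Private IP space
172.16.0.0/12    Private IP space
192.168.0.0/16   Private IP space
"""

# Constructed sample of node.cfg: the Step 2 layout with a placeholder address.
SAMPLE_NODE_CFG = """\
[zeek-logger]
type=logger
host=203.0.113.10
[zeek-manager]
type=manager
host=203.0.113.10
[zeek-proxy]
type=proxy
host=203.0.113.10
[zeek-worker]
type=worker
host=203.0.113.10
interface=eth0
[zeek-worker-lo]
type=worker
host=localhost
interface=lo
"""


def parse_networks(text):
    """Prefixes from networks.cfg: '#' starts a comment, text after a prefix is its description."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:  # strict=True makes ip_network reject a prefix with host bits set
            nets.append(ipaddress.ip_network(line.split()[0], strict=True))
    return nets


def check_networks(text):
    """Problems found in networks.cfg (an empty list means it looks fine)."""
    try:
        nets = parse_networks(text)
    except ValueError as exc:
        return [f"networks.cfg: invalid prefix ({exc})"]
    if not nets:
        return ["networks.cfg: no local networks; local_orig/local_resp will never be T"]
    return []


def check_nodes(text):
    """Problems found in the node.cfg cluster layout (an empty list means fine)."""
    cfg = configparser.ConfigParser(interpolation=None)
    try:
        cfg.read_string(text)
    except configparser.Error as exc:
        return [f"node.cfg: parse error ({exc})"]
    problems, standalone = [], []
    by_role = {r: [] for r in ("logger", "manager", "proxy", "worker")}
    for name in cfg.sections():
        sec = cfg[name]
        ntype = sec.get("type", "").strip()
        if ntype == "standalone":
            standalone.append(name)
        elif ntype in by_role:
            by_role[ntype].append(name)
        else:
            problems.append(f"node.cfg: [{name}] has unknown type {ntype!r}")
            continue
        if not sec.get("host", "").strip():
            problems.append(f"node.cfg: [{name}] is missing host=")
        if ntype in ("worker", "standalone") and not sec.get("interface", "").strip():
            problems.append(f"node.cfg: [{name}] is missing interface=")  # sniffing nodes need one
    clustered = any(by_role.values())
    if standalone and clustered:  # the reason Step 2 comments out the [zeek] section
        problems.append(f"node.cfg: standalone node(s) {', '.join(standalone)} must be commented out when cluster nodes are defined")
    if clustered:  # exactly one manager, at least one proxy and one worker; the logger is optional
        if len(by_role["manager"]) != 1:
            problems.append(f"node.cfg: expected exactly one manager, found {len(by_role['manager'])}")
        for role in ("proxy", "worker"):
            if not by_role[role]:
                problems.append(f"node.cfg: a cluster needs at least one {role}")
    return problems


if __name__ == "__main__":  # checks the embedded samples; pass the real file contents to check your install
    print(check_networks(SAMPLE_NETWORKS_CFG) + check_nodes(SAMPLE_NODE_CFG) or "no problems found")
```

To check a live installation, call check_networks(open("/opt/zeek/etc/networks.cfg").read()) and check_nodes(open("/opt/zeek/etc/node.cfg").read()); an empty list from both means the layout is consistent with what zeekctl expects, and zeekctl check remains the authoritative test.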
Step 3 – Check Zeek Log Files
By default, Zeek stores all log files at /opt/zeek/logs/current/.
To see Zeek log files, run the following command.
ls -l /opt/zeek/logs/current/
Output.
-rw-r--r-- 1 root zeek  1780 Mar  4 03:20 broker.log
-rw-r--r-- 1 root zeek  1959 Mar  4 03:20 cluster.log
-rw-r--r-- 1 root zeek  5499 Mar  4 03:21 conn.log
-rw-r--r-- 1 root zeek 32641 Mar  4 03:20 loaded_scripts.log
-rw-r--r-- 1 root zeek  3637 Mar  4 03:21 ntp.log
-rw-r--r-- 1 root zeek   209 Mar  4 03:20 packet_filter.log
-rw-r--r-- 1 root zeek  1157 Mar  4 03:21 reporter.log
-rw-r--r-- 1 root zeek   621 Mar  4 03:20 stats.log
-rw-r--r-- 1 root zeek     0 Mar  4 03:20 stderr.log
-rw-r--r-- 1 root zeek   204 Mar  4 03:20 stdout.log
-rw-r--r-- 1 root zeek 10911 Mar  4 03:21 telemetry.log
-rw-r--r-- 1 root zeek   723 Mar  4 03:21 weird.log
Verify the Zeek cluster log file using the following command.
tail /opt/zeek/logs/current/cluster.log
Output.
1709522449.760873 zeek-proxy got hello from zeek-worker (acda2560-8dd9-5192-9685-c430eb02c0aa)
1709522449.658879 zeek-worker got hello from zeek-proxy (d613130f-325e-5fc7-b3a1-82cf36ff604e)
1709522449.658879 zeek-worker got hello from zeek-manager (c31e3478-95d4-5eaa-8013-1953462da48b)
1709522449.658879 zeek-worker got hello from zeek-logger (0bc1f618-7d7a-53bf-b751-f2681f78ba4e)
1709522454.919369 zeek-logger got hello from zeek-worker-lo (853e3648-641e-5adb-8859-9b71f0cf4a6c)
1709522454.957199 zeek-proxy got hello from zeek-worker-lo (853e3648-641e-5adb-8859-9b71f0cf4a6c)
1709522454.915454 zeek-manager got hello from zeek-worker-lo (853e3648-641e-5adb-8859-9b71f0cf4a6c)
To view the connections Zeek has logged, run the following command.
tail /opt/zeek/logs/current/conn.log
Output.
1709522458.533596 CghW2m4QTLngSVYKsl fe80::eaa2:4500:df31:71a0 135 ff02::1:ff00:bee 136 icmp - 2.001871 72 0 OTH T F 0 - 3 216 0 0 -
1709522460.758169 CLHor419mmTNILP5hc 2607:f170:14:12::f60 135 ff02::1:ff00:1 136 icmp - - - - OTH F F 0 - 1 72 0 0 -
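The tail above shows only data rows; every Zeek TSV log also starts with a header (#separator, #fields, #types and the unset/empty markers) that tells you how to read each column. The script below is an added example, not code from this tutorial or from Zeek: it parses a conn.log using that header, converts the columns to typed values, and then answers the first questions a defender asks of it (which connections were opened from outside the networks.cfg ranges into the local network, which of those went unanswered, and which hosts moved the most bytes). SAMPLE_CONN_LOG is constructed: it contains the two ICMPv6 records shown above plus three invented TCP records with made-up uids and documentation addresses; the column names and types are Zeek's standard conn.log fields.

```python
"""Parse Zeek's TSV conn.log and pull out the facts a defender looks for first.

Added example, not part of the tutorial or of Zeek. The header every Zeek TSV log
carries ('#separator', '#fields', '#types', '#unset_field', '#empty_field') drives the
parsing. SAMPLE_CONN_LOG is constructed: the two records from the tutorial output
plus three invented TCP records (uids and addresses are made up)."""
from collections import Counter

COLUMNS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
           "orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes "
           "history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents")
TYPES = ("time string addr port addr port enum string interval count count string "
         "bool bool count string count count count count set[string]")

SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",            # Zeek writes the separator as an escape sequence
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\t" + "\t".join(COLUMNS.split()),
    "#types\t" + "\t".join(TYPES.split()),
    # the two records shown in the tutorial output
    "1709522458.533596\tCghW2m4QTLngSVYKsl\tfe80::eaa2:4500:df31:71a0\t135\tff02::1:ff00:bee\t136\ticmp\t-\t2.001871\t72\t0\tOTH\tT\tF\t0\t-\t3\t216\t0\t0\t-",
    "1709522460.758169\tCLHor419mmTNILP5hc\t2607:f170:14:12::f60\t135\tff02::1:ff00:1\t136\ticmp\t-\t-\t-\t-\tOTH\tF\tF\t0\t-\t1\t72\t0\t0\t-",
    # constructed: an inbound SSH session, an outbound TLS session, an unanswered inbound SYN
    "1709522470.100000\tCconstructed01\t198.51.100.7\t51234\t10.0.0.5\t22\ttcp\tssh\t0.520000\t1460\t2048\tSF\tF\tT\t0\tShAdDaFf\t9\t1940\t8\t2480\t-",
    "1709522471.200000\tCconstructed02\t10.0.0.20\t49152\t203.0.113.80\t443\ttcp\tssl\t1.300000\t900\t4200\tSF\tT\tF\t0\tShADadFf\t10\t1420\t12\t4830\t-",
    "1709522472.300000\tCconstructed03\t198.51.100.7\t51235\t10.0.0.5\t23\ttcp\t-\t-\t-\t-\tS0\tF\tT\t0\tS\t1\t60\t0\t0\t-",
    "#close\t2024-03-04-03-21-00",
]) + "\n"


def _convert(value, ztype, unset, empty, set_sep):
    """Map one TSV cell to a Python value using its '#types' entry."""
    if value == unset:
        return None
    if ztype.startswith(("set[", "vector[")):
        return [] if value == empty else value.split(set_sep)
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    return value


def parse_zeek_tsv(text):
    """Return the records of a Zeek TSV log as dicts keyed by field name."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields = types = None
    records = []
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
        elif line.startswith("#"):  # remaining header lines: key<sep>value
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
        elif line:
            if fields is None:
                raise ValueError("record before #fields header")
            cols = types or ["string"] * len(fields)
            records.append({f: _convert(v, t, unset, empty, set_sep)
                            for f, t, v in zip(fields, cols, line.split(sep))})
    return records


def inbound_from_outside(records):
    """Connections an external host opened to a host inside the networks.cfg ranges."""
    return [r for r in records if r["local_orig"] is False and r["local_resp"] is True]


def unanswered_inbound(records):
    """Inbound attempts the local side never answered (conn_state S0)."""
    return [r for r in inbound_from_outside(records) if r["conn_state"] == "S0"]


def bytes_by_originator(records):
    """Payload bytes in both directions per originating host; unset counts as 0."""
    totals = Counter()
    for r in records:
        totals[r["id.orig_h"]] += (r["orig_bytes"] or 0) + (r["resp_bytes"] or 0)
    return totals


def top_responder_ports(records, n=3):
    """Most frequently contacted (proto, responder port) pairs."""
    return Counter((r["proto"], r["id.resp_p"]) for r in records).most_common(n)


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_CONN_LOG)
    for r in inbound_from_outside(recs):
        print(f"inbound {r['id.orig_h']} -> {r['id.resp_h']}:{r['id.resp_p']} {r['conn_state']}")
    print(bytes_by_originator(recs).most_common(3), top_responder_ports(recs))
```

To run it against the live log, replace SAMPLE_CONN_LOG with open("/opt/zeek/logs/current/conn.log").read(); the parser takes the separator, field names and unset markers from the file's own header, so the same function works for any of Zeek's TSV logs, not only conn.log. The local_orig and local_resp columns are what networks.cfg from Step 2 controls, which is why an empty or wrong networks.cfg makes the inbound view useless.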
If you want to stop Zeek, run the following command.
zeekctl stop
Conclusion
By following the step-by-step installation guide outlined in this article, users can deploy Zeek on Ubuntu 22.04 and begin leveraging its capabilities to enhance their network security posture, detect malicious activities, and safeguard critical assets against cyber threats. Try to deploy Zeek on VPS hosting from Atlantic.Net!