Follow through this tutorial to learn how to install Zeek on Debian 11. Zeek, formerly Bro IDS, is the world’s leading passive open source network security monitoring tool. Zeek is not an active security device, like a firewall or intrusion prevention system. Rather, Zeek sits on a “sensor”, a hardware, software, virtual, or cloud platform that quietly and unobtrusively observes network traffic. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security and information event management (SIEM) system.
Installing Zeek on Debian 11
Zeek can be installed by building it from the source code or by directly via the Zeek APT repositories.
In this tutorial, we will install Zeek via the APT repositories.
Install Zeek on Debian
To install Zeek on Debian from the Zeek APT repositories;
- Add Zeek repository to Debian 11:
apt update && apt install curl gnupg2 -yecho 'deb http://download.opensuse.org/repositories/security:/zeek/Debian_11/ /' > /etc/apt/sources.list.d/zeek.listcurl -fsSL https://download.opensuse.org/repositories/security:zeek/Debian_11/Release.key | gpg --dearmor > /etc/apt/trusted.gpg.d/security_zeek.gpg- Install Zeek on Debian
Next, run system update;
apt updateZeek 4.1.1 is the current stable release as of this writing, confirm the same by running the command below;
apt-cache policy zeekzeek:
Installed: (none)
Candidate: 4.1.1-0
Version table:
4.1.1-0 500
500 http://download.opensuse.org/repositories/security:/zeek/Debian_11 PackagesYou can then install Zeek by running the command below;
apt install zeek -yDuring the installation, you maybe prompted for some Postfix settings and if so, choose Internet Site and enter your system FQDN.
Configuring Zeek on Debian 11
Configure the Run-Time Environment
By default, Zeek is installed under /opt/zeek.
To begin the configuration with, add Zeek binaries path to PATH;
echo "export PATH=$PATH:/opt/zeek/bin" > /etc/profile.d/zeek.shsource /etc/profile.d/zeek.shDefine the Local Networks
Next, you need to tell Zeek which networks should be considered local to the monitored environment. This can be specified in the /opt/zeek/etc/networks.cfg configuration file.
The default networks defined are 10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16.
cat /opt/zeek/etc/networks.cfg# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.
10.0.0.0/8 Private IP space
172.16.0.0/12 Private IP space
192.168.0.0/16 Private IP space
So, in our case, 192.168.58.0/24 is our local network.
Hence;
vim /opt/zeek/etc/networks.cfg# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.
#10.0.0.0/8 Private IP space
#172.16.0.0/12 Private IP space
#192.168.0.0/16 Private IP space
192.168.58.0/24 Kifarunix-demo IP space
Save the file and exit once you made your network configuration changes.
Define Zeek Running Mode
Zeek can be run in standalone mode or in a clustered setup. It runs in standalone mode by default.
To define whether to run in a clustered or standalone setup, you need to edit the /opt/zeek/etc/node.cfg configuration file.
- For a standalone configuration, there must be only one Zeek node defined in this file.
- For a cluster configuration, at a minimum there must be a manager node, a proxy node, and one or more worker nodes.
According to Zeek quickstart guide, using the standalone / single process mode of Zeek is not suitable for setups with significant amounts of traffic. In these cases one will almost certainly want to make use of a Zeek cluster, even on a single system.
Therefore, we will see how to setup Zeek cluster. You can have a look at Zeek cluster architecture.
The default Zeek node configuration is like;
cat /opt/zeek/etc/node.cfg# Example ZeekControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.
# This is a complete standalone configuration. Most likely you will
# only need to change the interface.
[zeek]
type=standalone
host=localhost
interface=eth0
## Below is an example clustered configuration. If you use this,
## remove the [zeek] node above.
#[logger-1]
#type=logger
#host=localhost
#
#[manager]
#type=manager
#host=localhost
#
#[proxy-1]
#type=proxy
#host=localhost
#
#[worker-1]
#type=worker
#host=localhost
#interface=eth0
#
#[worker-2]
#type=worker
#host=localhost
#interface=eth0
Since we are running a single node Zeek Cluster in this setup, comment out the Zeek standalone configuration, section under [zeek] and define host address for your Zeek logger, manager, proxy and worker.
So what are these components;
- logger: it is an optional Zeek process that receives log messages from the rest of the nodes in the cluster. It can be used instead of the manager to reduce the load on the manager itself.
- manager: receives log messages and notices from the rest of the nodes in the Zeek cluster if no logger is defined.
- proxy: is a Zeek process that may be used to offload data storage or any arbitrary workload. A cluster may contain multiple proxy nodes.
- worker: is the Zeek process that sniffs network traffic and does protocol analysis on the reassembled traffic streams.
So below is our single node Zeek cluster configuration setup;
cat /opt/zeek/etc/node.cfg# Example ZeekControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.
# This is a complete standalone configuration. Most likely you will
# only need to change the interface.
#[zeek]
#type=standalone
#host=localhost
#interface=eth0
## Below is an example clustered configuration. If you use this,
## remove the [zeek] node above.
[kifarunix-demo-zeek-logger]
type=logger
host=192.168.58.22
#
[kifarunix-demo-zeek-manager]
type=manager
host=192.168.58.22
#
[kifarunix-demo-zeek-proxy]
type=proxy
host=192.168.58.22
#
[kifarunix-demo-zeek-worker]
type=worker
host=192.168.58.22
interface=enp0s8
#
[kifarunix-demo-worker-lo]
type=worker
host=localhost
interface=lo
Review Global ZeekControl configuration file
Next, you need to review the global ZeekControl configuration file, /opt/zeek/etc/zeekctl.cfg.
Most of the default values in configuration files should suffice. The only change you might want to make or update here is the recipient address for all emails sent out by Zeek and ZeekControl, if you have any set. The default value is root@localhost.
Validate Zeek Configuration
Before you can install and start Zeek, you need to validate the configuration file;
zeekctl checkHint: Run the zeekctl "deploy" command to get started.
kifarunix-demo-zeek-logger scripts are ok.
kifarunix-demo-zeek-manager scripts are ok.
kifarunix-demo-zeek-proxy scripts are ok.
kifarunix-demo-zeek-worker scripts are ok.
kifarunix-demo-worker-lo scripts are ok.
Installing Zeek configurations
If there are no issues with the configuration, then you can install the configuration by running the command below;
zeekctl installRunning Zeek
Once you have installed the Zeek configuration, you can start it using the command;
zeekctl startYou can combine the install and start commands using the deploy command. i.e, instead of running zeekctl install and then zeekctl start, you can combine the two using the command;
zeekctl deployCheck the status of Zeek Instance
You can check the status of Zeek instance by executing;
zeekctl statusName Type Host Status Pid Started
kifarunix-demo-zeek-logger logger 192.168.59.16 running 17911 17 May 03:52:41
kifarunix-demo-zeek-manager manager 192.168.59.16 running 17962 17 May 03:52:43
kifarunix-demo-zeek-proxy proxy 192.168.59.16 running 18011 17 May 03:52:45
kifarunix-demo-zeek-worker worker 192.168.59.16 running 18081 17 May 03:52:48
kifarunix-demo-worker-lo worker localhost running 18082 17 May 03:52:48
Other ZeekControl commands
Other zeek control/management commands are described on the zeekctl help page;
zeekctl help
ZeekControl Version 2.3.0-5
capstats [] [] - Report interface statistics with capstats
check [] - Check configuration before installing it
cleanup [--all] [] - Delete working dirs (flush state) on nodes
config - Print zeekctl configuration
cron [--no-watch] - Perform jobs intended to run from cron
cron enable|disable|? - Enable/disable "cron" jobs
deploy - Check, install, and restart
df [] - Print nodes' current disk usage
diag [] - Output diagnostics for nodes
exec - Execute shell command on all hosts
exit - Exit shell
install - Update zeekctl installation/configuration
netstats [] - Print nodes' current packet counters
nodes - Print node configuration
peerstatus [] - Print status of nodes' remote connections
print [] - Print values of script variable at nodes
process [] [-- ] - Run Zeek with options and scripts on trace
quit - Exit shell
restart [--clean] [] - Stop and then restart processing
scripts [-c] [] - List the Zeek scripts the nodes will load
start [] - Start processing
status [] - Summarize node status
stop [] - Stop processing
top [] - Show Zeek processes ala top
Commands provided by plugins:
ps.zeek [] - Show Zeek processes on nodes' systems
Checking Zeek Logs
Zeek will start analyzing traffic according to a default policy and write the log results in /opt/zeek/logs/current directory.
ls -1 /opt/zeek/logs/current/broker.log
capture_loss.log
cluster.log
conn.log
dhcp.log
known_services.log
loaded_scripts.log
notice.log
packet_filter.log
reporter.log
stats.log
stderr.log
stdout.log
weird.log
Some logs that are worth explicit mention:
conn.log: Contains an entry for every connection seen on the wire, with basic properties such as time and duration, originator and responder IP addresses, services and ports, payload size, and much more. This log provides a comprehensive record of the network’s activity.notice.log: Identifies specific activity that Zeek recognizes as potentially interesting, odd, or bad. Such activity is called a “notice”.known_services.log: This log file contains the services detected on the local network and are known to be actively used by the clients on the network. It helps in enumerating what all services are observed on a local network and if they all are intentional and known to the network administrator.weird.log: Contains unusual or exceptional activity that can indicate malformed connections, traffic that doesn’t conform to a particular protocol, malfunctioning or misconfigured hardware/services, or even an attacker attempting to avoid/confuse a sensor.(protocol).logsuch as (dns.log, dhcp.log, http.log, snmp.log): contains information for packets found in each respective protocol.
Sample conn.log logs;
tail /opt/zeek/logs/current/conn.log
1641574281.587589 Cm5WfA3pJ25s3bbZn1 192.168.58.22 47763 192.168.58.22 48316 tcp - - - - OTH T T 0 Cc 00 0 0 -
1641574281.587662 C5Wrln2Yh1Y5PhXZO4 192.168.58.22 47763 192.168.58.22 48318 tcp - - - - OTH T T 0 Cc 00 0 0 -
1641574284.454002 CxnN0kz7NeFf9g5ra 192.168.58.22 35434 192.168.58.22 47761 tcp - - - - OTH T T 0 Cc 00 0 0 -
1641574284.936654 Ch0ywkpEgDkDI4hqk 192.168.58.22 35432 192.168.58.22 47761 tcp - - - - OTH T T 0 Cc 00 0 0 -
1641574287.708293 C2qOcl1vMaYxUaDcU3 192.168.58.22 47761 192.168.58.22 35426 tcp - - - - OTH T T 0 Cc 00 0 0 -
1641574287.708323 CgSooa1flTATHu6N8g 192.168.58.22 47761 192.168.58.22 35428 tcp - - - - OTH T T 0 Cc 00 0 0 -
1641574289.602766 C96gMg3RQgvsbGmp55 192.168.58.22 47762 192.168.58.22 46776 tcp - - - - OTH T T 0 Cc 00 0 0 -
1641574289.602842 CWOj3w2erhdPzHG0d8 192.168.58.22 47762 192.168.58.22 46786 tcp - - - - OTH T T 0 Cc 00 0 0 -
1641574289.602914 CzBzwA4ITDK3ctjVNc 192.168.58.22 47762 192.168.58.22 46788 tcp - - - - OTH T T 0 Cc 00 0 0 -
1641574289.942467 CqoqDG3Bhuq7hrLeed 192.168.58.22 35432 192.168.58.22 47761 tcp - - - - OTH T T 0 Cc 00 0 0
The fields and types are;
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
Checking Zeek Node Processes
You can check processes running on each node by executing;
zeekctl ps.zeek <node>For example, to check processes on Zeek manager node;
zeekctl ps.zeek kifarunix-demo-zeek-manager
USER PID PPID %CPU %MEM VSZ RSS TT S STARTED TIME COMMAND
>>> 192.168.58.22
(-) root 783 777 0.1 10.2 824476 102352 ? S 19:21:56 00:00:02 zeek
(+) root 833 827 0.0 10.1 720236 101692 ? S 19:21:58 00:00:01 zeek
(-) root 882 876 0.0 9.9 717956 99360 ? S 19:22:00 00:00:01 zeek
(-) root 954 944 0.3 23.3 849108 233028 ? S 19:22:03 00:00:06 zeek
(-) root 955 942 0.1 23.1 849696 231068 ? S 19:22:03 00:00:02 zeek
And that brings us to the end of our tutorial on how to install Zeek on Debian.
In our next tutorials, we will learn how to analyze network traffic with Zeek.
Reference
Other Tutorials
Install and Configure AIDE on Debian 10
