Follow through this tutorial to learn how to install Zeek on Ubuntu 20.04. Zeek, formerly Bro IDS, is the world’s leading passive open source network security monitoring tool.
Zeek is not an active security device, like a firewall or intrusion prevention system. Rather, Zeek sits on a “sensor,” a hardware, software, virtual, or cloud platform that quietly and unobtrusively observes network traffic. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security and information event management (SIEM) system.
Install Zeek on Ubuntu 20.04
So how do you install Zeek on Ubuntu 20.04? Proceed as follows;
In this tutorial, we will choose the later.
Install Zeek on Ubuntu 20.04
To install Zeek on Ubuntu 20.04 from the Zeek APT repositories;
Add Zeek repository to Ubuntu 20.04:
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_20.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_20.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
Run system update;
Zeek 4.0.1 is the current stable release as of this writing, confirm the same by running the command below;
apt-cache policy zeek
zeek: Installed: (none) Candidate: 4.0.1-0 Version table: 4.0.1-0 500 500 http://download.opensuse.org/repositories/security:/zeek/xUbuntu_20.04 Packages
You can then install Zeek by running the command below;
apt install zeek
During the installation, you will be prompted for some Postfix settings, choose Internet Site and enter your system FQDN.
Configuring Zeek on Ubuntu 20.04
Configure the Run-Time Environment
By default, Zeek is installed under
To begin with, add Zeek binary path to PATH;
echo "export PATH=$PATH:/opt/zeek/bin" >> ~/.bashrc
Define the Local Networks to Monitor
Next, you need to tell Zeek which local networks to monitor. This can be specified in the
/opt/zeek/etc/networks.cfg configuration file.
The default networks defined are 10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16. So, in our case, the network we want to monitor is 192.168.59.0/24.
# List of local networks in CIDR notation, optionally followed by a # descriptive tag. # For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes. #10.0.0.0/8 Private IP space #172.16.0.0/12 Private IP space #192.168.0.0/16 Private IP space 192.168.59.0/24 Kifarunix-demo IP space
Save the file and exit once you made your network configuration changes.
Configure Zeek Cluster
Zeek can be run in standalone mode or in a cluster setup. To define whether to run in a cluster or standalone setup, you need to edit the
/opt/zeek/etc/node.cfg configuration file.
- For a standalone configuration, there must be only one Zeek node defined in this file.
- For a cluster configuration, at a minimum there must be a manager node, a proxy node, and one or more worker nodes.
According to Zeek quickstart guide, using the standalone / single process mode of Zeek is not suitable for setups with significant amounts of traffic. In these cases one will almost certainly want to make use of a Zeek cluster, even on a single system.
Therefore, we will see how to setup Zeek cluster. You can have a look at Zeek cluster architecture.
The default Zeek node configuration is like;
# Example ZeekControl node configuration. # # This example has a standalone node ready to go except for possibly changing # the sniffing interface. # This is a complete standalone configuration. Most likely you will # only need to change the interface. [zeek] type=standalone host=localhost interface=eth0 ## Below is an example clustered configuration. If you use this, ## remove the [zeek] node above. #[logger-1] #type=logger #host=localhost # #[manager] #type=manager #host=localhost # #[proxy-1] #type=proxy #host=localhost # #[worker-1] #type=worker #host=localhost #interface=eth0 # #[worker-2] #type=worker #host=localhost #interface=eth0
Since we are running a single node Zeek Cluster in this setup, comment out the Zeek standalone configuration, section under
[zeek] and define host address for your Zeek
So what are these components;
- logger: it is an optional Zeek process that receives log messages from the rest of the nodes in the cluster. It can be used instead of the manager to reduce the load on the manager itself.
- manager: receives log messages and notices from the rest of the nodes in the Zeek cluster if no logger is defined.
- proxy: is a Zeek process that may be used to offload data storage or any arbitrary workload. A cluster may contain multiple proxy nodes.
- worker: is the Zeek process that sniffs network traffic and does protocol analysis on the reassembled traffic streams.
So below is our single node Zeek cluster configuration setup;
# Example ZeekControl node configuration. # # This example has a standalone node ready to go except for possibly changing # the sniffing interface. # This is a complete standalone configuration. Most likely you will # only need to change the interface. #[zeek] #type=standalone #host=localhost #interface=eth0 ## Below is an example clustered configuration. If you use this, ## remove the [zeek] node above. [kifarunix-demo-zeek-logger] type=logger host=192.168.59.16 # [kifarunix-demo-zeek-manager] type=manager host=192.168.59.16 # [kifarunix-demo-zeek-proxy] type=proxy host=192.168.59.16 # [kifarunix-demo-zeek-worker] type=worker host=192.168.59.16 interface=enp0s8 # [kifarunix-demo-worker-lo] type=worker host=localhost interface=lo
Review Global ZeekControl configuration file
Next, you need to review the global ZeekControl configuration file,
Most of the default values in configuration files should suffice. The only change you might want to make or update here is the recipient address for all emails sent out by Zeek and ZeekControl, if you have any set. The default value is root@localhost.
Validate Zeek Configuration
Before you can install and start Zeek, you need to validate the configuration file;
Hint: Run the zeekctl "deploy" command to get started. kifarunix-demo-zeek-logger scripts are ok. kifarunix-demo-zeek-manager scripts are ok. kifarunix-demo-zeek-proxy scripts are ok. kifarunix-demo-zeek-worker scripts are ok. kifarunix-demo-worker-lo scripts are ok.
Deploy ZeekControl Configurations
If all is fine, install ZeekControl configuration and start the Zeek instance;
checking configurations ... installing ... creating policy directories ... installing site policies ... generating cluster-layout.zeek ... generating local-networks.zeek ... generating zeekctl-config.zeek ... generating zeekctl-config.sh ... stopping ... stopping workers ... stopping proxy ... stopping manager ... stopping logger ... starting ... starting logger ... starting manager ... starting proxy ... starting workers ...
Check the status of Zeek Instance
You can check the status of Zeek instance by executing;
Name Type Host Status Pid Started kifarunix-demo-zeek-logger logger 192.168.59.16 running 17911 17 May 03:52:41 kifarunix-demo-zeek-manager manager 192.168.59.16 running 17962 17 May 03:52:43 kifarunix-demo-zeek-proxy proxy 192.168.59.16 running 18011 17 May 03:52:45 kifarunix-demo-zeek-worker worker 192.168.59.16 running 18081 17 May 03:52:48 kifarunix-demo-worker-lo worker localhost running 18082 17 May 03:52:48
Checking Zeek Logs
Zeek will start analyzing traffic according to a default policy and write the log results in
ls -1 /opt/zeek/logs/current/
broker.log capture_loss.log cluster.log conn.log dhcp.log known_services.log loaded_scripts.log notice.log packet_filter.log reporter.log stats.log stderr.log stdout.log weird.log
Some logs that are worth explicit mention:
conn.log: Contains an entry for every connection seen on the wire, with basic properties such as time and duration, originator and responder IP addresses, services and ports, payload size, and much more. This log provides a comprehensive record of the network’s activity.
notice.log: Identifies specific activity that Zeek recognizes as potentially interesting, odd, or bad. Such activity is called a “notice”.
known_services.log: This log file contains the services detected on the local network and are known to be actively used by the clients on the network. It helps in enumerating what all services are observed on a local network and if they all are intentional and known to the network administrator.
weird.log: Contains unusual or exceptional activity that can indicate malformed connections, traffic that doesn’t conform to a particular protocol, malfunctioning or misconfigured hardware/services, or even an attacker attempting to avoid/confuse a sensor.
- (protocol).log such as (dns.log, dhcp.log, http.log, snmp.log): contains information for packets found in each respective protocol.
Sample conn.log logs;
1621277534.729878 CY3bmP18QlSIvSFxej 192.168.59.16 8132 192.168.59.16 80 tcp - - - - RSTRH T T 0 ^r 00 1 40 - 1621277534.729881 CGVzYD19RQxUT0Vzq 192.168.59.16 8133 192.168.59.16 80 tcp - - - - S0 T T 0 S 140 0 0 - 1621277534.729883 C8jp1t2D0NHoUeOiF1 192.168.59.16 8133 192.168.59.16 80 tcp - - - - RSTRH T T 0 ^r 00 1 40 - 1621277564.065743 CduRKb4f4bLM38gakl 192.168.59.16 47762 192.168.59.16 58282 tcp - - - - OTH T T 0 Ccc00 0 0 - 1621277564.065833 CRgk0dMeT9AeMyROd 192.168.59.16 47762 192.168.59.16 58288 tcp - - - - OTH T T 0 Ccc00 0 0 - 1621277564.215195 Cg09q71OaurnFkIdRe 192.168.59.16 38834 192.168.59.16 47761 tcp - - - - OTH T T 0 Cc 00 0 0 - 1621277566.725573 CG17M71tH9TV52bBe7 192.168.59.16 38836 192.168.59.16 47761 tcp - - - - OTH T T 0 Cc 00 0 0 - 1621277574.895432 C2aJF016ENvM3nF6da 192.168.59.16 34700 192.168.59.16 80 tcp - - - - OTH T T 0 C 00 0 0 - 1621277570.315909 CQp7gp31EAsSvqgIn1 192.168.59.16 38846 192.168.59.16 47761 tcp - - - - OTH T T 0 Cc 00 0 0 - 1621277574.895458 CIP6UASndf9AtymV2 192.168.59.16 34700 192.168.59.16 80 tcp - - - - OTH T T 0 ^cC00 0 0 -
The fields and types are;
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
Checking Zeek Node Processes
You can check processes running on each node by executing;
zeekctl ps.zeek <node>
For example, to check processes on Zeek manager node;
zeekctl ps.zeek kifarunix-demo-zeek-manager
USER PID PPID %CPU %MEM VSZ RSS TT S STARTED TIME COMMAND >>> 192.168.59.16 (-) root 17911 17905 0.1 4.3 821252 88788 ? S 03:52:41 00:00:02 zeek (+) root 17962 17956 0.0 4.3 642664 89200 ? S 03:52:43 00:00:01 zeek (-) root 18011 18005 0.0 4.2 640972 87516 ? S 03:52:45 00:00:01 zeek (-) root 18081 18069 0.1 10.7 772672 219204 ? S 03:52:47 00:00:03 zeek (-) root 18082 18071 0.1 10.7 772148 218668 ? S 03:52:47 00:00:03 zeek
And that brings us to the end of our tutorial on how to install Zeek on Ubuntu 20.04. Feel free to leave a comment.