Zeek is a command-line network security monitoring tool that can be installed on a server in either your local data center or a third-party cloud host. Zeek monitors and records a number of different data points, such as connections, packets received and sent, and TCP session attributes. With this tool, you can trace events across your network to better ensure its security.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Let’s get Zeek installed on an instance of Ubuntu Server 22.04, so your security teams can start checking up on the traffic bouncing in and out of your network.
Jump to:
What you’ll need to install Zeek
The only things you’ll need to install Zeek are a running instance of Ubuntu Server 22.04 or newer and a user with sudo privileges.
How to install Zeek
The first thing to be done is to log in to your Ubuntu Server instance. Once you’ve successfully logged in, install a trio of simple dependencies with the command:
sudo apt-get install curl wget gnupg2 -y
Next, change to the root user with:
sudo -s
Next, we must add the official Zeek GPG key with:
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/security_zeek.gpg
Add the Zeek repository with the command:
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | tee /etc/apt/sources.list.d/security:zeek.list
Update apt:
apt-get update
Install Zeek with the command:
apt-get install zeek -y
During the installation, you’ll be asked how you would like to configure Postfix. Unless you already have a mail server up and running on the system, I would suggest configuring it as local only. You will have to log in to the server and check the admin users’ mail account to see any reports, which is done with the command mail.
If the mail command doesn’t exist, install it with:
apt-get install mailutils -y
Before we continue, make sure to add the Zeek installation path to your $PATH with:
echo "export PATH=$PATH:/opt/zeek/bin" >> ~/.bashrc
Source the bash file with:
source ~/.bashrc
How to configure Zeek
After the Zeek installation completes, you’ll need to make some changes to the configuration file. Open the file with:
nano /opt/zeek/etc/networks.cfg
You’ll want to add your network to the bottom of the default list, which will look something like this:
10.0.0.0/8 Private IP space
172.16.0.0/12 Private IP space
192.168.0.0/16 Private IP space
192.168.1.0/16 Private IP space
Save and close the file. Next, open the main configuration file with:
nano /opt/zeek/etc/node.cfg
We will switch Zeek from the default standalone mode and into cluster mode. The first thing to do is comment out the following lines by placing a # at the beginning of each line:
[zeek]
type=standalone
host=localhost
interface=eth0
Add the following to the bottom of the file, substituting SERVER with your hosting server’s IP address, and IFACE with the name of your networking interface:
[zeek-logger]
type=logger
host=SERVER
#
[zeek-manager]
type=manager
host=SERVER
#
[zeek-proxy]
type=proxy
host=SERVER
#
[zeek-worker]
type=worker
host=SERVER
interface=IFACE
#
[zeek-worker-lo]
type=worker
host=localhost
interface=lo
Save and close the file. Run a check on the configuration with the command:
zeekctl check
You should see output similar to this:
Hint: Run the zeekctl "deploy" command to get started.
zeek-logger scripts are ok.
zeek-manager scripts are ok.
zeek-proxy scripts are ok.
zeek-worker scripts are ok.
zeek-worker-lo scripts are ok.
If everything checks out, deploy Zeek with:
zeekctl deploy
Once everything is deployed, check the status with:
zeekctl status
You should see output similar to this:
Name Type Host Status Pid Started
zeek-logger logger 192.168.1.191 running 6366 06 Feb 13:18:44
zeek-manager manager 192.168.1.191 running 6427 06 Feb 13:18:49
zeek-proxy proxy 192.168.1.191 running 6488 06 Feb 13:18:54
zeek-worker worker 192.168.1.191 running 6570 06 Feb 13:19:00
zeek-worker-lo worker localhost running 6567 06 Feb 13:19:00
Zeek stores its logs in /opt/zeek/logs/current. You’ll find a log for broker, cluster, packet_filtering, conn, loaded_scripts, reporter, stats, stderr, stdout, telemetry and weird. The best way to view these logs is using the tail command to view them updated in real-time, like so:
tail -f /opt/zeek/logs/current/conn.log
That log file will display all real-time connections to the server.
Another handy trick you can try is viewing tcpdump information with Zeek. First, capture some packets with the command:
sudo tcpdump -i IFACE -s 0 -w mypackets.trace
Where IFACE is the name of the network device on the host. After giving that a few minutes to run, end the command with CTRL+C and then analyze the traffic with:
zeek -r mypackets.trace
Zeek will dump the log files into the current working directory. You should see the following log files: conn.log, dns.log, mypackets.trace, packet_filter.log, reporter.log and weird.log. Let’s say you then want to run one of Zeek’s built-in scripts against the captured packets. For that, you could issue something like this:
zeek -r mypackets.trace /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
You can check /opt/zeek/share/zeek for the different built-in scripts it offers.
Make Zeek yours
Zeek is a very powerful network monitoring tool. You’ll want to get up to speed with the various built-in scripts and even learn how to build your own. Until you reach that point, you can continue viewing the standard log files and capturing packages that enter and leave your server.
Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.