How To Deploy The Zeek Network Security Monitor On Ubuntu Server 22.04
- by Tech Today News
- Posted on February 10, 2023
Zeek is a command-line network security monitoring tool that can be installed on a server in either your local data center or a third-party cloud host. Zeek monitors and records a number of different data points, such as connections, packets received and sent, and TCP session attributes. With this tool, you can trace events across your network to better ensure its security.

Let’s get Zeek installed on an instance of Ubuntu Server 22.04, so your security teams can start checking up on the traffic bouncing in and out of your network.

What you’ll need to install Zeek

The only things you’ll need to install Zeek are a running instance of Ubuntu Server 22.04 or newer and a user with sudo privileges.

How to install Zeek

The first thing to be done is to log in to your Ubuntu Server instance. Once you’ve successfully logged in, install a trio of simple dependencies with the command:

sudo apt-get install curl wget gnupg2 -y

Next, change to the root user with:

sudo -s

Next, we must add the official Zeek GPG key with (the trailing redirect keeps tee from printing the binary keyring to your terminal):

curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/security_zeek.gpg >/dev/null

Add the Zeek repository with the command:

echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | tee /etc/apt/sources.list.d/security:zeek.list

Update apt:

apt-get update

Install Zeek with the command:

apt-get install zeek -y

During the installation, you’ll be asked how you would like to configure Postfix. Unless you already have a mail server up and running on the system, I would suggest configuring it as local only. You will then have to log in to the server and check the admin user’s mail account to see any reports, which is done with the command mail. If the mail command doesn’t exist, install it with:

apt-get install mailutils -y

Before we continue, make sure to add the Zeek installation path to your $PATH. Use single quotes, so that $PATH is expanded each time a shell starts rather than frozen at the moment you run the command:

echo 'export PATH=$PATH:/opt/zeek/bin' >> ~/.bashrc

Source the bash file with:

source ~/.bashrc

How to configure Zeek

After the Zeek installation completes, you’ll need to make some changes to the configuration file. Open the file with:

nano /opt/zeek/etc/networks.cfg

You’ll want to add your network to the bottom of the default list, which will look something like this:

10.0.0.0/8 Private IP space
172.16.0.0/12 Private IP space
192.168.0.0/16 Private IP space
192.168.1.0/24 Local network

Save and close the file. Next, open the main configuration file with:

nano /opt/zeek/etc/node.cfg

We will switch Zeek from the default standalone mode into cluster mode. The first thing to do is comment out the following lines by placing a # at the beginning of each line:

[zeek]
type=standalone
host=localhost
interface=eth0

Add the following to the bottom of the file, substituting SERVER with your hosting server’s IP address, and IFACE with the name of your networking interface:

[zeek-logger]
type=logger
host=SERVER
#
[zeek-manager]
type=manager
host=SERVER
#
[zeek-proxy]
type=proxy
host=SERVER
#
[zeek-worker]
type=worker
host=SERVER
interface=IFACE
#
[zeek-worker-lo]
type=worker
host=localhost
interface=lo

Save and close the file. Run a check on the configuration with the command:

zeekctl check

You should see output similar to this:

Hint: Run the zeekctl "deploy" command to get started.
zeek-logger scripts are ok.
zeek-manager scripts are ok.
zeek-proxy scripts are ok.
zeek-worker scripts are ok.
zeek-worker-lo scripts are ok.

If everything checks out, deploy Zeek with:

zeekctl deploy

Once everything is deployed, check the status with:

zeekctl status

You should see output similar to this:

Name             Type      Host            Status    Pid    Started
zeek-logger      logger    192.168.1.191   running   6366   06 Feb 13:18:44
zeek-manager     manager   192.168.1.191   running   6427   06 Feb 13:18:49
zeek-proxy       proxy     192.168.1.191   running   6488   06 Feb 13:18:54
zeek-worker      worker    192.168.1.191   running   6570   06 Feb 13:19:00
zeek-worker-lo   worker    localhost       running   6567   06 Feb 13:19:00

Zeek stores its logs in /opt/zeek/logs/current. You’ll find a log for broker, cluster, packet_filtering, conn, loaded_scripts, reporter, stats, stderr, stdout, telemetry and weird. The best way to view these logs is using the tail command to watch them update in real time, like so:

tail -f /opt/zeek/logs/current/conn.log

That log file will display all real-time connections to the server. Another handy trick you can try is viewing tcpdump information with Zeek. First, capture some packets with the command:

sudo tcpdump -i IFACE -s 0 -w mypackets.trace

Where IFACE is the name of the network device on the host. After giving that a few minutes to run, end the command with CTRL+C and then analyze the traffic with:

zeek -r mypackets.trace

Zeek will dump the log files into the current working directory. You should see the following log files: conn.log, dns.log, mypackets.trace, packet_filter.log, reporter.log and weird.log. Let’s say you then want to run one of Zeek’s built-in scripts against the captured packets. For that, you could issue something like this:

zeek -r mypackets.trace /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek

You can check /opt/zeek/share/zeek for the different built-in scripts it offers.

Make Zeek yours

Zeek is a very powerful network monitoring tool. You’ll want to get up to speed with the various built-in scripts and even learn how to build your own. Until you reach that point, you can continue viewing the standard log files and capturing packets that enter and leave your server.
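As an added example (not code from the article or from the Zeek project), the following Python parses the tab-separated format Zeek writes under /opt/zeek/logs/current and into the working directory after zeek -r, reading the #fields, #types, #unset_field and #empty_field header lines instead of hard-coding column positions, and summarises a conn.log by responder port. The sample records, the subset of conn.log fields and the function names parse_zeek_log and summarize_by_resp_port are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample in the shape of /opt/zeek/logs/current/conn.log (a subset
# of the real fields); the header declares the unset/empty markers and types.
SAMPLE_CONN_LOG = "\n".join([
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tstring",
    "1675700324.1\tCabc1\t192.168.1.50\t51000\t192.168.1.191\t22\ttcp\tssh\t120.5\t4096\tSF",
    "1675700330.2\tCabc2\t192.168.1.50\t51001\t8.8.8.8\t53\tudp\tdns\t0.02\t40\tSF",
    "1675700331.3\tCabc3\t10.0.0.7\t40000\t192.168.1.191\t22\ttcp\t-\t-\t-\tS0",
    "#close\t2023-02-06-13-20-00",
])

# Python conversions for the types Zeek declares; anything else stays a string.
CASTERS = {"count": int, "int": int, "port": int, "double": float,
           "interval": float, "time": float, "bool": lambda v: v == "T"}

def parse_zeek_log(text):
    """Yield one dict per record, honouring the header's markers and types."""
    unset, empty, fields, types = "-", "(empty)", [], []
    for line in text.splitlines():
        if line.startswith("#"):           # header or footer line, no record
            key, _, value = line[1:].partition("\t")
            if key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split("\t")
            elif key == "types":
                types = value.split("\t")
        elif line:
            rec = {}
            for name, typ, raw in zip(fields, types, line.split("\t")):
                rec[name] = (None if raw == unset else "" if raw == empty
                             else CASTERS.get(typ, str)(raw))
            yield rec

def summarize_by_resp_port(text):
    """Per responder port: connections, unanswered SYNs (S0) and bytes sent."""
    stats = defaultdict(lambda: {"conns": 0, "s0": 0, "orig_bytes": 0})
    for rec in parse_zeek_log(text):
        s = stats[rec["id.resp_p"]]
        s["conns"] += 1
        s["s0"] += rec["conn_state"] == "S0"      # SYN seen, never answered
        s["orig_bytes"] += rec["orig_bytes"] or 0  # unset '-' parsed as None
    return dict(stats)
```

Point parse_zeek_log at the contents of any other Zeek log (dns.log, weird.log) and the same header-driven parsing applies, since every Zeek ASCII log carries the same #fields/#types preamble.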