Zeek is a command-line network security monitoring tool that can be installed on a server in your local data center or on a third-party cloud host. Zeek monitors and records many different data points, such as connections, received and sent packets, and TCP session attributes. You can use this tool to monitor events on your network to better ensure its security.
SEE: Password Cracking: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
Let’s install Zeek on an instance of Ubuntu Server 22.04 so that security teams can start checking traffic in and out of the network.
What you’ll need to install Zeek
All you need to install Zeek is a running Ubuntu Server 22.04 or later and a user with sudo privileges.
The first thing to do is log into your Ubuntu Server instance. After successfully logging in, install three simple dependencies using the following command:
sudo apt-get install curl wget gnupg2 -y
Then switch to root with:
Next, we need to add the official Zeek GPG key:
curl -fsSL | gpg --dearmor | tee /etc/apt/trusted.gpg.d/security_zeek.gpg
Add the Zeek repository with the following command:
echo 'deb /' | tee /etc/apt/sources.list.d/security:zeek.list
Upgrade suitable for:
Install Zeek with the following command:
apt-get install zeek -y
During installation, you will be asked how you want to configure Postfix. Unless you already have a mail server on your system, I recommend setting it up as local only. You must log in to the server and check the admin users’ mail accounts to see reports of what is happening with the mail command.
If the mail command does not exist, install it with:
apt-get install mailutils -y
Before we continue, make sure to add Zeek’s installation path to your $PATH with:
echo "export PATH=$PATH:/opt/zeek/bin" >> ~/.bashrc
bash file source with:
Setting up Zeek
After installing Zeek, you need to make some changes to your configuration file. Open the file with:
You need to add your network to the bottom of the default list, which will look like this:
10.0.0.0/8 Private IP space
172.16.0.0/12 Private IP space
192.168.0.0/16 Private IP space
192.168.1.0/16 Private IP space
Save and close the file. Then open the main configuration file with:
Switch Zeek from its default stand-alone mode to cluster mode. The first thing to do is to comment out the following lines by prefixing each line with a #:
Add the following to the bottom of the file, replacing SERVER with the IP address of the hosting server and replacing IFACE with the name of the network interface:
Save and close the file. Run the configuration check with the following command:
You should see output similar to this:
Hint: Run the zeekctl "deploy" command to get started.
zeek-logger scripts are ok.
zeek-manager scripts are ok.
zeek-proxy scripts are ok.
zeek-worker scripts are ok.
zeek-worker-lo scripts are ok.
If all is well, install Zeek with:
Once everything is installed, check the status with:
You should see output similar to this:
Name Type Host Status Pid Started
zeek-logger logger 192.168.1.191 running 6366 06 Feb 13:18:44
zeek-manager manager 192.168.1.191 running 6427 06 Feb 13:18:49
zeek-proxy proxy 192.168.1.191 running 6488 06 Feb 13:18:54
zeek-worker worker 192.168.1.191 running 6570 06 Feb 13:19:00
zeek-worker-lo worker localhost running 6567 06 Feb 13:19:00
Zeek stores its logs in the /opt/zeek/logs/current folder. You will find a log in the broker, cluster, packet_filtering, conn, loaded_scripts, reporter, stats, stderr, stdout, telemetry, and weird logs. The best way to view the logs is to update them in real time with the tail command, for example:
tail -f /opt/zeek/logs/current/conn.log
This log file displays all real-time connections to the server.
Another handy trick you can try is viewing tcpdump information with Zeek. First, capture some packages with the following command:
sudo tcpdump -i IFACE -s 0 -w mypackets.trace
Where IFACE is the network device name on the host. After giving it a few minutes to run, terminate the command with CTRL+C and then analyze the traffic with:
zeek -r mypackets.trace
Zeek writes the log files to the current working directory. You should see the following log files: conn.log, dns.log, mypackets.trace, packet_filter.log, reporter.log, and weird.log. Let’s say you then want to run one of Zeek’s built-in scripts against the captured packets. To do this, you can issue something like:
zeek -r mypackets.trace /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
You can check the /opt/zeek/share/zeek file for the various built-in scripts it offers.
Make Zeek yours
Zeek is a very powerful network monitoring tool. You’ll want to get up to speed with the various built-in scripts and even learn how to create your own. Until you reach this point, you can continue to view the standard log files and record packets entering and leaving the server.
Subscribe to TechRepublic How to make the technique work on YouTube Jack Wallen for all the latest technology advice for business professionals.