Deploying Zeek Network Security Monitor on Ubuntu Server 22.04

Zeek is a command-line network security monitoring tool that can be installed on a server in your local data center or on a third-party cloud host. Zeek monitors and records many different data points, such as connections, received and sent packets, and TCP session attributes. You can use this tool to monitor events on your network to better ensure its security.
Let’s install Zeek on an instance of Ubuntu Server 22.04 so that security teams can start checking traffic in and out of the network.
What you’ll need to install Zeek
All you need to install Zeek is a running Ubuntu Server 22.04 or later and a user with sudo privileges.
Installing Zeek
The first thing to do is log into your Ubuntu Server instance. After successfully logging in, install three simple dependencies using the following command:
sudo apt-get install curl wget gnupg2 -y
Then switch to root with:
sudo -s
Next, we need to add the official Zeek GPG key:
curl -fsSL | gpg --dearmor | tee /etc/apt/trusted.gpg.d/security_zeek.gpg
Add the Zeek repository with the following command:
echo 'deb /' | tee /etc/apt/sources.list.d/security:zeek.list
Update the package index with:
apt-get update
Install Zeek with the following command:
apt-get install zeek -y
During installation, you will be asked how you want to configure Postfix. Unless you already have a mail server on your system, I recommend setting it up as local only. Zeek sends its status reports to the admin user's local mailbox, so to read them you log in to the server and check that mailbox with the mail command.
If the mail command does not exist, install it with:
apt-get install mailutils -y
Before we continue, make sure to add Zeek’s installation path to your $PATH with:
echo "export PATH=$PATH:/opt/zeek/bin" >> ~/.bashrc
Then source the file so the change takes effect in your current shell:
source ~/.bashrc
Setting up Zeek
After installing Zeek, you need to make some changes to your configuration file. Open the file with:
nano /opt/zeek/etc/networks.cfg
Add your network to the bottom of the default list. Each line is a CIDR prefix followed by a description, so with a 192.168.1.0/24 network the file will look like this:
10.0.0.0/8 Private IP space
172.16.0.0/12 Private IP space
192.168.0.0/16 Private IP space
192.168.1.0/24 Private IP space
Save and close the file. Then open the main configuration file with:
nano /opt/zeek/etc/node.cfg
Switch Zeek from its default stand-alone mode to cluster mode. The first thing to do is to comment out the following lines by prefixing each line with a #:
[zeek]
type=standalone
host=localhost
interface=eth0
Add the following to the bottom of the file, replacing SERVER with the IP address of the hosting server and replacing IFACE with the name of the network interface:
[zeek-logger]
type=logger
host=SERVER
#
[zeek-manager]
type=manager
host=SERVER
#
[zeek-proxy]
type=proxy
host=SERVER
#
[zeek-worker]
type=worker
host=SERVER
interface=IFACE
#
[zeek-worker-lo]
type=worker
host=localhost
interface=lo
Save and close the file. Run the configuration check with the following command:
zeekctl check
You should see output similar to this:
Hint: Run the zeekctl "deploy" command to get started.
zeek-logger scripts are ok.
zeek-manager scripts are ok.
zeek-proxy scripts are ok.
zeek-worker scripts are ok.
zeek-worker-lo scripts are ok.
If all is well, deploy the configuration and start the cluster with:
zeekctl deploy
Once the nodes have started, check their status with:
zeekctl status
You should see output similar to this:
Name Type Host Status Pid Started
zeek-logger logger 192.168.1.191 running 6366 06 Feb 13:18:44
zeek-manager manager 192.168.1.191 running 6427 06 Feb 13:18:49
zeek-proxy proxy 192.168.1.191 running 6488 06 Feb 13:18:54
zeek-worker worker 192.168.1.191 running 6570 06 Feb 13:19:00
zeek-worker-lo worker localhost running 6567 06 Feb 13:19:00
Zeek stores its logs in the /opt/zeek/logs/current folder. There you will find the broker, cluster, packet_filter, conn, loaded_scripts, reporter, stats, stderr, stdout, telemetry, and weird logs. The easiest way to watch a log is to follow it in real time with the tail command, for example:
tail -f /opt/zeek/logs/current/conn.log
This log records every connection Zeek observes on the monitored interfaces, including connections to the server itself.
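As an added example (not part of the original article, and not Zeek's own tooling), the following Python script parses a networks.cfg and a conn.log excerpt using the files' own header lines, then tags each end of every connection as local or remote using the prefixes from networks.cfg. That is the same classification Zeek itself derives from networks.cfg for the local_orig and local_resp columns of conn.log; doing it by hand shows how the two files relate. The networks.cfg and conn.log contents below are constructed for this example, with the conn.log trimmed to a subset of its real columns. Pointed at /opt/zeek/logs/current/conn.log, or at a conn.log written by zeek -r, it lists the outside hosts that local clients reach and the outside hosts that reach in.

```python
"""Summarise a Zeek conn.log against the local networks from networks.cfg.

Added example, not from the original article or from the Zeek project.
The sample networks.cfg and conn.log below are constructed for this example.
"""
import ipaddress
from collections import Counter

# Constructed networks.cfg content in the same format as /opt/zeek/etc/networks.cfg:
# one CIDR prefix per line, followed by a free-text description.
SAMPLE_NETWORKS_CFG = """\
# Private IP space
10.0.0.0/8\tPrivate IP space
172.16.0.0/12\tPrivate IP space
192.168.0.0/16\tPrivate IP space
"""

# Constructed conn.log excerpt in Zeek's default tab-separated format.
# Real files carry more columns; the parser keys on '#fields', so that does not matter.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1675689524.123456\tCAbc1\t192.168.1.20\t51234\t93.184.216.34\t443\ttcp\tssl\t12.5\t1200\t54000\tSF
1675689530.000000\tCAbc2\t192.168.1.20\t51235\t93.184.216.34\t443\ttcp\tssl\t0.8\t300\t2000\tSF
1675689535.000000\tCAbc3\t192.168.1.21\t40000\t192.168.1.191\t22\ttcp\tssh\t600.0\t5000\t9000\tSF
1675689540.000000\tCAbc4\t192.168.1.22\t53123\t8.8.8.8\t53\tudp\tdns\t0.01\t60\t120\tSF
1675689541.000000\tCAbc5\t203.0.113.7\t44444\t192.168.1.191\t22\ttcp\t-\t-\t0\t0\tS0
#close\t2023-02-06-13-20-00
"""


def parse_networks_cfg(text):
    """Return the local prefixes listed in networks.cfg; comments and blanks are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix = line.split()[0]  # first column is the CIDR prefix, the rest is description
        nets.append(ipaddress.ip_network(prefix, strict=False))
    return nets


def parse_zeek_log(text):
    """Parse a Zeek TSV log into a list of dicts keyed by the names in its '#fields' line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines, the '#close' trailer, blank lines
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError("malformed log line: %r" % line)
            rows.append(dict(zip(fields, values)))
    return rows


def is_local(addr, nets):
    """True if addr falls inside any prefix from networks.cfg."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def summarize(conn_text, networks_text):
    """Split connections into local->remote (counted per responder) and remote->local (uids)."""
    nets = parse_networks_cfg(networks_text)
    outbound = Counter()  # (resp_h, resp_p, service) -> number of connections
    inbound = []          # uids of connections originating outside the local networks
    for row in parse_zeek_log(conn_text):
        orig_local = is_local(row["id.orig_h"], nets)
        resp_local = is_local(row["id.resp_h"], nets)
        if orig_local and not resp_local:
            outbound[(row["id.resp_h"], row["id.resp_p"], row["service"])] += 1
        elif resp_local and not orig_local:
            inbound.append(row["uid"])
    return outbound, inbound


if __name__ == "__main__":
    out, inc = summarize(SAMPLE_CONN_LOG, SAMPLE_NETWORKS_CFG)
    print("local clients reaching outside hosts:")
    for (host, port, service), count in out.most_common():
        print("  %s:%s (%s) x%d" % (host, port, service, count))
    print("connections from outside into local hosts:", ", ".join(inc))
```

To run it against a live file, replace the SAMPLE_CONN_LOG and SAMPLE_NETWORKS_CFG strings with the contents of /opt/zeek/logs/current/conn.log and /opt/zeek/etc/networks.cfg. For quick column extraction on the command line, Zeek ships zeek-cut in /opt/zeek/bin, which reads the same '#fields' header.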
Another handy trick you can try is analyzing a tcpdump capture with Zeek. First, capture some packets with the following command:
sudo tcpdump -i IFACE -s 0 -w mypackets.trace
Where IFACE is the network device name on the host. After giving it a few minutes to run, terminate the command with CTRL+C and then analyze the traffic with:
zeek -r mypackets.trace
Zeek writes its log files to the current working directory. Alongside mypackets.trace you should see log files such as conn.log, dns.log, packet_filter.log, reporter.log, and weird.log; exactly which appear depends on the protocols present in the capture. Let’s say you then want to run one of Zeek’s built-in scripts against the captured packets. To do this, you can issue something like:
zeek -r mypackets.trace /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
You can browse the /opt/zeek/share/zeek directory, and its policy subdirectory in particular, for the various built-in scripts it offers.
Make Zeek yours
Zeek is a very powerful network monitoring tool. You’ll want to get up to speed with the various built-in scripts and even learn how to create your own. Until you reach this point, you can continue to view the standard log files and record packets entering and leaving the server.
Source: https://www.techrepublic.com/article/zeek-net/