Zeek Installation in Ubuntu

What is Zeek?

An open-source protocol analyzer and network security monitoring tool, Zeek was once known as Bro. It is intended to assist enterprises with real-time network traffic monitoring and analysis, offering information on network activity, potential security risks, and performance concerns. Due to its effectiveness in swiftly capturing and processing network data, Zeek is especially well-liked among cybersecurity experts and network managers.

How to install Zeek in Ubuntu?

Update and upgrade the Ubuntu packages using apt.

sudo apt-get update
sudo apt-get upgrade

Download the Zeek source code from the official website (https://zeek.org/get-zeek/).

Zeek official download page

Install dependencies using the below command.

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3-dev swig zlib1g-dev

Dependencies installation

Once all the dependencies are installed, change to the directory where the Zeek source tarball was downloaded and extract it.

cd Downloads
tar -xzf zeek-<version>.tar.gz

Extracting zeek file

Change into the extracted directory.

cd zeek-<version>

Configure Zeek using the command below.

./configure

Configure command

Once configure has finished, run the commands below. Note that make takes a long time to complete.

make
make install

To run the zeek commands from any terminal, add the Zeek bin directory to your PATH in the .bashrc file.

nano ~/.bashrc

Add the line below (the path to Zeek's bin directory) at the end of the file.

export PATH=/usr/local/zeek/bin:$PATH

Save and exit the file. To apply the change, run source on the file, then check the zeek location and version.

source ~/.bashrc
which zeek
zeek --version

exporting zeek path
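
The build steps above, collected into one script as an added example (not code from the post or from the Zeek project). It assumes the tarball is in ~/Downloads, the default install prefix /usr/local/zeek, and that you set ZEEK_VERSION and ZEEK_SHA256 yourself; the version and digest values below are placeholders, since the post lists neither. The one step the post does not show is checking the tarball's SHA-256 before building it, which is worth doing because make install runs whatever the download contained.

```shell
#!/bin/sh
# Build Zeek from the source tarball on Ubuntu, following the steps above.
# Added example; assumptions: tarball already in ~/Downloads, default
# prefix /usr/local/zeek, and a SHA-256 digest you obtained from zeek.org
# (placeholder below; the post itself lists no hash).
set -eu

ZEEK_VERSION="${ZEEK_VERSION:-X.Y.Z}"   # placeholder: set to the release you downloaded
ZEEK_TARBALL="${ZEEK_TARBALL:-$HOME/Downloads/zeek-$ZEEK_VERSION.tar.gz}"
ZEEK_SHA256="${ZEEK_SHA256:-PLACEHOLDER_SHA256_FROM_ZEEK_ORG}"
ZEEK_PREFIX="${ZEEK_PREFIX:-/usr/local/zeek}"

# Packages the post installs before running ./configure.
install_deps() {
    sudo apt-get update && sudo apt-get -y upgrade
    sudo apt-get install -y cmake make gcc g++ flex bison libpcap-dev \
        libssl-dev python3-dev swig zlib1g-dev
}

# Return 0 only if the file's SHA-256 matches the expected digest; building
# an unverified tarball means running whatever was served, so fail early.
verify_tarball() {
    actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    [ "$actual" = "$2" ]
}

# Unpack, configure, build and install (the default prefix is /usr/local/zeek);
# make takes a long time.
build_zeek() {
    tar -xzf "$1" -C "$(dirname "$1")"
    cd "$(dirname "$1")/zeek-$ZEEK_VERSION"
    ./configure
    make
    sudo make install
}

# Put zeek and zeekctl on PATH for future shells; skips the line if present.
add_zeek_to_path() {
    line="export PATH=$ZEEK_PREFIX/bin:\$PATH"
    grep -qxF "$line" "$HOME/.bashrc" || printf '%s\n' "$line" >> "$HOME/.bashrc"
}

main() {
    install_deps
    verify_tarball "$ZEEK_TARBALL" "$ZEEK_SHA256" || {
        echo "checksum mismatch for $ZEEK_TARBALL, refusing to build" >&2
        exit 1
    }
    build_zeek "$ZEEK_TARBALL"
    add_zeek_to_path
    "$ZEEK_PREFIX/bin/zeek" --version
}

# Only run the full build when invoked as: sh zeek-build.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `ZEEK_VERSION=<version> ZEEK_SHA256=<digest> sh zeek-build.sh run`; without the run argument it only defines the functions, which is what makes the checksum helper testable on its own.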

Now change to the directory /usr/local/zeek/etc and check what files are in it.

cd /usr/local/zeek/etc
ls

Open a new terminal window and list the machine's network interfaces using the command below.

ip a

interfaces

We can see there are 2 interfaces: one is the loopback, and the other, enp0s1, is the broadcast interface that carries the machine's traffic. Note that the name may vary from machine to machine, so note down your interface name. Now, in the previous window, edit the node.cfg file using nano and replace the interface name as shown below.

nano node.cfg
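
The same node.cfg edit done from the shell, as an added example rather than the post's own steps. It assumes the stock ZeekControl node.cfg layout (a single [zeek] standalone node with one interface= line) and the default prefix /usr/local/zeek; the write_sample_node_cfg function writes a constructed copy of that file so the edit can be tried without touching a live install.

```shell
#!/bin/sh
# Switch the standalone [zeek] node in node.cfg to a chosen capture interface.
# Added example, not from the post. Assumptions: the stock node.cfg layout
# with one "interface=" line, and the default prefix /usr/local/zeek.

ZEEK_PREFIX="${ZEEK_PREFIX:-/usr/local/zeek}"

# Return 0 if the named interface exists on this host (checked with ip link).
interface_exists() {
    ip -o link show "$1" >/dev/null 2>&1
}

# Rewrite the "interface=" line of node.cfg to "interface=$2".
# Fails without touching the file if the name looks invalid or no
# interface line is present, so zeekctl never sees a half-edited config.
set_zeek_interface() {
    cfg="$1"
    iface="$2"
    case "$iface" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    grep -q '^interface=' "$cfg" || return 1
    sed "s/^interface=.*/interface=$iface/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Print the interface currently configured in node.cfg.
get_zeek_interface() {
    sed -n 's/^interface=//p' "$1" | head -n 1
}

# Constructed stand-in for the stock node.cfg, used to demonstrate the edit.
write_sample_node_cfg() {
    cat > "$1" <<'EOF'
# Constructed example of the default ZeekControl node configuration.
[zeek]
type=standalone
host=localhost
interface=eth0
EOF
}

# Usage on a real install (needs write access to the etc directory):
#   interface_exists enp0s1 && set_zeek_interface "$ZEEK_PREFIX/etc/node.cfg" enp0s1 && zeekctl check
```

Checking that the interface exists before writing it into node.cfg saves a round of zeekctl check failures when the name was mistyped or differs between machines.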

Once the file is saved, check that the configuration is correct using the command below.

zeekctl check

zeekctl check

Once you get "zeek scripts are ok." at the end, you can deploy zeek using the command below.

zeekctl deploy

zeekctl deploy

Once zeek is started, we can check its status using:

zeekctl status

zeekctl status

Now, to view the logs, change to the directory /usr/local/zeek/logs/current.

cd /usr/local/zeek/logs/current

Running ls in this directory shows the logs being generated.

logs

We can use the tail command to follow a log as it grows, for example conn.log:

tail -f conn.log

conn.log
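
Beyond tailing conn.log, the same file can be summarised with awk. The following is an added example (not from the post or the Zeek project) that assumes Zeek's default TSV log format: tab-separated fields, a #fields header naming the columns, and "-" for unset values. It writes a small constructed conn.log with three flows, then reports total bytes per originating host and connections per detected service; column positions are taken from the #fields line rather than hard-coded, so the functions keep working if the schema gains or reorders fields.

```shell
#!/bin/sh
# Summarise a Zeek conn.log from the shell. Added example, not from the post;
# it assumes the default TSV log format (tab-separated, "#fields" header,
# "-" for unset values) and uses a constructed sample rather than live data.

# Join arguments with a tab, Zeek's default field separator.
tsv() ( IFS=$(printf '\t'); printf '%s\n' "$*" )

# Write a small constructed conn.log (three flows) to the given path.
write_sample_conn_log() {
    {
        printf '#separator \\x09\n'
        tsv '#set_separator' ','
        tsv '#empty_field' '(empty)'
        tsv '#unset_field' '-'
        tsv '#path' conn
        tsv '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state
        tsv '#types' time string addr port addr port enum string interval count count string
        tsv 1700000000.000000 CAbc1 10.0.0.5 51234 203.0.113.10 443 tcp ssl 1.200000 1000 2000 SF
        tsv 1700000001.000000 CAbc2 10.0.0.7 51235 203.0.113.10 80 tcp http 0.500000 100 400 SF
        tsv 1700000002.000000 CAbc3 10.0.0.5 51236 10.0.0.1 53 udp dns - - - S0
    } > "$1"
}

# Total bytes (orig + resp) per originating host, busiest first.
# Column indexes are resolved from the #fields line; unset ("-") byte
# counts, as in the DNS flow above, are treated as zero.
top_talkers() {
    awk -F '\t' '
        function num(v) { return v == "-" ? 0 : v + 0 }
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1
                     oh = col["id.orig_h"]; ob = col["orig_bytes"]; rb = col["resp_bytes"]; next }
        /^#/ { next }
        { bytes[$oh] += num($ob) + num($rb) }
        END { for (h in bytes) printf "%s %d\n", h, bytes[h] }
    ' "$1" | sort -k2,2nr
}

# Connection count per detected service ("-" reported as unknown).
service_counts() {
    awk -F '\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; sv = col["service"]; next }
        /^#/ { next }
        { s = ($sv == "-") ? "unknown" : $sv; n[s]++ }
        END { for (s in n) printf "%s %d\n", s, n[s] }
    ' "$1" | sort
}

# Usage against a live install:
#   top_talkers /usr/local/zeek/logs/current/conn.log
#   service_counts /usr/local/zeek/logs/current/conn.log
```

On the constructed sample, top_talkers reports 10.0.0.5 with 3000 bytes ahead of 10.0.0.7 with 500, and service_counts reports one dns, one http and one ssl connection.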

Watch the tutorial on YouTube.

YouTube video tutorial

You can also read about Zeek on GitHub.

Subscribe to our YouTube channel. https://www.youtube.com/@CyberToolGuardian/featured

Follow us on Instagram.
https://instagram.com/cybertoolguardian
