Trying out Zeek — An Open Source Network Security Monitoring Tool

CHAN Fook Sheng
3 min read · Feb 16, 2021

I first heard of Zeek a few years ago from a colleague when we were working on a data analytics project. At that time it was known as Bro. I had only known Snort as the open source IDS prior to that.

Finally I managed to find some time to try out Zeek. Here I will share how I set it up and got it running.

Zeek runs on Linux. I am running Ubuntu 18.04.5 on Virtualbox. The Zeek version used is 3.2.3. I usually use 2 network interfaces in Virtualbox, the default NAT and one host-only network interface, so that the VMs can talk to each other and with the host OS.

Installing required dependencies

You need to install the required dependencies:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Installing Zeek

I chose manual installation from

https://software.opensuse.org/download.html?project=security%3Azeek&package=zeek

echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list

curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null

sudo apt update

sudo apt install zeek

Configuration

You need to configure 3 files under /opt/zeek/etc:

For node.cfg, I used the host-only network interface of Virtualbox.

In networks.cfg, I set the 192.168.56.0/24 host-only network to be the local network.

As for zeekctl.cfg, I just changed MailTo to u1@localhost.

Running Zeek

Examining the log files

Zeek will sniff the network and produce log files. There are different log files, for example conn.log and dns.log, to name a few.

conn.log

From the Zeek documentation (https://docs.zeek.org/en/current/quickstart/index.html), it says

Contains an entry for every connection seen on the wire, with basic properties such as time and duration, originator and responder IP addresses, services and ports, payload size, and much more. This log provides a comprehensive record of the network’s activity.

You can see that it logs my new ssh connection to the VM running Zeek.
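As an added example (not part of the original post, and not Zeek's own tooling), here is a small Python reader for the default ASCII conn.log format that picks out inbound SSH connections to the 192.168.56.0/24 host-only network; the log lines it carries are constructed sample data, not a real capture.

```python
# Added example, not from the original post: a minimal reader for Zeek's
# default ASCII conn.log that lists SSH sessions into the monitored
# host-only network (192.168.56.0/24 as in the post). The log text below
# is constructed sample data, not a real capture.
import ipaddress

# Zeek ASCII logs: '#'-prefixed header lines, tab-separated records, '-' = unset.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tbool
1613468421.102\tCk3Q9a1x\t192.168.56.1\t51234\t192.168.56.101\t22\ttcp\tssh\t12.5\t3210\t4096\tSF\tT\tT
1613468425.301\tCz8v2Lq0\t192.168.56.101\t44120\t8.8.8.8\t53\tudp\tdns\t0.02\t40\t120\tSF\tT\tF
1613468430.770\tCo1Wb7nM\t10.0.2.15\t40000\t93.184.216.34\t443\ttcp\t-\t-\t-\t-\tS0\tF\tF
#close\t2021-02-16-17-30-00
"""


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and friends carry no records
        else:
            values = [None if v == "-" else v for v in line.split("\t")]
            yield dict(zip(fields, values))


def ssh_into_local(text, local_net="192.168.56.0/24"):
    """Return (orig_h, resp_h, uid) for connections Zeek classified as ssh
    whose responder sits inside local_net, i.e. inbound SSH to the VM."""
    net = ipaddress.ip_network(local_net)
    hits = []
    for rec in parse_zeek_log(text):
        if rec["service"] != "ssh":
            continue  # service is None when Zeek could not identify it
        if ipaddress.ip_address(rec["id.resp_h"]) in net:
            hits.append((rec["id.orig_h"], rec["id.resp_h"], rec["uid"]))
    return hits


if __name__ == "__main__":
    for orig, resp, uid in ssh_into_local(SAMPLE_CONN_LOG):
        print(f"ssh {orig} -> {resp} (uid {uid})")
```

Point the same functions at /opt/zeek/logs/current/conn.log to check a live deployment; the uid ties each connection to its entries in the other logs, such as ssh.log or software.log.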

software.log

The software log shows that I am connecting to the VM using PuTTY.

I hope to explore the file inspection feature of Zeek, especially the detect-MHR.zeek script that creates and compares hashes against the Malware Hash Registry maintained by Team Cymru.

See you soon. :)
