Zeek, formerly known as Bro, is an open-source network security monitoring tool used to analyze network traffic in real-time. It captures packets and interprets their contents to provide insights into the activities and behaviors occurring on a network.
Zeek Network Security Monitoring offers a powerful and flexible solution for organizations seeking to enhance their network security posture by gaining deeper insights into network traffic and detecting potential threats in real time.
In this tutorial, we will show you how to install the Zeek tool on Ubuntu 24.04.
Step 1 – Install Zeek
The Zeek package is not included in the Ubuntu default repository, so you will need to add Zeek’s official repository to APT.
First, download the Zeek GPG key.
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/security_zeek.gpg
Next, add the Zeek repository to the APT source file.
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_24.04/ /' | tee /etc/apt/sources.list.d/security:zeek.list
Then, update the repository index and install Zeek using the following command.
apt update -y
apt install zeek -y
Once Zeek is installed, add the Zeek binary directory to the PATH in your .bashrc file. Use single quotes so that $PATH is expanded each time the shell starts rather than being hard-coded at the moment the line is written.
echo 'export PATH=$PATH:/opt/zeek/bin' >> ~/.bashrc
Reload the .bashrc file using the following command.
source ~/.bashrc
Next, verify the Zeek version using the following command.
zeek --version
Output.
zeek version 7.2.1
Step 2 – Configure Zeek
Zeek's networks.cfg file, which defines the address ranges Zeek treats as local, is located at /opt/zeek/etc/networks.cfg. You can edit it using the nano editor.
nano /opt/zeek/etc/networks.cfg
Add your internal networks, one per line, as shown below:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Then, edit the Zeek node.cfg configuration file.
nano /opt/zeek/etc/node.cfg
Comment out the following lines:
#[zeek]
#type=standalone
#host=localhost
#interface=eth0
Then, add the following cluster configuration (replace your-server-ip with the address of your server).
[zeek-logger]
type=logger
host=your-server-ip
#
[zeek-manager]
type=manager
host=your-server-ip
#
[zeek-proxy]
type=proxy
host=your-server-ip
#
[zeek-worker]
type=worker
host=your-server-ip
interface=eth0

[zeek-worker-lo]
type=worker
host=localhost
interface=lo
Save and close the file, then apply the above configurations using the following command.
zeekctl deploy
You will see the following output.
checking configurations ...
installing ...
creating policy directories ...
installing site policies ...
generating cluster-layout.zeek ...
generating local-networks.zeek ...
generating zeekctl-config.zeek ...
generating zeekctl-config.sh ...
stopping ...
stopping workers ...
stopping proxy ...
stopping manager ...
stopping logger ...
starting ...
starting logger ...
starting manager ...
starting proxy ...
starting workers ...
You can check Zeek’s status using the zeekctl command.
zeekctl status
Output.
Name             Type     Host           Status    Pid     Started
zeek-logger      logger   69.28.90.163   running   36001   23 May 04:28:12
zeek-manager     manager  69.28.90.163   running   36066   23 May 04:28:15
zeek-proxy       proxy    69.28.90.163   running   36119   23 May 04:28:17
zeek-worker      worker   69.28.90.163   running   36194   23 May 04:28:19
zeek-worker-lo   worker   localhost      running   36193   23 May 04:28:18
Step 3 – Check Zeek Log Files
By default, Zeek stores all log files at /opt/zeek/logs/current/.
To see Zeek log files, run the following command.
ls -l /opt/zeek/logs/current/
Output.
-rw-r--r-- 1 root zeek  1780 May 23 04:28 broker.log
-rw-r--r-- 1 root zeek  1959 May 23 04:28 cluster.log
-rw-r--r-- 1 root zeek  7895 May 23 04:29 conn.log
-rw-r--r-- 1 root zeek 34524 May 23 04:28 loaded_scripts.log
-rw-r--r-- 1 root zeek   209 May 23 04:28 packet_filter.log
-rw-r--r-- 1 root zeek   666 May 23 04:28 reporter.log
-rw-r--r-- 1 root zeek   621 May 23 04:28 stats.log
-rw-r--r-- 1 root zeek     0 May 23 04:28 stderr.log
-rw-r--r-- 1 root zeek   204 May 23 04:28 stdout.log
-rw-r--r-- 1 root zeek 14391 May 23 04:29 telemetry.log
-rw-r--r-- 1 root zeek   373 May 23 04:28 weird.log
Check the Zeek cluster log to confirm that the cluster nodes have found each other, using the following command.
tail /opt/zeek/logs/current/cluster.log
Output.
1709522449.760873 zeek-proxy got hello from zeek-worker (acda2560-8dd9-5192-9685-c430eb02c0aa)
1709522449.658879 zeek-worker got hello from zeek-proxy (d613130f-325e-5fc7-b3a1-82cf36ff604e)
1709522449.658879 zeek-worker got hello from zeek-manager (c31e3478-95d4-5eaa-8013-1953462da48b)
1709522449.658879 zeek-worker got hello from zeek-logger (0bc1f618-7d7a-53bf-b751-f2681f78ba4e)
1709522454.919369 zeek-logger got hello from zeek-worker-lo (853e3648-641e-5adb-8859-9b71f0cf4a6c)
1709522454.957199 zeek-proxy got hello from zeek-worker-lo (853e3648-641e-5adb-8859-9b71f0cf4a6c)
1709522454.915454 zeek-manager got hello from zeek-worker-lo (853e3648-641e-5adb-8859-9b71f0cf4a6c)
To see the connections Zeek has recorded so far, look at the tail of conn.log with the following command.
tail /opt/zeek/logs/current/conn.log
Output.
1709522458.533596 CghW2m4QTLngSVYKsl fe80::eaa2:4500:df31:71a0 135 ff02::1:ff00:bee 136 icmp - 2.001871 72 0 OTH T F 0 - 3 216 0 0 -
1709522460.758169 CLHor419mmTNILP5hc 2607:f170:14:12::f60 135 ff02::1:ff00:1 136 icmp - - - - OTH F F 0 - 1 72 0 0 -
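The conn.log records above are hard to read without the column names, which Zeek writes in a #fields header line at the top of the file. The following added example (not part of this tutorial or of the Zeek project) parses that tab-separated format by its header, maps the '-' unset marker to None, and summarises records by protocol and conn_state, singling out connections that a local host (per the networks.cfg ranges from Step 2) started but that never got a reply (state S0). The sample log is constructed: one record copied from the output above plus two made-up TCP records.

```python
from collections import Counter

# Constructed sample of a Zeek conn.log: the header lines Zeek writes, one
# record modelled on the tutorial's tail output and two made-up TCP records.
SAMPLE_CONN_LOG = "\n".join("\t".join(row) for row in [
    ["#separator \\x09"],
    ["#unset_field", "-"],
    ["#path", "conn"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
     "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
     "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents"],
    ["1709522460.758169", "CLHor419mmTNILP5hc", "2607:f170:14:12::f60", "135",
     "ff02::1:ff00:1", "136", "icmp", "-", "-", "-", "-", "OTH", "F", "F",
     "0", "-", "1", "72", "0", "0", "-"],
    ["1709522470.000000", "CsampleConstructed1", "192.168.1.10", "54321",
     "203.0.113.5", "443", "tcp", "ssl", "0.512", "1200", "5400", "SF", "T", "F",
     "0", "ShADadFf", "9", "1700", "8", "5800", "-"],
    ["1709522475.000000", "CsampleConstructed2", "192.168.1.10", "54322",
     "203.0.113.5", "23", "tcp", "-", "-", "-", "-", "S0", "T", "F",
     "0", "S", "1", "60", "0", "0", "-"],
])

def parse_zeek_tsv(text):
    """Yield one dict per record; column names come from the #fields header
    and the #unset_field marker (normally '-') becomes None."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if line.startswith("#unset_field\t"):
            unset = line.split("\t", 1)[1]
        elif line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines (#separator, #path, #open, #close)
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError("record does not match the #fields header")
            yield {k: (None if v == unset else v) for k, v in zip(fields, values)}

def conn_state_summary(text):
    """Count records by (proto, conn_state) and collect the uids of connections
    our side originated (local_orig == T) that never got a reply (S0)."""
    counts, unanswered = Counter(), []
    for rec in parse_zeek_tsv(text):
        counts[(rec["proto"], rec["conn_state"])] += 1
        if rec["conn_state"] == "S0" and rec["local_orig"] == "T":
            unanswered.append(rec["uid"])
    return counts, unanswered
```

To run it against the live file, pass the contents of /opt/zeek/logs/current/conn.log to conn_state_summary; local_orig is only meaningful once networks.cfg lists your ranges.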
If you want to stop Zeek, run the following command.
zeekctl stop
Conclusion
By following the step-by-step installation guide outlined in this article, users can deploy Zeek on Ubuntu 24.04 and begin leveraging its capabilities to enhance their network security posture, detect malicious activities, and safeguard critical assets against cyber threats. Try to deploy Zeek on VPS hosting from Atlantic.Net!