Install Zeek on Ubuntu 20.04 (w GeoIP Data) - cfloquetprojects/homelab GitHub Wiki

Lab Pre-Requisites:

We will be installing Zeek on a Linux Ubuntu 20.04 LTS host and integrating libmaxminddb so that Zeek can geo-locate IP addresses.

You will need to create a free MaxMind account here to download the GeoLite2 database.

After creating the account, generate a (free) license key, then request the download of GeoLite2 City. Choose the GZIP (.mmdb) download rather than the CSV variant, since the binary .mmdb format is what libmaxminddb and Zeek read.

Make sure that your Ubuntu 20.04 host is properly networked (configured via /etc/netplan/*.yaml; netplan ignores .yml files) and has working DNS servers.

If you plan on monitoring several subnets, each should have its own interface. A capture-only interface fed by a SPAN/mirror port does not need an IP address of its own; it only needs to be up.

Installation of Requisite Packages & System Preparation:

First we can confirm the distro and version we are running by using the following:

cfloquet@zeek:# lsb_release --all
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.3 LTS
Release:        20.04
Codename:       focal

Zeek needs a bevy of build dependencies, which we can install in one go after bringing the package index and the system up to date. Note that focal has no python-dev package (that was Python 2); Zeek's build and zeekctl both use Python 3, so python3-dev is the one we want.

$ sudo apt -y update
$ sudo apt -y upgrade
$ sudo apt-get -y install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3-dev swig zlib1g-dev

If you have decided to include geo-location data in Zeek, transfer the GeoLite2 City archive to the Ubuntu 20.04 host with a GUI-based application such as WinSCP, or simply scp it over.

Once the .tar.gz file has been transferred, install libmaxminddb (along with a few other packages we will need) and extract the archive:

$ sudo apt-get -y install libmaxminddb-dev build-essential python3-dev net-tools
$ tar --extract --verbose --gunzip --file GeoLite*

With GeoLite2 City extracted, let's copy the .mmdb file into a new directory. The date in the extracted directory name will differ depending on when you downloaded the database; /usr/share/GeoIP is one of the locations Zeek searches for .mmdb files by default:

$ sudo mkdir --parents /usr/share/GeoIP
$ sudo cp GeoLite2-City_20210914/GeoLite2-City.mmdb /usr/share/GeoIP/

Now that we have set up our system and staged the GeoIP database for later use, we can install Zeek.

Installing Zeek Network Security Monitor:

We can use git to clone the official Zeek repository, with --recursive so that its submodules come along. A plain clone checks out the master branch, which is the development line and may require a newer compiler than 20.04 ships; to build a release instead, list the tags in the clone (git tag --list) and check out the version you want before configuring. sudo is not strictly needed here, but it keeps the source tree root-owned, which matches the sudo make steps below.

$ sudo git clone --recursive https://github.com/zeek/zeek

Now change into the newly cloned zeek directory and run configure. make distclean is only needed when re-configuring an existing build tree (it is harmless on a fresh clone). The value passed to --with-geoip is the install root of libmaxminddb, which the Ubuntu package puts under /usr; the database directory itself is not a build-time setting. Zeek looks for .mmdb files at runtime in /usr/share/GeoIP (among other default locations), or in the directory set by the mmdb_dir script option.

$ cd zeek/
$ sudo make distclean
$ sudo ./configure --with-geoip=/usr

Before proceeding, ensure that configure completed without errors. It ends with a build option summary (check that GeoIP support shows as enabled there) followed by the path the build files were written to; nothing has been compiled yet at this point.

Now we can move on to the make process, which will take a while depending on your system resources; -j lets it use every core:

$ sudo make -j"$(nproc)"
$ sudo make install

Now that the installation has completed, let's create a few symbolic links and test them with which:

$ cd ~
$ sudo ln --symbolic /usr/local/zeek/bin/zeek /usr/bin/zeek
$ sudo ln --symbolic /usr/local/zeek/bin/zeekctl /usr/bin/zeekctl
$ which zeek
/usr/bin/zeek
$ which zeekctl
/usr/bin/zeekctl

Adding symbolic links works well, but in case we need more of Zeek's tools (zeek-cut, zeek-config, and so on) in the future, let's also add its bin directory to PATH. No sudo is needed (the redirect runs as your own user regardless of sudo), and the single quotes keep $PATH from being expanded, and thus frozen, at write time. Log in again or source ~/.bashrc for the change to take effect.

$ echo 'export PATH=$PATH:/usr/local/zeek/bin' >> ~/.bashrc
$ tail --lines 1 ~/.bashrc

At this point the basic installation of Zeek is complete, but we still need to tell it which networks are local and which interfaces it should monitor.

Configuring & Starting Zeek Network Security Monitor:

We now need to edit networks.cfg. This file does not select interfaces; it lists the address ranges Zeek should treat as local (it populates Site::local_nets), which is what the local_orig/local_resp columns in conn.log and the "local vs. remote" logic in many policy scripts rely on. Add one line per prefix you consider internal, with a short description:

cfloquet@zeek:/usr/local/zeek/etc$ sudo vi networks.cfg
<..>
#10.0.0.0/8          Private IP space
#172.16.0.0/12       Private IP space
XX.XX.YY.YY/CIDR     DESC_OF_MONITORED_NETWORK

Once your local networks have been defined, we can move on to editing node.cfg (in the same directory), which defines the Zeek processes and the interfaces they sniff.

If you are using a standalone configuration to monitor a single interface, it only takes a few lines. Keep comments on their own lines; a trailing # comment after a value becomes part of the value.

[zeek]
type=standalone
host=localhost
# Insert the interface to monitor here.
interface=ens192

For setups with a larger footprint, there is the clustered configuration. A node.cfg is either standalone or clustered, so remove (or comment out) the [zeek] section above first. Use localhost for every node when the whole cluster runs on the Zeek host; when workers run on other machines, give each node the address the other nodes can reach it on and set up passwordless SSH from the manager host to those machines, since zeekctl installs and starts the remote nodes over SSH.

#
[logger-1]
type=logger
host=localhost
#
# Insert the LAN IP of your Zeek host here (or localhost for a single-host cluster).
[cfloquet-zeek-manager]
type=manager
host=192.168.0.4
#
[cfloquet-zeek-proxy]
type=proxy
host=192.168.0.5
#
# Replace the interface names with the ones you are monitoring.
[cfloquet-zeek-worker-int1]
type=worker
host=192.168.0.5
interface=name_of_first_interface
#
[cfloquet-zeek-worker-int2]
type=worker
host=localhost
interface=name_of_second_interface

If you are planning on shipping Zeek logs to a tool like Splunk, add the following line to local.zeek so that every log is written as JSON (one object per line), which Splunk indexes without a custom parser. Keep in mind that zeek-cut only understands the default tab-separated format, so it will no longer work on these files.

cfloquet@zeek:$ sudo vi /usr/local/zeek/share/zeek/site/local.zeek
<..>
@load policy/tuning/json-logs
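To put the GeoIP support we compiled in to use, here is an added example script (it is not part of this wiki page or of the Zeek distribution) that extends conn.log with the country code of each non-local endpoint. It calls lookup_location() against the GeoLite2 City database installed under /usr/share/GeoIP and uses Site::is_local_addr() so that the prefixes from networks.cfg are skipped (GeoLite2 has no entries for private space anyway). The filename geo-conn.zeek, the module name GeoConn, the helper country_of() and the column names orig_cc/resp_cc are my own choices; lookup_location, mmdb_dir, Conn::Info and the Site functions are Zeek's.

```zeek
##! Added example (not from the homelab wiki or the Zeek project): enrich
##! conn.log with GeoLite2 country codes for non-local endpoints.
##! Assumed filename: /usr/local/zeek/share/zeek/site/geo-conn.zeek.
##! Enable it with "@load ./geo-conn" in local.zeek, then "zeekctl deploy".

@load base/protocols/conn
@load base/utils/site

module GeoConn;

# Explicit database directory. Zeek already searches /usr/share/GeoIP on its
# own, so this mainly documents where the .mmdb file is expected to live.
redef mmdb_dir = "/usr/share/GeoIP";

# Two optional columns appended to every conn.log record (TSV or JSON alike).
redef record Conn::Info += {
	## ISO country code of the originator, if it is not a local address.
	orig_cc: string &log &optional;
	## ISO country code of the responder, if it is not a local address.
	resp_cc: string &log &optional;
};

# Returns the country code for a public address, or "" when the address is
# local (networks.cfg / Site::local_nets), private, or absent from the DB.
# lookup_location() returns a geo_location record whose fields are all
# &optional, so the country_code field must be tested before it is read.
function country_of(a: addr): string
	{
	if ( Site::is_local_addr(a) || Site::is_private_addr(a) )
		return "";

	local loc = lookup_location(a);
	return loc?$country_code ? loc$country_code : "";
	}

# Default priority (0) runs after Conn's own handler has filled in c$conn
# (priority 5) and before the one that writes the record (priority -5), so the
# new columns are populated in the logged line.
event connection_state_remove(c: connection)
	{
	if ( ! c?$conn )
		return;

	local occ = country_of(c$id$orig_h);
	if ( occ != "" )
		c$conn$orig_cc = occ;

	local rcc = country_of(c$id$resp_h);
	if ( rcc != "" )
		c$conn$resp_cc = rcc;
	}
```

Before deploying, a quick sanity check that the build actually picked up libmaxminddb and the database is `zeek -e 'print lookup_location(8.8.8.8);'`: with GeoIP support it prints a geo_location record with country_code set; without it Zeek reports that it was not built with GeoIP support and the record comes back with every field unset. Once the script is loaded and deployed, the orig_cc and resp_cc columns show up at the end of each conn.log line (or as two extra keys in each JSON object if json-logs is enabled).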

Next, adjust how often Zeek rotates its logs. This is the LogRotationInterval setting in /usr/local/zeek/etc/zeekctl.cfg, given in seconds; the shipped default is 3600 (hourly).

Find the LogRotationInterval setting and change it to 86400 to rotate logs every 24 hours, or whatever interval suits your retention and log-shipping setup.

💡 If you want the notifications zeekctl sends (cron output, crash reports) mailed somewhere, set the recipient address in zeekctl.cfg as well. root@localhost is the shipped default; replace it with your own address:

cfloquet@zeek:/usr/local/zeek/etc$ more zeekctl.cfg
<..>
# Mail Options
# Recipient address for all emails sent out by Zeek and ZeekControl.
MailTo = root@localhost

We should now be all set to deploy our Zeek/Bro Network Security Monitor with zeekctl. deploy checks the configuration, installs it and (re)starts every node in one step, and has to run as root because the installation under /usr/local/zeek is root-owned. For a sensor that is meant to keep running, also add zeekctl cron to root's crontab (every five minutes is the documented interval) so that crashed nodes are restarted and rotated logs get archived.

cfloquet@zeek:/usr/local/zeek/etc$ sudo zeekctl deploy

If everything started properly, we should now be able to test our Zeek manager/workers with zeekctl status:

cfloquet@zeek:/usr/local/zeek/etc$ sudo zeekctl status
Name                        Type    Host             Status    Pid    Started
cfloquet-zeek-manager         manager 192.168.0.5     running   403605 13 Feb 11:43:34
cfloquet-zeek-proxy           proxy   192.168.0.5      running   403644 13 Feb 11:43:35
cfloquet-zeek-worker-enp0s25  worker  192.168.0.5      running   403624 13 Feb 11:43:37
cfloquet-zeek-worker-lo       worker  localhost        running   403621 13 Feb 11:43:39

To confirm that logs are being written, generate some traffic that actually crosses a monitored interface (a few DNS lookups from a host behind it will do), then grep dns.log or http.log under /usr/local/zeek/logs/current/ for the name you queried. If json-logs is enabled, each line is a JSON object; grep still works on it, zeek-cut does not:

cfloquet@zeek:$ grep exampleDomain.com /usr/local/zeek/logs/current/dns.log