Lab 11.1: Zeek - squatchulator/Tech-Journal GitHub Wiki

Lab 11.1 - Zeek (Project 3 Part 1)

Downloading and Installing Zeek

  • First, we need to meet a few requirements:
    • Add second network adapter to the Zeek server in VCenter
      • Make sure that the two network adapters are on the DMZ and MGMT networks respectively
    • Boot the system up. Change the hostname to zeek-yourname. Also create a new user with adduser and add it to the sudoers group.
    • Change the IPs using Netplan (sudo nano /etc/netplan/00-installer-config.yaml): 
      network:
  ethernets:
    ens160:
      dhcp4: no
      addresses: [172.16.50.6/29]
      routes:
        - to: default
        via: 172.16.50.2
      nameservers:
        addresses: [172.16.50.2]
    ens192:
      dhcp4: no
      addresses: [172.16.200.13/28]
  version: 2
      • Then run sudo netplan apply.

DNS and Firewall

  • Create a DNS entry that points to Zeek's MGMT IP address (172.16.200.13)
  • Allow internet connections to Zeek server using the Edge firewall:
set firewall name DMZ-to-WAN rule 999 action accept
set firewall name DMZ-to-WAN rule 999 source address 172.16.50.0/29
set firewall name DMZ-to-WAN rule 50 action accept
set firewall name DMZ-to-WAN rule 50 description "Allow NTP to DMZ"
set firewall name DMZ-to-WAN rule 50 destination address 172.16.50.0/29
set firewall name DMZ-to-WAN rule 50 protocol udp
set firewall name DMZ-to-WAN rule 50 destination port 123
commit
save

NTP

  • Run sudo apt-get install ntp -y
  • Make sure it's working with ntpq -p

Installing Zeek

  • Run the following commands:
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
sudo apt update
sudo apt install zeek-lts
  • Select LocalOnly, restart devices, and now Zeek will be located in /opt/zeek
  • Rename the config file with cp /opt/zeek/etc/node.cfg /opt/zeek/etc/node.orig
  • Create a new /opt/zeek/etc/node.cfg with the following:
#SEC350
[logger]
type=logger
host=zeek-miles
#
[manager]
type=manager
host=zeek-miles
#
[proxy-1]
type=proxy
host=zeek-miles
#
[worker-1]
type=worker
host=zeek-miles
interface=ens160
#
[worker-2]
type=worker
host=zeek-miles
interface=ens192
  • Now, adjust the network settings in /opt/zeek/etc/networks.cfg:
172.16.50.0/29  SEC350-DMZ
172.16.200.0/28 SEC350-MGMT
  • We also need to adjust the logging format in /opt/zeek/share/zeek/site/local.zeek:
@load policy/tuning/json-logs.zeek
  • The log rotation value in /opt/zeek/etc/zeekctl.cfg:
LogRotationInterval = 86400
  • Adjust the root's PATH with nano /root/.profile:
# Append at the bottom:
export PATH=$PATH:/opt/zeek/bin
# Save and exit
source .profile
echo $PATH
  • Now we can deploy Zeek with:
zeekctl
deploy
# To check the status
status
  • Now if you visit some websites on Wks01, you should be able to see the logs with cat /opt/zeek/logs/current/dns.log | grep 172.16.200.11
  • We can see logs from Traveler too with cat /opt/zeek/logs/current/http.log | grep 172.16.50.3