
Sunday, February 7, 2021

Fedora 33 : Running Zeek - part 001.

Zeek is often used as a network analysis tool, but it can also be deployed as an IDS (Intrusion Detection System).
The full documentation can be found on the Zeek documentation website.
Let's install this tool on the Fedora 33 distro.
[root@desk mythcat]# dnf search zeek
Last metadata expiration check: 0:18:02 ago on Sun 07 Feb 2021 11:21:35 AM EET.
No matches found.
[root@desk mythcat]# dnf config-manager --add-repo https://download.opensuse.org/repositories/security:zeek/Fedora_33/security:zeek.repo
Adding repo from: https://download.opensuse.org/repositories/security:zeek/Fedora_33/security:zeek.repo
[root@desk mythcat]# dnf install zeek
The Zeek Network Security Monitor. (Fedora_33)  105 kB/s | 128 kB     00:01    
Last metadata expiration check: 0:00:01 ago on Sun 07 Feb 2021 11:40:31 AM EET.
...
  Verifying        : zeekctl-3.2.3-1.1.x86_64                               8/8 

Installed:
  libbroker-devel-3.2.3-1.1.x86_64       libpcap-devel-14:1.9.1-6.fc33.x86_64  
  openssl-devel-1:1.1.1i-1.fc33.x86_64   zeek-3.2.3-1.1.x86_64                 
  zeek-core-3.2.3-1.1.x86_64             zeek-devel-3.2.3-1.1.x86_64           
  zeek-libcaf-devel-3.2.3-1.1.x86_64     zeekctl-3.2.3-1.1.x86_64              

Complete!
[root@desk mythcat]# whereis zeek
zeek: /opt/zeek/bin/zeek
[root@desk mythcat]# whereis zeekctl
zeekctl: /opt/zeek/bin/zeekctl
I found this information in the documentation:
ZeekControl is an interactive shell for easily operating/managing Zeek installations on a single system or even across multiple systems in a traffic-monitoring cluster.
A Minimal Starting Configuration
These are the basic configuration changes to make for a minimal ZeekControl installation that will manage a single Zeek instance on the localhost:
  • In $PREFIX/etc/node.cfg, set the right interface to monitor.
  • In $PREFIX/etc/networks.cfg, comment out the default settings and add the networks that Zeek will consider local to the monitored environment.
  • In $PREFIX/etc/zeekctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.
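The three configuration steps above, carried out as one shell script. This is an added example, not code from the Zeek project or from the original post: it assumes the $PREFIX of /opt/zeek that the Fedora package uses, and its functions take the etc/ directory as an argument so the edits can be rehearsed on a scratch copy before touching /opt/zeek/etc. The sample files it builds are constructed here and only mirror the keys of the packaged defaults (interface=, the network list, MailTo and LogRotationInterval).

```shell
#!/bin/sh
# Added example (not the Zeek project's own code): apply the minimal
# ZeekControl configuration to an etc/ directory given as $1.
# Assumption: PREFIX=/opt/zeek, so the real target is /opt/zeek/etc.

# Rewrite a file in place without relying on the non-POSIX `sed -i`.
edit_in_place() {
    # $1 = file, $2 = sed expression
    tmp="$1.tmp.$$"
    sed "$2" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Step 1: node.cfg - point the standalone node at the interface to monitor.
set_interface() {
    # $1 = etc dir, $2 = interface name as shown by `ip link show`
    edit_in_place "$1/node.cfg" "s|^interface=.*|interface=$2|"
}

# Step 2: networks.cfg - comment out every active default line, then append
# the networks Zeek should treat as local ($2.. are CIDR ranges).
set_local_networks() {
    etc="$1"; shift
    edit_in_place "$etc/networks.cfg" 's|^\([^#[:space:]]\)|#\1|'
    for net in "$@"; do
        printf '%-20s %s\n' "$net" "Local network" >> "$etc/networks.cfg"
    done
}

# Step 3: zeekctl.cfg - notification recipient and log rotation interval (seconds).
set_zeekctl_options() {
    # $1 = etc dir, $2 = mail address, $3 = rotation interval in seconds
    edit_in_place "$1/zeekctl.cfg" \
        "s|^MailTo *=.*|MailTo = $2|; s|^LogRotationInterval *=.*|LogRotationInterval = $3|"
}

# Read-back helpers to verify what ended up in the files.
get_interface()   { sed -n 's/^interface=//p' "$1/node.cfg"; }
active_networks() { grep -c '^[^#[:space:]]' "$1/networks.cfg"; }
get_option()      { sed -n "s/^$2 *= *//p" "$1/zeekctl.cfg"; }

# Constructed sample etc/ directory (not copied from the post's machine);
# it carries the same keys as the packaged defaults.
make_sample_etc() {
    mkdir -p "$1"
    printf '[zeek]\ntype=standalone\nhost=localhost\ninterface=eth0\n' > "$1/node.cfg"
    printf '10.0.0.0/8          Private IP space\n192.168.0.0/16      Private IP space\n' \
        > "$1/networks.cfg"
    printf 'MailTo = root@localhost\nLogRotationInterval = 3600\n' > "$1/zeekctl.cfg"
}

# Rehearsal on a scratch copy; swap /tmp/zeek-etc for /opt/zeek/etc on the real host.
# make_sample_etc /tmp/zeek-etc
# set_interface /tmp/zeek-etc enp3s0
# set_local_networks /tmp/zeek-etc 192.168.1.0/24
# set_zeekctl_options /tmp/zeek-etc admin@example.com 86400
```

After editing the real files, run `install` (or `deploy`) inside zeekctl so the new node.cfg and networks.cfg are picked up; the `diag` command then reports whether the chosen interface can actually be opened.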
The next step is to adjust your PATH environment variable so the shell finds the Zeek binaries:
[root@desk mythcat]# export PATH=/opt/zeek/bin:$PATH
[root@desk mythcat]# zeekctl

Welcome to ZeekControl 2.2.0

Type "help" for help.
...
Use the install, start and diag commands at the ZeekControl prompt to check that Zeek works correctly.
If the diag command reports this error, you need to set your network interface:
==== stderr.log
fatal error: problem with interface eth0 (pcap_error: SIOCGIFHWADDR: No such device (pcap_activate))
Let's fix this error in the configuration files:
[root@desk mythcat]# updatedb
[root@desk mythcat]# locate node.cfg
/opt/zeek/etc/node.cfg
[root@desk mythcat]# vi /opt/zeek/etc/node.cfg
I changed the row starting with interface= to my network interface.
You can find your interface with these commands:
[root@desk mythcat]# ip link show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
...
[root@desk mythcat]# nmcli device status
DEVICE  TYPE      STATE                   CONNECTION 
...
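An added example (not part of the original post) of picking the name for the interface= line from the commands above: it parses the one-line-per-link output of `ip -o link show` and chooses the first device that is not the loopback and is in state UP, which is what avoids the "No such device" error from diag. The sample output it runs on is constructed here, not captured from the machine in the post.

```shell
#!/bin/sh
# Added example: choose the capture interface for node.cfg from `ip -o link show`.
# Assumes iproute2's -o format (one link per line, "state <STATE>" on each line).

pick_interface() {
    # Reads `ip -o link show` output on stdin and prints the first device that is
    # not lo and is administratively UP. Field 2 is "name:" (or "name@parent:"
    # for virtual links); the word after "state" is the link state.
    awk '
        $2 != "lo:" {
            name = $2
            sub(/:$/, "", name)
            sub(/@.*/, "", name)
            for (i = 3; i <= NF; i++)
                if ($i == "state" && $(i + 1) == "UP") { print name; exit }
        }'
}

# Constructed sample: loopback, a wireless card that is DOWN, and a wired card that is UP.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 66:77:88:99:aa:bb brd ff:ff:ff:ff:ff:ff
3: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# Runs the chooser over the constructed sample; on a real host use:
#   ip -o link show | pick_interface
chosen_interface() { printf '%s\n' "$SAMPLE_IP_LINK" | pick_interface; }
```

The printed name is the value to put after interface= in /opt/zeek/etc/node.cfg; a DOWN interface is skipped because Zeek can open it but will never see traffic on it.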
Now I can run the zeekctl command and check that everything is all right.
The first issue reported by diag and zeekctl is this:
1612693272.168741 Reporter::WARNING Your interface is likely receiving invalid TCP and UDP checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Zeek unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Zeek analyzes the actual checksums that are transmitted. /opt/zeek/share/zeek/base/misc/find-checksum-offloading.zeek, line 54
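An added example, not from the original post or the Zeek project, acting on the two things this warning names: checking whether the NIC really offloads checksums (from the `ethtool -k` output), and setting the `ignore_checksums` variable the warning mentions, which is the scripted equivalent of starting Zeek with -C. It assumes ZeekControl loads its site policy from /opt/zeek/share/zeek/site/local.zeek under the Fedora package prefix; the `ethtool -k` text it parses is constructed here.

```shell
#!/bin/sh
# Added example: react to Zeek's checksum-offloading warning.
# Assumption: site policy is /opt/zeek/share/zeek/site/local.zeek (PREFIX=/opt/zeek).

# Parse `ethtool -k <iface>` output on stdin. Exit 0 if rx or tx checksumming is
# offloaded to the NIC, meaning the checksums Zeek sees were never computed by
# the host and will fail verification.
offload_enabled() {
    awk '
        /^(rx|tx)-checksumming:/ { if ($2 == "on") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Append `redef ignore_checksums = T;` to the given policy file exactly once, so
# repeated runs do not pile up duplicate redefs.
enable_ignore_checksums() {
    f="$1"
    grep -q '^redef ignore_checksums *= *T;' "$f" 2>/dev/null && return 0
    printf '\n# NIC offloads checksums; without this Zeek discards valid packets.\nredef ignore_checksums = T;\n' >> "$f"
}

# Number of active ignore_checksums redefs in a policy file (used to verify idempotence).
ignore_checksums_set() { grep -c '^redef ignore_checksums *= *T;' "$1"; }

# Constructed sample of `ethtool -k` output for a NIC that offloads both directions.
SAMPLE_ETHTOOL='Features for enp3s0:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
	tx-checksum-ip-generic: on
scatter-gather: on'

# Runs the check over the sample; on a real host: ethtool -k enp3s0 | offload_enabled
sample_offload_status() { printf '%s\n' "$SAMPLE_ETHTOOL" | offload_enabled; }

# Typical flow on the real host:
# if ethtool -k enp3s0 | offload_enabled; then
#     enable_ignore_checksums /opt/zeek/share/zeek/site/local.zeek
#     zeekctl deploy
# fi
```

The warning's third option, turning offloading off on the adapter, is `ethtool -K <iface> rx off tx off`; it lets Zeek verify real checksums at the cost of some CPU and does not persist across reboots unless the network configuration applies it.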
As you can see, even at this stage the tool provides useful diagnostics for its users.