Pages

Showing posts with label zeek. Show all posts
Showing posts with label zeek. Show all posts

Saturday, June 11, 2022

Fedora 36 : The zeek tool.

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
Use the DNF tool to add repo for zeek tool:
[root@fedora home]# dnf config-manager --add-repo https://download.opensuse.org/repositories/security:zeek/Fedora_36/security:zeek.repo

Adding repo from: https://download.opensuse.org/repositories/security:zeek/Fedora_36/security:zeek.repo
Use DNF tool to install 
[root@fedora home]# dnf install zeek-lts
The Zeek Network Security Monitor. (Fedora_36)   18 kB/s |  77 kB     00:04    
Last metadata expiration check: 0:00:02 ago on Sat 11 Jun 2022 12:33:29 AM EEST.
Dependencies resolved.
================================================================================
 Package                    Arch     Version              Repository       Size
================================================================================
Installing:
 zeek-lts                   x86_64   4.0.7-1.1            security_zeek   7.9 k
Installing dependencies:
 libbroker-lts-devel        x86_64   4.0.7-1.1            security_zeek   1.3 M
 libpcap-devel              x86_64   14:1.10.1-3.fc36     fedora          141 k
 python3-GitPython          noarch   3.1.26-1.fc36        fedora          275 k
 python3-gitdb              noarch   4.0.9-2.fc36         fedora          107 k
 python3-semantic_version   noarch   2.8.4-9.fc36         fedora           39 k
 python3-smmap              noarch   5.0.0-1.fc36         fedora           46 k
 zeek-lts-btest             x86_64   4.0.7-1.1            security_zeek   326 k
 zeek-lts-core              x86_64   4.0.7-1.1            security_zeek   4.8 M
 zeek-lts-devel             x86_64   4.0.7-1.1            security_zeek   957 k
 zeek-lts-libcaf-devel      x86_64   4.0.7-1.1            security_zeek   1.6 M
 zeek-lts-zkg               x86_64   4.0.7-1.1            security_zeek    50 k
 zeekctl-lts                x86_64   4.0.7-1.1            security_zeek   1.8 M

Transaction Summary
================================================================================
Install  13 Packages

Total download size: 11 M
Installed size: 57 M
Is this ok [y/N]:y
Downloading Packages:
(1/13): python3-gitdb-4.0.9-2.fc36.noarch.rpm   232 kB/s | 107 kB     00:00    


Complete!
Create a script file named main.zeek:
event zeek_init()
        {
        print "Hello, World!";
        }

event zeek_done()
        {
        print "Goodbye, World!";
        }
... and run this file:
[mythcat@fedora ~]$ /opt/zeek/bin/zeek main.zeek
Hello, World!
Goodbye, World!
Posted by Labels: , , , , , , , , ,

Sunday, February 7, 2021

Fedora 33 : Running Zeek - part 001.

Zeek is often used as a network analysis tool but can also be deployed as an IDS known as Intrusion Detection System.
The full documentation can be found on this website page.
Let's install this tool on Fedora 33 distro.
[root@desk mythcat]# dnf search zeek
Last metadata expiration check: 0:18:02 ago on Sun 07 Feb 2021 11:21:35 AM EET.
No matches found.
[root@desk mythcat]# dnf config-manager --add-repo 
https://download.opensuse.org/repositories/security:zeek/Fedora_33/security:zeek.repo
Adding repo from: https://download.opensuse.org/repositories/security:zeek/Fedora_33/security:zeek.repo
[root@desk mythcat]# dnf install zeek
The Zeek Network Security Monitor. (Fedora_33)  105 kB/s | 128 kB     00:01    
Last metadata expiration check: 0:00:01 ago on Sun 07 Feb 2021 11:40:31 AM EET.
...
  Verifying        : zeekctl-3.2.3-1.1.x86_64                               8/8 

Installed:
  libbroker-devel-3.2.3-1.1.x86_64       libpcap-devel-14:1.9.1-6.fc33.x86_64  
  openssl-devel-1:1.1.1i-1.fc33.x86_64   zeek-3.2.3-1.1.x86_64                 
  zeek-core-3.2.3-1.1.x86_64             zeek-devel-3.2.3-1.1.x86_64           
  zeek-libcaf-devel-3.2.3-1.1.x86_64     zeekctl-3.2.3-1.1.x86_64              

Complete!
[root@desk mythcat]# whereis zeek
zeek: /opt/zeek/bin/zeek
[root@desk mythcat]# whereis zeekctl
zeekctl: /opt/zeek/bin/zeekctl
I found this informations into the documentation area:
ZeekControl is an interactive shell for easily operating/managing Zeek installations on a single system or even across multiple systems in a traffic-monitoring cluster.
A Minimal Starting Configuration
These are the basic configuration changes to make for a minimal ZeekControl installation that will manage a single Zeek instance on the localhost:
  • In $PREFIX/etc/node.cfg, set the right interface to monitor.
  • In $PREFIX/etc/networks.cfg, comment out the default settings and add the networks that Zeek will consider local to the monitored environment.
  • In $PREFIX/etc/zeekctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.
Next step is to configure and adjust your PATH environment variable:
[root@desk mythcat]# export PATH=/opt/zeek/bin:$PATH
[root@desk mythcat]# zeekctl

Welcome to ZeekControl 2.2.0

Type "help" for help.
...
Use install , start and diag commands on Zeek command line to check if the Zeek tool works fine.
If you received this error on diag command , then you need to set your network interface:
==== stderr.log
fatal error: problem with interface eth0 (pcap_error: SIOCGIFHWADDR: No such device (pcap_activate))
Let's fix this error using the files configuration:
[root@desk mythcat]# updatedb
[root@desk mythcat]# locate node.cfg
/opt/zeek/etc/node.cfg
[root@desk mythcat]# vi /opt/zeek/etc/node.cfg
I change the row with the interface= with my network interface.
You can find your interface with these commands:
[root@desk mythcat]# ip link show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
...
[root@desk mythcat]# nmcli device status
DEVICE  TYPE      STATE                   CONNECTION 
...
Now I can run the zeekctl command an check if is all right.
And first issue reported by diag and zeekctl is this:
1612693272.168741 Reporter::WARNING Your interface is likely receiving invalid TCP and UDP checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Zeek unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Zeek analyzes the actual checksums that are transmitted. /opt/zeek/share/zeek/base/misc/find-checksum-offloading.zeek, line 54
You can see this tool can provide good information for users.
Posted by Labels: , , , , , , , , , ,
Subscribe to: Posts (Atom)