Zeek 101: Getting Started with Network Security Monitoring
Welcome to the world of Zeek! This guide is for folks who want to learn about Zeek or deploy it on their own network. I’ll walk you through installation, basic setup, and running your first Zeek script.
Installing Zeek from Source on Ubuntu
For other Linux variants, check the official documentation.
First, install the dependencies:
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev
Clone the Repository:
git clone --recursive https://github.com/zeek/zeek
Build from Source (inside the cloned directory):
cd zeek
./configure
make
sudo make install   # root is needed for the default /usr/local/zeek prefix
By default, Zeek installs into /usr/local/zeek/, which is why make install needs root privileges. Pass --prefix to ./configure to install somewhere else; for example, to install into the .local folder in your home directory (make install then needs no sudo):
./configure --prefix=/home/yourusername/.local
Configuring and compiling take a while; make -j$(nproc) uses all cores and speeds the build up considerably. If you can run zeek --help afterwards, the installation succeeded.
Installing via Pre-built Binary Packages
If you would rather not compile, Zeek publishes binary packages for common distributions through the openSUSE Build Service; pick the repository matching your OS. For Ubuntu 22.04:
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
sudo apt update
sudo apt install zeek
Configuring the Runtime Environment
Add Zeek’s bin directory to your PATH. For a source build with the default prefix:
export PATH=/usr/local/zeek/bin:$PATH
The binary packages install under /opt/zeek instead, so use /opt/zeek/bin in that case, and adjust the path accordingly if you chose a custom --prefix. Put the export line in your shell profile (for example ~/.bashrc) so it survives a new shell.
Running Your First Script
Create your first Zeek script with this simple “Hello World” example. Zeek scripts are event-driven: zeek_init fires once when Zeek starts up, and zeek_done fires once when it shuts down (or reaches the end of a trace):
event zeek_init() {
print "Hello, World!";
}
event zeek_done() {
print "Goodbye, World!";
}
Save this as hello.zeek and run it:
zeek hello.zeek
Capturing and Analyzing Network Traffic
Let’s capture some packets and analyze them with Zeek. First, capture some traffic (-s 0 keeps full packets rather than truncating them; add -i <interface> if you want to choose the interface explicitly, otherwise tcpdump picks one for you):
sudo tcpdump -s 0 -w get.trace
Run this for about 5 minutes, then press Ctrl+C to stop.
Zeek already writes its standard logs whenever you hand it a trace, so no script is strictly needed for that. The script below shows the logging framework API instead: it re-registers the connection log stream and swaps its automatically added default filter for one named "conn" (save as main.zeek):
event zeek_init() {
    # Conn::LOG already exists (base/protocols/conn is loaded by default);
    # calling Log::create_stream again replaces the stream definition.
    Log::create_stream(Conn::LOG, [$columns=Conn::Info, $path="Conn"]);
    # A filter decides what gets written where; its $path sets the file
    # name, so this one still produces conn.log.
    local filter: Log::Filter = [$name="conn", $path="conn"];
    Log::add_filter(Conn::LOG, filter);
    # Remove the "default" filter that create_stream attached, so the
    # stream has exactly one writer and conn.log is not written twice.
    Log::remove_filter(Conn::LOG, "default");
}
Analyze the captured traffic:
zeek -C -r get.trace main.zeek
-r reads packets from the trace instead of a live interface. -C tells Zeek to ignore invalid IP/TCP/UDP checksums: captures taken on the sending host often contain bad checksums because the NIC fills them in after tcpdump has already seen the packet (checksum offloading), and without -C Zeek logs a checksum weird and skips that traffic. Depending on what the capture contains, this generates several log files in the current directory, including conn.log, dns.log, reporter.log, ssl.log, and weird.log. The logs are tab-separated text with a #fields header line naming the columns, so they are easy to grep or to slice with zeek-cut, and they can be inspected for suspicious activity and further analysis.
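Pulling the scripting section and the traffic analysis together, here is a script that does a first piece of inspection inside Zeek rather than in the logs afterwards: it handles a per-connection event just as hello.zeek handles zeek_init, keeps a little state per originator, and writes its findings through the same logging framework main.zeek touches. It flags any originator that contacts many distinct destination ports, the classic shape of a port scan. This is an added example written for this post, not code from the original article or from the Zeek project; the module name ScanWatch, the log path scan_watch, the 20-port threshold and the 10-minute state expiry are assumptions you can tune.

```zeek
# scan_watch.zeek: flag an originator that touches many distinct destination
# ports, and record it in its own log. Added example for this guide, not
# code from the original post or from Zeek itself. The module name, the
# log path "scan_watch", the threshold and the expiry time are assumptions.

module ScanWatch;

export {
    # Register a new log stream ID for this module (becomes ScanWatch::LOG).
    redef enum Log::ID += { LOG };

    # One row of scan_watch.log: when the threshold was crossed, by whom,
    # and how many distinct destination ports had been seen by then.
    type Info: record {
        ts:         time  &log;
        orig_h:     addr  &log;
        port_count: count &log;
    };

    # Distinct destination ports before an originator is flagged (assumed value).
    const port_threshold: count = 20 &redef;
}

# Destination ports seen per originator. Entries that are not read for
# 10 minutes expire, which bounds memory on a long-running sensor.
global ports_seen: table[addr] of set[port] &read_expire=10min;

# Originators already reported, so each one is logged at most once.
global flagged: set[addr];

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="scan_watch"]);
    }

# Fires once per connection after Zeek is done with it, whether it completed
# or was only an unanswered SYN (the usual case for scan traffic).
event connection_state_remove(c: connection)
    {
    local o = c$id$orig_h;

    if ( o in flagged )
        return;

    if ( o !in ports_seen )
        ports_seen[o] = set();

    # port values carry the protocol, so 80/tcp and 80/udp count separately.
    add ports_seen[o][c$id$resp_p];

    if ( |ports_seen[o]| >= port_threshold )
        {
        add flagged[o];
        local rec: Info = [$ts=network_time(), $orig_h=o,
                           $port_count=|ports_seen[o]|];
        Log::write(LOG, rec);
        }
    }

event zeek_done()
    {
    print fmt("flagged %d originator(s); see scan_watch.log", |flagged|);
    }
```

Run it over the same trace with zeek -C -r get.trace scan_watch.zeek and a scan_watch.log appears next to conn.log with one row per flagged originator; zeek-cut orig_h port_count < scan_watch.log lists them. Because the script reports each originator once and expires idle state, it is cheap enough to run on a live interface as well (zeek -i eth0 scan_watch.zeek). Raise port_threshold if your network has legitimate hosts that fan out to many ports, such as monitoring systems.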
Next Steps
To learn more about the Zeek scripting language, check out the official tutorial.
Happy Zeeking!
This post was originally published on Medium and has been adapted for this blog.