
How to Install and Configure Zeek on Ubuntu 20.04: A Comprehensive Guide
In the world of cybersecurity and network administration, visibility is everything. Understanding the traffic flowing through your network is the first step toward securing it. This is where Zeek, a powerful and open-source Network Security Monitoring (NSM) framework, becomes an indispensable tool.
Unlike traditional signature-based Intrusion Detection Systems (IDS), Zeek doesn’t just look for known threats. Instead, it provides a high-level, comprehensive record of all network activity. This rich data empowers security analysts to perform forensic investigations, detect anomalies, and gain deep insights into network behavior.
This guide will provide a clear, step-by-step process for installing and configuring Zeek on Ubuntu 20.04 LTS (Focal Fossa), transforming your server into a formidable network monitoring sensor.
Prerequisites
Before we begin, ensure you have the following:
- A server running Ubuntu 20.04.
- Root or sudo privileges to install packages and modify system configurations.
- A basic understanding of the Linux command line.
Step 1: Update Your System and Install Dependencies
First, it’s crucial to ensure your system’s package list is up-to-date and all existing packages are upgraded to their latest versions. This prevents potential conflicts and security vulnerabilities.
Open your terminal and run the following commands:
sudo apt update
sudo apt upgrade -y
Next, install the packages Zeek depends on. Strictly speaking, the compiler toolchain below (cmake, make, gcc, g++, flex, bison, swig) is only needed when building Zeek from source; the binary packages installed in Step 3 pull in their own runtime libraries. Installing these packages now is harmless and keeps a source build available later.
sudo apt install -y cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev
Step 2: Add the Official Zeek Repository
While you can build Zeek from source, the most efficient and recommended method is to use the official software repository. This simplifies the installation and makes future updates seamless.
First, add the official GPG key for the repository to ensure the packages you download are authentic and have not been tampered with.
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_20.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
Next, add the Zeek repository to your system's APT sources. APT checks every package it downloads against the key you just imported, so the plain-http URL below is safe to use (https works too).
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_20.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
With the repository added, you must update your package list again to include the new packages from the Zeek source.
sudo apt update
Step 3: Install Zeek
Now that your system is prepared, installing Zeek is a single command. We will install the zeek-lts package, which provides the Long-Term Support release for maximum stability.
sudo apt install zeek-lts
This command downloads and installs the Zeek framework and all of its components. The default installation path is /opt/zeek. Note that /opt/zeek/bin is not added to your PATH, which is why the commands below use the full path to zeekctl.
Step 4: Essential Post-Installation Configuration
With Zeek installed, you must perform a few critical configuration steps to tailor it to your specific network environment.
Configure the Network Interface
You need to tell Zeek which network interface it should monitor. To find the name of your primary network interface, use the ip a command.
ip a
Look for your primary interface name, which is often eth0, ens18, or similar. If the sensor is fed by a SPAN or mirror port, pick that interface rather than the one carrying the server's own management traffic.
Once you have the interface name, open the Zeek node configuration file, node.cfg, with a text editor such as nano.
sudo nano /opt/zeek/etc/node.cfg
Find the line that specifies the interface and change eth0 to your actual interface name. Keep any comment on its own line: zeekctl reads node.cfg with a plain INI parser, so text appended after the value on the same line becomes part of the interface name.
# Example entry in node.cfg
[zeek]
type=standalone
host=localhost
# Change eth0 below to your interface name
interface=eth0
Save the file and exit the editor (Ctrl+X, then Y, then Enter in nano).
Define Your Local Networks
Next, you must specify which IP address ranges belong to your local network. This allows Zeek to properly categorize traffic as originating from, or destined for, your internal network. This is crucial for context in the generated logs.
Open the network configuration file, networks.cfg:
sudo nano /opt/zeek/etc/networks.cfg
Each line lists one network in CIDR notation, optionally followed by a description, separated by whitespace. The file ships with the RFC 1918 private ranges; remove any that are not yours and add the subnets your network actually uses. Zeek derives the local_orig and local_resp fields in conn.log from this list, so an inaccurate list makes inbound and outbound traffic hard to tell apart later.
# Example entries in networks.cfg
# Private networks. These are site-local.
10.0.0.0/8 Private IP space
172.16.0.0/12 Private IP space
192.168.0.0/16 Private IP space
Save the file and exit.
Step 5: Deploy, Start, and Verify Zeek
Zeek is managed using the zeekctl (ZeekControl) command-line tool. The first time you run it, you need to perform a one-time deployment to install the new configuration.
sudo /opt/zeek/bin/zeekctl install
This command checks your configuration files for errors and sets up the necessary directory structure. If it reports a problem, sudo /opt/zeek/bin/zeekctl check gives a more detailed report of script errors. Now you can start the Zeek service.
sudo /opt/zeek/bin/zeekctl start
To verify that Zeek is running correctly, check its status:
sudo /opt/zeek/bin/zeekctl status
You should see the zeek node listed with a status of running. After any later change to node.cfg or networks.cfg, run sudo /opt/zeek/bin/zeekctl deploy, which combines check, install, and restart in one step.
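The configuration and deployment of Steps 4 and 5, collected into one script as an added example; this is not code from the original article or from the Zeek project. It writes a standalone node.cfg and a networks.cfg under ZEEK_PREFIX (assumed to be /opt/zeek, the package default, and overridable so you can rehearse in a scratch directory), refuses malformed CIDR entries and unknown interfaces before touching anything, and then hands off to zeekctl deploy. The script name configure-zeek.sh, the ZEEK_APPLY switch and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Zeek/zeekctl: generate a
# standalone node.cfg and a networks.cfg for a Zeek sensor, validating the
# inputs first. ZEEK_PREFIX is assumed to be /opt/zeek (the package default);
# point it at a scratch directory to rehearse without touching the real install.
set -eu

ZEEK_PREFIX="${ZEEK_PREFIX:-/opt/zeek}"

# True if the interface exists on this host (Linux lists them under sysfs).
iface_exists() {
  [ -e "/sys/class/net/$1" ]
}

# Minimal IPv4 CIDR check: exactly four octets in 0-255 and a prefix length 0-32.
valid_cidr() {
  c="$1"
  case "$c" in */*) ;; *) return 1 ;; esac
  prefix="${c#*/}"
  [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
  oldifs="$IFS"; IFS=.; set -f; set -- ${c%/*}; set +f; IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -ge 0 ] 2>/dev/null && [ "$octet" -le 255 ] || return 1
  done
}

# Write node.cfg for a single standalone Zeek process sniffing IFACE.
write_node_cfg() {
  iface="$1"
  out="$ZEEK_PREFIX/etc/node.cfg"
  mkdir -p "${out%/*}"
  # Comments go on their own lines: zeekctl parses this file as plain INI, so
  # "interface=eth0 # note" would make "eth0 # note" the interface name.
  cat > "$out" <<EOF
# Standalone sensor configuration (generated by configure-zeek.sh)
[zeek]
type=standalone
host=localhost
interface=$iface
EOF
  printf '%s\n' "$out"
}

# Write networks.cfg from the CIDRs given as arguments (one "CIDR description"
# per line, whitespace separated), writing nothing if any entry fails to parse.
write_networks_cfg() {
  out="$ZEEK_PREFIX/etc/networks.cfg"
  for cidr in "$@"; do
    valid_cidr "$cidr" || { printf 'invalid CIDR: %s\n' "$cidr" >&2; return 1; }
  done
  mkdir -p "${out%/*}"
  {
    printf '# List of local networks in CIDR notation, separated by blanks.\n'
    for cidr in "$@"; do printf '%s\tLocal network\n' "$cidr"; done
  } > "$out"
  printf '%s\n' "$out"
}

# Validate the interface on this host, write both files, then let zeekctl
# check, install and (re)start the sensor in one step.
configure_sensor() {
  iface="$1"; shift
  iface_exists "$iface" || { printf 'no such interface: %s\n' "$iface" >&2; return 1; }
  write_node_cfg "$iface"
  write_networks_cfg "$@"
  "$ZEEK_PREFIX/bin/zeekctl" deploy
}

# Apply only when explicitly asked, so the file can also be sourced for testing:
#   sudo env ZEEK_APPLY=1 sh configure-zeek.sh ens18 10.10.0.0/16 192.168.1.0/24
if [ "${ZEEK_APPLY:-0}" = 1 ]; then
  configure_sensor "$@"
fi
```

Run it once as root with ZEEK_APPLY=1 and it leaves the sensor in the same state as the manual steps above; without that variable it only defines the functions, so you can source it and call write_node_cfg or write_networks_cfg against a scratch ZEEK_PREFIX to see exactly what would be written.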
Step 6: Explore the Zeek Logs
The true power of Zeek lies in its detailed logs. All logs are stored under /opt/zeek/logs/. The current directory is a symbolic link to the running instance's live logs (the spool directory, /opt/zeek/spool/zeek); zeekctl rotates these on a schedule (hourly by default) and archives the compressed files into a directory named for the day (YYYY-MM-DD).
Navigate to the log directory and view its contents:
cd /opt/zeek/logs/current/
ls -l
You will see numerous log files, each dedicated to a specific protocol or type of traffic. Some of the most important logs include:
- conn.log: A high-level summary of every TCP, UDP, and ICMP connection.
- http.log: Details on all HTTP requests and responses.
- dns.log: Records of all DNS queries and replies.
- ssl.log: Information on SSL/TLS handshakes, including certificate details.
- notice.log: Zeek's own alerts, raised by the scripts it runs.
- weird.log: Unusual activity that doesn't conform to standard protocols (malformed packets, unexpected protocol behaviour). It is noisy by design, so treat it as a hunting source rather than an alert feed.
You can view a log in real time using the tail command. For example, to watch new connections as they happen:
tail -f /opt/zeek/logs/current/conn.log
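To show what you can do with conn.log once it is flowing, here is an added example (not code from the original article or from the Zeek project) that reads the log's #fields header to find columns by name, the way zeek-cut does, rather than hard-coding positions that differ between Zeek versions. It summarises which external destinations your local hosts initiated connections to, and lists unusually long-lived outbound sessions, a common tunnelling or command-and-control indicator. The log embedded in sample_conn_log is constructed for this example, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article or of Zeek: conn.log analysis
# that locates columns via the #fields header. Works on the uncompressed
# /opt/zeek/logs/current/conn.log or on archived files piped through zcat.
set -eu

# Constructed sample conn.log with a subset of the real columns (assumed data).
# Fields are tab separated, exactly as Zeek writes them (#separator \x09).
sample_conn_log() {
  printf '#separator \\x09\n'
  printf '#path\tconn\n'
  printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\n'
  printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tbool\n'
  printf '1700000000.1\tC1\t192.168.1.10\t51234\t93.184.216.34\t443\ttcp\tssl\t12.5\t1500\t20000\tSF\tT\tF\n'
  printf '1700000001.2\tC2\t192.168.1.10\t51235\t93.184.216.34\t443\ttcp\tssl\t0.8\t500\t3000\tSF\tT\tF\n'
  printf '1700000002.3\tC3\t192.168.1.20\t40000\t198.51.100.7\t4444\ttcp\t-\t3600.0\t100\t100\tS1\tT\tF\n'
  printf '1700000003.4\tC4\t203.0.113.5\t55555\t192.168.1.20\t22\ttcp\tssh\t2.0\t300\t400\tSF\tF\tT\n'
  printf '1700000004.5\tC5\t192.168.1.30\t53000\t8.8.8.8\t53\tudp\tdns\t0.01\t60\t120\tSF\tT\tF\n'
  printf '1700000005.6\tC6\t192.168.1.30\t53001\t8.8.8.8\t53\tudp\tdns\t-\t-\t-\tS0\tT\tF\n'
  printf '#close\t2023-11-14-22-13-24\n'
}

# Count outbound connections per destination host:port, summing the bytes the
# local side sent, most frequent (then most data) first. Accepts conn.log
# paths as arguments or reads stdin.
outbound_summary() {
  awk -F'\t' '
    # Build name -> column index from the header; $1 is "#fields" itself.
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/       { next }                       # other header and #close lines
    $col["local_orig"] == "T" {
      key = $col["id.resp_h"] ":" $col["id.resp_p"]
      n[key]++
      b = $col["orig_bytes"]; bytes[key] += (b == "-" ? 0 : b)   # "-" means unset
      svc[key] = $col["service"]
    }
    END { for (k in n) printf "%d\t%d\t%s\t%s\n", n[k], bytes[k], k, svc[k] }
  ' "$@" | sort -k1,1nr -k2,2nr
}

# List outbound connections that lasted longer than MIN_SECONDS. Long, quiet
# sessions to unusual ports are worth a look; unset durations ("-") count as 0.
long_connections() {
  min="${1:?usage: long_connections MIN_SECONDS [conn.log ...]}"; shift
  awk -F'\t' -v min="$min" '
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/       { next }
    $col["local_orig"] == "T" && ($col["duration"] + 0) > min {
      printf "%s\t%s\t%s:%s\t%s\n", $col["uid"], $col["id.orig_h"],
             $col["id.resp_h"], $col["id.resp_p"], $col["duration"]
    }
  ' "$@"
}
```

Try it with sample_conn_log | outbound_summary and sample_conn_log | long_connections 600; on a live sensor, pass /opt/zeek/logs/current/conn.log as the file argument, or pipe archived logs through zcat. Zeek ships zeek-cut for the same header-driven column selection; the awk version is handy on hosts where you only have the logs and not the Zeek binaries.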
Congratulations! You now have a fully functional Zeek installation on your Ubuntu 20.04 server, providing you with invaluable visibility into your network’s activity. From here, you can explore tools to ingest and analyze these logs, set up alerts, and begin proactively hunting for threats.
Source: https://kifarunix.com/install-zeek-on-ubuntu/