Introduction
In today’s digital landscape, ensuring the security of your network is of paramount importance. To achieve this, network security monitoring (NSM) tools play a crucial role. Zeek, formerly known as Bro, is a powerful open-source platform for NSM that allows you to analyze network traffic and detect any suspicious or malicious activity. In this comprehensive guide, we will walk you through the step-by-step process of installing Zeek on a Debian 12 server, configuring it, and exploring its various features. By the end of this guide, you will have a fully functional Zeek installation ready to safeguard your network.
Prerequisites
Before we dive into the installation process, let’s make sure you have everything you need. Here are the prerequisites:
- A Debian 12 server: Make sure you have a Debian 12 server ready for the installation.
- Non-root user with administrator privileges: It is recommended to create a non-root user with sudo privileges to perform the installation.
Adding Repository
To install Zeek on Debian 12, we will use the Zeek project's package repository, which is published on the openSUSE Build Service (OBS) and consumed through APT. Follow the steps below to add the repository:
- Open the terminal on your Debian 12 server.
- Execute the following commands to download the repository signing key into its own keyring and then add the Zeek repository. Referencing the keyring with signed-by limits that key to this one repository instead of making it trusted for every APT source on the system, which is what dropping it into /etc/apt/trusted.gpg.d would do:
curl -fsSL https://download.opensuse.org/repositories/security:zeek/Debian_12/Release.key | gpg --dearmor | sudo tee /usr/share/keyrings/security_zeek.gpg > /dev/null
echo 'deb [signed-by=/usr/share/keyrings/security_zeek.gpg] http://download.opensuse.org/repositories/security:/zeek/Debian_12/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
- Update and refresh your Debian repository by executing the following command:
sudo apt update
Installing Zeek
Now that we have added the Zeek repository, let’s proceed with the installation. Follow the steps below to install Zeek on your Debian machine:
- Open the terminal on your Debian 12 server.
- Execute the following command to install Zeek:
sudo apt install zeek-lts
This command installs the LTS (Long-Term Support) release of Zeek. The same repository also provides the zeek package (the latest feature release) and zeek-nightly (development builds); install only one of them, since they all unpack into the same /opt/zeek prefix.
- During the installation process, you will be prompted to confirm. Type ‘y’ and press Enter to proceed.
Once the installation is complete, Zeek will be installed in the /opt/zeek directory. We also need to add the Zeek installation directory to the system PATH so that we can access Zeek from anywhere on the system.
- Execute the following command to append the Zeek bin directory to your PATH via the ~/.bashrc file. The single quotes keep $PATH unexpanded inside the file, so it is evaluated every time a shell starts instead of being frozen at the value it had when you ran echo:
echo 'export PATH=$PATH:/opt/zeek/bin' >> ~/.bashrc
- Reload the ~/.bashrc file to apply the change to your current shell:
source ~/.bashrc
This only affects your own interactive shells. Commands run through sudo, cron or a systemd unit do not read ~/.bashrc, so use the full path /opt/zeek/bin/zeekctl there.
- Verify the Zeek installation by executing the following command:
which zeek
This command will display the location of the Zeek binary file. You can also check the Zeek version and print the Zeek help message using the following commands:
zeek --version
zeek --help
Congratulations! You have successfully installed Zeek on your Debian 12 server. Now let’s move on to the next step and configure Zeek to suit your needs.
Configuring Zeek
Before we can start using Zeek, we need to configure it according to our requirements. Zeek can be run in various modes, including command-line mode, standalone mode, and cluster mode. In this guide, we will focus on running Zeek in cluster mode using a single server.
- Open the terminal on your Debian 12 server.
- Execute the following command to check your network interfaces and IP address:
ip a
This command will display a list of available interfaces on your system along with detailed information, including the server’s IP address.
- Open the Zeek network configuration file, /opt/zeek/etc/networks.cfg, using the nano editor:
sudo nano /opt/zeek/etc/networks.cfg
- Insert your internal network subnet(s) in the file, one subnet per line, each followed by a short description. zeekctl turns this list into Site::local_nets, which Zeek's scripts use to decide which addresses count as local (for example when deciding whether a scan comes from inside or outside), so list every subnet you consider internal. For example:
10.0.0.0/8 Private IP space
172.16.0.0/12 Private IP space
192.168.0.0/16 Private IP space
Save the file and exit the editor.
- Now open the Zeek configuration file, /opt/zeek/etc/node.cfg, using the nano editor:
sudo nano /opt/zeek/etc/node.cfg
- By default, Zeek is set to run in standalone mode. Comment out the standalone configuration by adding '#' at the beginning of each line:
#[zeek]
#type=standalone
#host=localhost
#interface=eth0
- Add the following configuration to run Zeek in cluster mode on a single server: one logger, one manager, one proxy and two workers. Replace 192.168.10.15 with your server's IP address and eth0 with the interface name shown by ip a (on Debian 12 it is usually a predictable name such as ens18 or enp0s3, not eth0). zeekctl treats addresses that belong to the server itself as local, so no SSH access to other hosts is needed. The second worker on the loopback interface is optional; it only sees traffic the server sends to itself:
# logger
[zeek-logger]
type=logger
host=192.168.10.15

# manager
[zeek-manager]
type=manager
host=192.168.10.15

# proxy
[zeek-proxy]
type=proxy
host=192.168.10.15

# worker
[zeek-worker]
type=worker
host=192.168.10.15
interface=eth0

# worker localhost
[zeek-worker-lo]
type=worker
host=localhost
interface=lo
Save and close the file.
Now it’s time to check and validate the Zeek configuration before deploying it.
- Execute the following command to access the Zeek control shell:
zeekctl
- Run the check command to validate your Zeek configuration:
check
If everything goes well, each node listed in node.cfg is reported as "ok". check also loads the site scripts and reports errors in local.zeek, so run it after every configuration change.
- Next, run the deploy command to start Zeek on your machine:
deploy
deploy is a shortcut that runs check, then install (which copies the configuration and scripts into place) and then restart on all nodes.
- Finally, verify the status of each node of your Zeek cluster by executing the status command:
status
If your installation is successful, each node is shown as running. If a worker stays stopped, the usual cause is an interface name in node.cfg that does not match the output of ip a.
Great job! You have successfully configured Zeek to run in cluster mode on your Debian 12 server. In the next section, we will explore the Zeek log files and learn how to analyze them.
Guide to Zeek Logs
After configuring Zeek, it's time to dive into the log files that Zeek generates. The logs of the running instance are located in the /opt/zeek/logs/current directory; when zeekctl rotates them (hourly by default) they are compressed and moved into dated subdirectories under /opt/zeek/logs. By default, Zeek writes log files in TSV (tab-separated values) format, each starting with a header block (#separator, #fields, #types, #unset_field and so on) that describes the columns, and it produces one file per protocol or analysis covering network connections, DNS requests, HTTP traffic, SSH connections, and more.
Let's take a closer look at some of the important log files and their contents:
- conn.log: one record per TCP, UDP or ICMP connection, including the timestamp, originating and responding endpoints, duration, bytes transferred, the connection state and the service Zeek identified.
- dns.log: records of DNS queries and responses, allowing you to monitor DNS activity on your network.
- http.log: HTTP traffic, with details such as the requested host and URI, method, status code, user agent and more.
- ssh.log: SSH connections, including client and server version strings and whether authentication succeeded.
- ssl.log: SSL/TLS connections, including the server name, TLS version, cipher suite and references to the certificate chain.
To view the contents of a log file, you can use the cat command followed by the log file name. For example, to view the dns.log file, you would execute the following command:
cat dns.log
The output will display the contents of the log file, including fields such as timestamps, unique connection identifiers (UIDs), source and destination IP addresses, protocols, and more. The uid value is shared by every log that records the same connection, so it is the key for pivoting from a dns.log or http.log entry back to the matching conn.log record.
Now let's move on to analyzing the Zeek log files using the zeek-cut command line tool.
Analyzing Zeek Logs TSV via Zeek-cut
The zeek-cut command line tool allows you to parse and extract specific fields from the Zeek log files in TSV format. It locates columns by name using the #fields header rather than by position, so the same command keeps working when a log's column set changes. This can be helpful when you want to focus on specific information or perform further analysis on the log data.
To analyze Zeek log files using zeek-cut, follow these steps:
- Open the terminal on your Debian 12 server.
- Navigate to the directory containing the Zeek log files:
cd /opt/zeek/logs/current/
- Use the zeek-cut command to parse the log file and extract specific fields. For example, to extract the id.orig_h, query, and answers fields from the dns.log file, you would execute the following command:
zeek-cut id.orig_h query answers < dns.log
This command will display the extracted fields from the log file, one tab-separated line per record, with unset fields printed as "-". Add the -d option to print the ts field as a human-readable timestamp instead of epoch seconds, and -u to print it in UTC rather than local time.
Alternatively, you can use the cat command to view the log file and then pipe (|) the output to zeek-cut. For example:
cat dns.log | zeek-cut id.orig_h query answers
The same pipeline works on the rotated, compressed logs under /opt/zeek/logs if you replace cat with zcat.
Now you can analyze the log data and focus on the specific fields that are relevant to your investigation.
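For analysis boxes where zeek-cut is not installed, or when you want the fields in a program rather than on a terminal, the following Python script is an added example (not code from the original guide or from the Zeek project) that does what zeek-cut does: it reads the #separator, #set_separator, #unset_field, #empty_field, #fields and #types headers, parses each record into a dict, turns "-" into None and vector columns into lists, and can print the ts column as a UTC timestamp like zeek-cut -d -u. The embedded dns.log content is constructed for the example and uses a trimmed column set; the parser itself is header-driven and works on any Zeek TSV log.

```python
"""Header-driven field extraction for Zeek TSV logs (a zeek-cut work-alike).

Added example, not code from the original guide or from the Zeek project.
The log content below is constructed for the example and its column set is a
subset of a real dns.log; everything else is driven by the header lines.
"""
from datetime import datetime, timezone

# Constructed sample: a trimmed dns.log with three records. Real Zeek logs
# separate every field with a literal tab; the first header line spells the
# separator out as an escape sequence because the separator is not yet known.
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tdns",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name\tanswers\tTTLs",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring\tvector[string]\tvector[interval]",
    "1704067200.123456\tCAbc123\t192.168.10.20\t51234\t192.168.10.1\t53\tudp\twww.example.com\tA\tNOERROR\t93.184.216.34\t3600.000000",
    "1704067201.000000\tCDef456\t192.168.10.20\t51235\t192.168.10.1\t53\tudp\tnotexist.example.net\tA\tNXDOMAIN\t-\t-",
    "1704067202.500000\tCGhi789\t192.168.10.21\t51236\t192.168.10.1\t53\tudp\texample.org\tMX\tNOERROR\tmx1.example.org,mx2.example.org\t300.000000,300.000000",
    "#close\t2024-01-01-00-00-03",
])


def parse_zeek_tsv(text):
    """Parse a Zeek ASCII log into a list of dicts keyed by the #fields names.

    Unset fields (#unset_field) become None; set/vector columns are split on
    #set_separator into Python lists, with #empty_field becoming [].
    """
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The value is written as an escape sequence such as \x09.
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close and unknown headers are ignored
        record = {}
        for name, typ, raw in zip(fields, types, line.split(sep)):
            if raw == unset:
                record[name] = None
            elif typ.startswith(("vector[", "set[")):
                record[name] = [] if raw == empty else raw.split(set_sep)
            else:
                record[name] = raw
        records.append(record)
    return records


def zeek_cut(records, names, human_time=False):
    """Render the chosen columns as tab-separated lines, like zeek-cut.

    human_time mirrors zeek-cut -d -u: the ts column is printed as an
    ISO-style UTC timestamp instead of epoch seconds.
    """
    lines = []
    for record in records:
        cells = []
        for name in names:
            value = record.get(name)
            if value is None:
                cells.append("-")
            elif isinstance(value, list):
                cells.append(",".join(value) if value else "(empty)")
            elif name == "ts" and human_time:
                ts = datetime.fromtimestamp(float(value), tz=timezone.utc)
                cells.append(ts.strftime("%Y-%m-%dT%H:%M:%S%z"))
            else:
                cells.append(value)
        lines.append("\t".join(cells))
    return lines


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_DNS_LOG)
    # Same selection as: zeek-cut -d -u ts id.orig_h query answers < dns.log
    for line in zeek_cut(recs, ["ts", "id.orig_h", "query", "answers"], human_time=True):
        print(line)
```

Because the parser keeps the #types information, it knows that answers is a vector and splits it on the set separator, which is the detail a naive split on commas gets wrong for queries that return several records; and because unset fields become None rather than the literal "-", downstream code can test for absence instead of comparing strings.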
Configuring Zeek Log Files to JSON
By default, Zeek generates log files in the TSV format. However, you can configure Zeek to generate log files in JSON format, which can be more convenient for further analysis and integration with other tools.
To configure Zeek to generate log files in JSON format, follow these steps:
- Open the terminal on your Debian 12 server.
- Open the local.zeek file using the nano editor:
sudo nano /opt/zeek/share/zeek/site/local.zeek
- Add the following configuration to the file:
@load tuning/json-logs
This line instructs Zeek to load the tuning/json-logs policy script, which switches every log stream to JSON output, one object per line.
- Save and close the file.
- Run the zeekctl deploy command to redeploy your Zeek installation:
zeekctl deploy
This re-runs check and install, pushing the updated site scripts to the cluster, and then restarts the nodes. Only logs written from this restart onward are JSON; the TSV logs already on disk are left as they are. Two details change along with the format: fields that are unset in TSV (shown as -) are omitted from the JSON object entirely rather than written as null, and zeek-cut no longer applies because it only understands the TSV header format, so from here on you analyze the logs with jq instead. Timestamps such as ts stay in epoch seconds in both formats.
Now that you have configured Zeek to generate log files in JSON format, let's explore how to analyze these JSON log files using the jq command line tool.
Analyzing Zeek Logs JSON via jq
The jq command line tool provides a powerful way to process and analyze JSON data. By using jq, you can extract specific fields, filter data, and perform complex operations on the Zeek log files in JSON format.
To analyze Zeek log files using jq, follow these steps:
- Open the terminal on your Debian 12 server.
- Install jq using the following command:
sudo apt install jq -y
- Navigate to the directory containing the Zeek log files:
cd /opt/zeek/logs/current/
- Use the cat command to view the contents of a log file in JSON format. For example, to view the dns.log file, execute the following command:
cat dns.log
The JSON output will be displayed on your terminal screen.
- To process the JSON log file using jq, execute the following command:
jq . dns.log
This command will pretty-print the JSON log data.
- You can also use the -c option to display the compact format, one object per line:
jq -c . dns.log
This command will display the log data in a more compact format.
- To extract specific key/value pairs from the JSON file, use the following command:
jq -c '[."id.orig_h", ."query", ."answers"]' dns.log
This command will extract the id.orig_h, query, and answers fields from each record as a JSON array. Zeek flattens nested record fields into keys that contain a dot (id.orig_h, id.resp_p), so those keys must be quoted in jq: ."id.orig_h" selects the key literally, whereas .id.orig_h would look for an orig_h member inside an id object and return null. Records that have no answers field (for example NXDOMAIN responses) yield null in that position.
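To show what the JSON logs look like once the jq projection above is taken a step further into detection logic, here is an added Python example (not code from the original guide or from the Zeek project) that reads dns.log lines in the format produced by @load tuning/json-logs, reproduces the jq projection of id.orig_h, query and answers, and then flags sources with an unusually high NXDOMAIN rate, a cheap indicator of domain-generation-algorithm beaconing, typo-squat probing or a broken internal resolver. The six log lines are constructed for the example; the flat dotted keys and the omitted answers/TTLs fields on NXDOMAIN responses follow how Zeek writes JSON, and the thresholds are arbitrary starting points.

```python
"""Analysing Zeek JSON logs without jq: projection plus a small DNS detection.

Added example, not code from the original guide or from the Zeek project.
The log lines are constructed to look like dns.log after @load tuning/json-logs:
one JSON object per line, flat keys such as "id.orig_h", and unset fields
(here answers/TTLs on NXDOMAIN responses) omitted entirely.
"""
import json
from collections import defaultdict

SAMPLE_DNS_JSON = "\n".join([
    '{"ts":1704067200.123456,"uid":"CAbc123","id.orig_h":"192.168.10.20","id.orig_p":51234,"id.resp_h":"192.168.10.1","id.resp_p":53,"proto":"udp","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR","answers":["93.184.216.34"],"TTLs":[3600.0]}',
    '{"ts":1704067201.0,"uid":"CDef456","id.orig_h":"192.168.10.20","id.orig_p":51235,"id.resp_h":"192.168.10.1","id.resp_p":53,"proto":"udp","query":"xk3f9q.example.net","qtype_name":"A","rcode_name":"NXDOMAIN"}',
    '{"ts":1704067201.5,"uid":"CGhi789","id.orig_h":"192.168.10.20","id.orig_p":51236,"id.resp_h":"192.168.10.1","id.resp_p":53,"proto":"udp","query":"p0w2z7.example.net","qtype_name":"A","rcode_name":"NXDOMAIN"}',
    '{"ts":1704067202.0,"uid":"CJkl012","id.orig_h":"192.168.10.20","id.orig_p":51237,"id.resp_h":"192.168.10.1","id.resp_p":53,"proto":"udp","query":"m8v1c4.example.net","qtype_name":"A","rcode_name":"NXDOMAIN"}',
    '{"ts":1704067203.0,"uid":"CMno345","id.orig_h":"192.168.10.21","id.orig_p":51238,"id.resp_h":"192.168.10.1","id.resp_p":53,"proto":"udp","query":"example.org","qtype_name":"MX","rcode_name":"NOERROR","answers":["mx1.example.org","mx2.example.org"],"TTLs":[300.0,300.0]}',
    '{"ts":1704067204.0,"uid":"CPqr678","id.orig_h":"192.168.10.21","id.orig_p":51239,"id.resp_h":"192.168.10.1","id.resp_p":53,"proto":"udp","query":"www.example.com","qtype_name":"AAAA","rcode_name":"NOERROR","answers":["2001:db8::1"],"TTLs":[3600.0]}',
])


def load_zeek_json(text):
    """One JSON object per line (the JSON-lines layout Zeek writes); blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def project(records, keys):
    """Equivalent of jq -c '[."id.orig_h", ."query", ."answers"]' dns.log:
    one list per record, with None where the record has no such key."""
    return [[record.get(key) for key in keys] for record in records]


def nxdomain_summary(records, min_queries=3, min_ratio=0.5):
    """Flag sources whose share of NXDOMAIN responses is at least min_ratio.

    min_queries keeps a host from being flagged on a single failed lookup;
    both thresholds are arbitrary starting points, not tuned values.
    """
    totals = defaultdict(lambda: [0, 0])  # src -> [queries, nxdomain]
    for record in records:
        src = record.get("id.orig_h")
        if src is None:
            continue
        totals[src][0] += 1
        if record.get("rcode_name") == "NXDOMAIN":
            totals[src][1] += 1
    flagged = {}
    for src, (queries, nx) in totals.items():
        ratio = nx / queries
        if queries >= min_queries and ratio >= min_ratio:
            flagged[src] = {"queries": queries, "nxdomain": nx, "ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    recs = load_zeek_json(SAMPLE_DNS_JSON)
    for row in project(recs, ["id.orig_h", "query", "answers"]):
        print(json.dumps(row))
    print(json.dumps(nxdomain_summary(recs), indent=2))
```

The script runs against a real file with load_zeek_json(open("/opt/zeek/logs/current/dns.log").read()). Using record.get rather than record["answers"] is the Python counterpart of the null that jq returns for a missing key, and it is what keeps the NXDOMAIN records from raising a KeyError.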
Congratulations! You now have a solid understanding of how to configure Zeek to generate log files in JSON format and how to analyze these JSON log files using the jq command line tool.
Conclusion
In this guide, we have walked you through the process of installing Zeek, configuring it in cluster mode, exploring the Zeek log files, and analyzing them using both TSV and JSON formats. By following this guide, you have set up a powerful network security monitoring tool that will help you detect and investigate suspicious or malicious activity on your network.
Remember to regularly monitor the Zeek log files to stay alert to any potential security threats. With the insights provided by Zeek, you can take proactive measures to protect your network and keep it secure.
If you’re looking for a reliable cloud hosting solution to complement your Zeek installation, be sure to check out Shape.host services. Their Linux SSD VPS offerings provide scalable and secure hosting environments, ensuring your Zeek installation performs optimally.