The digital world can be a wild west; hence, securing our networks is critical. Today, we explore how to install and use the Zeek Network Security Monitor on Debian 12, a powerful tool for network analysis and security.
What is Zeek Network Security Monitor?
Zeek Network Security Monitor, formerly known as Bro, is an open-source network security platform. It’s not just your ordinary intrusion detection system (IDS), but a robust network analysis framework that surpasses the conventional IDS functionalities.
Zeek offers real-time insights into network operations, assisting in detecting and thwarting security incidents. It provides detailed logging of network traffic, scriptable event-driven analysis, and the capability to identify a broad spectrum of network anomalies and security incidents.
Step-by-Step Installation Guide
Step 1: Update and Refresh Debian Repository
Before installing Zeek, you need to update and refresh your Debian repository. Execute the following command:
sudo apt update
sudo apt upgrade
These commands refresh the package lists and then upgrade the packages already installed.
Step 2: Install Zeek Network Security Monitor
After updating the repository, you can kick-start your Zeek installation. First, add the GPG key and repository for the Zeek package using the following commands:
curl -fsSL https://download.opensuse.org/repositories/security:zeek/Debian_12/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
echo 'deb http://download.opensuse.org/repositories/security:/zeek/Debian_12/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
Next, update your Debian repository by executing the following command:
sudo apt update
Now, you can install Zeek by executing the following command:
sudo apt install zeek-lts
After the installation, check the location of the Zeek binary, verify the Zeek version, and print the Zeek help message using the following commands:
which zeek
zeek --version
zeek --help
If which prints nothing, remember that the binary package installs under /opt/zeek, so call /opt/zeek/bin/zeek directly or add /opt/zeek/bin to your PATH.
Step 3: Configuring Zeek
The first step in configuring Zeek in standalone mode is to set the network interface that Zeek will monitor. Open the node.cfg file located in the $PREFIX/etc/ directory, where $PREFIX is the Zeek installation root directory. By default, this is /usr/local/zeek if you installed from source, or /opt/zeek if you installed from a binary package. For example, if your network interface is eth0, the configuration would look like this:
[zeek]
type=standalone
host=localhost
interface=eth0
If you plan to run Zeek in a cluster configuration, you need to define where the logger, manager, proxies, and workers will run. For a cluster configuration, comment out (or remove) the standalone node in the node.cfg file and either uncomment or add node entries for each node in your cluster (logger, manager, proxy, and workers).
For example, to run five Zeek nodes (two workers, one proxy, a logger, and a manager) on a cluster consisting of three machines, the cluster configuration would look like this:
[logger]
type=logger
host=192.168.1.1
[manager]
type=manager
host=192.168.1.2
[proxy-1]
type=proxy
host=192.168.1.2
[worker-1]
type=worker
host=192.168.1.3
interface=eth0
[worker-2]
type=worker
host=192.168.1.3
interface=eth1
After configuring Zeek, start it using the zeekctl command:
zeekctl deploy
This command is equivalent to running the zeekctl install and start commands. You can check the status of each component of your Zeek cluster by executing the status command:
zeekctl status
Congratulations! You have successfully installed Zeek.
Setting up Zeek on your own VPS can be challenging if you’re not a Linux expert. But don’t worry, Shape.host offers Cloud VPS services that can save you time and effort. Starting from $3, their VPS Manage Service Offer is a great deal for those who prefer to have the installation done by professionals.