# zeek

Zeek, formerly known as Bro, is an amazing network analyzer tool. Personally, I love it for its ability to run custom scripts, which means there's much more flexibility for growth!

Let's dig into it!

### Setting Up

To set up a zeek environment, I will be using:

* Debian 11 (Where Zeek runs)
* Kali Linux (generates traffic as the 'attacker')

{% hint style="info" %}
Zeek can be used on other Linux distributions too. I am simply using Debian 11 because I happened to have a clean snapshot of it.

You can check out the install commands and supported distributions for Zeek [here](https://software.opensuse.org/download.html?project=security%3Azeek&package=zeek). (I will be following the commands from there too.)
{% endhint %}

#### Downloading Zeek, and other necessary tools

1. Firstly, I add the Zeek project repository to apt's source lists so that Debian knows where to fetch the package from:

```
echo 'deb http://download.opensuse.org/repositories/security:/zeek/Debian_11/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
```

<figure><img src="/files/RHyG1VTrBTua7Sgv3n3A" alt=""><figcaption><p>Command highlighted in black</p></figcaption></figure>

If the operation is successful, you will see the above output.

2. Next, I run the following command to fetch the repository's release (signing) key and store it where apt can find it:

```
curl -fsSL https://download.opensuse.org/repositories/security:zeek/Debian_11/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
```

<figure><img src="/files/Vnr7vjIts8DKphHziU2B" alt=""><figcaption><p>Command highlighted in black</p></figcaption></figure>

As seen, curl cannot be found (curl is not installed by default), so a simple fix can be done:

```
sudo apt install curl
```

The above installs the curl command.

Rerun the curl command above. If it returns no output, you can move on to the next step.

{% hint style="info" %}
If you hit an error that says that gpg is not found, simply install gpg.

```
sudo apt install gpg
```

{% endhint %}

3. Update the package lists

```
sudo apt update
```

4. Install zeek

```
sudo apt install zeek
```

5. To check whether zeek is installed, run the following command:

```
ls /opt/zeek
```

* The above is the path where Zeek is installed locally.

<figure><img src="/files/lMw1IC9xFKKgW7rjIey9" alt=""><figcaption><p>Command highlighted in black</p></figcaption></figure>

6. To see zeek's usage help, run the following command:

```
/opt/zeek/bin/zeek -h
```

<figure><img src="/files/XzTQPr5wmJ8NpRUVlx60" alt=""><figcaption><p>Command highlighted in black</p></figcaption></figure>

7. One last thing - we will need *tcpdump*, a tool that lets Debian monitor/sniff the packets on a specified network interface. It then prints out the captured packets for us to see :eyes:

```
sudo apt install tcpdump
```

The purpose of this is to confirm that the interface actually carries traffic, so that if any issues pop up with Zeek later, we know it is a Zeek issue rather than an interface issue. (Helps in troubleshooting)

To check if the interface is up and running, run the following commands:

```
ip a
sudo tcpdump -n -i [interface name]
```

* ip a -> lists the network interfaces on this device
* tcpdump
  * -n -> leaves addresses numeric instead of resolving them to host names
  * -i -> specifies the interface to capture on

<figure><img src="/files/ZHkR8YOCbHUJvZcFuhoC" alt=""><figcaption><p>Commands and important things highlighted in yellow!</p></figcaption></figure>

:tada: You've managed to download Zeek!

### Playing around with Zeek

#### Start an Active Zeek Instance

First, I enter ZeekControl, an interactive shell used to initialize and manage Zeek.

In the */opt/zeek/bin* directory, run the following command:

```
sudo ./zeekctl
```

{% hint style="info" %}
This directory may differ for you, as the default Zeek installation directory is `/usr/local/zeek`
{% endhint %}

{% hint style="warning" %}
\[EDIT] Run the following command so that the zeek commands can be accessed from anywhere on the machine:

```
export PATH=/opt/zeek/bin:$PATH
```

{% endhint %}

In ZeekControl (ZeekCtl), start zeek.

{% hint style="danger" %}
If this is your first time starting zeek, instead of `start`, use `deploy`
{% endhint %}

```
start
```

![](/files/L14bNE5YFLyawnHwU7Br)

<details>

<summary>Unable to Start Zeek?</summary>

While starting up, I faced this issue where Zeek failed to start.\
![](/files/1vj9jAhNImnYAoKc4Lpv)<br>

So, I ran a `diag` to find out what issue occurred. Scrolling down to the ====.cmdline section, you can see that the network interface is set to eth0 (default).\
\
![](/files/xdHTkFLFOkCltc9nZtU1)<br>

A quick `ip a` shows that our interface is ens33, not eth0.

<img src="/files/ZHkR8YOCbHUJvZcFuhoC" alt="Commands and important things highlighted in yellow!" data-size="original">

Hence, we will need to change the config file.

First, `exit` ZeekControl. Then, move over to the directory /opt/zeek and run the following command using any text editor you prefer (I use nano):

```
nano etc/node.cfg
```

\
![](/files/up79bzxXMiegzvvSvhLz)

You'll be brought into the config file, where you will have to change the default interface to whatever your device uses. (ens33 in my case)\
\
![](/files/8RtfnVkcxpmmeqOEHX43)

\
Save the changes and exit.

</details>
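The interface mismatch above is a common first-run failure, so here is an added example (not from the original page) that scripts the fix: a POSIX-shell helper that rewrites the `interface=` line of a ZeekControl `node.cfg` and reads back what is configured. The `default_node_cfg` function emits a constructed copy of the stock standalone file with its `eth0` default; the interface name `ens33` and the `/opt/zeek/etc/node.cfg` path are the ones used on this page, and `iface_exists` assumes iproute2 is installed.

```shell
#!/bin/sh
# Added example: set the capture interface in ZeekControl's node.cfg and verify it,
# so Zeek does not try to listen on the default eth0 that may not exist on the host.

# Constructed copy of a default standalone node.cfg (only the [zeek] section);
# a real file may carry comments and further sections.
default_node_cfg() {
  printf '[zeek]\n'
  printf 'type=standalone\n'
  printf 'host=localhost\n'
  printf 'interface=eth0\n'
}

# Rewrite every "interface=" line of a node.cfg read from stdin to the given interface.
# usage: set_node_interface <iface> < node.cfg
set_node_interface() {
  awk -v iface="$1" '
    /^[ \t]*interface[ \t]*=/ { print "interface=" iface; next }   # replace the setting
    { print }                                                      # keep everything else
  '
}

# Print the interface currently configured in a node.cfg read from stdin.
configured_interface() {
  awk -F= '/^[ \t]*interface[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# True when the interface exists on this host (needs iproute2, present on Debian).
iface_exists() {
  ip -o link show dev "$1" >/dev/null 2>&1
}

# Demo when run directly: show the change on the constructed file.
# To apply it for real, edit the installed file and redeploy, e.g.
#   set_node_interface ens33 < /opt/zeek/etc/node.cfg > /tmp/node.cfg
#   sudo cp /tmp/node.cfg /opt/zeek/etc/node.cfg && sudo /opt/zeek/bin/zeekctl deploy
default_node_cfg | set_node_interface ens33
```

Run `iface_exists ens33 || echo "no such interface"` before writing the file back; `zeekctl diag` would tell you the same thing, but only after the failed start.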

If zeek has been successfully started, you will see this:

![](/files/fpxu1oulJfTLRC9eQFoj)

A quick run of the command `status` would also show that zeek is running smoothly.

```
status
```

![](/files/yPmyiWfXYpCl7L0irsgW)

To stop zeek, run the command `stop`:

```
stop
```

![](/files/aJVfHhzUTM4geRmm94GH)

#### Generating & Processing Logs with Zeek

To start playing with Zeek, we need to capture some live network traffic to create logs.

To do so, we run this command:

```
sudo tcpdump -i ens33 -s 0 -w scanedtraffic.pcap
```

* -i -> interface (change this to the interface you would like to listen on)
* -s -> snapshot length, the number of bytes captured from each packet. Setting it to 0 captures every packet in full, without truncation.
* -w -> specifies the pcap file that the captured network traffic will be written to

{% hint style="info" %}
Work in a fresh directory for each live network capture, because processing the capture generates a separate log file for each connection protocol that was seen.
{% endhint %}

Next, we process the network capture.

```
zeek -C -r scanedtraffic.pcap
```

* -C -> Disable checksum validation
* -r -> Read the given pcap file

**Logs in Zeek**

After the above command has been run, several zeek log files will be generated from the network packet capture. There are several logs that may be of interest:

| Log name | Its purpose |
| -------- | ----------- |
| notice.log | Anomalies detected by Zeek are raised as notices and recorded in this log file. |
| intel.log | When Zeek detects traffic matching known malicious indicators, the traffic is flagged and logged in this file. |
| signatures.log | Packets matching known malicious or faulty signatures are logged in this file. |
| conn.log | Contains information about all TCP/UDP/ICMP connections gathered from the packet capture. |
| files.log | Contains the results of Zeek's file analysis for files transferred in the packet capture. |
| packet\_filter.log | Lists the active packet filters applied by Zeek when reading the packet capture. |
| weird.log | Contains data about packets that do not conform to standard protocols, or packets with corrupted/damaged header fields. |
| x509.log | Contains the public key certificates used by protocols detected by Zeek in the packet capture. |
| (protocol).log (e.g. dhcp.log, http.log) | Contains information about the packets seen for each respective protocol in the packet capture. |

To view log files, we can employ several methods.

1. Use the `cat` command

```
cat conn.log
```

Replace conn.log with any of the log names.

However, this method displays the results in an extremely messy manner, and is not very user friendly when your terminal window is small.

2. Use the zeek-cut utility to parse the log files

```
cat conn.log | zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p
```

The above command extracts the following columns from the connection log and displays the result:

* id.orig\_h -> Source IP address
* id.orig\_p -> Source port
* id.resp\_h -> Destination IP address
* id.resp\_p -> Destination port

{% hint style="success" %}
Use `head` and `tail` instead of `cat` to reduce the amount of file content displayed, especially if the file is large.

The -n option can also be used to specify the number of rows to be returned.
{% endhint %}

3. The output of zeek-cut can also be redirected into a text file or a CSV file.

Text file:

```
cat conn.log | zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p > output.txt
```

CSV file:

```
cat conn.log | zeek-cut -F ',' id.orig_h id.orig_p id.resp_h id.resp_p > output.csv
```

* -F -> Changes the output delimiter from the default '\t' (tab) to ','; the data values are separated using the specified delimiter.

**More Log Parsing Commands**

1. To list which services were observed in the packet capture, and how often

```
zeek-cut service < conn.log | sort | uniq -c | sort -rn
```

* -rn -> sorts the rows in reverse numerical order (descending)
* -c -> makes `uniq` collapse repeated lines and prefix each unique line with its count (uniq only collapses adjacent duplicates, which is why the first `sort` is needed)
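To show what the zeek-cut pipelines in steps 2 and 3 above and the service histogram just shown are really doing, here is an added example (not from the original page and not Zeek's own code): a small POSIX-shell/awk stand-in for `zeek-cut` that reads the `#fields` header of a Zeek TSV log to map column names to positions, plus a `service_counts` function equivalent to `zeek-cut service < conn.log | sort | uniq -c | sort -rn`. The `sample_conn_log` function emits a constructed conn.log using documentation-range addresses; it is not a capture from this page, and `zcut`, `service_counts` and `sample_conn_log` are names chosen for this example.

```shell
#!/bin/sh
# Added example: emulate zeek-cut with awk on a constructed conn.log, to show how the
# named-column extraction, the CSV delimiter switch and the service histogram work.

# Constructed sample conn.log in Zeek's TSV format (header/footer lines start with '#').
sample_conn_log() {
  printf '#separator \\x09\n'
  printf '#set_separator\t,\n'
  printf '#empty_field\t(empty)\n'
  printf '#unset_field\t-\n'
  printf '#path\tconn\n'
  printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\n'
  printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\n'
  printf '1700000000.10\tC1aaaa\t192.0.2.10\t51234\t198.51.100.5\t53\tudp\tdns\t0.010000\n'
  printf '1700000000.20\tC2bbbb\t192.0.2.10\t51235\t198.51.100.5\t53\tudp\tdns\t0.012000\n'
  printf '1700000000.30\tC3cccc\t192.0.2.10\t41000\t203.0.113.7\t80\ttcp\thttp\t0.250000\n'
  printf '1700000000.40\tC4dddd\t192.0.2.11\t41001\t203.0.113.7\t80\ttcp\thttp\t0.300000\n'
  printf '1700000000.50\tC5eeee\t192.0.2.11\t40000\t203.0.113.9\t4444\ttcp\t-\t0.000000\n'
  printf '1700000000.60\tC6ffff\t192.0.2.12\t51236\t198.51.100.5\t53\tudp\tdns\t0.009000\n'
  printf '#close\t2023-11-14-22-13-20\n'
}

# zcut: select named columns from a Zeek TSV log on stdin, like zeek-cut.
# usage: zcut [-F delim] field...      (delim defaults to a tab, as in zeek-cut)
zcut() {
  delim='\t'
  if [ "$1" = "-F" ]; then delim=$2; shift 2; fi
  awk -v OFS="$delim" -v want="$*" '
    BEGIN { FS = "\t"; n = split(want, w, " ") }
    # The #fields header names the columns; $2 of that line is column 1 of a data row.
    /^#fields/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }
    /^#/ { next }                         # skip the remaining header and #close lines
    {
      for (k = 1; k <= n; k++) {
        if (!(w[k] in idx)) { print "unknown field: " w[k] > "/dev/stderr"; exit 2 }
        printf "%s%s", $(idx[w[k]]), (k < n ? OFS : "\n")
      }
    }'
}

# Count how often each service appears, most frequent first, as "<count> <service>".
# An unset service is logged as "-", so it shows up as its own bucket.
service_counts() {
  zcut service | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Demo when run directly: the 4-tuple as CSV, then the service histogram.
sample_conn_log | zcut -F ',' id.orig_h id.orig_p id.resp_h id.resp_p
sample_conn_log | service_counts
```

Point `zcut` at a real file with `zcut service < conn.log` exactly as you would zeek-cut; the "-" bucket in the histogram is worth keeping an eye on, since connections Zeek could not classify (such as the one to port 4444 in the sample) are often the first thing to triage.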
