zeek

july 2023

Zeek, or bro is an amazing network analyzer tool. Personally, I love it for its ability to create custom script -> meaning that there's more flexibility for growth!

Let's dig into it!

Setting Up

To set up a zeek environment, I will be using:

• Debian 11 (Where Zeek runs)

• Kali Linux (Generate Traffic as 'Attacker')

Zeek can be used on other linux versions too. I simply am using Debian 11 as I happened to have a clean snapshot of it.

You can check out the various codes and support of zeek here. (I will be following the code from here too)

Downloading Zeek, and other necessary tools

1. Firstly, I insert the zeek project repository link into the source link so that my Debian knows where to go to obtain the repository

echo 'deb http://download.opensuse.org/repositories/security:/zeek/Debian_11/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list

Command highlighted in black

If the operation is successful, you will see the above output.

1. Next, I will try to run the following command to obtain the release key.

curl -fsSL https://download.opensuse.org/repositories/security:zeek/Debian_11/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null

Command highlighted in black

As seen, curl cannot be found (curl is not defaultly installed), so a simple fix can be done:

sudo apt install curl

The above installs curl command.

Rerun the code on 'curl...'. If the command returns no output, you can then move onto the next step.

If you hit an error that says that gpg is not found, simply install gpg.

sudo apt install gpg

1. Update Debian

sudo apt update

1. Install zeek

sudo apt install zeek

1. To check whether zeek is installed, run the folllwing command:

ls /opt/zeek

• The above is the path at which zeek is downloaded locally.

Command highlighted in black

1. To see the manual of zeek, run the following command:

/opt/zeek/bin/zeek -h

Command highlighted in black

1. One last thing - we will need tcpdump, a command that will be allow Debian to start monitoring/sniffing the packets on a specified network interface. It then prints out the detected packets for us to see 👀

sudo apt install tcpdump

The purpose of these is to ensure that the interface has traffic and should any issues pop up regarding zeek, it would then be a zeek issue, rather than an interface issue. (Helps in troubleshooting)

To check if the interface is up and running, run the following commands:

ip a
sudo tcpdump -n -i [interface name]

• ip a -> checks the network interfaces on this device

• tcpdump

  • -n -> Leaves addresses in their device name

  • -i -> Specifies interface for network to be captured on

Commands and important things highlighted in yellow!

🎉 You've managed to download Zeek!

Playing around with Zeek

Start an Active Version Zeek

First, I enter zeekcontrol, an interactive shell to perform actions or initialize Zeek.

In the /opt/zeek/bin directory, run the following command:

sudo ./zeekctl

This directory may differ for you, as the default zeek download directory is /usr/local/zeek

[EDIT] Run the following code so that zeek commands can be accessed anywhere throughout the machine

export PATH=/opt/zeek/bin:$PATH

In ZeekControl (ZeekCtl), start zeek.

If this is your first time starting zeek, instead of start, use deploy

start

Unable to Start Zeek?

While starting up, I faced this issue where Zeek failed to start.

So, I ran a diag to find out what issue occurred. Scrolling down to the ====.cmdline section, you can see that the network interface is set to eth0 (default).

A quick ip a shows that our interface is ens33, not eth0.

Hence, we will need to change the config file.

First, exit on ZeekControl. Then, move over to the directory /opt/zeek and run the following command using any text editor preferred (I use nano): nano etc/node.cfg

You'll be brought into the config file, where you will have to change the default interface to whatever your device uses. (ens33 in my case)

Save the changes and exit.

If zeek has been sucessfully started, you will see these:

A quick run of the command status would also show that zeek is running smoothly.

status

To stop zeek, run the command stop

stop

Generating & Processing Logs with Zeek

To start playing with Zeek, we need to capture some live network traffic to create logs.

To do so, we run this command:

sudo tcpdump -i ens33 -s 0 -w scanedtraffic.pcap

• -i -> interface (to change depending on the interface you would like to listen to)

• -s -> specifies number of packets to capture. By placing 0 here, it means too capture all packets here, unlimitedly.

• -w -> specifies the pcap file name the results of the network traffic capture will be output into

Ensure you are in a new directory every time you perform a live network capture, as after the network capture has been processed, multiple connection protocol log files will be generated.

Next, we process the network capture.

zeek -C -r scanedtraffic.pcap

• -C -> Disable checksum validation

• -r -> Read the given pcap file

Logs in Zeek

After the above command has been run, several zeek log files will be generated from the network packet capture. There are several logs that may be of interest:

Log name	Its purpose
notice.log	Anomalies detected by Zeek are raised and a notice regarding the anomaly will be placed in this log file.
intel.log	When Zeek detects traffic with known malicious indicators, the traffic is flagged and logged in this log file.
signatures.log	Known malicious or faulty packet signatures detected by Zeek are logged in this log file.
conn.log	Contains information about all TCP/UDP/ICMP connections, gathered from packet capture
files.log	Consists of analytic result of packet counts and session duration from packet capture.
packet_filter.log	Lists active filters applied to Zeek upon reading packet capture
weird.log	Contains data about packets that are non-conformant to standard protocols, or packets with corrupted/damaged header fields from the packet capture.
x507.log	Contains public key certificates used by protocols detected by Zeek from the packet capture
(protocol).log (eg. dhco.log, http.log)	File containing information about packets found in each respective protocol from the packet capture

To view log files, we can employ several methods.

1. Use the cat command

cat conn.log

Replace conn.log with any of the log names.

However, this method displays results in an extremely messy manner, and can be not very user friendly when your terminal is small-sized.

1. Use the zeek-cut utility to parse the log files

cat conn.log | zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p

The above command filters the connection log for the following columns, and displays the result:

• id.org_h -> Source IP address

• id.org_p -> Source port

• id.resp_h -> Destination IP address

• id.resp_p -> Destintation port

Use head and tail instead of cat reduce the file contents displayed, especially if the file is large sized. The -n option can also be used to specify the number of rows to be returned.

1. The output of the logs after using zeek-cut can also be output into a text file or csv file.

Text file:

cat conn.log | zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p > output.txt

CSV file:

cat conn.log | zeek-cut -F ‘,’ id.orig_h id.orig_p id.resp_h id.resp_p >
output.csv

• -F -> Changes the default delimiter from '\t' (tab) to ','; Separates the data values using the specified delimiter.

More Log Parsing Commands

1. To observe what services were observed from the packet capture

zeek-cut service < conn.log | sort | uniq -c | sort -rn

• rn -> Organize rows in reverse numerical order (descending)

• -c -> Removes duplicates while returning unique instances and their counts

syk