Unleashing Zeek: A Step-by-Step Install Guide to Powerful Network Monitoring.

Cassandra Chibueze
5 min read · Jul 2, 2023


Zeek is primarily a security monitoring tool that thoroughly examines all traffic on a network link to identify any suspicious activity. It also offers a wide range of traffic analysis capabilities beyond just security-related tasks. These include performance measurements and aiding in troubleshooting network issues.

Zeek has built-in features for various analysis and detection tasks, such as detecting malware through external registries, reporting vulnerable software versions on the network, identifying popular web applications, detecting SSH brute-force attacks, and validating SSL certificate chains.

Let’s dive right into the installation steps…

For this, I will be installing as the root user.

1. To switch to the root user, run the command:

note: The user password will be asked for; type the password and press enter.

sudo su -

2. Add the repository link:

echo 'deb http://download.opensuse.org/repositories/security:/zeek/Debian_12/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list

3. Download the trusted keys:

curl -fsSL https://download.opensuse.org/repositories/security:zeek/Debian_12/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null

4. Update the mirrors:

sudo apt update -y

5. Install Zeek:

sudo apt install zeek -y

After installing Zeek with the steps above, head to the site referenced below for steps on how to run the installed Zeek.

Reference: https://docs.zeek.org/en/master/quickstart.html

Here’s a quick summary:

  • Firstly, note the installation directory of Zeek. (Installation directory: /opt/zeek/)
  • Check the network interface cards’ name using the command: #ip a
  • Check the Zeek configuration file, using these commands:
cd /opt/zeek/etc
ls
  • Open the file “node.cfg” to edit it, using the command: nano node.cfg
  • Once the file has been checked and confirmed, use the following keystrokes to exit the editor.

- Ctrl + x

- Type “n” if you made no changes.

- Type “y” if you made changes, then press the “Enter” key.

6. Now, navigate back to the “bin” directory.

  • Note the current path using the command: #pwd
  • Then go back one step with the command #cd ..
  • Use the command “ls” to list the contents of the current directory
  • Now go to the “bin” directory using #cd bin
  • Confirm you are in the “bin” directory using #ls and #pwd.

7. Now start the ZeekControl shell like this:

#./zeekctl
  • Since this is the first time using the shell, perform an initial installation of the ZeekControl configuration:
[ZeekControl] > install
  • Then start up a Zeek instance with command:
[ZeekControl] > start
  • To stop the Zeek instance, type:
[ZeekControl] > stop
  • Exit the zeekctl command screen by typing:
[ZeekControl] > exit

NOTE: To be able to run the Zeek command from any directory, you can do the following:

#echo 'export PATH=/opt/zeek/bin:$PATH' >> ~/.profile

#source ~/.profile

Note: Be mindful of the syntax when copying commands from a word document, especially if the command contains signs and symbols. The recommended way is to type the command.

Zeek Log files.

  • Navigate to the Zeek log directory using the command below:
cd /opt/zeek/logs/
  • Use the commands “pwd” and “ls” to confirm you are in the correct directory.
  • To view the latest log files, go to the “current” directory.
  • The directory with a “date” name stores the archive of previously captured logs. Navigate as shown in the screenshot below.
  • The “current” directory has the below log files once your capture has started.

NOTE: When you begin the capture, more log files will be seen too. It’s not restricted to these alone. Log files such as conn.log, http.log, dns.log, etc. would also be seen.
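As an added example that is not part of the original post, this Python snippet reads a Zeek log in its default TSV layout (the #separator, #fields, #unset_field and #empty_field header lines) and tallies connection attempts that got no reply per target; the conn.log rows are constructed for illustration, not captured from a real network.

```python
from collections import Counter
from typing import Iterator

# Constructed sample conn.log in Zeek's default TSV layout (not real traffic).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring",
    "1688292000.1\tCAbc1\t10.0.0.5\t51234\t203.0.113.7\t443\ttcp\tssl\t1.5\t500\t4000\tSF",
    "1688292001.2\tCAbc2\t10.0.0.5\t51235\t203.0.113.7\t22\ttcp\tssh\t0.3\t120\t80\tS1",
    "1688292002.3\tCAbc3\t10.0.0.9\t40000\t203.0.113.8\t22\ttcp\t-\t-\t-\t-\tS0",
    "1688292002.4\tCAbc4\t10.0.0.9\t40001\t203.0.113.8\t22\ttcp\t-\t-\t-\t-\tS0",
    "#close\t2023-07-02-11-00-00",
])

def parse_zeek_log(text: str) -> Iterator[dict]:
    """Yield one dict per data row, honouring the header's separator and markers."""
    sep, unset, empty, fields = "\t", "-", "(empty)", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator is written as an escape sequence (e.g. \x09 for TAB).
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue  # #types, #path, #open and #close are not needed here
        if fields is None:
            raise ValueError("data row appeared before the #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        # Map Zeek's unset marker to None and its empty marker to "".
        yield {f: None if v == unset else "" if v == empty else v
               for f, v in zip(fields, values)}

def unanswered_by_target(text: str) -> dict:
    """Count conn_state S0 rows (attempt seen, no reply) per (responder, port)."""
    tally = Counter()
    for row in parse_zeek_log(text):
        if row["conn_state"] == "S0":
            tally[(row["id.resp_h"], row["id.resp_p"])] += 1
    return dict(tally)
```

Point the parser at /opt/zeek/logs/current/conn.log (read the file into a string) to run the same tally over a live capture.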

Also, note that ZEEK can be used against LIVE TRAFFIC and not only historical traffic.

With the use of certain commands, you can force Zeek to bend to your will.

Congratulations! You have your Zeek up and running. Defend away! 😀
