Zeek Network Security Monitor Tutorial: Part 1 (Setup)

Kevin Thomas
6 min read · Jan 24, 2020


For a complete table of contents of all the lessons please click below as it will give you a brief of each lesson in addition to the topics it will cover. https://github.com/mytechnotalent/Zeek-Network-Security-Monitor-Tutorial

Welcome to our beginner user-friendly Zeek Network Security Monitor series.

We begin by setting up a basic Ubuntu computer connected to an inexpensive network tap that sits inline on the Ethernet cable you want to watch (for example the one between your modem and your home router). The products below are suggestions for anyone who does not already have the parts; feel free to substitute any network tap, Ethernet adapters or cables you prefer. They are listed so that you can follow along easily if you have nothing on hand.

Step 1: OPTIONAL Purchase Dell Inspiron 15 7000 Series Gaming Edition 7567 15.6-Inch Full HD Screen Laptop @ https://www.newegg.com/p/1TS-000A-02S48?Item=9SIAEYJ8952683
— If you do NOT have an existing spare laptop, here is a machine that will work nicely. We will reformat this OS to Ubuntu in further steps below. If you DO have an existing spare laptop please use that FIRST before investing in another machine.

Step 2: OPTIONAL Purchase Multi Boot USB Flash Drive @ https://hackerwarehouse.com/product/multi-boot-usb-flash-drive
— If you do NOT have an existing spare USB drive, here is one that will work nicely as the installer medium for Ubuntu. If you DO have an existing spare USB drive please use that FIRST before investing in another one.

Step 3: Purchase LAN Tap Pro @ https://hackerwarehouse.com/product/lan-tap-pro
— The LAN Tap Pro is a passive Ethernet tap, requiring no power for operation. Two things to know before buying any passive tap: taps of this kind typically pass only 10/100 Mbps (a gigabit link through the tap negotiates down to 100 Mbps), and many of them split the two directions of traffic across two monitoring ports, one per direction. Check the product documentation to see whether a single monitoring port gives you both directions, because Zeek needs both sides of a conversation to build complete connection records.

Step 4: Purchase 1–2 TRENDnet USB3 Gigabit Ethernet Adapters @ https://hackerwarehouse.com/product/trendnet-usb3-gigabit-ethernet-adapter
— The adapter is a full-duplex gigabit Ethernet device (1 Gbps in each direction) and works on older USB 2.0 and 1.1 ports, although on those ports throughput is limited by the USB bus to well under 1 Gbps. That is fine for the monitoring port behind a 100 Mbps passive tap.
— If your Ubuntu computer has an existing Ethernet port you will only need one of these devices.

Step 5: Purchase 3 Cat5e Network Cables @ https://hackerwarehouse.com/product/cat5e-network-cable
— These cables will assist in our setup below.

Step 6: Setup LAN Tap Pro
— Unplug the Ethernet cable you want to monitor (your main modem or router cable) at one end and plug that end into the J1 port of the tap. Take the 1st Cat5e Network Cable, plug it into the J2 port and plug its other end in where the original cable was. J1 and J2 are the pass-through path, so your connection keeps working.
— Take the 2nd Cat5e Network Cable and connect it to the J3 monitoring port, then plug the other end into your Ubuntu computer's 1st Ethernet port. This is your tap/monitoring port: it only receives copies of the traffic passing between J1 and J2 and should never be given an IP address.
— Take the 3rd Cat5e Network Cable and connect it to your Ubuntu computer's 2nd Ethernet port and plug the other end into a LAN port on your router. This is the management connection that gives the machine Internet access for updates and lets you reach it remotely over SSH.

Step 7: Setup Ubuntu Computer
— Download the FREE Rufus software from https://rufus.ie/ and save it to your main computer’s Desktop.
— Download the FREE ISO image from https://ubuntu.com/download/desktop/thank-you?country=US&version=18.04.3&architecture=amd64 and save it to your main computer’s Desktop.
— Plug your USB drive into your main computer.
— Double-click on the Rufus software on your Desktop and select the Ubuntu ISO and install it to your USB drive.
— Once complete, eject the USB drive from your main computer and plug it into your Ubuntu computer and boot it up.
— During boot, press the key that opens the firmware boot menu (commonly F12, but F8, F9, F10, F11, Esc or Del on some machines) so that you can boot from the Ubuntu USB drive.
— Select your USB drive as the boot device and follow the step-by-step installer to set up Ubuntu on your laptop. If you run into trouble, the official walkthrough at https://tutorials.ubuntu.com/tutorial/tutorial-install-ubuntu-desktop#0 covers every screen.

Step 8: Setup Zeek Software & Additional Tools
— Boot your Ubuntu computer and open a terminal. We are going to run the following commands to get you set up with everything you need. Wait until each command completes in its ENTIRETY before moving on to the next one. Type the commands one by one in the terminal.

sudo apt-get update && sudo apt-get dist-upgrade
sudo apt-get install vim
* IF YOU HAVE NOT USED VIM VISIT https://www.openvim.com IMMEDIATELY FOR A FREE TUTORIAL!

sudo apt-get install net-tools
sudo apt update
sudo apt install openssh-server
sudo systemctl status ssh (then press q to leave the status view)
sudo ufw allow ssh
* This only adds a firewall rule; ufw is inactive by default on Ubuntu Desktop, so enable it if you want the management port to accept nothing but SSH.
sudo apt-get install sendmail
sudo apt-get install git
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
* On Ubuntu 20.04 and later, and for Zeek 4.0 and later, install python3-dev instead of python-dev: the Zeek build and ZeekControl require Python 3.
vim ~/.bashrc
* ADD the following line to the end of the file and then save and quit.
export PATH=/usr/local/zeek/bin:$PATH
git clone --recursive https://github.com/zeek/zeek
cd zeek
./configure && make && sudo make install
* The --recursive flag matters: Zeek's submodules (zeekctl, broker and the other aux components) are not pulled by a plain clone and the build fails without them. A plain clone builds the development branch; checking out a release tag before configuring gives a stable build. Compiling takes a long time on a laptop, so wait for make install to finish before moving on.

Step 9: Configure Zeek
— We need to identify which network interface is our tap port and our main port. Type the below into a terminal.

ifconfig

First identify the wired interfaces. On Ubuntu their names start with en (for example eno1, enp3s0, or enx followed by the adapter's MAC address) or, on older systems, eth. (ifconfig comes from the net-tools package installed in Step 8.)

Ignore any w* interfaces (wlp2s0 and the like): they are wireless and we do NOT want to monitor or use any wireless ports.

You should see two en* interfaces. One will have an inet (IPv4) address such as 192.168.0.x or 192.168.1.x; that is the management port connected to your router.

The en* interface which does NOT have an inet address is your tap port: a passive tap only delivers copies of frames, so that interface never obtains an address. Write its name down as we will use it in the next two steps.
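The rule above (the wired interface without an inet address is the tap) can be automated. The script below is an added example, not part of the original tutorial: it applies that rule to the output format of ip -o link show and ip -o -4 addr show (from the iproute2 package Ubuntu ships, an alternative to ifconfig). The SAMPLE_* strings in it are constructed, not captured from a real machine, and pick_tap_iface is a name chosen here. Run it with --live on the Ubuntu box to check the real interfaces and confirm with tcpdump that frames actually arrive on the tap port before pointing Zeek at it.

```shell
#!/bin/bash
# Added example (not part of the original tutorial): find the tap interface
# from `ip` output instead of reading ifconfig by eye. Rule from the text:
# a wired en*/eth* interface with no IPv4 address is the tap/monitoring
# port; w* (wireless) interfaces are ignored. The SAMPLE_* strings below
# are constructed output, not captured from a real box.

# pick_tap_iface LINK_OUTPUT ADDR_OUTPUT
#   LINK_OUTPUT: text in the format of `ip -o link show`
#   ADDR_OUTPUT: text in the format of `ip -o -4 addr show`
# Prints every wired interface that has no IPv4 address, one per line.
pick_tap_iface() {
    local links="$1" addrs="$2"
    # Field 2 of `ip -o link` is the name with a trailing colon; veth-style
    # names carry an "@ifN" suffix that is trimmed as well.
    printf '%s\n' "$links" \
        | awk '{ n = $2; sub(/:$/, "", n); sub(/@.*/, "", n); print n }' \
        | grep -E '^(en|eth)' \
        | while read -r ifc; do
            # `ip -o -4 addr` prints one line per address, name in field 2.
            if ! printf '%s\n' "$addrs" | awk '{ print $2 }' | grep -qx "$ifc"; then
                printf '%s\n' "$ifc"
            fi
        done
}

# Constructed sample: loopback, a wired management port with an address,
# a wireless port with an address, and a USB adapter (enx + MAC) without one.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000\    link/ether 66:77:88:99:aa:bb brd ff:ff:ff:ff:ff:ff
4: enx7be2de278f21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 7b:e2:de:27:8f:21 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eno1    inet 192.168.0.10/24 brd 192.168.0.255 scope global dynamic eno1\       valid_lft 86000sec preferred_lft 86000sec
3: wlp2s0    inet 192.168.0.11/24 brd 192.168.0.255 scope global dynamic wlp2s0\       valid_lft 86000sec preferred_lft 86000sec'

# Offline demonstration on the constructed sample (expected: enx7be2de278f21).
echo "tap candidate in sample data: $(pick_tap_iface "$SAMPLE_LINKS" "$SAMPLE_ADDRS")"

# Live run on the sensor itself: ./find-tap.sh --live
if [ "${1:-}" = "--live" ] && command -v ip >/dev/null 2>&1; then
    tap=$(pick_tap_iface "$(ip -o link show)" "$(ip -o -4 addr show)")
    case "$(printf '%s\n' "$tap" | grep -c .)" in
        0) echo "no wired interface without an IPv4 address found" >&2; exit 1 ;;
        1) echo "tap interface: $tap" ;;
        *) echo "several candidates, pick one by hand:" >&2
           printf '%s\n' "$tap" >&2; exit 1 ;;
    esac
    # The kernel may leave an address-less port down; bring it up and make
    # sure frames arrive before writing the name into node.cfg.
    sudo ip link set "$tap" up
    sudo tcpdump -i "$tap" -nn -c 5
fi
```

If the live run prints no packets within a few seconds, the tap's monitoring port is wired to the wrong side or only carries the other direction of the link; fix the cabling before continuing, because Zeek will start happily on an interface that never sees traffic.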

Type the following into the terminal.

sudo vim /usr/local/zeek/etc/node.cfg

Edit the interface= line in the [zeek] standalone section (it reads interface=eth0 in the default file) to interface=en*, where en* is the exact name of the tap port you wrote down above, for example interface=eno1 or interface=enx7be2de278f (a made up name for illustration). Leave type=standalone and host=localhost as they are.

Type the following into the terminal.

sudo vim /usr/local/zeek/etc/zeekctl.cfg

Edit the MailTo = line to MailTo = you@example.com, where you@example.com is the email address where you want Zeek to send notices. Delivery goes through the sendmail installed in Step 8, so mail only arrives if that host can actually relay it; notices are written to notice.log either way.

Step 10: Run Zeek
— At this point you can continue working on your Ubuntu computer directly, or you can ssh into it from another computer. To do the latter, type ifconfig in the Ubuntu terminal and note the inet address of the management interface (the en* port that has one).
— Recall the username you chose in the 'Pick a username' step of the Ubuntu installer (https://tutorials.ubuntu.com/tutorial/tutorial-install-ubuntu-desktop#8) and write it down.
— If your IP address is, for example, 192.168.0.10 and your username is john, type the following in your main computer's terminal.

ssh john@192.168.0.10

— You will then see a message like the following (with your machine's IP address and its own fingerprint in place of the values shown here).

The authenticity of host ‘192.168.121.111 (192.168.121.111)’ can’t be established. ECDSA key fingerprint is SHA256:Vybt22mVXuNuB5unE++yowF7lgA/9/2bLSiO3qmYWBY. Are you sure you want to continue connecting (yes/no)?

— Before you answer, compare that fingerprint with the one the Ubuntu machine reports for its own host key (the public host keys live in /etc/ssh on that machine). They must match exactly: this first-connection check is the only thing that protects you from another device on the LAN impersonating your sensor, because once you type yes the key is trusted on every later login.
— Type yes and then enter your Ubuntu username's password and you will be logged in.
— Whether you are in your main computer's terminal or at the Ubuntu machine itself, we now use ZeekControl to finish bringing the Zeek instance up. Type the following into the terminal.

sudo /usr/local/zeek/bin/zeekctl

— At the zeekctl prompt type the following commands, one per line.

install
deploy
exit

— install generates the runtime configuration from node.cfg and zeekctl.cfg; deploy installs it and starts (or restarts) the Zeek process on the tap interface. Later you can rerun zeekctl and type status to confirm the node is running, and the logs appear under /usr/local/zeek/logs/current.
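The two edits from Step 9 and the install/deploy from Step 10 can be applied in one go, which is handy when rebuilding the sensor. The script below is an added example, not code from the tutorial or the Zeek project. It assumes the default layout of a source install under /usr/local/zeek (override with ZEEK_PREFIX); set_cfg_key, get_cfg_key and valid_iface are names chosen here, the node.cfg and zeekctl.cfg lines mentioned in the comments are the stock defaults, and the interface name and email address in the usage line are placeholders.

```shell
#!/bin/bash
# Added example (not from the original tutorial): apply the Step 9 edits to
# node.cfg and zeekctl.cfg without an editor, check them, and deploy.
# Assumes a source install under /usr/local/zeek (override via ZEEK_PREFIX).
ZEEK_PREFIX="${ZEEK_PREFIX:-/usr/local/zeek}"

# set_cfg_key FILE KEY VALUE
# Replace the value on every uncommented "KEY=..." or "KEY = ..." line in
# FILE, keeping the file's own spacing (the default node.cfg has
# "interface=eth0", the default zeekctl.cfg "MailTo = root@localhost").
# Fails if KEY is absent, so a typo in KEY cannot silently keep the old value.
# VALUE must not contain '|' or '&' (sed delimiter and back-reference).
set_cfg_key() {
    local file="$1" key="$2" value="$3"
    grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file" || {
        echo "set_cfg_key: no '$key' line in $file" >&2
        return 1
    }
    # Rewrite via a temp file so a failed sed never truncates the config.
    sed -E "s|^([[:space:]]*$key[[:space:]]*=[[:space:]]*).*|\\1$value|" "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_cfg_key FILE KEY: print the current value of the first matching line.
get_cfg_key() {
    sed -nE "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*(.*)$|\\1|p" "$1" | head -n 1
}

# valid_iface NAME: accept only wired-looking names (en*/eth*); a w* name
# would be a wireless port, which the tutorial says never to monitor.
valid_iface() {
    printf '%s' "$1" | grep -Eq '^(en|eth)[A-Za-z0-9]+$'
}

# Usage on the sensor: sudo ./zeek-configure.sh --apply enx7be2de278f21 you@example.com
if [ "${1:-}" = "--apply" ]; then
    iface="$2" mailto="$3"
    valid_iface "$iface" || { echo "refusing interface name '$iface'" >&2; exit 1; }
    set_cfg_key "$ZEEK_PREFIX/etc/node.cfg" interface "$iface"
    set_cfg_key "$ZEEK_PREFIX/etc/zeekctl.cfg" MailTo "$mailto"
    echo "node.cfg interface: $(get_cfg_key "$ZEEK_PREFIX/etc/node.cfg" interface)"
    echo "zeekctl.cfg MailTo:  $(get_cfg_key "$ZEEK_PREFIX/etc/zeekctl.cfg" MailTo)"
    # `check` validates the generated configuration before `deploy` installs
    # it and (re)starts the node; `status` confirms the process is running.
    "$ZEEK_PREFIX/bin/zeekctl" check \
        && "$ZEEK_PREFIX/bin/zeekctl" deploy \
        && "$ZEEK_PREFIX/bin/zeekctl" status
fi
```

Running zeekctl check before deploy is the step the interactive session above skips; it catches a misspelled interface name or a syntax error in a script you add in later lessons without taking the running node down.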

Congratulations! You have set up Zeek and are ready to go! In our next lesson we will create our very first Zeek script! Click BELOW to continue our journey in the next lesson!

https://medium.com/@mytechnotalent/zeek-network-security-monitor-tutorial-part-2-alert-all-notices-zeek-5591357f6f21
