How to install and configure Zeek IDS (formerly Bro) on macOS
An easy guide to installing, configuring, and running Zeek IDS automatically on your Mac
Zeek (formerly Bro) is a powerful open-source framework for network traffic analysis and security monitoring. In this step-by-step guide, I’ll show you how to install, configure, and run Zeek automatically on your Mac.
Installing Zeek
Prerequisites
- Xcode or the Command Line Tools. To check if either is installed, run:
xcode-select -p
Note: If you get an error, install them with:
xcode-select --install
Installation
To install Zeek via Homebrew simply run:
brew install zeek
Note: If you are using MacPorts, then execute:
sudo port install zeek
Validation
To validate that Zeek was installed successfully, print the version with zeek -v:
$ zeek -v
zeek version 4.0.0
Configuration
Fixing permissions
The official Zeek FAQ documentation notes that on systems using BPF (Berkeley Packet Filter), such as macOS and FreeBSD, any user with read access to the BPF devices can capture packets with libpcap. Therefore, execute the following commands to change the BPF device permissions so that users in the admin group can capture packets:
sudo chgrp admin /dev/bpf*
sudo chmod g+r /dev/bpf*
Keep in mind what this grants: every member of the admin group can now capture all traffic on this Mac, and because /dev is recreated at boot, the change does not survive a reboot and has to be re-applied.
Important: If you don’t fix those permissions and you run the deploy command later in step 4, you’ll get this ugly message:
Error: zeek terminated immediately after starting; check output with "diag"
Basic Configuration
Now that we fixed the permissions, let’s make some basic changes to the default configuration to start using Zeek.
1. Choose the right interface to monitor in /usr/local/etc/node.cfg:
[zeek]
type=standalone
host=localhost
interface=en0
Remove the default value eth0 and use en0 or similar. Make sure you are using the correct interface, as shown in the ifconfig command output.
2. Add your local network to /usr/local/etc/networks.cfg. This file already comes with 3 default networks (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16), so adjust accordingly. For example, my IP address is 192.168.0.112, so I’ll keep that one and remove the rest:
192.168.0.0/16 Private IP space
3. Start the ZeekControl shell:
zeekctl
4. Run the deploy command to check the configuration, install, and start the Zeek instance:
[ZeekControl] > deploy
checking configurations ...
installing ...
removing old policies in /usr/local/var/spool/installed-scripts-do-not-touch/site ...
removing old policies in /usr/local/var/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating standalone-layout.zeek ...
generating local-networks.zeek ...
generating zeekctl-config.zeek ...
generating zeekctl-config.sh ...
stopping ...
stopping zeek ...
creating crash report for previously crashed nodes: zeek
starting ...
starting zeek ...
To check if Zeek is running, use the status command:
[ZeekControl] > status
Name Type Host Status Pid Started
zeek standalone localhost running 4637 17 Mar 16:33:03
Awesome! Zeek is now up and running.
Tips
Other useful commands include:
- diag for troubleshooting errors.
- cleanup for deleting files.
- start or stop for starting or stopping the Zeek process respectively.
It’s worth mentioning that you don't have to start the ZeekControl interactive shell every time you want to operate Zeek; you can pass the command directly on the command line, such as: zeekctl start
Zeek Logs
Now that Zeek is running, all the logs are located in /usr/local/var/logs/current. If you stop the service, this directory will be empty and the logs will be compressed and moved to a directory named after the current day.
Also, the default output format is TSV (tab-separated values), and depending on the traffic your Mac sees, you may get a similar list of log files:
-rw-r--r-- 1 root admin 393 Mar 17 17:45 capture_loss.log
-rw-r--r-- 1 root admin 800572 Mar 17 17:53 conn.log
-rw-r--r-- 1 root admin 771 Mar 17 17:41 dhcp.log
-rw-r--r-- 1 root admin 1482004 Mar 17 17:53 dns.log
-rw-r--r-- 1 root admin 175764 Mar 17 17:52 files.log
-rw-r--r-- 1 root admin 4685 Mar 17 17:52 http.log
-rw-r--r-- 1 root admin 914 Mar 17 17:37 notice.log
-rw-r--r-- 1 root admin 4549 Mar 17 17:47 ntp.log
-rw-r--r-- 1 root admin 481 Mar 17 17:02 software.log
-rw-r--r-- 1 root admin 219905 Mar 17 17:53 ssl.log
-rw-r--r-- 1 root admin 1879 Mar 17 17:50 stats.log
-rw-r--r-- 1 root admin 18 Mar 16 10:59 stderr.log
-rw-r--r-- 1 root admin 188 Mar 16 10:59 stdout.log
-rw-r--r-- 1 root admin 195685 Mar 17 17:53 weird.log
-rw-r--r-- 1 root admin 89646 Mar 17 17:52 x509.log
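Because every log is plain TSV with a #fields header, a few lines of awk can do what Zeek's zeek-cut tool does. This is an added example (my code, not Zeek's own tool) run over a constructed conn.log embedded inline; 192.168.0.112 is the address used in this guide, and the peers are documentation addresses.

```shell
#!/bin/sh
# Added example: a tiny zeek-cut work-alike for the TSV logs in /usr/local/var/logs/current.
# The conn.log below is constructed for the demo, not captured from a real Mac.
sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#path\tconn\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n'
    printf '1615999980.1\tCx1\t192.168.0.112\t53211\t203.0.113.10\t443\ttcp\tssl\tSF\n'
    printf '1615999981.2\tCx2\t192.168.0.112\t5353\t224.0.0.251\t5353\tudp\tdns\tS0\n'
    printf '1615999982.3\tCx3\t192.168.0.50\t61000\t192.168.0.112\t22\ttcp\t-\tREJ\n'
    printf '#close\t2021-03-17-17-53-00\n'
}

# Read a Zeek TSV log on stdin and print the named columns (arguments), tab-separated.
# Column positions are resolved from the #fields header, so this works for any log type;
# a name that is not in the header prints Zeek's unset marker "-".
zeek_cut() {
    awk -F '\t' -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        /^#fields/ { for (i = 2; i <= NF; i++) idx[$i] = i - 1; next }
        /^#/ { next }                      # other metadata lines: #separator, #types, #close
        {
            out = ""
            for (k = 1; k <= n; k++) {
                col = idx[names[k]]
                out = out (k > 1 ? "\t" : "") (col ? $col : "-")
            }
            print out
        }'
}

# Defender view: which peers had connections rejected by this Mac ($1), and on which port?
rejected_inbound() {
    sample_conn_log | zeek_cut id.orig_h id.resp_h id.resp_p conn_state |
        awk -F '\t' -v me="$1" '$2 == me && $4 == "REJ" { print $1 "\t" $3 }'
}

# Usage: sample_conn_log | zeek_cut ts id.orig_h id.resp_h id.resp_p service
rejected_inbound 192.168.0.112
```

On a real install, replace sample_conn_log with `cat /usr/local/var/logs/current/conn.log` (or zcat on the rotated, compressed files).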
Running Zeek automatically
Running Zeek with the ZeekControl shell is great for the first few times. But what if you wanted it to be running in the background even after it crashes or your Mac reboots? I don't like dealing with services manually, so I decided to automate the Zeek service with a script.
Apple has its own framework for managing services called launchd. I’ve used it successfully in the past to create other daemons. However, I tried to set up a Zeek job this time but it didn’t work quite well. So instead, I created a good old Bash script, scheduled it to run every few minutes via crontab and it was successful.
Add the zeek.sh script to the root crontab with sudo crontab -e:
*/5 * * * * /Users/roberto/zeek.sh > /tmp/zeek.log 2>&1
In the above example, the script will be executed every 5 min. Modify the frequency according to your needs.
Important: If you send the output to a log, you may need to grant Full Disk Access to cron in Security & Privacy settings. For more details you can review this article. Otherwise, you may get the error: Operation not permitted.
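The article does not show zeek.sh itself, so here is an added example of a watchdog for the crontab entry above (my code, not the author's script). It covers both the Fixing permissions step and this section: it re-applies the BPF group permissions on every run and runs deploy whenever status shows no running node. It assumes the Homebrew paths and the admin group used in this guide.

```shell
#!/bin/sh
# zeek.sh: watchdog for the */5 cron job above (added example, not the article's script).
# Assumes the Homebrew install path and the admin group used in this guide.
ZEEKCTL="${ZEEKCTL:-/usr/local/bin/zeekctl}"
BPF_GROUP="${BPF_GROUP:-admin}"

# Return 0 when an `ls -l` line for a /dev/bpf* device shows the expected group
# with group-read set (the state the Fixing permissions step creates), else 1.
bpf_line_ok() {
    printf '%s\n' "$1" |
        awk -v grp="$2" '{ ok = (substr($1, 5, 1) == "r" && $4 == grp); exit (ok ? 0 : 1) }'
}

# Return 0 when `zeekctl status` output lists at least one node and every node
# is in state "running"; the first line of that output is the column header.
zeek_nodes_running() {
    printf '%s\n' "$1" | awk 'NR > 1 { n++; if ($4 != "running") bad = 1 }
                               END { exit ((n == 0 || bad) ? 1 : 0) }'
}

main() {
    # /dev is recreated at boot, so re-apply the BPF permissions on every run
    # (the cron job runs as root, hence no sudo here).
    for dev in /dev/bpf*; do
        [ -e "$dev" ] || continue
        bpf_line_ok "$(ls -l "$dev")" "$BPF_GROUP" ||
            { chgrp "$BPF_GROUP" "$dev"; chmod g+r "$dev"; }
    done
    # deploy checks the config, installs it and (re)starts the node, exactly as in step 4.
    if zeek_nodes_running "$("$ZEEKCTL" status 2>/dev/null)"; then
        echo "$(date): zeek running, nothing to do"
    else
        echo "$(date): zeek not running, deploying"
        "$ZEEKCTL" deploy
    fi
}

# Only act when zeekctl is actually installed, so the functions can be sourced for testing.
if [ -x "$ZEEKCTL" ]; then
    main
fi
```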
Next Steps
Bravo! I’m glad that you have a fully working Zeek instance on your Mac. Now what? You can start analyzing all the Zeek logs manually on your terminal. But what if you wanted to have more fun with your network data, like running queries, getting alerts, or viewing graphs? Then, I recommend you integrate Zeek with a SIEM/log management solution. In a future article, I’ll show you how to do it with Devo and its Data Analytics Platform. Stay tuned!