This is part of the Zeekurity Zen Zeries on building a Zeek (formerly Bro) network sensor.
Overview
In our Zeek journey thus far, we’ve:
Now we’ll introduce the Zeek Package Manager to extend Zeek’s functionality with packages contributed by the Zeek community. A full list of available packages can be viewed on the Zeek Package Browser. We will focus on configuring Zeek to use AF_PACKET to further optimize packet capture and analysis. We’ll also install additional useful packages.
To do this, we’ll walk through these steps:
- Set up Zeek Package Manager to extend Zeek’s functionality.
- [Optional] Use Zeek Package Manager to install the AF_PACKET package.
- Configure Zeek to use the AF_PACKET package to optimize Zeek’s packet capture performance.
- [Optional] Install additional useful packages including ja3 and HASSH.
- Update Zeek packages.
Set up Zeek Package Manager
- As the zeek user, make sure you’re in its respective home directory.
cd
- As the zeek user, install zkg’s dependencies. This installs the two external Python modules that zkg requires into ~/.local/lib/python3.6/site-packages.
pip3 install GitPython semantic-version --user
- As the zeek user, configure Zeek Package Manager (zkg).
zkg autoconfig
This will create a configuration file in /opt/zeek/etc/zkg/config. Upon completion it should look something like the following.
zeek = https://github.com/zeek/packages
[paths]
state_dir = /opt/zeek/var/lib/zkg
script_dir = /opt/zeek/share/zeek/site
plugin_dir = /opt/zeek/lib64/zeek/plugins
zeek_dist = /home/zeek/zeek-6.0.1
- If zkg is not installed or executed properly, you may see the following error:
zkg error: zkg failed to import one or more dependencies:
* GitPython: https://pypi.org/project/GitPython
* semantic-version: https://pypi.org/project/semantic-version
If you use 'pip', they can be installed like:
pip3 install GitPython semantic-version
- This is most likely due to one of the following reasons:
- You ran zkg before installing the required Python modules via pip3.
- You ran zkg from a directory to which the zeek user does not have write permissions.
- You do not have the git package installed.
Take the necessary steps to resolve the issue and try running it again.
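The three causes above are easy to confirm before running zkg again. The script below is an added example (not from the original post) that checks each one: whether python3 can import the two modules, whether git is on PATH, and whether the directory zkg is run from is writable. It assumes python3, pip3 and git are the tools in use, as in this post; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the three
# zkg failure causes listed above, run as the zeek user before "zkg autoconfig".
# Assumes python3, pip3 and git are the tools in use, as in the post.

# Returns 0 when python3 can import the module named in $1.
zkg_module_ok() {
    python3 -c "import $1" >/dev/null 2>&1
}

# Returns 0 when the git binary is on PATH (zkg clones package repositories with it).
zkg_git_ok() {
    command -v git >/dev/null 2>&1
}

# Returns 0 when $1 exists and is writable by the current user.
zkg_dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Runs every check against the working directory given as $1 (default: $PWD),
# prints one line per check and returns the number of failed checks.
zkg_preflight() {
    dir="${1:-$PWD}"
    failures=0
    # Import names differ from the pip package names: GitPython imports as "git".
    for mod in git semantic_version; do
        if zkg_module_ok "$mod"; then
            echo "ok:   python module $mod"
        else
            echo "FAIL: python module $mod (pip3 install GitPython semantic-version --user)"
            failures=$((failures + 1))
        fi
    done
    if zkg_git_ok; then
        echo "ok:   git found at $(command -v git)"
    else
        echo "FAIL: git not found; install the git package"
        failures=$((failures + 1))
    fi
    if zkg_dir_writable "$dir"; then
        echo "ok:   $dir is writable"
    else
        echo "FAIL: $dir is not writable; run zkg from the zeek home directory"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Run directly:  sh zkg_preflight.sh --check /home/zeek
case "${1:-}" in
    --check) zkg_preflight "${2:-$PWD}" ;;
esac
```

A non-zero exit status means at least one check failed, so the script also works as a gate in a provisioning playbook.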
[Optional] Install the AF_PACKET package
Note: As of Zeek version 5.2, AF_PACKET support is now included as part of the base Zeek installation. The following steps for installing the AF_PACKET package are now considered optional unless using a version of Zeek lower than 5.2.
- As root/sudo, run the following apt command to install kernel development files.
sudo apt-get install linux-headers-$(uname -r)
- Switch back to the zeek user and stop Zeek if it is currently running.
zeekctl stop
- Use zkg to install the AF_PACKET package.
zkg install zeek/zeek/zeek-af_packet-plugin
The following packages will be INSTALLED:
  zeek/zeek/zeek-af_packet-plugin (4.0.0)
Proceed? [Y/n] y
Running unit tests for "zeek/zeek/zeek-af_packet-plugin"
Installing "zeek/zeek/zeek-af_packet-plugin".......
Installed "zeek/zeek/zeek-af_packet-plugin" (4.0.0)
Configure Zeek to use AF_PACKET
- Edit /opt/zeek/etc/node.cfg to configure Zeek to use AF_PACKET. In the example configuration below we are configuring one worker, load balanced across two cores, analyzing one sniffing interface.
# Example ZeekControl node configuration.
# Below is an example clustered configuration on a single host.
[logger]
type=logger
host=localhost
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=af_packet::enp2s0
lb_method=custom
lb_procs=2
pin_cpus=0,1
In the event you have two or more sniffing interfaces (e.g. enp2s0 and enp3s0), see the example configuration below which assigns each interface its own worker, load balanced across two cores, again using AF_PACKET. Note the addition of unique af_packet_fanout_id values for each of the sniffing interfaces.
# Example ZeekControl node configuration.
# Below is an example clustered configuration on a single host.
[logger]
type=logger
host=localhost
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=af_packet::enp2s0
lb_method=custom
lb_procs=2
pin_cpus=0,1
af_packet_fanout_id=2
[worker-2]
type=worker
host=localhost
interface=af_packet::enp3s0
lb_method=custom
lb_procs=2
pin_cpus=2,3
af_packet_fanout_id=3
- As root/sudo, give the Zeek binaries permissions to capture packets. This was previously done in Part I, however, installing AF_PACKET requires doing this again.
sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats
- As the zeek user, run zeekctl deploy to apply configurations and run Zeek.
zeekctl deploy
If you see the following errors, try re-running the sudo setcap commands from the previous step.
zeekctl deploy
Error: worker-1-1 terminated immediately after starting; check output with "diag"
Error: worker-1-2 terminated immediately after starting; check output with "diag"
Error: worker-2-1 terminated immediately after starting; check output with "diag"
Error: worker-2-2 terminated immediately after starting; check output with "diag"
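Two of the mistakes that produce workers which die right after zeekctl deploy are easy to make when editing the node.cfg examples above: two af_packet workers on the same host sharing (or omitting) an af_packet_fanout_id, and pin_cpus lists that overlap or do not match lb_procs. The script below is an added example, not part of the post or of ZeekControl, that reads a node.cfg and reports those problems before you deploy. It only knows the keys used in the examples above; the function name is my own.

```shell
#!/bin/sh
# Added example, not part of the original post or of ZeekControl: sanity checks
# for the AF_PACKET worker entries in a node.cfg before "zeekctl deploy".
# Flags: a pin_cpus list whose length differs from lb_procs, a CPU pinned by
# two workers, and af_packet_fanout_id values that are missing (when several
# af_packet workers share the host) or duplicated.

# Usage: validate_node_cfg /opt/zeek/etc/node.cfg
# Prints one line per problem; returns 0 when clean, 1 otherwise.
validate_node_cfg() {
    awk '
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        cfg[sec, key] = val
        if (key == "type" && val == "worker") workers[++nw] = sec
    }
    END {
        errs = 0; nap = 0
        for (i = 1; i <= nw; i++) {
            w = workers[i]
            if (cfg[w, "interface"] !~ /^af_packet::/) continue
            nap++
            procs = cfg[w, "lb_procs"] + 0
            n = split(cfg[w, "pin_cpus"], cpus, ",")
            if (n > 0 && n != procs) {
                print w ": pin_cpus lists " n " CPUs but lb_procs=" procs; errs++
            }
            for (j = 1; j <= n; j++) {
                if (cpus[j] in seen) { print w ": CPU " cpus[j] " already pinned by " seen[cpus[j]]; errs++ }
                else seen[cpus[j]] = w
            }
            fid = cfg[w, "af_packet_fanout_id"]
            if (fid == "") nofid[w] = 1
            else if (fid in fids) { print w ": af_packet_fanout_id " fid " already used by " fids[fid]; errs++ }
            else fids[fid] = w
        }
        if (nap > 1) for (w in nofid) { print w ": set a unique af_packet_fanout_id (several af_packet workers on this host)"; errs++ }
        exit (errs > 0)
    }' "$1"
}

# Run directly:  sh validate_node_cfg.sh /opt/zeek/etc/node.cfg
if [ $# -eq 1 ]; then
    validate_node_cfg "$1"
fi
```

Both node.cfg examples above pass as written; a single af_packet worker without af_packet_fanout_id is accepted, since the uniqueness requirement only matters once a second worker is added.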
[Optional] Install Additional Useful Packages (e.g. add-interfaces, ja3, and HASSH)
We’ll install additional Zeek packages: add-interfaces, ja3, and HASSH. The install process outlined below should work for installing other packages you may be interested in.
- As the zeek user, stop Zeek if it is currently running.
zeekctl stop
- Use zkg to install the add-interfaces package. When you monitor multiple network interfaces on one sensor, this adds an “_interface” field to every log, recording which network interface the traffic arrived on.
zkg install zeek/j-gras/add-interfaces
The following packages will be INSTALLED:
  zeek/j-gras/add-interfaces (master)
Proceed? [Y/n] y
Installed "zeek/j-gras/add-interfaces" (master)
Loaded "zeek/j-gras/add-interfaces"
- Edit /opt/zeek/share/zeek/site/add-interfaces/add-interfaces.bro and modify the const enable_all_logs and const include_logs: set[Log::ID] fields as shown below. Save the file when you’re finished.
export {
    ## Enables interfaces for all active streams
    const enable_all_logs = T &redef;
    ## Streams not to add interfaces for
    const exclude_logs: set[Log::ID] = { } &redef;
    ## Streams to add interfaces for
    const include_logs: set[Log::ID] = { } &redef;
}
- Use zkg to install the ja3 package. This is used for profiling SSL/TLS clients.
zkg install zeek/salesforce/ja3
The following packages will be INSTALLED:
  zeek/salesforce/ja3 (master)
Proceed? [Y/n] y
Installing "zeek/salesforce/ja3"
Installed "zeek/salesforce/ja3" (master)
Loaded "zeek/salesforce/ja3"
- Use zkg to install the HASSH package. This is used for profiling SSH clients and servers.
zkg install zeek/salesforce/hassh
The following packages will be INSTALLED:
  zeek/salesforce/hassh (master)
Proceed? [Y/n] y
Installing "zeek/salesforce/hassh"
Installed "zeek/salesforce/hassh" (master)
Loaded "zeek/salesforce/hassh"
- Edit /opt/zeek/share/zeek/site/local.zeek and add the following lines to the bottom. This will load all packages you’ve installed.
# Load Zeek Packages
@load packages
- As the zeek user, run zeekctl deploy to apply configurations and run Zeek.
zeekctl deploy
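Once add-interfaces and ja3 are loaded, ssl.log carries both a ja3 column and an _interface column. The script below is an added example (not from the post, and not part of either package) showing how to use them together from the shell: it writes a small constructed ssl.log in Zeek’s TSV format, then summarises ja3 hashes per interface and lists the fingerprints seen from only one client, the long tail an analyst reviews first. Columns are located by name from the #fields header, so the column order in your logs does not matter. The ja3 values and addresses are placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post or of the ja3/add-interfaces
# packages: summarise the ja3 and _interface columns those packages add to
# ssl.log, locating columns by name from the "#fields" header line.

# Constructed placeholders standing in for ja3 hashes (not real fingerprints).
JA3_A=11111111111111111111111111111111
JA3_B=22222222222222222222222222222222
JA3_C=33333333333333333333333333333333

# Writes a small constructed ssl.log in Zeek's TSV format to the path in $1.
# Only the columns the summaries need are included; addresses are documentation ranges.
write_sample_ssl_log() {
    {
        printf '#separator \\x09\n'
        printf '#path\tssl\n'
        printf '#fields\tts\tid.orig_h\tid.resp_h\tserver_name\tja3\t_interface\n'
        printf '#types\ttime\taddr\taddr\tstring\tstring\tstring\n'
        printf '1700000000.1\t10.0.0.5\t203.0.113.10\texample.com\t%s\tenp2s0\n' "$JA3_A"
        printf '1700000001.2\t10.0.0.6\t203.0.113.10\texample.com\t%s\tenp2s0\n' "$JA3_A"
        printf '1700000002.3\t10.0.0.7\t203.0.113.11\texample.net\t%s\tenp2s0\n' "$JA3_B"
        printf '1700000003.4\t192.168.1.20\t203.0.113.10\texample.com\t%s\tenp3s0\n' "$JA3_A"
        printf '1700000004.5\t192.168.1.21\t203.0.113.12\texample.org\t%s\tenp3s0\n' "$JA3_C"
        printf '#close\t2023-11-14-22-13-25\n'
    } > "$1"
}

# Prints "<interface>\t<ja3>\t<count>" for each (interface, ja3) pair in the
# log given as $1, sorted. Logs without the add-interfaces column get "-".
ja3_by_interface() {
    awk -F '\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        {
            iface = ("_interface" in col) ? $(col["_interface"]) : "-"
            print iface "\t" $(col["ja3"])
        }' "$1" | sort | uniq -c | awk '{ print $2 "\t" $3 "\t" $1 }'
}

# Prints ja3 hashes seen from exactly one client address, sorted: the
# long-tail fingerprints an analyst would review first.
rare_ja3() {
    awk -F '\t' '
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        {
            key = $(col["ja3"]) SUBSEP $(col["id.orig_h"])
            if (!(key in seen)) { seen[key] = 1; clients[$(col["ja3"])]++ }
        }
        END { for (h in clients) if (clients[h] == 1) print h }' "$1" | sort
}

# Run directly:  sh ja3_summary.sh /opt/zeek/logs/current/ssl.log
if [ $# -eq 1 ]; then
    echo "== ja3 hashes per interface"; ja3_by_interface "$1"
    echo "== ja3 hashes seen from a single client"; rare_ja3 "$1"
fi
```

The same header-driven column lookup works for ssh.log and the hassh/hasshServer columns the HASSH package adds; only the column names in the awk program change.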
Update Installed Zeek Packages
- As the zeek user, stop Zeek if it is currently running.
zeekctl stop
- Use zkg to check for updated packages.
zkg refresh
Refresh package source: zeek
    No changes
Refresh installed packages
    New outdated packages:
        zeek/salesforce/hassh (master)
This indicates that zeek/salesforce/hassh needs to be updated.
- Use zkg to upgrade the outdated packages.
zkg upgrade
The following packages will be UPGRADED:
  zeek/salesforce/hassh (master)
Proceed? [Y/n] y
Upgraded "zeek/salesforce/hassh" (master)
- As the zeek user, run zeekctl deploy to apply configurations and run Zeek.
zeekctl deploy
Up Next
In Part III of this series, we will walk through how to send Zeek logs to Splunk and take advantage of the Corelight For Splunk app.