Zeekurity Zen – Part IX: How To Update Zeek

This is part of the Zeekurity Zen Zeries on building a Zeek (formerly Bro) network sensor.

Overview

In our Zeek journey thus far, we’ve:

Zeek is regularly updated with bug fixes and new features.  It’s a good idea to keep Zeek up to date to ensure you’re getting the latest security fixes and taking advantage of all the latest enhancements.  So how do we update Zeek and ensure that we receive the latest updates without overwriting our custom configurations?  It turns out the process to update Zeek is very similar to the initial installation process.

To do this, we’ll walkthrough these steps:

  1. Download, compile, and update Zeek.
  2. Update the Zeek Package Manager (zkg) configuration file.
  3. Update installed Zeek packages.
  4. Restart Zeek.
  5. [Optional] Reinstall previous version of Zeek if needed.

Download, Compile, and Update Zeek

Just as we did in Part I for the initial installation, we’ll download and compile the latest Zeek release.  It’s a good idea to keep the directory that includes the compiled Zeek binaries in the event that you run into issues with a particular release of Zeek and need to quickly revert back to your previous working installation.

Before we begin, note that any changes made to /opt/zeek/share/zeek/site/local.zeek the config files (network.cfg, node.cfg, and zeekctl.cfg) in /opt/zeek/etc/ will not be impacted by updating Zeek.  Changes made outside of these, may be overwritten.  Be sure that you keep this in mind before you proceed with any upgrades in the event that you’ve made changes to core Zeek files or placed files in non-standard locations.

  1. Switch to the zeek user.
    su zeek
  2. As the zeek user, stop Zeek if it is currently running.
    zeekctl stop
  3. We will download zeek to the /home/zeek directory. Then we will configure Zeek to install in the /opt/zeek directory (assuming this is where our existing installation is) and enable jemalloc to improve memory and CPU usage.  As of this writing, the latest feature release is version 5.2.1.  If the download URL referenced in the wget command below no longer works, you can download the latest stable release directly from the Get Zeek download page.
    cd
    wget https://download.zeek.org/zeek-5.2.1.tar.gz
    tar -xzvf zeek-5.2.1.tar.gz
    cd zeek-5.2.1
    ./configure --prefix=/opt/zeek --enable-jemalloc --build-type=release
    make
    make install

    Note: This will take *a while* to compile.

Update the Zeek Package Manager (zkg) configuration file

  1. As the zeek user, update the Zeek Package Manager (zkg) configuration file.
    zkg autoconfig

    This will create a configuration file in /opt/zeek/etc/zkg/config. Upon completion it should look something like the following.

    zeek = https://github.com/zeek/packages
    [paths]
    state_dir = /opt/zeek/var/lib/zkg
    script_dir = /opt/zeek/share/zeek/site
    plugin_dir = /opt/zeek/lib64/zeek/plugins
    zeek_dist = /home/zeek/zeek-5.2.1
    

Update Installed Zeek Packages

  1. Use zkg to check for updated packages.
    zkg refresh
    Refresh package source: zeek
            No changes
    Refresh installed packages
            New outdated packages:
                    zeek/salesforce/hassh (master)

    This indicates that zeek/salesforce/hassh needs to be updated.

  2. Use zkg to check for updated packages.
    zkg upgrade
    The following packages will be UPGRADED:
      zeek/salesforce/hassh (master)
    Proceed? [Y/n] y
    Upgraded "zeek/salesforce/hassh" (master)
  3. Switch back to your normal user by closing the zeek session.
    exit
  4. Since the zeek user is not root and we’ve just updated the binaries, give these new Zeek binaries permissions to capture packets.
    sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
    sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats

Restart Zeek

  1. Switch back to the zeek user.
    su zeek
  2. As the zeek user, run zeekctl deploy to apply configurations and run Zeek. Just like when we first installed and deployed Zeek, we should see output similar to what is shown below.
    zeekctl deploy
    checking configurations ...
    installing ...
    removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/site ...
    removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/auto ...
    creating policy directories ...
    installing site policies ...
    generating cluster-layout.zeek ...
    generating local-networks.zeek ...
    generating zeekctl-config.zeek ...
    generating zeekctl-config.sh ...
    stopping ...
    stopping workers ...
    stopping proxy ...
    stopping manager ...
    stopping logger ...
    starting ...
    starting logger ...
    starting manager ...
    starting proxy ...
    starting workers ...
  3. Just as before, if you see the following errors:
    zeekctl deploy
    Error: worker-1-1 terminated immediately after starting; check output with "diag"
    Error: worker-1-2 terminated immediately after starting; check output with "diag"
    Error: worker-2-1 terminated immediately after starting; check output with "diag"
    Error: worker-2-2 terminated immediately after starting; check output with "diag"

    Then try re-running the sudo setcap commands from earlier.

    sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
    sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats

[Optional] Reinstall previous version of Zeek if needed

  1. If you run into issues or incompatibilities with your newly installed Zeek and want to revert to a previous installation of Zeek, just reinstall a previously compiled version of Zeek (assuming you did not already delete it).  For example, assuming you just updated to the latest release of Zeek but wanted to revert back to Zeek 5.1, change into the zeek-5.1.0 directory with the already compiled Zeek 5.1 binaries and reinstall from there and then repeat the steps above to ensure the Zeek package manager and packet capture permissions are set properly.
    cd zeek-5.1.0
    make install

Related Posts

Elastic Explained: How-To Guides For The Elastic Stack

Elastic Explained: How-To Guides For The Elastic Stack

Elastic develops the popular log analytics platform, the Elastic Stack, which supports a variety of search, observability, and security use cases through its many out of the box integrations.  It's a great platform for collecting, analyzing, and visualizing data from...

How To Deploy Elastic Agent on macOS with Microsoft Intune

How To Deploy Elastic Agent on macOS with Microsoft Intune

This guide details how to deploy Elastic Agent on macOS using Intune.  For Windows, please use my companion guide. Using Elastic Agent with Elastic SIEM is a great way to secure and monitor your environment.  Not only does it provide full endpoint security...

How To Deploy Elastic Agent on Windows with Microsoft Intune

How To Deploy Elastic Agent on Windows with Microsoft Intune

This guide details how to deploy Elastic Agent on macOS using Intune.  For macOS, please use my companion guide. Using Elastic Agent with Elastic SIEM is a great way to secure and monitor your environment.  Not only does it provide full endpoint security capabilities,...

Transform Your Business & Operate at Peak Efficiency