
Introduction
- Zeek is a passive network monitoring system.
- Zeek is installed on a "sensor", which can be a hardware, software, virtual, or cloud platform that passively sniffs network traffic; it never injects packets.
- Zeek generates compact, high-fidelity log files based on what it sees in the network traffic.
- The log files are fully customizable and are suitable for manual review on disk or for ingestion into a more analyst-friendly tool such as a security information and event management (SIEM) system.
Prerequisites
Before installing Zeek, you’ll need to ensure that some dependencies are in place.
Required Dependencies
Zeek requires the following libraries and tools to be installed before you begin:
- Libpcap (http://www.tcpdump.org)
- OpenSSL libraries (https://www.openssl.org)
- BIND8 library
- Libz
- Bash (for ZeekControl)
- Python 3.5 or greater (https://www.python.org/)
To build Zeek from source, the following additional dependencies are required:
- CMake 3.5 or greater (https://www.cmake.org)
- Make
- C/C++ compiler with C++17 support (GCC 7+ or Clang 4+)
- SWIG (http://www.swig.org)
- Bison 2.5 or greater (https://www.gnu.org/software/bison/)
- Flex (lexical analyzer generator) (https://github.com/westes/flex)
- Libpcap headers (http://www.tcpdump.org)
- OpenSSL headers (http://www.openssl.org)
- zlib headers (https://zlib.net/)
- Python 3.5 or greater (https://www.python.org/)
Optional Dependencies
Zeek can make use of some optional libraries and tools if they are found at build time:
- libmaxminddb (for geolocating IP addresses)
- sendmail (enables Zeek and ZeekControl to send mail)
- curl (used by a Zeek script that implements active HTTP)
- gperftools (tcmalloc is used to improve memory and CPU usage)
- jemalloc (https://github.com/jemalloc/jemalloc)
- PF_RING (Linux only, see PF_RING Cluster Configuration)
- krb5 libraries and headers
- ipsumdump (for trace-summary; https://github.com/kohler/ipsumdump)
Installing Zeek (Ubuntu 18.04 binary package)
The commands below install the build dependencies and then Zeek itself from the project's openSUSE Build Service (OBS) repository. After "sudo su" the shell is already root, so the "sudo" prefixes are redundant but harmless. The prerequisites above require Python 3, so the Python development package is python3-dev; on Ubuntu 18.04 "python-dev" is the Python 2 package.
# sudo su
# sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev
# sudo sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list"
# wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O Release.key
# sudo apt-key add - < Release.key
# sudo apt-get update
# sudo apt-get install zeek-lts
# /opt/zeek/bin/zeek -h
Caveats: apt-key is deprecated on newer Debian and Ubuntu releases; there, store the key under /etc/apt/keyrings and reference it from the repository line with a signed-by= option instead. Before trusting the key, compare its fingerprint (gpg --show-keys Release.key, GnuPG 2.2+) against a fingerprint obtained out of band from the Zeek project, since a repository key grants the publisher the ability to install arbitrary packages as root. The package installs under /opt/zeek, which is why the final command uses the full path; add /opt/zeek/bin to PATH if you want to run zeek and zeekctl by name.
Installing from Source
The typical way to build and install from source is shown below (for more options, run ./configure --help). The configure step must be run inside the cloned tree, and --recursive is required because Zeek pulls in several git submodules. The default install prefix is /usr/local/zeek, so "make install" normally needs root; pass --prefix=DIR to ./configure to install elsewhere.
git clone --recursive https://github.com/zeek/zeek
cd zeek
./configure
make
sudo make install
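Before running ./configure, the required-dependency list and the minimum versions it states (CMake 3.5, a C++17 compiler such as GCC 7, Bison 2.5, Python 3.5) can be checked mechanically rather than by waiting for the configure step to fail. The script below is an added example for this page, not part of the Zeek project or its build system. It assumes a GCC toolchain (gcc, g++ and a cc driver on PATH), the usual Linux binary names, and that the -dev packages for libpcap, OpenSSL and zlib place their headers where the C preprocessor can find them; the --check flag and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not Zeek project code): pre-flight check of the build
# dependencies listed above, run before ./configure.  Minimum versions are
# the ones stated in the prerequisites section; tool names assume Linux.

# Pull the first dotted numeric token out of a tool's version banner,
# e.g. "cmake version 3.16.3" -> "3.16.3", "flex 2.6.4" -> "2.6.4".
# Works on multi-line banners (swig -version starts with a blank line).
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9.]*' | head -n 1
}

# version_ge HAVE NEED: succeed if dotted version HAVE >= NEED.
# Compares up to three numeric components; missing ones count as 0 and
# anything after the numeric part (e.g. "-1ubuntu1") is ignored.
version_ge() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    need=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    set -- $(printf '%s' "$have" | tr '.' ' ')
    h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $(printf '%s' "$need" | tr '.' ' ')
    n1=${1:-0}; n2=${2:-0}; n3=${3:-0}
    [ "$h1" -gt "$n1" ] && return 0
    [ "$h1" -lt "$n1" ] && return 1
    [ "$h2" -gt "$n2" ] && return 0
    [ "$h2" -lt "$n2" ] && return 1
    [ "$h3" -ge "$n3" ]
}

# check_tool NAME MIN_VERSION VERSION_COMMAND...: print OK / TOO OLD /
# MISSING for one tool; fails unless the tool is present and new enough.
check_tool() {
    name=$1; min=$2; shift 2
    if ! command -v "$name" >/dev/null 2>&1; then
        printf 'MISSING  %-8s (need >= %s)\n' "$name" "$min"
        return 1
    fi
    banner=$("$@" 2>&1)
    ver=$(extract_version "$banner")
    if version_ge "$ver" "$min"; then
        printf 'OK       %-8s %s\n' "$name" "$ver"
    else
        printf 'TOO OLD  %-8s %s (need >= %s)\n' "$name" "$ver" "$min"
        return 1
    fi
}

# check_header FILE: succeed if the C preprocessor can locate a header,
# i.e. the -dev/-devel package that ships it is installed.
check_header() {
    if printf '#include <%s>\nint main(void){return 0;}\n' "$1" \
            | ${CC:-cc} -E -x c - >/dev/null 2>&1; then
        printf 'OK       header   %s\n' "$1"
    else
        printf 'MISSING  header   %s\n' "$1"
        return 1
    fi
}

# Run every check and report an overall status (0 = ready to configure).
check_all() {
    rc=0
    check_tool cmake   3.5 cmake --version    || rc=1
    check_tool gcc     7   gcc -dumpversion   || rc=1   # GCC 7+ for C++17
    check_tool g++     7   g++ -dumpversion   || rc=1
    check_tool make    0   make --version     || rc=1
    check_tool bison   2.5 bison --version    || rc=1
    check_tool flex    0   flex --version     || rc=1
    check_tool swig    0   swig -version      || rc=1
    check_tool python3 3.5 python3 --version  || rc=1
    check_header pcap/pcap.h                  || rc=1   # libpcap-dev
    check_header openssl/ssl.h                || rc=1   # libssl-dev
    check_header zlib.h                       || rc=1   # zlib1g-dev
    return $rc
}

# Only run the checks when invoked with --check, so the functions can be
# sourced from other scripts without side effects.
if [ "${1:-}" = "--check" ]; then
    check_all
    exit $?
fi
```

Run it as "sh zeek_preflight.sh --check" on the build host; each MISSING or TOO OLD line names the package to install before ./configure, and the exit status is non-zero until everything passes. If you build with Clang instead of GCC, replace the gcc and g++ lines with clang and clang++ at minimum version 4, as the prerequisites allow.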