Zeekurity Zen – Part I: How to Install Zeek (Bro) on CentOS 7

This is part of a larger series on building a Zeek (Bro) network sensor.

Overview

Zeek (formerly named Bro) is my favorite security monitoring platform, and I’ve used and promoted it throughout my career.  It generates rich network metadata that’s incredibly valuable for incident response, forensics, and general troubleshooting.

Perhaps the main challenge with using Zeek is actually setting it up.  While Corelight exists today (an easy-to-use Zeek appliance with enterprise support), not everyone has the budget for something like this.  This series will walk through Zeek setup, integration with Splunk, and various tips and tricks I’ve learned over the years.

In Part I, we’ll walk through the following steps:

  1. Disable NetworkManager and use the legacy “network” service instead, so that it does not override the sniffing interface settings below.
  2. Disable NIC offloading functions so Zeek sees frames as they were on the wire and packet loss is minimized.
  3. Enable the “network” service to apply the network sniffing optimizations.
  4. Set the sniffing interfaces to promiscuous mode so all packets are captured and analyzed.
  5. Install libmaxminddb to enable IP geolocation in Zeek’s logs.
  6. Build Zeek from source with jemalloc.
  7. Create a non-root zeek user to minimize the impact if Zeek is compromised.
  8. Deploy and run Zeek to start analyzing traffic.
  9. Create a cron job to perform Zeek maintenance tasks.

Disable the NetworkManager service

  1. Stop and disable the NetworkManager service.
    sudo systemctl stop NetworkManager
    sudo systemctl disable NetworkManager
    Removed symlink /etc/systemd/system/multi-user.target.wants/NetworkManager.service.
    Removed symlink /etc/systemd/system/dbus-org.freedesktop.NetworkManager.service.
    Removed symlink /etc/systemd/system/dbus-org.freedesktop.nm-dispatcher.service.
    Removed symlink /etc/systemd/system/network-online.target.wants/NetworkManager-wait-online.service.
    
  2. Verify that NetworkManager has been disabled.
    sudo systemctl list-unit-files | grep NetworkManager
    NetworkManager-dispatcher.service             disabled
    NetworkManager-wait-online.service            disabled
    NetworkManager.service                        disabled

Disable NIC offloading functions

  1. Use ethtool to determine the maximum ring parameters for your sniffing interfaces.  The example below assumes an interface named enp2s0.
    sudo ethtool -g enp2s0
    Ring parameters for enp2s0:
    Pre-set maximums:
    RX:             4096
    RX Mini:        0
    RX Jumbo:       0
    TX:             4096
    Current hardware settings:
    RX:             256
    RX Mini:        0
    RX Jumbo:       0
    TX:             256
  2. As root/sudo, edit /etc/sysconfig/network-scripts/ifcfg-<sniffinginterface> for each sniffing interface and change or add the following lines.  In order, they take the interface away from NetworkManager, disable DHCP (a sniffing interface should carry no IP address, so do not add an IPADDR line), bring the interface up at boot, skip IPv6 initialization, and pass options to ethtool: the network service runs ethtool once for each semicolon-separated item when it brings the interface up.  The -G item raises the receive ring to the maximum found in step 1 so bursts are buffered rather than dropped; the -K items turn off checksum, segmentation and receive offloading so the kernel hands Zeek the frames as they arrived on the wire instead of coalesced or not-yet-checksummed segments.  Replace the rx value with the maximum ring parameter from step 1.
    NM_CONTROLLED=no
    BOOTPROTO=none
    ONBOOT=yes
    IPV6INIT=no
    ETHTOOL_OPTS="-G ${DEVICE} rx <max ring parameter determined from step 1 above>; -K ${DEVICE} rx off; -K ${DEVICE} tx off; -K ${DEVICE} sg off; -K ${DEVICE} tso off; -K ${DEVICE} ufo off; -K ${DEVICE} gso off; -K ${DEVICE} gro off; -K ${DEVICE} lro off"
  3. Your file should now look something like this.
    TYPE=Ethernet
    BOOTPROTO=none
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=no
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_PEERDNS=yes
    IPV6_PEERROUTES=yes
    IPV6_FAILURE_FATAL=no
    NAME=enp2s0
    UUID=b22f5d92-3f1e-430b-b660-cb9376d8c0c0
    DEVICE=enp2s0
    ONBOOT=yes
    PEERDNS=yes
    PEERROUTES=yes
    USERS=root
    NM_CONTROLLED=no
    ETHTOOL_OPTS="-G ${DEVICE} rx 4096; -K ${DEVICE} rx off; -K ${DEVICE} tx off; -K ${DEVICE} sg off; -K ${DEVICE} tso off; -K ${DEVICE} ufo off; -K ${DEVICE} gso off; -K ${DEVICE} gro off; -K ${DEVICE} lro off"

Enable “network” service

  1. NetworkManager was managing /etc/resolv.conf; now that it is disabled, add your DNS server(s) to /etc/resolv.conf by hand as root/sudo and save the file.
    nameserver aaa.bbb.ccc.ddd
    nameserver www.xxx.yyy.zzz
  2. Still as root/sudo, enable the “network” service.
    sudo systemctl enable network
  3. Finally, restart the “network” service.
    sudo systemctl restart network

Set sniffing network interfaces to promiscuous mode

  1. As root/sudo, create /etc/systemd/system/promisc.service in your favorite text editor.
  2. Add the following lines, assuming enp2s0 is your sniffing interface.
    [Unit]
    Description=Makes an interface run in promiscuous mode at boot
    After=network.target
    
    [Service]
    Type=oneshot
    ExecStart=/usr/sbin/ip link set dev enp2s0 promisc on
    TimeoutStartSec=0
    RemainAfterExit=yes
    
    [Install]
    WantedBy=default.target
  3. Save the file, then start the unit and enable it so it runs on every boot.  Unit files are plain text read by systemd and do not need to be executable, so no chmod is required.
    sudo systemctl start promisc.service
    sudo systemctl enable promisc.service
    Created symlink from /etc/systemd/system/default.target.wants/promisc.service to /etc/systemd/system/promisc.service.
    
  4. Reboot your system and verify that all the changes made so far have persisted: PROMISC should be listed in the interface flags, ethtool -k enp2s0 should report the offloads as off, and ethtool -g enp2s0 should show the current RX ring at the maximum you set.
    ip a show enp2s0 | grep -i promisc
    3: enp2s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
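The following script is an added example for this page (not code from the original post or from Zeek) that checks the result of the ETHTOOL_OPTS line: it parses ethtool -g output to confirm the RX ring is at its pre-set maximum, and ethtool -k output to list any offload feature from that line that is still on.  On a live sensor you would pipe the real ethtool output for your interface into the two functions as shown in the usage comment; the sample_ethtool_k and sample_ethtool_g functions embed constructed ethtool output for enp2s0 (with GRO deliberately left on) so the script runs offline.

```bash
#!/bin/sh
# Added example: verify NIC ring size and offload settings from ethtool output.
# Not from the original post; the sample_* output below is constructed.

# Features the guide's ETHTOOL_OPTS turns off, as `ethtool -k` names them.
OFFLOAD_FEATURES="rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload udp-fragmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload"

# Reads `ethtool -k <iface>` output on stdin. Prints each listed feature that
# is still on. Returns 0 when all of them are off, 1 otherwise.
# Indented sub-features (e.g. tx-checksum-ipv4) are not in the list and are
# ignored; "off [fixed]" parses as off because only the second field is read.
check_offloads() {
    bad=0
    while read -r feature state rest; do
        feature=${feature%:}          # "rx-checksumming:" -> "rx-checksumming"
        case " $OFFLOAD_FEATURES " in
            *" $feature "*)
                if [ "$state" = "on" ]; then
                    echo "STILL ON: $feature"
                    bad=1
                fi ;;
        esac
    done
    return $bad
}

# Reads `ethtool -g <iface>` output on stdin and compares the current RX ring
# size with the pre-set maximum. Returns 0 at maximum, 1 if below it,
# 2 if the output could not be parsed.
check_rx_ring() {
    awk '
        /^Pre-set maximums:/          { section = "max" }
        /^Current hardware settings:/ { section = "cur" }
        /^RX:/ && section == "max"    { max = $2 }
        /^RX:/ && section == "cur"    { cur = $2 }
        END {
            if (max == "" || cur == "") { print "could not parse ring parameters"; exit 2 }
            if (cur + 0 < max + 0) { printf "RX ring %s is below maximum %s\n", cur, max; exit 1 }
            printf "RX ring at maximum (%s)\n", cur
            exit 0
        }'
}

# Constructed `ethtool -k` output; $1 is the state of GRO (default: on).
sample_ethtool_k() {
    printf '%s\n' \
        'Features for enp2s0:' \
        'rx-checksumming: off' \
        'tx-checksumming: off' \
        '    tx-checksum-ipv4: off [fixed]' \
        'scatter-gather: off' \
        'tcp-segmentation-offload: off' \
        'udp-fragmentation-offload: off [fixed]' \
        'generic-segmentation-offload: off' \
        "generic-receive-offload: ${1:-on}" \
        'large-receive-offload: off [fixed]'
}

# Constructed `ethtool -g` output; $1 is the current RX ring size.
sample_ethtool_g() {
    printf '%s\n' \
        'Ring parameters for enp2s0:' \
        'Pre-set maximums:' \
        'RX:             4096' \
        'RX Mini:        0' \
        'RX Jumbo:       0' \
        'TX:             4096' \
        'Current hardware settings:' \
        "RX:             $1" \
        'RX Mini:        0' \
        'RX Jumbo:       0' \
        'TX:             256'
}

# Usage on a live sensor (as root/sudo):
#   ethtool -k enp2s0 | check_offloads && ethtool -g enp2s0 | check_rx_ring
# Offline demonstration with the constructed output (both checks fail here):
sample_ethtool_k | check_offloads || echo "fix the -K items in ETHTOOL_OPTS"
sample_ethtool_g 256 | check_rx_ring || echo "fix the -G item in ETHTOOL_OPTS"
```

Run it after the reboot in step 4; a clean sensor prints nothing from check_offloads and "RX ring at maximum" from check_rx_ring.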

Install Zeek Dependencies

  1. Run the following yum command to install the required build dependencies.
    sudo yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel gperftools jemalloc-devel kernel-devel kernel-headers
  2. Ensure all your packages are up to date and reboot your system.
    sudo yum update
    sudo reboot

Configure GeoIP Support

  1. Install the libmaxminddb development library from the EPEL repo.
    sudo yum --enablerepo=extras install epel-release
    sudo yum install libmaxminddb-devel
  2. Download and untar the GeoLite2 City database.  Note that since December 2019 MaxMind requires a free account and license key to download GeoLite2 databases, so the direct URL below no longer works; if so, download the GeoLite2-City tarball from your MaxMind account and continue from the tar step.
    wget http://geolite.maxmind.com/download/geoip/database/GeoLite2-City.tar.gz
    tar xzvf GeoLite2-City.tar.gz
  3. Move the GeoLite2-City.mmdb file from the extracted GeoLite2-City_YYYYMMDD directory to /usr/share/GeoIP, creating that directory first if it does not exist.
    sudo mkdir -p /usr/share/GeoIP
    sudo mv GeoLite2-City_YYYYMMDD/GeoLite2-City.mmdb /usr/share/GeoIP/GeoLite2-City.mmdb

Create a zeek user to install and run Zeek

  1. Create a zeek group and a zeek user whose primary group is zeek, and set a password for it.
    sudo groupadd zeek
    sudo useradd -g zeek zeek
    sudo passwd zeek
  2. Add the zeek user to the wheel group so it can use sudo for the remaining installation steps.  This is a convenience for the install only: a sudo-capable capture account defeats the purpose of running Zeek as a non-root user, so once Zeek is installed and running, take it back out of wheel (sudo gpasswd -d zeek wheel) and do any further privileged work from your own account.
    sudo usermod -aG wheel zeek
  3. Switch to the zeek user with a login shell, so that the profile changes made later in this guide are picked up.
    sudo su - zeek

Download, Compile, and Install Zeek

  1. We will configure Zeek to install in the /opt/bro directory with jemalloc (for improved performance).

    As of this writing, the latest release is version 2.6.3.  If the download URL referenced in the wget command below no longer works, you can download the latest stable release directly from the Zeek download page.  Whichever way you obtain the tarball, compare it against the checksum or signature published alongside the release before you build it.

    cd
    wget https://www.zeek.org/downloads/bro-2.6.3.tar.gz
    tar -xzvf bro-2.6.3.tar.gz
    cd bro-2.6.3
    ./configure --prefix=/opt/bro --enable-jemalloc
    make
    sudo make install

    Note that this will take a while to compile.  Only the install step needs root; build as the zeek user so the build tree in your home directory stays owned by zeek.

  2. Set the zeek user as owner of the Zeek install directory.
    sudo chown -R zeek:zeek /opt/bro
  3. Give the bro binary the capabilities it needs to open a capture socket as the zeek user.  Do this after the chown above, because changing a file’s owner clears the file capabilities it carries: a setcap run before chown silently disappears, which is the usual reason workers fail to start with “Operation not permitted”.  Only the bro binary needs this; it is the process that opens the interface, and broctl is a Python script, on which file capabilities are not honored anyway.
    sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro
  4. Verify that the capabilities are present.
    getcap /opt/bro/bin/bro
    /opt/bro/bin/bro = cap_net_admin,cap_net_raw+eip
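The capability check below is an added example for this page, not part of Zeek or of the original post.  has_capture_caps parses one line of getcap output and confirms the bro binary holds cap_net_raw and cap_net_admin with both the effective and permitted flags, in either of the two formats getcap uses (the older “path = caps+flags” form on CentOS 7 and the newer “path caps=flags” form); fix_zeek_perms applies the chown-then-setcap order and then runs the check.  fix_zeek_perms needs root and is defined but not called; the getcap lines at the bottom are constructed.

```bash
#!/bin/sh
# Added example: verify file capabilities on the Zeek binary.
# Not from the original post; the getcap lines used below are constructed.

# has_capture_caps LINE
#   LINE is one line of `getcap` output for the bro binary, in either format:
#     /opt/bro/bin/bro = cap_net_admin,cap_net_raw+eip   (libcap 2.2x, CentOS 7)
#     /opt/bro/bin/bro cap_net_admin,cap_net_raw=eip     (newer libcap)
#   Returns 0 if both cap_net_raw and cap_net_admin are present with the
#   effective (e) and permitted (p) flags, 1 otherwise. An empty LINE is what
#   getcap prints for a file with no capabilities, e.g. after a chown.
has_capture_caps() {
    line=$1
    line=${line#* }                # drop the path
    line=${line#= }                # drop "= " (older getcap format)
    [ -n "$line" ] || { echo "no file capabilities" >&2; return 1; }
    # Split "caps+flags" or "caps=flags" at the last separator.
    case $line in
        *+*) flags=${line##*+}; caps=${line%+*} ;;
        *=*) flags=${line##*=}; caps=${line%=*} ;;
        *)   echo "unrecognized getcap output: $line" >&2; return 1 ;;
    esac
    for need in cap_net_raw cap_net_admin; do
        case ",$caps," in
            *",$need,"*) ;;
            *) echo "missing $need" >&2; return 1 ;;
        esac
    done
    case $flags in *e*) ;; *) echo "not in effective set" >&2; return 1 ;; esac
    case $flags in *p*) ;; *) echo "not in permitted set" >&2; return 1 ;; esac
    return 0
}

# fix_zeek_perms: the ordering the guide needs. Must run as root.
#   chown -R clears file capabilities, so setcap has to come after it.
#   Defined for reference; not called in this script.
fix_zeek_perms() {
    chown -R zeek:zeek /opt/bro || return 1
    setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro || return 1
    has_capture_caps "$(getcap /opt/bro/bin/bro)"
}

# Offline demonstration with constructed getcap lines (the last two fail).
for sample in \
    '/opt/bro/bin/bro = cap_net_admin,cap_net_raw+eip' \
    '/opt/bro/bin/bro cap_net_admin,cap_net_raw=eip' \
    '/opt/bro/bin/bro = cap_net_raw+eip' \
    ''
do
    if has_capture_caps "$sample" 2>/dev/null; then
        echo "OK:   ${sample:-<no capabilities>}"
    else
        echo "FAIL: ${sample:-<no capabilities>}"
    fi
done
```

On the sensor, `has_capture_caps "$(getcap /opt/bro/bin/bro)"` is the one-line check to run before broctl deploy, and again whenever you chown or reinstall /opt/bro.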

Add Zeek to PATH

  1. As root/sudo, create /etc/profile.d/zeek.sh and add the following.
    pathmunge /opt/bro/bin
  2. Log out and log back in as the zeek user with a login shell (for example sudo su - zeek), so that /etc/profile, and with it /etc/profile.d/zeek.sh, is sourced and PATH is updated.  A plain su without the dash does not source /etc/profile.

Configure Zeek

  1. Edit /opt/bro/etc/node.cfg to define the cluster nodes.  Leave one or two CPU cores free for the logger, manager, proxy and the operating system, so run at most one or two fewer workers than the total number of cores on your sensor.  In the example configuration below we are configuring a total of two workers analyzing one sniffing interface.  Note that without a load-balancing method (lb_method and lb_procs, which require PF_RING support that this part does not set up), every worker bound to the same interface receives and analyzes the full packet stream, so each connection is logged once per worker; with a single interface and no load balancing, a single worker stanza is the safe choice.
    # Example BroControl node configuration.
    # Below is an example clustered configuration on a single host.
    
    [logger]
    type=logger
    host=localhost
    
    [manager]
    type=manager
    host=localhost
    
    [proxy-1]
    type=proxy
    host=localhost
    
    [worker-1]
    type=worker
    host=localhost
    interface=enp2s0
    
    [worker-2]
    type=worker
    host=localhost
    interface=enp2s0

    In the event you have two or more sniffing interfaces (e.g. enp2s0 and enp3s0), see the example configuration below which assigns each interface its own worker.

    # Example BroControl node configuration.
    # Below is an example clustered configuration on a single host.
    
    [logger]
    type=logger
    host=localhost
    
    [manager]
    type=manager
    host=localhost
    
    [proxy-1]
    type=proxy
    host=localhost
    
    [worker-1]
    type=worker
    host=localhost
    interface=enp2s0
    
    [worker-2]
    type=worker
    host=localhost
    interface=enp3s0
  2. Edit /opt/bro/share/bro/site/local.bro to enable or disable scripts as needed, and add your internal address ranges to /opt/bro/etc/networks.cfg so that Zeek can tell local hosts from remote ones in its logs (the local_orig and local_resp fields in conn.log).
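As an added example (not from the original post or from BroControl), gen_node_cfg below writes a node.cfg in the layout shown above for any number of sniffing interfaces, one worker per interface, and check_node_cfg reads an existing node.cfg and warns when several worker stanzas share an interface without an lb_method, the duplicate-logging situation described above.  The hand-written config it flags at the bottom is constructed.

```bash
#!/bin/sh
# Added example: generate and sanity-check a BroControl node.cfg.
# Not from the original post or from BroControl; the flagged config is constructed.

# gen_node_cfg IFACE [IFACE...]
#   Prints a single-host cluster layout: one logger, one manager, one proxy and
#   one worker per sniffing interface. With no lb_method configured this is
#   the safe layout, because each worker then owns its interface outright.
gen_node_cfg() {
    [ $# -ge 1 ] || { echo "usage: gen_node_cfg IFACE [IFACE...]" >&2; return 1; }
    printf '# BroControl node configuration (generated)\n'
    printf '# Single-host cluster, one worker per sniffing interface.\n\n'
    for node in logger manager; do
        printf '[%s]\ntype=%s\nhost=localhost\n\n' "$node" "$node"
    done
    printf '[proxy-1]\ntype=proxy\nhost=localhost\n\n'
    n=1
    for iface in "$@"; do
        printf '[worker-%d]\ntype=worker\nhost=localhost\ninterface=%s\n\n' "$n" "$iface"
        n=$((n + 1))
    done
}

# check_node_cfg < node.cfg
#   Counts worker stanzas per interface and prints "iface count". Returns 1
#   when an interface is shared by several worker stanzas none of which sets
#   lb_method: those workers would each analyze the full packet stream and
#   log every connection once per worker.
check_node_cfg() {
    awk -F= '
        function end_stanza() {
            if (type == "worker" && iface != "") {
                count[iface]++
                if (lb) balanced[iface] = 1
            }
        }
        /^\[/             { end_stanza(); type = ""; iface = ""; lb = 0; next }
        /^#/ || NF == 0   { next }
        $1 == "type"      { type = $2 }
        $1 == "interface" { iface = $2 }
        $1 == "lb_method" { lb = 1 }
        END {
            end_stanza()
            bad = 0
            for (i in count) {
                printf "%s %d\n", i, count[i]
                if (count[i] > 1 && !(i in balanced)) {
                    printf "WARNING: %d workers on %s without lb_method\n", count[i], i
                    bad = 1
                }
            }
            exit bad
        }'
}

# Usage on the sensor:  gen_node_cfg enp2s0 enp3s0 > /opt/bro/etc/node.cfg
#                       check_node_cfg < /opt/bro/etc/node.cfg
# Offline demonstration: a generated config passes; a constructed one with
# two unbalanced workers on enp2s0 is flagged.
gen_node_cfg enp2s0 enp3s0 | check_node_cfg
printf '%s\n' '[worker-1]' 'type=worker' 'host=localhost' 'interface=enp2s0' '' \
              '[worker-2]' 'type=worker' 'host=localhost' 'interface=enp2s0' \
    | check_node_cfg || echo "fix node.cfg before running broctl deploy"
```

Run check_node_cfg against /opt/bro/etc/node.cfg before every broctl deploy; it is cheap, and a doubled conn.log is easy to miss until the disk fills.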

Start Zeek

  1. As the zeek user, run broctl deploy to apply configurations and run Zeek.
    broctl deploy
    checking configurations ...
    installing ...
    removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/site ...
    removing old policies in /opt/bro/spool/installed-scripts-do-not-touch/auto ...
    creating policy directories ...
    installing site policies ...
    generating cluster-layout.bro ...
    generating local-networks.bro ...
    generating broctl-config.bro ...
    generating broctl-config.sh ...
    stopping ...
    stopping workers ...
    stopping proxy ...
    stopping manager ...
    stopping logger ...
    starting ...
    starting logger ...
    starting manager ...
    starting proxy ...
    starting workers ...
  2. If your output looks similar to what’s shown above, you should be good to go.  To verify Zeek is running successfully, run broctl status.  The worker names in the output below (worker-1-1, worker-1-2 and so on) come from a node.cfg that uses lb_procs; with the node.cfg shown earlier you will see worker-1 and worker-2 instead.
    broctl status
    Name         Type    Host             Status    Pid    Started
    logger       logger  localhost        running   1774   10 Oct 23:15:31
    manager      manager localhost        running   1820   10 Oct 23:15:32
    proxy-1      proxy   localhost        running   1865   10 Oct 23:15:33
    worker-1-1   worker  localhost        running   1950   10 Oct 23:15:35
    worker-1-2   worker  localhost        running   1951   10 Oct 23:15:35
    worker-2-1   worker  localhost        running   1955   10 Oct 23:15:35
    worker-2-2   worker  localhost        running   1954   10 Oct 23:15:35

    If you see the following errors:

    broctl deploy
    Error: worker-1-1 terminated immediately after starting; check output with "diag"
    Error: worker-1-2 terminated immediately after starting; check output with "diag"
    Error: worker-2-1 terminated immediately after starting; check output with "diag"
    Error: worker-2-2 terminated immediately after starting; check output with "diag"

    then the workers could not open the capture interface, and broctl diag will typically show “pcap_error: socket: Operation not permitted (pcap_activate)” in stderr.log.  The usual cause is that the bro binary has lost its file capabilities: chown clears them, so a setcap run before chown -R zeek:zeek /opt/bro does not survive.  Check with getcap, and if it prints nothing for the binary, re-run setcap as root and deploy again.

    getcap /opt/bro/bin/bro
    sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro
  3. You should now see logs being generated in /opt/bro/logs/current.
    ls -l
    total 2276
    -rw-rw-r--. 1 bro bro   1573 Oct 10 23:15 broker.log
    -rw-rw-r--. 1 bro bro    593 Oct 10 23:45 capture_loss.log
    -rw-rw-r--. 1 bro bro   1970 Oct 10 23:15 cluster.log
    -rw-rw-r--. 1 bro bro 673435 Oct 10 23:52 conn.log
    -rw-rw-r--. 1 bro bro 580865 Oct 10 23:52 dns.log
    -rw-rw-r--. 1 bro bro   3830 Oct 10 23:49 dpd.log
    -rw-rw-r--. 1 bro bro   1406 Oct 10 23:47 files.log
    -rw-rw-r--. 1 bro bro  26108 Oct 10 23:48 http.log
    -rw-rw-r--. 1 bro bro  24646 Oct 10 23:15 loaded_scripts.log
    -rw-rw-r--. 1 bro bro    753 Oct 10 23:18 notice.log
    -rw-rw-r--. 1 bro bro    187 Oct 10 23:15 packet_filter.log
    -rw-rw-r--. 1 bro bro    743 Oct 10 23:46 software.log
    -rw-rw-r--. 1 bro bro  86512 Oct 10 23:51 ssl.log
    -rw-rw-r--. 1 bro bro   5446 Oct 10 23:50 stats.log
    -rw-rw-r--. 1 bro bro      0 Oct 10 23:15 stderr.log
    -rw-rw-r--. 1 bro bro    188 Oct 10 23:15 stdout.log
    -rw-rw-r--. 1 bro bro 240866 Oct 10 23:51 weird.log
  4. If you’re running into issues, broctl diag can provide more detailed output for troubleshooting purposes.
    broctl diag

BroControl Cron

BroControl features a cron command that restarts crashed nodes and performs other maintenance tasks.  To take advantage of it, set up a cron job for the zeek user.

  1. As the zeek user, edit its crontab.
    crontab -e
  2. Add the following line to run broctl cron every five minutes.  You can adjust the frequency to your liking.
    */5 * * * * /opt/bro/bin/broctl cron
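An added example, not from the original post or from BroControl: failed_nodes parses broctl status output and reports any node whose Status column is not “running”, and zeek_cron wraps broctl cron with that check so a node that keeps crashing is reported to syslog via logger instead of being quietly restarted every five minutes.  The crontab line would then call zeek_cron (from a script holding these functions) instead of broctl cron directly.  zeek_cron needs a real install and is defined but not called; the sample_status output is constructed, with one crashed worker.

```bash
#!/bin/sh
# Added example: a cron-friendly health check built on `broctl status`.
# Not from the original post or from BroControl; sample_status is constructed.

BROCTL=${BROCTL:-/opt/bro/bin/broctl}   # install prefix from the guide

# failed_nodes < status-output
#   Reads `broctl status` output on stdin (a column header, then one node per
#   line: Name Type Host Status Pid Started) and prints "name status" for
#   every node whose Status column is not "running". Returns 1 if any were
#   found, 0 if every node is running.
failed_nodes() {
    awk 'NR == 1 { next }                                   # skip the column header
         NF >= 4 && $4 != "running" { print $1, $4; bad = 1 }
         END { exit bad }'
}

# zeek_cron: what the crontab line would call instead of broctl cron alone.
#   Runs the regular maintenance, then reports any node that is still not
#   running to syslog. Defined for reference; needs a real install.
zeek_cron() {
    "$BROCTL" cron
    "$BROCTL" status | failed_nodes | while read -r node state; do
        logger -t zeek-cron "node $node is $state"
    done
}

# Constructed `broctl status` output with one crashed worker.
sample_status() {
    printf '%s\n' \
        'Name         Type    Host             Status    Pid    Started' \
        'logger       logger  localhost        running   1774   10 Oct 23:15:31' \
        'manager      manager localhost        running   1820   10 Oct 23:15:32' \
        'proxy-1      proxy   localhost        running   1865   10 Oct 23:15:33' \
        'worker-1     worker  localhost        running   1950   10 Oct 23:15:35' \
        'worker-2     worker  localhost        crashed'
}

# Offline demonstration: prints "worker-2 crashed" and the warning below.
sample_status | failed_nodes || echo "one or more nodes need attention"
```

To use it, put the functions in a script such as /opt/bro/bin/zeek-cron.sh that ends with a call to zeek_cron, and point the crontab entry at that script; broctl cron still does the restarting, the wrapper only makes the failure visible in the system log.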

Up Next

In Part II of this series, we will walkthrough how to send Zeek logs to Splunk and take advantage of the Corelight For Splunk app.

References

Adding a path in CentOS: https://serverfault.com/questions/102932/adding-a-directory-to-path-in-centos
Zeek official documentation: https://www.zeek.org/documentation/index.html
Disabling NetworkManager: https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-networkmanager
NIC offloading: https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html


6 thoughts on “Zeekurity Zen – Part I: How to Install Zeek (Bro) on CentOS 7”

  • Eric,
    I have this issue too;
    ==== stderr.log
    fatal error: problem with interface (pcap_error: socket: Operation not permitted (pcap_activate))

    I know it has something to do with the bro user privileges, but I cannot figure out other than the step:
    sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro
    sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/broctl

    but that does not seem to do the trick.
    running as root, it works.
    any suggestions?

    thnx

    • Hi Boudy — Yep, those commands are what should take care of it. I remember having similar issues and I believe some combination of running those two commands again and restarting resolved it. I know, seems silly. Also make sure that the bro user is the owner of the /opt/bro directory, which is the next step in the guide.

      • Eric, You’re a life saver.

        I executed both again as bro user, did the broctl deploy and without errors !!!! this time.
        Woohoo!

        thnx,

        Boudy

  • Disable the NetworkManager service and enable the “network” service
    1. Stop and disable the NetworkManager service.
    2. Verify that NetworkManager has been disabled.
    — I get this in reply:
    $ sudo systemctl list-unit-files | grep NetworkManager
    NetworkManager-dispatcher.service disabled
    NetworkManager-wait-online.service disabled <<< you show "enabled" for this.
    NetworkManager.service disabled

    You say … '…enable the “network” service' but there are no instructions about that.

    ———

    I went through the installation procedure and get this error:

    ==== stderr.log
    fatal error: problem with interface eno1 (pcap_error: socket: Operation not permitted (pcap_activate))

    What am I missing here?

    Thanks in advance.
