Zeekurity Zen – Part I: How to Install Zeek on CentOS 8

Zeekurity Zen – Part I: How to Install Zeek on CentOS 8

This is part of the Zeekurity Zen Zeries on building a Zeek (formerly Bro) network sensor.

Overview

This guide assumes you’ll be installing Zeek on CentOS 8, given how popular CentOS tends to be in the enterprise.  However, the guide should work for any RHEL-based flavors of Linux.  For Debian-based systems, there will be some modifications required, including using apt-get vs yum for installing Linux packages.  Nothing that a search couldn’t help you figure out. 😉

Kicking things off, we’ll optimize CentOS to efficiently capture packets and then compile Zeek from source to start monitoring network traffic.

To do this, we’ll walkthrough these steps:

  1. Enable the “network” service to apply network sniffing optimizations, including disabling NIC offloading functions to ensure Zeek sees full packet data and minimizes packet loss.
  2. Setting interfaces to promiscuous mode to ensure all packets are captured and analyzed.
  3. Install libmaxminddb to enable IP geolocation capability.
  4. Build Zeek from source with optimizations.
  5. Create a non-root Zeek user to minimize impact in the event that Zeek is compromised.
  6. Deploy and run Zeek to start analyzing traffic.
  7. Create a cron job to perform Zeek maintenance tasks.

Enable “network” service and disable NIC offloading functions

  1. Install the network-scripts package.
    sudo yum install network-scripts
  2. Use ethtool to determine the maximum ring parameters for your sniffing interfaces.  The example below assumes an interface named enp2s0.
    sudo ethtool -g enp2s0
    Ring parameters for enp2s0:
    Pre-set maximums:
    RX:             4096
    RX Mini:        0
    RX Jumbo:       0
    TX:             4096
    Current hardware settings:
    RX:             256
    RX Mini:        0
    RX Jumbo:       0
    TX:             256
  3. As root/sudo, edit the /etc/sysconfig/network-scripts/ifcfg-<sniffinginterface> file for each sniffing network interface and change or add the following lines. Respectively, each line will disable control from NetworkManager, disable DHCP, and add appropriate ethtool options. Note that after “rx” you want to enter the maximum ring parameter as determined in the step above.
    NM_CONTROLLED=no
    BOOTPROTO=none
    ONBOOT=yes
    IPV6INIT=no
    ETHTOOL_OPTS="-G ${DEVICE} rx <max ring parameter determined from step 1 above>; -K ${DEVICE} rx off; -K ${DEVICE} tx off; -K ${DEVICE} sg off; -K ${DEVICE} tso off; -K ${DEVICE} ufo off; -K ${DEVICE} gso off; -K ${DEVICE} gro off; -K ${DEVICE} lro off"
  4. Your file should now look something like this.
    TYPE=Ethernet
    BOOTPROTO=none
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=no
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_PEERDNS=yes
    IPV6_PEERROUTES=yes
    IPV6_FAILURE_FATAL=no
    NAME=enp2s0
    UUID=b22f5d92-3f1e-430b-b660-cb9376d8c0c0
    DEVICE=enp2s0
    ONBOOT=yes
    PEERDNS=yes
    PEERROUTES=yes
    USERS=root
    NM_CONTROLLED=no
    ETHTOOL_OPTS="-G ${DEVICE} rx 4096; -K ${DEVICE} rx off; -K ${DEVICE} tx off; -K ${DEVICE} sg off; -K ${DEVICE} tso off; -K ${DEVICE} ufo off; -K ${DEVICE} gso off; -K ${DEVICE} gro off; -K ${DEVICE} lro off"
  5. Still as root/sudo, enable the “network” service.
    sudo systemctl enable network
  6. Finally, restart the “network” service.
    sudo systemctl restart network

Set sniffing network interfaces to promiscuous mode

  1. As root/sudo, create /etc/systemd/system/promisc.service in your favorite text editor.
  2. Add the following lines, assuming enp2s0 is your sniffing interface.
    [Unit]
    Description=Makes an interface run in promiscuous mode at boot
    After=network.target
    
    [Service]
    Type=oneshot
    ExecStart=/usr/sbin/ip link set dev enp2s0 promisc on
    TimeoutStartSec=0
    RemainAfterExit=yes
    
    [Install]
    WantedBy=default.target
  3. Save the file and run the following commands to make the changes permanent and start on boot.
    sudo chmod u+x /etc/systemd/system/promisc.service
    sudo systemctl start promisc.service
    sudo systemctl enable promisc.service
    Created symlink from /etc/systemd/system/default.target.wants/promisc.service to /etc/systemd/system/promisc.service.
  4. Reboot your system and verify all the changes made thus far have persisted. Verify that PROMISC is listed in the network interface status.
    ip a show enp2s0 | grep -i promisc
    3: enp2s0: < BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP > mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

Install Zeek Dependencies

  1. As root/sudo, edit /etc/yum.repos.d/CentOS-PowerTools.repo and set the “enabled” field to 1, to add the PowerTools repository. Your file should look something like this.
    # CentOS-PowerTools.repo
    #
    # The mirror system uses the connecting IP address of the client and the
    # update status of each mirror to pick mirrors that are updated to and
    # geographically close to the client.  You should use this for CentOS updates
    # unless you are manually picking other mirrors.
    #
    # If the mirrorlist= does not work for you, as a fall back you can try the
    # remarked out baseurl= line instead.
    #
    #
    
    [PowerTools]
    name=CentOS-$releasever - PowerTools
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=PowerTools&infra=$infra
    #baseurl=http://mirror.centos.org/$contentdir/$releasever/PowerTools/$basearch/os/
    gpgcheck=1
    enabled=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
  2. Add the EPEL repo.
    sudo yum --enablerepo=extras install epel-release
  3. Run the following yum command to download the required dependencies.
    sudo yum install cmake make gcc gcc-c++ flex bison jemalloc-devel libpcap-devel openssl-devel python3 python3-devel swig zlib-devel
  4. Ensure all your packages are up to date and reboot your system.
    sudo yum update
    sudo reboot

Configure GeoIP Support

  1. Install the libmaxminddb development library.
    sudo yum install libmaxminddb-devel
  2. Sign up for a free Maxmind account.  This is required as of December 2019.
  3. Download and untar the GeoLite2 database.
    tar xzvf GeoLite2-City.tar.gz
  4. Move the GeoLite2-City.mmdb file in the extracted GeoLite2-City_YYYYMMDD directory to /usr/share/GeoIP.
    sudo mv GeoLite2-City_YYYYMMDD/GeoLite2-City.mmdb /usr/share/GeoIP/GeoLite2-City.mmdb

Create the zeek user and directory to install and run Zeek

  1. Create the zeek user and add it to the zeek group.
    sudo groupadd zeek
    sudo useradd zeek -g zeek
  2. As root/sudo, set a password for the zeek user.
    sudo passwd zeek
  3. As root/sudo, create the /opt/zeek directory and set ownership to the zeek user.
    sudo mkdir /opt/zeek
    sudo chown -R zeek:zeek /opt/zeek
    sudo chmod 750 /opt/zeek

Download, Compile, and Install Zeek

  1. Switch to the zeek user.
    su zeek
  2. We will download zeek to the /home/zeek directory. Then we will configure Zeek to install in the /opt/zeek directory and enable jemalloc to improve memory and CPU usage.  As of this writing, the latest feature release is version 4.0.1.  If the download URL referenced in the wget command below no longer works, you can download the latest stable release directly from the Get Zeek download page.
    cd
    wget https://download.zeek.org/zeek-4.0.1.tar.gz
    tar -xzvf zeek-4.0.1.tar.gz
    cd zeek-4.0.1
    ./configure --prefix=/opt/zeek --enable-jemalloc
    make
    make install

    Note: This will take *a while* to compile.

  3. Switch back to your normal user by closing the zeek session.
    exit
  4. Since the zeek user is not root, give the Zeek binaries permissions to capture packets.
    sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
    sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats

Add Zeek to PATH

  1. As root/sudo, create /etc/profile.d/zeek.sh and add the following.
    pathmunge /opt/zeek/bin
  2. Log out and log back in as the zeek user to update the PATH.

Configure Zeek

  1. Edit /opt/zeek/etc/node.cfg to configure the number of nodes.  It is recommended to use a maximum of one or two less workers than the total number of CPU cores available on your sensor.  In the example configuration below we are configuring a total of two workers, analyzing one sniffing interface.
    # Example ZeekControl node configuration.
    # Below is an example clustered configuration on a single host.
    
    [logger]
    type=logger
    host=localhost
    
    [manager]
    type=manager
    host=localhost
    
    [proxy-1]
    type=proxy
    host=localhost
    
    [worker-1]
    type=worker
    host=localhost
    interface=enp2s0
    
    [worker-2]
    type=worker
    host=localhost
    interface=enp2s0

    In the event you have two or more sniffing interfaces (e.g. enp2s0 and enp3s0), see the example configuration below which assigns each interface its own worker.

    # Example ZeekControl node configuration.
    # Below is an example clustered configuration on a single host.
    
    [logger]
    type=logger
    host=localhost
    
    [manager]
    type=manager
    host=localhost
    
    [proxy-1]
    type=proxy
    host=localhost
    
    [worker-1]
    type=worker
    host=localhost
    interface=enp2s0
    
    [worker-2]
    type=worker
    host=localhost
    interface=enp3s0
  2. Edit /opt/zeek/share/zeek/site/local.zeek to enable or disable scripts as needed.

Start Zeek

  1. As the zeek user, run zeekctl deploy to apply configurations and run Zeek.
    zeekctl deploy
    checking configurations ...
    installing ...
    removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/site ...
    removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/auto ...
    creating policy directories ...
    installing site policies ...
    generating cluster-layout.zeek ...
    generating local-networks.zeek ...
    generating zeekctl-config.zeek ...
    generating zeekctl-config.sh ...
    stopping ...
    stopping workers ...
    stopping proxy ...
    stopping manager ...
    stopping logger ...
    starting ...
    starting logger ...
    starting manager ...
    starting proxy ...
    starting workers ...
  2. If your output looks similar to what’s shown above, you should be good to go. To verify Zeek is running successfully, you can run zeekctl status.
    zeekctl status
    Name         Type    Host             Status    Pid    Started
    logger       logger  localhost        running   1774   10 Oct 23:15:31
    manager      manager localhost        running   1820   10 Oct 23:15:32
    proxy-1      proxy   localhost        running   1865   10 Oct 23:15:33
    worker-1-1   worker  localhost        running   1950   10 Oct 23:15:35
    worker-1-2   worker  localhost        running   1951   10 Oct 23:15:35
    worker-2-1   worker  localhost        running   1955   10 Oct 23:15:35
    worker-2-2   worker  localhost        running   1954   10 Oct 23:15:35

    If you see the following errors:

    zeekctl deploy
    Error: worker-1-1 terminated immediately after starting; check output with "diag"
    Error: worker-1-2 terminated immediately after starting; check output with "diag"
    Error: worker-2-1 terminated immediately after starting; check output with "diag"
    Error: worker-2-2 terminated immediately after starting; check output with "diag"

    Then try re-running the sudo setcap commands from earlier.

    sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
    sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats
  3. You should now see logs being generated in /opt/zeek/logs/current.
    ls -l
    total 2276
    -rw-rw-r--. 1 zeek zeek   1573 Oct 10 23:15 broker.log
    -rw-rw-r--. 1 zeek zeek    593 Oct 10 23:45 capture_loss.log
    -rw-rw-r--. 1 zeek zeek   1970 Oct 10 23:15 cluster.log
    -rw-rw-r--. 1 zeek zeek 673435 Oct 10 23:52 conn.log
    -rw-rw-r--. 1 zeek zeek 580865 Oct 10 23:52 dns.log
    -rw-rw-r--. 1 zeek zeek   3830 Oct 10 23:49 dpd.log
    -rw-rw-r--. 1 zeek zeek   1406 Oct 10 23:47 files.log
    -rw-rw-r--. 1 zeek zeek  26108 Oct 10 23:48 http.log
    -rw-rw-r--. 1 zeek zeek  24646 Oct 10 23:15 loaded_scripts.log
    -rw-rw-r--. 1 zeek zeek    753 Oct 10 23:18 notice.log
    -rw-rw-r--. 1 zeek zeek    187 Oct 10 23:15 packet_filter.log
    -rw-rw-r--. 1 zeek zeek    743 Oct 10 23:46 software.log
    -rw-rw-r--. 1 zeek zeek  86512 Oct 10 23:51 ssl.log
    -rw-rw-r--. 1 zeek zeek   5446 Oct 10 23:50 stats.log
    -rw-rw-r--. 1 zeek zeek      0 Oct 10 23:15 stderr.log
    -rw-rw-r--. 1 zeek zeek    188 Oct 10 23:15 stdout.log
    -rw-rw-r--. 1 zeek zeek 240866 Oct 10 23:51 weird.log
  4. If you’re running into issues, zeekctl diag can provide more detailed output for troubleshooting purposes.
    zeekctl diag

ZeekControl Cron

ZeekControl features a cron command to check for and restart crashed nodes and to perform other maintenance tasks.  To take advantage of this, let’s set up a cron job.

  1. Edit the crontab of the non-root zeek user.
    crontab -e
  2. Add the following to set up a cron job that runs every five minutes.  You can adjust the frequency to your liking.
    */5 * * * * /opt/zeek/bin/zeekctl cron

Up Next

In Part II of this series, we will install the Zeek Package Manager to extend Zeek’s functionality.

References

Adding a path in CentOS: https://serverfault.com/questions/102932/adding-a-directory-to-path-in-centos
Zeek official documentationhttps://www.zeek.org/documentation/index.html
Disabling NetworkManager: https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-networkmanager
NIC offloadinghttps://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html


Stuff I Like

Web Hosting: SiteGround

ericooi.com is proudly hosted by SiteGround. Performance and customer service are top notch. Quick and easy https implementation via built-in Let's Encrypt integration.


50 thoughts on “Zeekurity Zen – Part I: How to Install Zeek on CentOS 8”

  • Just one comment about installing Network-scripts on CentOS 8. It’ll be deprecated so it’s not a good idea. I actually ran into networking issues with that. There is a better way, I think. Just use the NetworkManager.
    1. Disable offloading using nmcli and the change is permanent. For example:
    # nmcli con modify enp1s0 ethtool.feature-rx off ethtool.feature-tx off

    2. Tunning the ring rx buffer using a dispatcher script. Note: Change 8192 to your own max.
    $ cd /etc/NetworkManager/dispatcher.d/pre-up.d/
    $ sudo vim 01-ring-buffer
    #!/bin/bash

    INF=”$1″ # your current interface name such as eth0 and so on
    STA=”$2″ # status such as UP or DOWN

    # Send message to /var/log/messages
    logger “$0 called for interface named $INF with $STA …”

    if [ “$INF” == “eth0” ]
    then
    start=201
    ethtool -G eth0 rx 8192
    fi

    Disclaimer: I’m a beginner with limited Linux experience. So if you want to use the commands and scripts I put here, please be aware that you use them entirely at your own risk. And I accept no liability for any loss or damage arising from the use of them. You should always test any commands and scripts in a test environments if you don’t know the consequences.

    • Thanks for the tip, Lola. You’re right that it’s effectively deprecated but at the time I wrote the guide I wasn’t sure of an alternative way. Sounds like your suggestion might be a good option. 🙂

  • Thanks for these instructions, always wanted to try out Zeek.
    Sorry for knowing so little, but I do have some questions from very early in the instructions

    1) CentOS 8 is noted to be EOL early this year. I just used the CentOS 8 Stream image, but am rather new to Linux so not sure if this will impact the use of Zeek.
    2) If my motherboard has a wired and WiFi interface, is it OK to use the WiFi on the motherboard for the admin interface? Guessing that I want to use the built in wired network interface for sniffing, and cannot imagine that the admin interface is particularly sensitive to the slower WiFi connection. I also have
    3) maybe related to the first two, but when I try to use ethtool -g in step 2, I get an error: “netlink error:Operation not supported”. Is there something that I need to enable? Or some other way to do this?

    Thank you,
    Monkey

    • Hi Monkey,

      No apologies necessary, we’re all beginners at some point. 🙂

      1. Yes, unfortunately when I first wrote this guide, CentOS 8 had only been recently announced and was presumably going to have the long stable release cycle and support that previous iterations of CentOS had enjoyed. For the purposes of Zeek, you’re probably still fine unless the Zeek developers say otherwise. You could also use an LTS (long term support) release of Ubuntu, the instructions aren’t too different (apt-get vs yum/dnf) and I will likely write a guide for this eventually.

      2. Yes, that is absolutely the way I would do it and you’re exactly right on your reasoning.

      3. Hm, are you running this on the interface you want to use for sniffing? Assuming that’s the wired interface, you should only need to run it on that, not the wireless interface.

      • Thanks for the response and encouragement.

        I am thinking that the ethernet nic on my motherboard must not support the ethtool show-ring.
        I tried the same command on the WiFi interface, and in that case I do get results

        it is a rather old motherboard, ASUS specs the NIC as
        Realtek® 8111E , 1 x Gigabit LAN Controller(s)
        so maybe I just need to get a new NIC anyway.

        • sudo lshw -C network

          *-network
          description: Ethernet interface
          product: RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
          vendor: Realtek Semiconductor Co., Ltd.
          physical id: 0
          bus info: pci@0000:03:00.0
          logical name: enp3s0
          version: 06
          serial: c8:60:00:68:00:c7
          size: 1Gbit/s
          capacity: 1Gbit/s
          width: 64 bits
          clock: 33MHz
          capabilities: pm msi pciexpress msix vpd bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
          configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=4.18.0-259.el8.x86_64 duplex=full firmware=rtl8168e-3_0.0.4 03/27/12 ip=192.168.1.69 latency=0 link=yes multicast=yes port=MII speed=1Gbit/s
          resources: irq:16 ioport:e000(size=256) memory:f0004000-f0004fff memory:f0000000-f0003fff

          • Ah, yeah that might be it. I know there are people using Raspberry Pi’s or Intel NUC systems to do this and that might be a cost effective solution depending on your budget.

  • Hello,
    I’m reinstalling Zeek and was wondering what was the point in step 3 here again where we disable DHCP? Once we set BOOTPROTO=none, save the config and enable/restart network service, I get no IP Address/Network connectivity. Am i seeing something wrong? Are we not supposed to use DHCP or am i supposed to set Static IP? I think before, I just left it as DHCP; would that be okay or is there a specific reason for something to work that we need to disable DHCP?

    Thanks!

    • As noted in the step, “As root/sudo, edit the /etc/sysconfig/network-scripts/ifcfg- file for each sniffing network interface and change or add the following lines.”

      You’re welcome to configure the network interface you’ll be using for administration of the server however works best for your needs.

      Hope that helps!
      Eric

      • Ohh okay, sorry. Yes I was only using a test machine with 1 NIC card and wasn’t thinking of multiple interfaces. For production is it recommended to have a couple sniffing interfaces or would 1 be good enough?
        Thanks!

  • Thank you for the great post Eric. Quick question for you.. Have you tried to install the Kafka plugin using zkg on CentOS8. I completed the installation steps you provided for Zeek. I was trying to add kafka to this but having no luck. I installed librdkafka 1.4.2 successfully. Plugin installation does not work:

    [zeek@zeek ~]$ zkg install apache/metron-bro-plugin-kafka –version master
    The following packages will be INSTALLED:
    zeek/apache/metron-bro-plugin-kafka (master)

    Verify the following REQUIRED external dependencies:
    (Ensure their installation on all relevant systems before proceeding):
    from zeek/apache/metron-bro-plugin-kafka (master):
    librdkafka ~1.4.2-RC1

    Proceed? [Y/n] Y
    zeek/apache/metron-bro-plugin-kafka asks for LIBRDKAFKA_ROOT (Path to librdkafka installation tree) ? [/usr/local/lib]
    Saved answers to config file: /home/zeek/.zkg/config
    Running unit tests for “zeek/apache/metron-bro-plugin-kafka”
    error: failed to run tests for zeek/apache/metron-bro-plugin-kafka: package build_command failed, see log in /home/zeek/.zkg/logs/metron-bro-plugin-kafka-build.log
    Proceed to install anyway? [N/y] N
    Abort.

    • I have not tried to install that plugin. I’d start by looking at the error log suggested in the output you pasted: /home/zeek/.zkg/logs/metron-bro-plugin-kafka-build.log

  • I am not sure if anyone had this issue before so here it is. I followed the steps above on CentOS8 and when I tried to compile the zeek code, I got the following error:
    [zeek@zeek zeek-3.2.1]$ ./configure –prefix=/opt/zeek –enable-jemalloc
    Build Directory : build
    Source Directory: /home/zeek/zeek-3.2.1
    — The C compiler identification is GNU 8.3.1
    — The CXX compiler identification is GNU 8.3.1
    — Check for working C compiler: /usr/bin/cc
    — Check for working C compiler: /usr/bin/cc — works
    — Detecting C compiler ABI info
    — Detecting C compiler ABI info – done
    — Detecting C compile features
    — Detecting C compile features – done
    — Check for working CXX compiler: /usr/bin/c++
    — Check for working CXX compiler: /usr/bin/c++ — works
    — Detecting CXX compiler ABI info
    — Detecting CXX compiler ABI info – done
    — Detecting CXX compile features
    — Detecting CXX compile features – done
    — Performing Test test_arch_x64
    — Performing Test test_arch_x64 – Success
    — Performing Test test_arch_aarch64
    — Performing Test test_arch_aarch64 – Failed
    — Performing Test test_arch_arm
    — Performing Test test_arch_arm – Failed
    — Performing Test test_arch_power
    — Performing Test test_arch_power – Failed
    — Determined target architecture (for hashing): x86_64
    — Found sed: /usr/bin/sed
    — Could NOT find PythonInterp (missing: PYTHON_EXECUTABLE)
    — Found FLEX: /usr/bin/flex (found version “2.6.1”)
    — Found BISON: /usr/bin/bison
    — Found PCAP: /usr/lib64/libpcap.so
    — Performing Test PCAP_LINKS_SOLO
    — Performing Test PCAP_LINKS_SOLO – Success
    — Looking for pcap_get_pfring_id
    — Looking for pcap_get_pfring_id – not found
    — Found OpenSSL: /usr/lib64/libcrypto.so (found version “1.1.1c”)
    — Performing Test ns_initparse_works_none
    — Performing Test ns_initparse_works_none – Failed
    — Performing Test res_mkquery_works_none
    — Performing Test res_mkquery_works_none – Failed
    — Performing Test ns_initparse_works_libresolv.a
    — Performing Test ns_initparse_works_libresolv.a – Failed
    — Performing Test res_mkquery_works_libresolv.a
    — Performing Test res_mkquery_works_libresolv.a – Failed
    — Performing Test ns_initparse_works_resolv
    — Performing Test ns_initparse_works_resolv – Success
    — Performing Test res_mkquery_works_resolv
    — Performing Test res_mkquery_works_resolv – Success
    — Found BIND: /usr/lib64/libresolv.so
    — Found ZLIB: /usr/lib64/libz.so (found version “1.2.11”)
    CMake Error at auxil/binpac/CMakeLists.txt:35 (message):
    Could not find prerequisite package ‘PythonInterp’

    The fix was to install python3-devel: yum install python3-devel

    • Hi Arda,

      The Python3 development package should have been installed when you installed the Zeek dependencies in the “Install Zeek Dependencies” step. Specifically this command:

      sudo yum install cmake make gcc gcc-c++ flex bison jemalloc-devel libpcap-devel openssl-devel platform-python-devel swig zlib-devel

      With the key package being “platform-python-devel.” If for whatever reason that did not install properly for you, then your fix will definitely work, too!

      – Eric

  • Hey Eric sorry, i want to ask,how to send zeek all event to syslog collector? most references refer to graylog, splunk, elk.

  • Hi Eric,
    I tried to follow your guide but on step 2 – Install the network-scripts package, the command “sudo yum install network-scripts” wont work because the network is down from the previous change. Is there something I missed from the steps you listed here?
    Thank you,
    Julian

    • Hi Julian,

      Good catch! This guide was originally written for installation on CentOS 7 and I forgot to remove the section on disabling NetworkManager. For some background, CentOS 8 no longer ships with network-scripts support and requires the use of NetworkManager for network configuration. However, NetworkManager does not provide the level of configuration required to optimize sniffing interfaces for packet capture, hence the need for the now legacy, network-scripts.

      You can however run it such that NetworkManager is used for your management interfaces, and network-scripts are used just for the sniffing interfaces. All that said, you have two choices:
      1. Re-enable NetworkManager.
      2. Edit /etc/sysconfig/network-scripts/ifcfg-management_interface to use either DHCP or static IP.

      For most people, the easier option will be number 1. To start and re-enable NetworkManager, run:

      sudo systemctl start NetworkManager
      sudo systemctl enable NetworkManager

      Apologies for the confusion and hope that helps!

      • Hi Eric,
        I did that and it worked. Thank you for the fast response.
        Another thing you may want to update on the guide is related to python-dev pre-requisite. The option I found available thru yum was python2-devel, which comes from AppStream.repo of CentOS8. I could not find the dev package for Python3 in any repos.
        Thank you,
        Julian

          • Hi Eric,
            I am not sure if this is relevant but the command “zeekctl deploy” didn’t work for me until I installed sendmail package. As soon sendmail server was up, it started without any error. I hope it helps.
            Thank you,
            Julian

      • Thanks for the article, Eric. Very helpful. Question about running NetworkMangaer on the sniffing interface. Are you saying one should run NetworkManger AND networkd at the same time? If so, isn’t this ‘bad’? Or are you saying the the config files in /etc/sysconfig/network-scripts/ifcfg-* should have NM_CONTROLLED = no vs yes? TIA!

        • Hi John,

          I’m saying you should DISABLE “NetworkManager” on the sniffing interfaces and INSTEAD ENABLE the “network” service. This is because NetworkManager doesn’t allow you to specify the configurations we want to optimize traffic capture for Zeek.

          Hope that helps!
          Eric

  • Hi Eric, Thank you for this guide, its very helpful for me. Now if i want to add second sniffing interface, i have to disable NIC Offloading Function and set the second sniffing interfaces to PROMISCUOUS MODE also?
    Thank you.

    • Hi Luqman,

      Glad to hear it’s been helpful for you!

      Yes, for each sniffing interface you want to use, you should apply the same steps under “DISABLE NIC OFFLOADING FUNCTIONS” to optimize the interface for packet capture.

      Hope that helps!

        • Hi Eric,
          May i ask why you use AF_PACKET instead of PF_RING in part 2 of this setup?
          Is there is any advantages of using AF_PACKET over PF_RING for zeek?

          Thank you in advance

          • Hi Luqman,

            Great question! Once upon a time I too used PF_RING. There are two primary reasons for my moving to AF_PACKET:

            * AF_PACKET is already built into the Linux kernel so using and maintaining it is much easier. In my experience, compiling and installing PF_RING is non-trivial, in particular updating it whenever a new version of the PF_RING package is released.

            * AF_PACKET has been shown to effectively capture packets at high speeds on modern Linux kernels. It has been recommended on the Zeek mailing list (including by the team at Mozilla that has tuned AF_PACKET to capture up to 20Gbps) and is used by notable NSM distributions such as RockNSM and Security Onion.

            You’re certainly welcome to still use PF_RING if you find it works better for you. I’ve only used the open source PF_RING packages, not the paid-for licensed versions so I can’t speak to how well those work. For experienced Linux users, PF_RING is _not too difficult_ to maintain, and it will definitely improve packet capture performance over using absolutely no optimization.

            Hope that helps!

            • Hi Eric, we want to span a 100Gbps link.So the best option would be to have a multiple physical server zeek setup? I couldn’t find the maximum Gbps af_packet can handle btw.
              Do you know if it’s possible to capture 100Gbps on a single Nic ?
              thx

              • So it is possible to capture 100 Gbps on a single NIC with the right hardware, but I don’t think most people do this. Personally, I would look into a packet broker like Gigamon to split up the 100 Gbps traffic or even filter out the traffic you don’t care about and then send this copy to Zeek. It’ll reduce noise and let you use a more reasonable server to monitor your traffic.

                As for what kind of Zeek server setup you’d want to monitor this, it depends on how much traffic is coming in. If you’re sending a full 100 Gbps with no filtering, then you’ll likely want multiple physical servers to handle the load. But again, I’d first try to cut down on traffic at the network level and send only what you really care about first. This will make sizing Zeek a lot easier.

            • And what does it actually mean what you said “…has tuned AF_PACKET to capture up to 20Gbps”?
              Do you mean AF_PACKET can’t capture total amount of 20Gbps and distribute it to different CPU cores? I guess this is the Linux kernel limit, right? So for snifferring a 100Gbps interface(Let’s assume the peak usage is 100Gbps), we should go for the cluster reference architecture showed here https://docs.zeek.org/en/current/cluster/index.html? I’d really like to know what the limitation of doing everything on only one server is and when to use a multi-nodes cluster. And it’d be great to find some real world use cases of it, one server and multiple servers deployment.

              • Sorry! “Do you mean AF_PACKET can’t capture total amount of 20Gbps and distribute it to different CPU cores?”
                should be “Do you mean AF_PACKET can capture total amount of 20Gbps maximum and distribute it to different CPU cores?”

  • Eric,
    I have this issue too;
    ==== stderr.log
    fatal error: problem with interface (pcap_error: socket: Operation not permitted (pcap_activate))

    I know it has something to do with the bro user privileges, but I cannot figure out other then the step:
    sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro
    sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/broctl

    but that does not seem to do the trick.
    running as root, it works.
    any suggestions?

    thnx

    • Hi Boudy — Yep, those commands are what should take care of it. I remember having similar issues and I believe some combination of running those two commands again and restarting resolved it. I know, seems silly. Also make sure that the bro user is the owner of the /opt/bro directory, which is the next step in the guide.

      • Eric, You’re a life saver.

        I executed both again as bro user, did the broctl deploy and without errors !!!! this time.
        Woohoo!

        thnx,

        Boudy

        • I had to leave a comment here, just to say thanks. I’ve been banging my head against the wall for the last two days trying to find a solution for the same Operation not permitted error Boudy mentioned. Some serious Googling brought me here after also having watched a PluralSignt course video, and I found these setcap commands.

          My remaining hair on my head thanks you, Eric.

      • Hi Eric
        I have something wrong , when after deploy zeek cluster. worker-2 did not run zeek script but only copyed those script from manage. why and how could i fixed it?

        • Hi Fang,

          Not sure I understand the issue. I suggest double checking your /opt/zeek/etc/node.cfg and making sure worker-2 is set to type=worker and not type=manager.

          Hope that helps!
          Eric

  • Disable the NetworkManager service and enable the “network” service
    1. Stop and disable the NetworkManager service.
    2. Verify that NetworkManager has been disabled.
    — I get this in reply:
    $ sudo systemctl list-unit-files | grep NetworkManager
    NetworkManager-dispatcher.service disabled
    NetworkManager-wait-online.service disabled <<< you show "enabled" for this.
    NetworkManager.service disabled

    You say … '…enable the “network” service' but there are no instructions about that.

    ———

    I went through the installation procedure and get this error:

    ==== stderr.log
    fatal error: problem with interface eno1 (pcap_error: socket: Operation not permitted (pcap_activate))

    What am I missing here?

    Thanks in advance.

    • Good catch, Dean — you’re absolutely right! I’ve added the missing steps. Please let me know if you continue to run into issues.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.