Zeekurity Zen – Part I: How to Install Zeek on Ubuntu

Zeekurity Zen – Part I: How to Install Zeek on Ubuntu

This is part of the Zeekurity Zen Zeries on building a Zeek (formerly Bro) network sensor.

Overview

This guide assumes you’ll be installing Zeek on Ubuntu 22.04 LTS.  However, the guide should work for any reasonably recent versions of Ubuntu.

Kicking things off, we’ll optimize Ubuntu to efficiently capture packets and then compile Zeek from source to start monitoring network traffic.

To do this, we’ll walkthrough these steps:

  1. Minimize packet loss and ensure Zeek sees full packet data by applying network sniffing optimizations: settings max ring parameters, disabling NIC offloading, and enabling promiscuous mode.
  2. Build Zeek from source with optimizations.
  3. Create a non-root Zeek user to minimize impact in the event that Zeek is compromised.
  4. Deploy and run Zeek to start analyzing traffic.
  5. Create a cron job to perform Zeek maintenance tasks.

Set max ring parameters

  1. Use ethtool to determine the maximum ring parameters for your sniffing interfaces.  The example below assumes an interface named enp2s0.
    sudo ethtool -g enp2s0
    Ring parameters for enp2s0:
    Pre-set maximums:
    RX:             4096
    RX Mini:        0
    RX Jumbo:       0
    TX:             4096
    Current hardware settings:
    RX:             256
    RX Mini:        0
    RX Jumbo:       0
    TX:             256
  2. As root/sudo, create a new file in /etc/networkd-dispatcher/routable.d/10-set-max-ring and add the following lines for each sniffing interface.
    #!/bin/sh
    # Set ring rx parameters for all sniffing interfaces
    ethtool -G en rx 4096
  3. Save the file and set its permissions to 755.
    sudo chmod 755 /etc/networkd-dispatcher/routable.d/10-set-max-ring

Disable NIC offloading functions

  1. As root/sudo, create a new file in /etc/networkd-dispatcher/routable.d/20-disable-checksum-offload and add the following lines for each sniffing interface.
    #!/bin/sh
    # Disable checksum offloading for all sniffing interfaces
    ethtool -K enp2s0 rx off tx off sg off tso off ufo off gso off gro off lro off
  2. Save the file and set its permissions to 755.
    sudo chmod 755 /etc/networkd-dispatcher/routable.d/20-disable-checksum-offload

Set sniffing network interfaces to promiscuous mode

  1. As root/sudo, create a new file in /etc/networkd-dispatcher/routable.d/30-enable-promisc-mode and add the following lines for each sniffing interface.
    #!/bin/sh
    # Enable promiscuous mode for all sniffing interfaces
    ip link set enp2s0 arp off multicast off allmulticast off promisc on
  2. Save the file and set its permissions to 755.
    sudo chmod 755 /etc/networkd-dispatcher/routable.d/30-enable-promisc-mode

Confirm changes are persistent

  1. Reboot your system and verify all the changes made thus far have persisted.Verify max ring parameters under Current hardware settings RX matches the configured maximum.
    sudo ethtool -g enp2s0
    Ring parameters for enp2s0:
    Pre-set maximums:
    RX:             4096
    RX Mini:        0
    RX Jumbo:       0
    TX:             4096
    Current hardware settings:
    RX:             4096
    RX Mini:        0
    RX Jumbo:       0
    TX:             256

    Verify NIC offloading features are turned off (this list is likely much longer on your system).

    sudo ethtool -k enp2s0
    Features for enp2s0:
    rx-checksumming: off
    tx-checksumming: off

    Verify that PROMISC is listed in the network interface status.

    ip a show enp2s0 | grep -i promisc
    3: enp2s0: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000

Install Zeek Dependencies

  1. Run the following apt command to download the required dependencies.
    sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev python3-git python3-semantic-version swig zlib1g-dev libjemalloc-dev
  2. Ensure all your packages are up to date and reboot your system.
    sudo apt-get update
    sudo apt-get dist-upgrade
    sudo reboot

Create the zeek user and directory to install and run Zeek

  1. Create the zeek user and add it to the zeek group.
    sudo groupadd zeek
    sudo useradd zeek -g zeek
  2. As root/sudo, set a password for the zeek user.
    sudo passwd zeek
  3. As root/sudo, create the /opt/zeek directory and set ownership to the zeek user.
    sudo mkdir /opt/zeek
    sudo chown -R zeek:zeek /opt/zeek
    sudo chmod 750 /opt/zeek

Download, Compile, and Install Zeek

  1. Switch to the zeek user.
    su zeek
  2. We will download zeek to the /home/zeek directory. Then we will configure Zeek to install in the /opt/zeek directory and enable jemalloc to improve memory and CPU usage.  As of this writing, the latest feature release is version 5.0.2.  If the download URL referenced in the wget command below no longer works, you can download the latest stable release directly from the Get Zeek download page.
    cd
    wget https://download.zeek.org/zeek-5.0.2.tar.gz
    tar -xzvf zeek-5.0.2.tar.gz
    cd zeek-5.0.2
    ./configure --prefix=/opt/zeek --enable-jemalloc --build-type=release
    make
    make install

    Note: This will take *a while* to compile.

  3. Switch back to your normal user by closing the zeek session.
    exit
  4. Since the zeek user is not root, give the Zeek binaries permissions to capture packets.
    sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
    sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats

Add Zeek to PATH

  1. Switch back to the zeek user.
    su zeek
  2. As the zeek user, create ~/.bashrc and add the following lines.
    # Add Zeek to PATH
    export PATH="/opt/zeek/bin:$PATH"
  3. Save the file and apply the new path to the zeek user.
    source ~/.bashrc

Configure Zeek

  1. Edit /opt/zeek/etc/node.cfg to configure the number of nodes.  It is recommended to use a maximum of one or two less workers than the total number of CPU cores available on your sensor.  In the example configuration below we are configuring a total of two workers, analyzing one sniffing interface.
    # Example ZeekControl node configuration.
    # Below is an example clustered configuration on a single host.
    [logger]
    type=logger
    host=localhost
    [manager]
    type=manager
    host=localhost
    [proxy-1]
    type=proxy
    host=localhost
    [worker-1]
    type=worker
    host=localhost
    interface=enp2s0
    [worker-2]
    type=worker
    host=localhost
    interface=enp2s0

    In the event you have two or more sniffing interfaces (e.g. enp2s0 and enp3s0), see the example configuration below which assigns each interface its own worker.

    # Example ZeekControl node configuration.
    # Below is an example clustered configuration on a single host.
    [logger]
    type=logger
    host=localhost
    [manager]
    type=manager
    host=localhost
    [proxy-1]
    type=proxy
    host=localhost
    [worker-1]
    type=worker
    host=localhost
    interface=enp2s0
    [worker-2]
    type=worker
    host=localhost
    interface=enp3s0
  2. Edit /opt/zeek/share/zeek/site/local.zeek to enable or disable scripts as needed.

Start Zeek

  1. As the zeek user, run zeekctl deploy to apply configurations and run Zeek.
    zeekctl deploy
    checking configurations ...
    installing ...
    removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/site ...
    removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/auto ...
    creating policy directories ...
    installing site policies ...
    generating cluster-layout.zeek ...
    generating local-networks.zeek ...
    generating zeekctl-config.zeek ...
    generating zeekctl-config.sh ...
    stopping ...
    stopping workers ...
    stopping proxy ...
    stopping manager ...
    stopping logger ...
    starting ...
    starting logger ...
    starting manager ...
    starting proxy ...
    starting workers ...
  2. If your output looks similar to what’s shown above, you should be good to go. To verify Zeek is running successfully, you can run zeekctl status.
    zeekctl status
    Name         Type    Host             Status    Pid    Started
    logger       logger  localhost        running   1774   10 Oct 23:15:31
    manager      manager localhost        running   1820   10 Oct 23:15:32
    proxy-1      proxy   localhost        running   1865   10 Oct 23:15:33
    worker-1-1   worker  localhost        running   1950   10 Oct 23:15:35
    worker-1-2   worker  localhost        running   1951   10 Oct 23:15:35
    worker-2-1   worker  localhost        running   1955   10 Oct 23:15:35
    worker-2-2   worker  localhost        running   1954   10 Oct 23:15:35

    If you see the following errors:

    zeekctl deploy
    Error: worker-1-1 terminated immediately after starting; check output with "diag"
    Error: worker-1-2 terminated immediately after starting; check output with "diag"
    Error: worker-2-1 terminated immediately after starting; check output with "diag"
    Error: worker-2-2 terminated immediately after starting; check output with "diag"

    Then try re-running the sudo setcap commands from earlier.

    sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
    sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats
  3. You should now see logs being generated in /opt/zeek/logs/current.
    ls -l
    total 2276
    -rw-rw-r--. 1 zeek zeek   1573 Oct 10 23:15 broker.log
    -rw-rw-r--. 1 zeek zeek    593 Oct 10 23:45 capture_loss.log
    -rw-rw-r--. 1 zeek zeek   1970 Oct 10 23:15 cluster.log
    -rw-rw-r--. 1 zeek zeek 673435 Oct 10 23:52 conn.log
    -rw-rw-r--. 1 zeek zeek 580865 Oct 10 23:52 dns.log
    -rw-rw-r--. 1 zeek zeek   3830 Oct 10 23:49 dpd.log
    -rw-rw-r--. 1 zeek zeek   1406 Oct 10 23:47 files.log
    -rw-rw-r--. 1 zeek zeek  26108 Oct 10 23:48 http.log
    -rw-rw-r--. 1 zeek zeek  24646 Oct 10 23:15 loaded_scripts.log
    -rw-rw-r--. 1 zeek zeek    753 Oct 10 23:18 notice.log
    -rw-rw-r--. 1 zeek zeek    187 Oct 10 23:15 packet_filter.log
    -rw-rw-r--. 1 zeek zeek    743 Oct 10 23:46 software.log
    -rw-rw-r--. 1 zeek zeek  86512 Oct 10 23:51 ssl.log
    -rw-rw-r--. 1 zeek zeek   5446 Oct 10 23:50 stats.log
    -rw-rw-r--. 1 zeek zeek      0 Oct 10 23:15 stderr.log
    -rw-rw-r--. 1 zeek zeek    188 Oct 10 23:15 stdout.log
    -rw-rw-r--. 1 zeek zeek 240866 Oct 10 23:51 weird.log
  4. If you’re running into issues, zeekctl diag can provide more detailed output for troubleshooting purposes.
    zeekctl diag

ZeekControl Cron

ZeekControl features a cron command to check for and restart crashed nodes and to perform other maintenance tasks.  To take advantage of this, let’s set up a cron job.

  1. Edit the crontab of the non-root zeek user.
    crontab -e
  2. Add the following to set up a cron job that runs every five minutes.  You can adjust the frequency to your liking.
    */5 * * * * /opt/zeek/bin/zeekctl cron

Up Next

In Part II of this series, we will install the Zeek Package Manager to extend Zeek’s functionality.

References

Zeek official documentationhttps://www.zeek.org/documentation/index.html
NIC offloading on Ubuntu with systemd-networkd: https://michael.mulqueen.me.uk/2018/08/disable-offloading-netplan-ubuntu/
NIC offloadinghttps://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html


Stuff I Like

Web Hosting: SiteGround

ericooi.com is proudly hosted by SiteGround. Performance and customer service are top notch. Quick and easy https implementation via built-in Let's Encrypt integration.


56 thoughts on “Zeekurity Zen – Part I: How to Install Zeek on Ubuntu”

  • Thank you for your blog posts, these are really helpful for installing Zeek. I wanted to ask how can we upgrade Zeek without losing any existing settings?

    • You’re welcome, John and thanks for the kind words.

      What settings are you referring to specifically? Generally speaking, any changes you make in “/opt/zeek/share/zeek/site/local.zeek” should persist through any upgrades. If you’re asking how I’d do upgrades, I see two ways.

      * Some users like to keep separate Zeek installs. So instead of installing to /opt/zeek, they instead install to /opt/zeek-4-0-0 and then when say version 4.1 is released they’ll do a new install to /opt/zeek-4-1-0. Then copy over any custom configs over as needed. In this way, should you find that the new release of Zeek isn’t working for you for whatever reason (e.g. your favorite Zeek package doesn’t support it) then you can easily revert back without having to start from scratch.

      * Install Zeek as normal and overwrite the existing installation in /opt/zeek. You’ll have to remember to run “zkg autoconfig” and confirm that your configurations and packages are all supported in the new version.

      Hope that helps!

      • Thank you for your prompt response!
        If I install Zeek to a new folder for example, /opt/zeek-4-1-0, which version would be in production, do I need to disable the older version and move the local.zeek file to the new folder?

        • It’d be whatever is in your zeek user’s path. So if the path currently has /opt/zeek-4-0-0, you’d want to update that to /opt/zeek/4-1-0, etc. You don’t necessarily need to “disable it,” but yes you’d want to copy local.zeek over to that new directory.

      • I know this is not something related to your blog posts but I was wondering if you can help me with some Suricata config as well 😃
        Can I install Suricata on the same box as Zeek, and if that is possible how can I share the network card with both Zeek and Suricata?
        Thanks!

        • It’s been YEARS since I last used Suricata, but you can definitely run both on the same box so long as it’s sized appropriately. You’d have to Google around for the specific Suricata settings to get this going as that’s a bit beyond me at this point.

  • Just one comment about installing Network-scripts on CentOS 8. It’ll be deprecated so it’s not a good idea. I actually ran into networking issues with that. There is a better way, I think. Just use the NetworkManager.
    1. Disable offloading using nmcli and the change is permanent. For example:
    # nmcli con modify enp1s0 ethtool.feature-rx off ethtool.feature-tx off

    2. Tunning the ring rx buffer using a dispatcher script. Note: Change 8192 to your own max.
    $ cd /etc/NetworkManager/dispatcher.d/pre-up.d/
    $ sudo vim 01-ring-buffer
    #!/bin/bash

    INF=”$1″ # your current interface name such as eth0 and so on
    STA=”$2″ # status such as UP or DOWN

    # Send message to /var/log/messages
    logger “$0 called for interface named $INF with $STA …”

    if [ “$INF” == “eth0” ]
    then
    start=201
    ethtool -G eth0 rx 8192
    fi

    Disclaimer: I’m a beginner with limited Linux experience. So if you want to use the commands and scripts I put here, please be aware that you use them entirely at your own risk. And I accept no liability for any loss or damage arising from the use of them. You should always test any commands and scripts in a test environments if you don’t know the consequences.

    • Thanks for the tip, Lola. You’re right that it’s effectively deprecated but at the time I wrote the guide I wasn’t sure of an alternative way. Sounds like your suggestion might be a good option. 🙂

  • Thanks for these instructions, always wanted to try out Zeek.
    Sorry for knowing so little, but I do have some questions from very early in the instructions

    1) CentOS 8 is noted to be EOL early this year. I just used the CentOS 8 Stream image, but am rather new to Linux so not sure if this will impact the use of Zeek.
    2) If my motherboard has a wired and WiFi interface, is it OK to use the WiFi on the motherboard for the admin interface? Guessing that I want to use the built in wired network interface for sniffing, and cannot imagine that the admin interface is particularly sensitive to the slower WiFi connection. I also have
    3) maybe related to the first two, but when I try to use ethtool -g in step 2, I get an error: “netlink error:Operation not supported”. Is there something that I need to enable? Or some other way to do this?

    Thank you,
    Monkey

    • Hi Monkey,

      No apologies necessary, we’re all beginners at some point. 🙂

      1. Yes, unfortunately when I first wrote this guide, CentOS 8 had only been recently announced and was presumably going to have the long stable release cycle and support that previous iterations of CentOS had enjoyed. For the purposes of Zeek, you’re probably still fine unless the Zeek developers say otherwise. You could also use an LTS (long term support) release of Ubuntu, the instructions aren’t too different (apt-get vs yum/dnf) and I will likely write a guide for this eventually.

      2. Yes, that is absolutely the way I would do it and you’re exactly right on your reasoning.

      3. Hm, are you running this on the interface you want to use for sniffing? Assuming that’s the wired interface, you should only need to run it on that, not the wireless interface.

      • Thanks for the response and encouragement.

        I am thinking that the ethernet nic on my motherboard must not support the ethtool show-ring.
        I tried the same command on the WiFi interface, and in that case I do get results

        it is a rather old motherboard, ASUS specs the NIC as
        Realtek® 8111E , 1 x Gigabit LAN Controller(s)
        so maybe I just need to get a new NIC anyway.

        • sudo lshw -C network

          *-network
          description: Ethernet interface
          product: RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
          vendor: Realtek Semiconductor Co., Ltd.
          physical id: 0
          bus info: pci@0000:03:00.0
          logical name: enp3s0
          version: 06
          serial: c8:60:00:68:00:c7
          size: 1Gbit/s
          capacity: 1Gbit/s
          width: 64 bits
          clock: 33MHz
          capabilities: pm msi pciexpress msix vpd bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
          configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=4.18.0-259.el8.x86_64 duplex=full firmware=rtl8168e-3_0.0.4 03/27/12 ip=192.168.1.69 latency=0 link=yes multicast=yes port=MII speed=1Gbit/s
          resources: irq:16 ioport:e000(size=256) memory:f0004000-f0004fff memory:f0000000-f0003fff

          • Ah, yeah that might be it. I know there are people using Raspberry Pi’s or Intel NUC systems to do this and that might be a cost effective solution depending on your budget.

  • Hello,
    I’m reinstalling Zeek and was wondering what was the point in step 3 here again where we disable DHCP? Once we set BOOTPROTO=none, save the config and enable/restart network service, I get no IP Address/Network connectivity. Am i seeing something wrong? Are we not supposed to use DHCP or am i supposed to set Static IP? I think before, I just left it as DHCP; would that be okay or is there a specific reason for something to work that we need to disable DHCP?

    Thanks!

    • As noted in the step, “As root/sudo, edit the /etc/sysconfig/network-scripts/ifcfg- file for each sniffing network interface and change or add the following lines.”

      You’re welcome to configure the network interface you’ll be using for administration of the server however works best for your needs.

      Hope that helps!
      Eric

      • Ohh okay, sorry. Yes I was only using a test machine with 1 NIC card and wasn’t thinking of multiple interfaces. For production is it recommended to have a couple sniffing interfaces or would 1 be good enough?
        Thanks!

  • Thank you for the great post Eric. Quick question for you.. Have you tried to install the Kafka plugin using zkg on CentOS8. I completed the installation steps you provided for Zeek. I was trying to add kafka to this but having no luck. I installed librdkafka 1.4.2 successfully. Plugin installation does not work:

    [zeek@zeek ~]$ zkg install apache/metron-bro-plugin-kafka –version master
    The following packages will be INSTALLED:
    zeek/apache/metron-bro-plugin-kafka (master)

    Verify the following REQUIRED external dependencies:
    (Ensure their installation on all relevant systems before proceeding):
    from zeek/apache/metron-bro-plugin-kafka (master):
    librdkafka ~1.4.2-RC1

    Proceed? [Y/n] Y
    zeek/apache/metron-bro-plugin-kafka asks for LIBRDKAFKA_ROOT (Path to librdkafka installation tree) ? [/usr/local/lib]
    Saved answers to config file: /home/zeek/.zkg/config
    Running unit tests for “zeek/apache/metron-bro-plugin-kafka”
    error: failed to run tests for zeek/apache/metron-bro-plugin-kafka: package build_command failed, see log in /home/zeek/.zkg/logs/metron-bro-plugin-kafka-build.log
    Proceed to install anyway? [N/y] N
    Abort.

    • I have not tried to install that plugin. I’d start by looking at the error log suggested in the output you pasted: /home/zeek/.zkg/logs/metron-bro-plugin-kafka-build.log

  • I am not sure if anyone had this issue before so here it is. I followed the steps above on CentOS8 and when I tried to compile the zeek code, I got the following error:
    [zeek@zeek zeek-3.2.1]$ ./configure –prefix=/opt/zeek –enable-jemalloc
    Build Directory : build
    Source Directory: /home/zeek/zeek-3.2.1
    — The C compiler identification is GNU 8.3.1
    — The CXX compiler identification is GNU 8.3.1
    — Check for working C compiler: /usr/bin/cc
    — Check for working C compiler: /usr/bin/cc — works
    — Detecting C compiler ABI info
    — Detecting C compiler ABI info – done
    — Detecting C compile features
    — Detecting C compile features – done
    — Check for working CXX compiler: /usr/bin/c++
    — Check for working CXX compiler: /usr/bin/c++ — works
    — Detecting CXX compiler ABI info
    — Detecting CXX compiler ABI info – done
    — Detecting CXX compile features
    — Detecting CXX compile features – done
    — Performing Test test_arch_x64
    — Performing Test test_arch_x64 – Success
    — Performing Test test_arch_aarch64
    — Performing Test test_arch_aarch64 – Failed
    — Performing Test test_arch_arm
    — Performing Test test_arch_arm – Failed
    — Performing Test test_arch_power
    — Performing Test test_arch_power – Failed
    — Determined target architecture (for hashing): x86_64
    — Found sed: /usr/bin/sed
    — Could NOT find PythonInterp (missing: PYTHON_EXECUTABLE)
    — Found FLEX: /usr/bin/flex (found version “2.6.1”)
    — Found BISON: /usr/bin/bison
    — Found PCAP: /usr/lib64/libpcap.so
    — Performing Test PCAP_LINKS_SOLO
    — Performing Test PCAP_LINKS_SOLO – Success
    — Looking for pcap_get_pfring_id
    — Looking for pcap_get_pfring_id – not found
    — Found OpenSSL: /usr/lib64/libcrypto.so (found version “1.1.1c”)
    — Performing Test ns_initparse_works_none
    — Performing Test ns_initparse_works_none – Failed
    — Performing Test res_mkquery_works_none
    — Performing Test res_mkquery_works_none – Failed
    — Performing Test ns_initparse_works_libresolv.a
    — Performing Test ns_initparse_works_libresolv.a – Failed
    — Performing Test res_mkquery_works_libresolv.a
    — Performing Test res_mkquery_works_libresolv.a – Failed
    — Performing Test ns_initparse_works_resolv
    — Performing Test ns_initparse_works_resolv – Success
    — Performing Test res_mkquery_works_resolv
    — Performing Test res_mkquery_works_resolv – Success
    — Found BIND: /usr/lib64/libresolv.so
    — Found ZLIB: /usr/lib64/libz.so (found version “1.2.11”)
    CMake Error at auxil/binpac/CMakeLists.txt:35 (message):
    Could not find prerequisite package ‘PythonInterp’

    The fix was to install python3-devel: yum install python3-devel

    • Hi Arda,

      The Python3 development package should have been installed when you installed the Zeek dependencies in the “Install Zeek Dependencies” step. Specifically this command:

      sudo yum install cmake make gcc gcc-c++ flex bison jemalloc-devel libpcap-devel openssl-devel platform-python-devel swig zlib-devel

      With the key package being “platform-python-devel.” If for whatever reason that did not install properly for you, then your fix will definitely work, too!

      – Eric

  • Hey Eric sorry, i want to ask,how to send zeek all event to syslog collector? most references refer to graylog, splunk, elk.

  • Hi Eric,
    I tried to follow your guide but on step 2 – Install the network-scripts package, the command “sudo yum install network-scripts” wont work because the network is down from the previous change. Is there something I missed from the steps you listed here?
    Thank you,
    Julian

    • Hi Julian,

      Good catch! This guide was originally written for installation on CentOS 7 and I forgot to remove the section on disabling NetworkManager. For some background, CentOS 8 no longer ships with network-scripts support and requires the use of NetworkManager for network configuration. However, NetworkManager does not provide the level of configuration required to optimize sniffing interfaces for packet capture, hence the need for the now legacy, network-scripts.

      You can however run it such that NetworkManager is used for your management interfaces, and network-scripts are used just for the sniffing interfaces. All that said, you have two choices:
      1. Re-enable NetworkManager.
      2. Edit /etc/sysconfig/network-scripts/ifcfg-management_interface to use either DHCP or static IP.

      For most people, the easier option will be number 1. To start and re-enable NetworkManager, run:

      sudo systemctl start NetworkManager
      sudo systemctl enable NetworkManager

      Apologies for the confusion and hope that helps!

      • Hi Eric,
        I did that and it worked. Thank you for the fast response.
        Another thing you may want to update on the guide is related to python-dev pre-requisite. The option I found available thru yum was python2-devel, which comes from AppStream.repo of CentOS8. I could not find the dev package for Python3 in any repos.
        Thank you,
        Julian

          • Hi Eric,
            I am not sure if this is relevant but the command “zeekctl deploy” didn’t work for me until I installed sendmail package. As soon sendmail server was up, it started without any error. I hope it helps.
            Thank you,
            Julian

      • Thanks for the article, Eric. Very helpful. Question about running NetworkMangaer on the sniffing interface. Are you saying one should run NetworkManger AND networkd at the same time? If so, isn’t this ‘bad’? Or are you saying the the config files in /etc/sysconfig/network-scripts/ifcfg-* should have NM_CONTROLLED = no vs yes? TIA!

        • Hi John,

          I’m saying you should DISABLE “NetworkManager” on the sniffing interfaces and INSTEAD ENABLE the “network” service. This is because NetworkManager doesn’t allow you to specify the configurations we want to optimize traffic capture for Zeek.

          Hope that helps!
          Eric

  • Hi Eric, Thank you for this guide, its very helpful for me. Now if i want to add second sniffing interface, i have to disable NIC Offloading Function and set the second sniffing interfaces to PROMISCUOUS MODE also?
    Thank you.

    • Hi Luqman,

      Glad to hear it’s been helpful for you!

      Yes, for each sniffing interface you want to use, you should apply the same steps under “DISABLE NIC OFFLOADING FUNCTIONS” to optimize the interface for packet capture.

      Hope that helps!

        • Hi Eric,
          May i ask why you use AF_PACKET instead of PF_RING in part 2 of this setup?
          Is there is any advantages of using AF_PACKET over PF_RING for zeek?

          Thank you in advance

          • Hi Luqman,

            Great question! Once upon a time I too used PF_RING. There are two primary reasons for my moving to AF_PACKET:

            * AF_PACKET is already built into the Linux kernel so using and maintaining it is much easier. In my experience, compiling and installing PF_RING is non-trivial, in particular updating it whenever a new version of the PF_RING package is released.

            * AF_PACKET has been shown to effectively capture packets at high speeds on modern Linux kernels. It has been recommended on the Zeek mailing list (including by the team at Mozilla that has tuned AF_PACKET to capture up to 20Gbps) and is used by notable NSM distributions such as RockNSM and Security Onion.

            You’re certainly welcome to still use PF_RING if you find it works better for you. I’ve only used the open source PF_RING packages, not the paid-for licensed versions so I can’t speak to how well those work. For experienced Linux users, PF_RING is _not too difficult_ to maintain, and it will definitely improve packet capture performance over using absolutely no optimization.

            Hope that helps!

            • Hi Eric, we want to span a 100Gbps link.So the best option would be to have a multiple physical server zeek setup? I couldn’t find the maximum Gbps af_packet can handle btw.
              Do you know if it’s possible to capture 100Gbps on a single Nic ?
              thx

              • So it is possible to capture 100 Gbps on a single NIC with the right hardware, but I don’t think most people do this. Personally, I would look into a packet broker like Gigamon to split up the 100 Gbps traffic or even filter out the traffic you don’t care about and then send this copy to Zeek. It’ll reduce noise and let you use a more reasonable server to monitor your traffic.

                As for what kind of Zeek server setup you’d want to monitor this, it depends on how much traffic is coming in. If you’re sending a full 100 Gbps with no filtering, then you’ll likely want multiple physical servers to handle the load. But again, I’d first try to cut down on traffic at the network level and send only what you really care about first. This will make sizing Zeek a lot easier.

            • And what does it actually mean what you said “…has tuned AF_PACKET to capture up to 20Gbps”?
              Do you mean AF_PACKET can’t capture total amount of 20Gbps and distribute it to different CPU cores? I guess this is the Linux kernel limit, right? So for snifferring a 100Gbps interface(Let’s assume the peak usage is 100Gbps), we should go for the cluster reference architecture showed here https://docs.zeek.org/en/current/cluster/index.html? I’d really like to know what the limitation of doing everything on only one server is and when to use a multi-nodes cluster. And it’d be great to find some real world use cases of it, one server and multiple servers deployment.

              • Sorry! “Do you mean AF_PACKET can’t capture total amount of 20Gbps and distribute it to different CPU cores?”
                should be “Do you mean AF_PACKET can capture total amount of 20Gbps maximum and distribute it to different CPU cores?”

  • Eric,
    I have this issue too;
    ==== stderr.log
    fatal error: problem with interface (pcap_error: socket: Operation not permitted (pcap_activate))

    I know it has something to do with the bro user privileges, but I cannot figure out other then the step:
    sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro
    sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/broctl

    but that does not seem to do the trick.
    running as root, it works.
    any suggestions?

    thnx

    • Hi Boudy — Yep, those commands are what should take care of it. I remember having similar issues and I believe some combination of running those two commands again and restarting resolved it. I know, seems silly. Also make sure that the bro user is the owner of the /opt/bro directory, which is the next step in the guide.

      • Eric, You’re a life saver.

        I executed both again as bro user, did the broctl deploy and without errors !!!! this time.
        Woohoo!

        thnx,

        Boudy

        • I had to leave a comment here, just to say thanks. I’ve been banging my head against the wall for the last two days trying to find a solution for the same Operation not permitted error Boudy mentioned. Some serious Googling brought me here after also having watched a PluralSignt course video, and I found these setcap commands.

          My remaining hair on my head thanks you, Eric.

      • Hi Eric
        I have something wrong , when after deploy zeek cluster. worker-2 did not run zeek script but only copyed those script from manage. why and how could i fixed it?

        • Hi Fang,

          Not sure I understand the issue. I suggest double checking your /opt/zeek/etc/node.cfg and making sure worker-2 is set to type=worker and not type=manager.

          Hope that helps!
          Eric

  • Disable the NetworkManager service and enable the “network” service
    1. Stop and disable the NetworkManager service.
    2. Verify that NetworkManager has been disabled.
    — I get this in reply:
    $ sudo systemctl list-unit-files | grep NetworkManager
    NetworkManager-dispatcher.service disabled
    NetworkManager-wait-online.service disabled <<< you show "enabled" for this.
    NetworkManager.service disabled

    You say … '…enable the “network” service' but there are no instructions about that.

    ———

    I went through the installation procedure and get this error:

    ==== stderr.log
    fatal error: problem with interface eno1 (pcap_error: socket: Operation not permitted (pcap_activate))

    What am I missing here?

    Thanks in advance.

    • Good catch, Dean — you’re absolutely right! I’ve added the missing steps. Please let me know if you continue to run into issues.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.