Zeekurity Zen – Part I: How to Install Zeek on Ubuntu
If you're looking for professional services on this topic or interested in other cybersecurity consulting services, please reach out to me via my Contact page to discuss further.
This is part of the Zeekurity Zen Zeries on building a Zeek (formerly Bro) network sensor.
This guide assumes you’ll be installing Zeek on Ubuntu 22.04 LTS. However, the guide should work for any reasonably recent versions of Ubuntu.
Kicking things off, we’ll optimize Ubuntu to efficiently capture packets and then compile Zeek from source to start monitoring network traffic.
To do this, we’ll walk through these steps:
- Minimize packet loss and ensure Zeek sees full packet data by applying network sniffing optimizations: setting max ring parameters, disabling NIC offloading, and enabling promiscuous mode.
- Build Zeek from source with optimizations.
- Create a non-root Zeek user to minimize impact in the event that Zeek is compromised.
- Deploy and run Zeek to start analyzing traffic.
- Create a cron job to perform Zeek maintenance tasks.
Set max ring parameters
- Use ethtool to determine the maximum ring parameters for your sniffing interfaces. The example below assumes an interface named enp2s0.
sudo ethtool -g enp2s0
Ring parameters for enp2s0:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256
- As root/sudo, create a new file in /etc/networkd-dispatcher/routable.d/10-set-max-ring and add the following lines for each sniffing interface.
#!/bin/sh
# Set ring rx parameters for all sniffing interfaces
ethtool -G enp2s0 rx 4096
- Save the file and set its permissions to 755.
sudo chmod 755 /etc/networkd-dispatcher/routable.d/10-set-max-ring
Disable NIC offloading functions
- As root/sudo, create a new file in /etc/networkd-dispatcher/routable.d/20-disable-checksum-offload and add the following lines for each sniffing interface.
#!/bin/sh
# Disable checksum offloading for all sniffing interfaces
ethtool -K enp2s0 rx off tx off sg off tso off ufo off gso off gro off lro off
- Save the file and set its permissions to 755.
sudo chmod 755 /etc/networkd-dispatcher/routable.d/20-disable-checksum-offload
Set sniffing network interfaces to promiscuous mode
- As root/sudo, create a new file in /etc/networkd-dispatcher/routable.d/30-enable-promisc-mode and add the following lines for each sniffing interface.
#!/bin/sh
# Enable promiscuous mode for all sniffing interfaces
ip link set enp2s0 arp off multicast off allmulticast off promisc on
- Save the file and set its permissions to 755.
sudo chmod 755 /etc/networkd-dispatcher/routable.d/30-enable-promisc-mode
Confirm changes are persistent
- Reboot your system and verify that all the changes made thus far have persisted. First verify the max ring parameters: under Current hardware settings, RX should match the configured maximum.
sudo ethtool -g enp2s0
Ring parameters for enp2s0:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             256
Verify NIC offloading features are turned off (this list is likely much longer on your system).
sudo ethtool -k enp2s0
Features for enp2s0:
rx-checksumming: off
tx-checksumming: off
Verify that PROMISC is listed in the network interface status.
ip a show enp2s0 | grep -i promisc
3: enp2s0: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
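The three verification steps above can be scripted so they can be re-run after every reboot or kernel update. The script below is an added example, not part of the original post: it parses the same ethtool and ip output the guide shows, reports whether an interface is still optimized, and emits the per-interface dispatcher commands for any number of sniffing interfaces. The interface names and the SAMPLE_* outputs are constructed so the functions can be exercised offline; pass real interface names as arguments to check a live sensor.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a sniffing interface
# carries the three settings the guide configures (max RX ring, offloads off,
# promiscuous mode) by parsing the same ethtool / ip output the guide shows.
# Interface names and the SAMPLE_* outputs below are constructed for offline use.

# Print the "Pre-set maximums" RX ring size from `ethtool -g` output on stdin.
ring_max_rx() {
    awk '/Pre-set maximums/ {m=1} /Current hardware settings/ {m=0}
         m && $1 == "RX:" {print $2; exit}'
}

# Print the "Current hardware settings" RX ring size from `ethtool -g` output on stdin.
ring_cur_rx() {
    awk '/Current hardware settings/ {c=1} c && $1 == "RX:" {print $2; exit}'
}

# Succeed when the current RX ring equals the hardware maximum.
ring_is_maxed() {
    out=$(cat)
    max=$(printf '%s\n' "$out" | ring_max_rx)
    cur=$(printf '%s\n' "$out" | ring_cur_rx)
    [ -n "$max" ] && [ "$max" = "$cur" ]
}

# Succeed when every top-level offload feature the guide disables reads "off"
# in `ethtool -k` output on stdin; any feature that is still on is printed.
offloads_are_off() {
    awk '/^(rx-checksumming|tx-checksumming|scatter-gather|tcp-segmentation-offload|udp-fragmentation-offload|generic-segmentation-offload|generic-receive-offload|large-receive-offload):/ {
             if ($2 != "off") { bad = 1; print "still on: " $0 }
         }
         END { exit bad }'
}

# Succeed when the `ip link` flag list on stdin includes PROMISC.
promisc_is_on() {
    grep -q '<[^>]*PROMISC[^>]*>'
}

# Emit the three networkd-dispatcher commands per interface.
# Usage: dispatcher_lines RX_RING IFACE...
dispatcher_lines() {
    rx="$1"; shift
    for i in "$@"; do
        echo "ethtool -G $i rx $rx"
        echo "ethtool -K $i rx off tx off sg off tso off ufo off gso off gro off lro off"
        echo "ip link set $i arp off multicast off allmulticast off promisc on"
    done
}

# Run the live checks against a real interface (needs ethtool and iproute2).
check_iface() {
    ethtool -g "$1" | ring_is_maxed &&
    ethtool -k "$1" | offloads_are_off &&
    ip link show "$1" | promisc_is_on
}

# Constructed samples, shaped like the guide's own ethtool / ip output.
SAMPLE_RING_DEFAULT='Ring parameters for enp2s0:
Pre-set maximums:
RX:             4096
RX Mini:        0
RX Jumbo:       0
TX:             4096
Current hardware settings:
RX:             256
RX Mini:        0
RX Jumbo:       0
TX:             256'
SAMPLE_RING_OK=$(printf '%s\n' "$SAMPLE_RING_DEFAULT" | sed '8s/256/4096/')
SAMPLE_OFFLOAD_OFF='Features for enp2s0:
rx-checksumming: off
tx-checksumming: off
        tx-checksum-ipv4: off [fixed]
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]'
SAMPLE_OFFLOAD_ON=$(printf '%s\n' "$SAMPLE_OFFLOAD_OFF" | sed 's/^generic-receive-offload: off/generic-receive-offload: on/')
SAMPLE_IP_PROMISC='3: enp2s0: <BROADCAST,NOARP,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000'

# Stand-alone use: ./check-sniff-ifaces.sh enp2s0 enp3s0
if [ $# -gt 0 ]; then
    for i in "$@"; do
        if check_iface "$i"; then echo "$i: optimized"; else echo "$i: NOT optimized"; fi
    done
fi
```

A useful habit is to run `check_iface` from the `zeekctl cron` job or a systemd timer: if a driver update silently re-enables GRO or resets the ring size, capture_loss.log will show the symptom long after the cause, whereas this check names the interface and feature directly.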
Install Zeek Dependencies
- Run the following apt command to download the required dependencies.
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev \
    python3-git python3-semantic-version swig zlib1g-dev libjemalloc-dev
- Ensure all your packages are up to date and reboot your system.
sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot
Create the zeek user and directory to install and run Zeek
- Create the zeek user and add it to the zeek group.
sudo groupadd zeek
sudo adduser zeek
sudo usermod -aG zeek zeek
- As root/sudo, set a password for the zeek user.
sudo passwd zeek
- As root/sudo, create the /opt/zeek directory and set ownership to the zeek user.
sudo mkdir /opt/zeek
sudo chown -R zeek:zeek /opt/zeek
sudo chmod 750 /opt/zeek
Download, Compile, and Install Zeek
- Switch to the zeek user.
- We will download zeek to the /home/zeek directory. Then we will configure Zeek to install in the /opt/zeek directory and enable jemalloc to improve memory and CPU usage. As of this writing, the latest feature release is version 5.2.0. If the download URL referenced in the wget command below no longer works, you can download the latest stable release directly from the Get Zeek download page.
cd
wget https://download.zeek.org/zeek-5.2.0.tar.gz
tar -xzvf zeek-5.2.0.tar.gz
cd zeek-5.2.0
./configure --prefix=/opt/zeek --enable-jemalloc --build-type=release
make
make install
Note: This will take *a while* to compile.
- Switch back to your normal user by closing the zeek session.
- Since the zeek user is not root, give the Zeek binaries permissions to capture packets.
sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats
Add Zeek to PATH
- Switch back to the zeek user.
- As the zeek user, create ~/.bashrc and add the following lines.
# Add Zeek to PATH
export PATH="/opt/zeek/bin:$PATH"
- Save the file and apply the new PATH to the zeek user's session.
- Edit /opt/zeek/etc/node.cfg to configure the number of nodes. It is recommended to run at most one or two fewer workers than the number of CPU cores available on your sensor. The example configuration below sets up a total of two workers analyzing one sniffing interface.
Note: The following node configuration does not use Zeek’s out of the box support for AF_PACKET (as of version 5.2). It is recommended to configure Zeek to use AF_PACKET for optimal packet capture and the configuration is covered in Part II.
# Example ZeekControl node configuration.
# Below is an example clustered configuration on a single host.
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=enp2s0

[worker-2]
type=worker
host=localhost
interface=enp2s0
In the event you have two or more sniffing interfaces (e.g. enp2s0 and enp3s0), see the example configuration below which assigns each interface its own worker.
# Example ZeekControl node configuration.
# Below is an example clustered configuration on a single host.
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=enp2s0

[worker-2]
type=worker
host=localhost
interface=enp3s0
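Writing node.cfg by hand is fine for one or two interfaces, but the sizing rule (workers capped at cores minus two, one or more workers per interface) generalizes. The script below is an added example, not the post's own configuration: it generates the single-host layout shown above for any list of interfaces, dealing workers round-robin across them. The interface names are assumptions; `nproc` is the coreutils tool. One caveat worth keeping in mind with the plain libpcap setup in this part: workers that share an interface each receive a full copy of its traffic, so the load is only actually split once AF_PACKET is configured as described in Part II.

```shell
#!/bin/sh
# Added example, not part of the original post: generate a single-host
# ZeekControl node.cfg that gives each sniffing interface its own worker(s)
# and caps the worker count at (CPU cores - 2), per the guide's sizing advice.
# The interface names passed in are an assumption; `nproc` is coreutils.

# Workers to run on CORES cores: leave two cores for logger/manager/proxy, never fewer than 1.
worker_budget() {
    n=$(($1 - 2))
    [ "$n" -lt 1 ] && n=1
    echo "$n"
}

# Print node.cfg on stdout.  Usage: gen_node_cfg CORES IFACE...
# Workers are dealt round-robin across the interfaces, so with two interfaces
# and a budget of four, the first interface gets worker-1 and worker-3 and the
# second gets worker-2 and worker-4.
gen_node_cfg() {
    cores="$1"; shift
    [ $# -ge 1 ] || { echo "gen_node_cfg: at least one interface required" >&2; return 1; }
    budget=$(worker_budget "$cores")
    cat <<'EOF'
# ZeekControl node configuration (generated by gen_node_cfg, an added example).
# Single-host cluster: logger, manager, proxy and workers all on localhost.
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost
EOF
    w=1
    while [ "$w" -le "$budget" ]; do
        for iface in "$@"; do
            [ "$w" -le "$budget" ] || break
            printf '\n[worker-%d]\ntype=worker\nhost=localhost\ninterface=%s\n' "$w" "$iface"
            w=$((w + 1))
        done
    done
}

# Count the [worker-N] sections in a node.cfg read from stdin.
count_workers() {
    grep -c '^\[worker-'
}

# Print the interface of worker N in a node.cfg read from stdin.  Usage: worker_iface N
worker_iface() {
    awk -v n="$1" '$0 == ("[worker-" n "]") {f=1}
                   f && /^interface=/ {sub(/^interface=/, ""); print; exit}'
}

# Stand-alone use: ./gen-node-cfg.sh enp2s0 [enp3s0 ...] > /opt/zeek/etc/node.cfg
if [ $# -gt 0 ]; then
    gen_node_cfg "$(nproc)" "$@"
fi
```

Review the generated file before `zeekctl deploy`; `worker_iface` and `count_workers` are there so the layout can be checked from a shell rather than by eye.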
- Edit /opt/zeek/share/zeek/site/local.zeek to enable or disable scripts as needed.
- As the zeek user, run zeekctl deploy to apply configurations and run Zeek.
zeekctl deploy
checking configurations ...
installing ...
removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/site ...
removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/auto ...
creating policy directories ...
installing site policies ...
generating cluster-layout.zeek ...
generating local-networks.zeek ...
generating zeekctl-config.zeek ...
generating zeekctl-config.sh ...
stopping ...
stopping workers ...
stopping proxy ...
stopping manager ...
stopping logger ...
starting ...
starting logger ...
starting manager ...
starting proxy ...
starting workers ...
- If your output looks similar to what’s shown above, you should be good to go. To verify Zeek is running successfully, you can run zeekctl status.
zeekctl status
Name         Type     Host        Status    Pid    Started
logger       logger   localhost   running   1774   10 Oct 23:15:31
manager      manager  localhost   running   1820   10 Oct 23:15:32
proxy-1      proxy    localhost   running   1865   10 Oct 23:15:33
worker-1-1   worker   localhost   running   1950   10 Oct 23:15:35
worker-1-2   worker   localhost   running   1951   10 Oct 23:15:35
worker-2-1   worker   localhost   running   1955   10 Oct 23:15:35
worker-2-2   worker   localhost   running   1954   10 Oct 23:15:35
If you see the following errors:
zeekctl deploy
Error: worker-1-1 terminated immediately after starting; check output with "diag"
Error: worker-1-2 terminated immediately after starting; check output with "diag"
Error: worker-2-1 terminated immediately after starting; check output with "diag"
Error: worker-2-2 terminated immediately after starting; check output with "diag"
Then try re-running the sudo setcap commands from earlier.
sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats
- You should now see logs being generated in /opt/zeek/logs/current.
ls -l
total 2276
-rw-rw-r--. 1 zeek zeek   1573 Oct 10 23:15 broker.log
-rw-rw-r--. 1 zeek zeek    593 Oct 10 23:45 capture_loss.log
-rw-rw-r--. 1 zeek zeek   1970 Oct 10 23:15 cluster.log
-rw-rw-r--. 1 zeek zeek 673435 Oct 10 23:52 conn.log
-rw-rw-r--. 1 zeek zeek 580865 Oct 10 23:52 dns.log
-rw-rw-r--. 1 zeek zeek   3830 Oct 10 23:49 dpd.log
-rw-rw-r--. 1 zeek zeek   1406 Oct 10 23:47 files.log
-rw-rw-r--. 1 zeek zeek  26108 Oct 10 23:48 http.log
-rw-rw-r--. 1 zeek zeek  24646 Oct 10 23:15 loaded_scripts.log
-rw-rw-r--. 1 zeek zeek    753 Oct 10 23:18 notice.log
-rw-rw-r--. 1 zeek zeek    187 Oct 10 23:15 packet_filter.log
-rw-rw-r--. 1 zeek zeek    743 Oct 10 23:46 software.log
-rw-rw-r--. 1 zeek zeek  86512 Oct 10 23:51 ssl.log
-rw-rw-r--. 1 zeek zeek   5446 Oct 10 23:50 stats.log
-rw-rw-r--. 1 zeek zeek      0 Oct 10 23:15 stderr.log
-rw-rw-r--. 1 zeek zeek    188 Oct 10 23:15 stdout.log
-rw-rw-r--. 1 zeek zeek 240866 Oct 10 23:51 weird.log
- If you’re running into issues, zeekctl diag can provide more detailed output for troubleshooting purposes.
ZeekControl features a cron command to check for and restart crashed nodes and to perform other maintenance tasks. To take advantage of this, let’s set up a cron job.
- Edit the crontab of the non-root zeek user.
- Add the following to set up a cron job that runs every five minutes. You can adjust the frequency to your liking.
*/5 * * * * /opt/zeek/bin/zeekctl cron
In Part II of this series, we will install the Zeek Package Manager to extend Zeek’s functionality.
Zeek official documentation: https://www.zeek.org/documentation/index.html
NIC offloading on Ubuntu with systemd-networkd: https://michael.mulqueen.me.uk/2018/08/disable-offloading-netplan-ubuntu/
NIC offloading: https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
If you like my content and want to support me, I'd greatly appreciate you buying me a coffee. Thanks! 🙏
58 thoughts on “Zeekurity Zen – Part I: How to Install Zeek on Ubuntu”
Dear Eric and friends,
Greetings! I'm new to Zeek and trying to install it on Ubuntu 20.04 – installation is done (first part) and when I try to test the installation by running zeekctl
Getting following error related to state.db
Error: file is not a database: /opt/zeek/spool/state.db
Check if the user running ZeekControl has write access to the database file.
Otherwise, the database file is possibly corrupt.
Did you follow each step in the guide? I don’t mention using “/zeekctl start” in any section. Does the user you are running Zeek as have permissions to /opt/zeek? This is covered in the “CREATE THE ZEEK USER AND DIRECTORY TO INSTALL AND RUN ZEEK” section.
Hope that helps!
Thank you for your blog posts, these are really helpful for installing Zeek. I wanted to ask how can we upgrade Zeek without losing any existing settings?
You’re welcome, John and thanks for the kind words.
What settings are you referring to specifically? Generally speaking, any changes you make in “/opt/zeek/share/zeek/site/local.zeek” should persist through any upgrades. If you’re asking how I’d do upgrades, I see two ways.
* Some users like to keep separate Zeek installs. So instead of installing to /opt/zeek, they instead install to /opt/zeek-4-0-0 and then when say version 4.1 is released they’ll do a new install to /opt/zeek-4-1-0. Then copy over any custom configs over as needed. In this way, should you find that the new release of Zeek isn’t working for you for whatever reason (e.g. your favorite Zeek package doesn’t support it) then you can easily revert back without having to start from scratch.
* Install Zeek as normal and overwrite the existing installation in /opt/zeek. You’ll have to remember to run “zkg autoconfig” and confirm that your configurations and packages are all supported in the new version.
Hope that helps!
Thank you for your prompt response!
If I install Zeek to a new folder for example, /opt/zeek-4-1-0, which version would be in production, do I need to disable the older version and move the local.zeek file to the new folder?
It’d be whatever is in your zeek user’s path. So if the path currently has /opt/zeek-4-0-0, you’d want to update that to /opt/zeek/4-1-0, etc. You don’t necessarily need to “disable it,” but yes you’d want to copy local.zeek over to that new directory.
I know this is not something related to your blog posts but I was wondering if you can help me with some Suricata config as well 😃
Can I install Suricata on the same box as Zeek, and if that is possible how can I share the network card with both Zeek and Suricata?
It’s been YEARS since I last used Suricata, but you can definitely run both on the same box so long as it’s sized appropriately. You’d have to Google around for the specific Suricata settings to get this going as that’s a bit beyond me at this point.
Thank you Eric. Currently im an Zeek expertise
Just one comment about installing Network-scripts on CentOS 8. It’ll be deprecated so it’s not a good idea. I actually ran into networking issues with that. There is a better way, I think. Just use the NetworkManager.
1. Disable offloading using nmcli and the change is permanent. For example:
# nmcli con modify enp1s0 ethtool.feature-rx off ethtool.feature-tx off
2. Tuning the ring rx buffer using a dispatcher script. Note: Change 8192 to your own max.
$ cd /etc/NetworkManager/dispatcher.d/pre-up.d/
$ sudo vim 01-ring-buffer
#!/bin/sh
INF="$1" # your current interface name such as eth0 and so on
STA="$2" # status such as UP or DOWN
# Send message to /var/log/messages
logger "$0 called for interface named $INF with $STA ..."
if [ "$INF" = "eth0" ]; then
    ethtool -G eth0 rx 8192
fi
Disclaimer: I’m a beginner with limited Linux experience. So if you want to use the commands and scripts I put here, please be aware that you use them entirely at your own risk. And I accept no liability for any loss or damage arising from the use of them. You should always test any commands and scripts in a test environments if you don’t know the consequences.
Thanks for the tip, Lola. You’re right that it’s effectively deprecated but at the time I wrote the guide I wasn’t sure of an alternative way. Sounds like your suggestion might be a good option. 🙂
Thanks for these instructions, always wanted to try out Zeek.
Sorry for knowing so little, but I do have some questions from very early in the instructions
1) CentOS 8 is noted to be EOL early this year. I just used the CentOS 8 Stream image, but am rather new to Linux so not sure if this will impact the use of Zeek.
2) If my motherboard has a wired and WiFi interface, is it OK to use the WiFi on the motherboard for the admin interface? Guessing that I want to use the built in wired network interface for sniffing, and cannot imagine that the admin interface is particularly sensitive to the slower WiFi connection. I also have
3) maybe related to the first two, but when I try to use ethtool -g in step 2, I get an error: “netlink error:Operation not supported”. Is there something that I need to enable? Or some other way to do this?
No apologies necessary, we’re all beginners at some point. 🙂
1. Yes, unfortunately when I first wrote this guide, CentOS 8 had only been recently announced and was presumably going to have the long stable release cycle and support that previous iterations of CentOS had enjoyed. For the purposes of Zeek, you’re probably still fine unless the Zeek developers say otherwise. You could also use an LTS (long term support) release of Ubuntu, the instructions aren’t too different (apt-get vs yum/dnf) and I will likely write a guide for this eventually.
2. Yes, that is absolutely the way I would do it and you’re exactly right on your reasoning.
3. Hm, are you running this on the interface you want to use for sniffing? Assuming that’s the wired interface, you should only need to run it on that, not the wireless interface.
Thanks for the response and encouragement.
I am thinking that the ethernet nic on my motherboard must not support the ethtool show-ring.
I tried the same command on the WiFi interface, and in that case I do get results
it is a rather old motherboard, ASUS specs the NIC as
Realtek® 8111E , 1 x Gigabit LAN Controller(s)
so maybe I just need to get a new NIC anyway.
sudo lshw -C network
description: Ethernet interface
product: RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
vendor: Realtek Semiconductor Co., Ltd.
physical id: 0
bus info: pci@0000:03:00.0
logical name: enp3s0
width: 64 bits
capabilities: pm msi pciexpress msix vpd bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=4.18.0-259.el8.x86_64 duplex=full firmware=rtl8168e-3_0.0.4 03/27/12 ip=192.168.1.69 latency=0 link=yes multicast=yes port=MII speed=1Gbit/s
resources: irq:16 ioport:e000(size=256) memory:f0004000-f0004fff memory:f0000000-f0003fff
Ah, yeah that might be it. I know there are people using Raspberry Pi’s or Intel NUC systems to do this and that might be a cost effective solution depending on your budget.
I’m reinstalling Zeek and was wondering what was the point in step 3 here again where we disable DHCP? Once we set BOOTPROTO=none, save the config and enable/restart network service, I get no IP Address/Network connectivity. Am I seeing something wrong? Are we not supposed to use DHCP or am I supposed to set Static IP? I think before, I just left it as DHCP; would that be okay or is there a specific reason for something to work that we need to disable DHCP?
As noted in the step, “As root/sudo, edit the /etc/sysconfig/network-scripts/ifcfg-
file for each sniffing network interface and change or add the following lines.”
You’re welcome to configure the network interface you’ll be using for administration of the server however works best for your needs.
Hope that helps!
Ohh okay, sorry. Yes I was only using a test machine with 1 NIC card and wasn’t thinking of multiple interfaces. For production is it recommended to have a couple sniffing interfaces or would 1 be good enough?
Depends on your requirements. However many port mirrors or TAPs you’re looking to monitor is how many sniffing interfaces you’ll need.
Thank you for the great post Eric. Quick question for you.. Have you tried to install the Kafka plugin using zkg on CentOS8. I completed the installation steps you provided for Zeek. I was trying to add kafka to this but having no luck. I installed librdkafka 1.4.2 successfully. Plugin installation does not work:
[zeek@zeek ~]$ zkg install apache/metron-bro-plugin-kafka --version master
The following packages will be INSTALLED:
Verify the following REQUIRED external dependencies:
(Ensure their installation on all relevant systems before proceeding):
from zeek/apache/metron-bro-plugin-kafka (master):
Proceed? [Y/n] Y
zeek/apache/metron-bro-plugin-kafka asks for LIBRDKAFKA_ROOT (Path to librdkafka installation tree) ? [/usr/local/lib]
Saved answers to config file: /home/zeek/.zkg/config
Running unit tests for “zeek/apache/metron-bro-plugin-kafka”
error: failed to run tests for zeek/apache/metron-bro-plugin-kafka: package build_command failed, see log in /home/zeek/.zkg/logs/metron-bro-plugin-kafka-build.log
Proceed to install anyway? [N/y] N
I have not tried to install that plugin. I’d start by looking at the error log suggested in the output you pasted: /home/zeek/.zkg/logs/metron-bro-plugin-kafka-build.log
I am not sure if anyone had this issue before so here it is. I followed the steps above on CentOS8 and when I tried to compile the zeek code, I got the following error:
[zeek@zeek zeek-3.2.1]$ ./configure --prefix=/opt/zeek --enable-jemalloc
Build Directory : build
Source Directory: /home/zeek/zeek-3.2.1
-- The C compiler identification is GNU 8.3.1
-- The CXX compiler identification is GNU 8.3.1
-- Check for working C compiler: /usr/bin/cc
-- Check for working C compiler: /usr/bin/cc -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler: /usr/bin/c++
-- Check for working CXX compiler: /usr/bin/c++ -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Performing Test test_arch_x64
-- Performing Test test_arch_x64 - Success
-- Performing Test test_arch_aarch64
-- Performing Test test_arch_aarch64 - Failed
-- Performing Test test_arch_arm
-- Performing Test test_arch_arm - Failed
-- Performing Test test_arch_power
-- Performing Test test_arch_power - Failed
-- Determined target architecture (for hashing): x86_64
-- Found sed: /usr/bin/sed
-- Could NOT find PythonInterp (missing: PYTHON_EXECUTABLE)
-- Found FLEX: /usr/bin/flex (found version "2.6.1")
-- Found BISON: /usr/bin/bison
-- Found PCAP: /usr/lib64/libpcap.so
-- Performing Test PCAP_LINKS_SOLO
-- Performing Test PCAP_LINKS_SOLO - Success
-- Looking for pcap_get_pfring_id
-- Looking for pcap_get_pfring_id - not found
-- Found OpenSSL: /usr/lib64/libcrypto.so (found version "1.1.1c")
-- Performing Test ns_initparse_works_none
-- Performing Test ns_initparse_works_none - Failed
-- Performing Test res_mkquery_works_none
-- Performing Test res_mkquery_works_none - Failed
-- Performing Test ns_initparse_works_libresolv.a
-- Performing Test ns_initparse_works_libresolv.a - Failed
-- Performing Test res_mkquery_works_libresolv.a
-- Performing Test res_mkquery_works_libresolv.a - Failed
-- Performing Test ns_initparse_works_resolv
-- Performing Test ns_initparse_works_resolv - Success
-- Performing Test res_mkquery_works_resolv
-- Performing Test res_mkquery_works_resolv - Success
-- Found BIND: /usr/lib64/libresolv.so
-- Found ZLIB: /usr/lib64/libz.so (found version "1.2.11")
CMake Error at auxil/binpac/CMakeLists.txt:35 (message):
Could not find prerequisite package 'PythonInterp'
The fix was to install python3-devel: yum install python3-devel
The Python3 development package should have been installed when you installed the Zeek dependencies in the “Install Zeek Dependencies” step. Specifically this command:
sudo yum install cmake make gcc gcc-c++ flex bison jemalloc-devel libpcap-devel openssl-devel platform-python-devel swig zlib-devel
With the key package being “platform-python-devel.” If for whatever reason that did not install properly for you, then your fix will definitely work, too!
Hey Eric sorry, i want to ask,how to send zeek all event to syslog collector? most references refer to graylog, splunk, elk.
Depends on what syslog system you’re using, but whichever one it is, you’d want to configure it to monitor /opt/zeek/logs/current/* and forward to your desired syslog server. Assuming you’re using syslog-ng, you can refer to their administration guide for more details: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.25/administration-guide
Hope that helps!
Okay thanks eric for reference, I will try it, if there is a problem maybe I will discuss again with you here.
No reason to create a service for promiscus, you can just add to the network script PROMISC=yes
For CentOS7 and later, this will not work as that option has been deprecated: https://unix.stackexchange.com/questions/198076/enable-promiscous-mode-in-centos-7
Hope that helps!
I tried to follow your guide but on step 2 – Install the network-scripts package, the command “sudo yum install network-scripts” wont work because the network is down from the previous change. Is there something I missed from the steps you listed here?
Good catch! This guide was originally written for installation on CentOS 7 and I forgot to remove the section on disabling NetworkManager. For some background, CentOS 8 no longer ships with network-scripts support and requires the use of NetworkManager for network configuration. However, NetworkManager does not provide the level of configuration required to optimize sniffing interfaces for packet capture, hence the need for the now legacy, network-scripts.
You can however run it such that NetworkManager is used for your management interfaces, and network-scripts are used just for the sniffing interfaces. All that said, you have two choices:
1. Re-enable NetworkManager.
2. Edit /etc/sysconfig/network-scripts/ifcfg-management_interface to use either DHCP or static IP.
For most people, the easier option will be number 1. To start and re-enable NetworkManager, run:
sudo systemctl start NetworkManager
sudo systemctl enable NetworkManager
Apologies for the confusion and hope that helps!
I did that and it worked. Thank you for the fast response.
Another thing you may want to update on the guide is related to python-dev pre-requisite. The option I found available thru yum was python2-devel, which comes from AppStream.repo of CentOS8. I could not find the dev package for Python3 in any repos.
Thanks, Julian! I just updated it, it should’ve been “platform-python-devel” and not just “python-devel.”
I am not sure if this is relevant but the command “zeekctl deploy” didn’t work for me until I installed the sendmail package. As soon as the sendmail server was up, it started without any error. I hope it helps.
Thanks, Julian. I did not run into that, though my guess is that you tried to configure Zeek to send email alerts without having sendmail first installed.
Alternatively, you could have removed the mail options from the /installation_path/zeek/etc/zeekctl.conf file, or filled in the default MailTo = root@localhost.
Thanks, Tina. Great tip!
Thanks for the article, Eric. Very helpful. Question about running NetworkManager on the sniffing interface. Are you saying one should run NetworkManager AND networkd at the same time? If so, isn’t this ‘bad’? Or are you saying the config files in /etc/sysconfig/network-scripts/ifcfg-* should have NM_CONTROLLED = no vs yes? TIA!
I’m saying you should DISABLE “NetworkManager” on the sniffing interfaces and INSTEAD ENABLE the “network” service. This is because NetworkManager doesn’t allow you to specify the configurations we want to optimize traffic capture for Zeek.
Hope that helps!
Hi Eric, thank you for this guide, it's very helpful for me. Now if I want to add a second sniffing interface, do I have to disable the NIC offloading functions and set the second sniffing interface to PROMISCUOUS MODE also?
Glad to hear it’s been helpful for you!
Yes, for each sniffing interface you want to use, you should apply the same steps under “DISABLE NIC OFFLOADING FUNCTIONS” to optimize the interface for packet capture.
Hope that helps!
Okay thank you 🙂
May i ask why you use AF_PACKET instead of PF_RING in part 2 of this setup?
Is there is any advantages of using AF_PACKET over PF_RING for zeek?
Thank you in advance
Great question! Once upon a time I too used PF_RING. There are two primary reasons for my moving to AF_PACKET:
* AF_PACKET is already built into the Linux kernel so using and maintaining it is much easier. In my experience, compiling and installing PF_RING is non-trivial, in particular updating it whenever a new version of the PF_RING package is released.
* AF_PACKET has been shown to effectively capture packets at high speeds on modern Linux kernels. It has been recommended on the Zeek mailing list (including by the team at Mozilla that has tuned AF_PACKET to capture up to 20Gbps) and is used by notable NSM distributions such as RockNSM and Security Onion.
You’re certainly welcome to still use PF_RING if you find it works better for you. I’ve only used the open source PF_RING packages, not the paid-for licensed versions so I can’t speak to how well those work. For experienced Linux users, PF_RING is _not too difficult_ to maintain, and it will definitely improve packet capture performance over using absolutely no optimization.
Hope that helps!
Great explanation eric, thank you for your guidance.
Hi Eric, we want to span a 100Gbps link. So the best option would be to have a multiple physical server Zeek setup? I couldn’t find the maximum Gbps af_packet can handle btw.
Do you know if it’s possible to capture 100Gbps on a single Nic ?
So it is possible to capture 100 Gbps on a single NIC with the right hardware, but I don’t think most people do this. Personally, I would look into a packet broker like Gigamon to split up the 100 Gbps traffic or even filter out the traffic you don’t care about and then send this copy to Zeek. It’ll reduce noise and let you use a more reasonable server to monitor your traffic.
As for what kind of Zeek server setup you’d want to monitor this, it depends on how much traffic is coming in. If you’re sending a full 100 Gbps with no filtering, then you’ll likely want multiple physical servers to handle the load. But again, I’d first try to cut down on traffic at the network level and send only what you really care about first. This will make sizing Zeek a lot easier.
And what does it actually mean what you said “…has tuned AF_PACKET to capture up to 20Gbps”?
Do you mean AF_PACKET can’t capture total amount of 20Gbps and distribute it to different CPU cores? I guess this is the Linux kernel limit, right? So for sniffing a 100Gbps interface (let’s assume the peak usage is 100Gbps), we should go for the cluster reference architecture shown here https://docs.zeek.org/en/current/cluster/index.html? I’d really like to know what the limitation of doing everything on only one server is and when to use a multi-node cluster. And it’d be great to find some real world use cases of it, one server and multiple servers deployment.
Sorry! “Do you mean AF_PACKET can’t capture total amount of 20Gbps and distribute it to different CPU cores?”
should be “Do you mean AF_PACKET can capture total amount of 20Gbps maximum and distribute it to different CPU cores?”
I have this issue too;
fatal error: problem with interface (pcap_error: socket: Operation not permitted (pcap_activate))
I know it has something to do with the bro user privileges, but I cannot figure out other then the step:
sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro
sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/broctl
but that does not seem to do the trick.
running as root, it works.
Hi Boudy — Yep, those commands are what should take care of it. I remember having similar issues and I believe some combination of running those two commands again and restarting resolved it. I know, seems silly. Also make sure that the bro user is the owner of the /opt/bro directory, which is the next step in the guide.
Eric, You’re a life saver.
I executed both again as bro user, did the broctl deploy and without errors !!!! this time.
Nice! Happy monitoring! Also, any feedback on the howto series would be great or additional ideas you’d like to see.
I had to leave a comment here, just to say thanks. I’ve been banging my head against the wall for the last two days trying to find a solution for the same Operation not permitted error Boudy mentioned. Some serious Googling brought me here after also having watched a Pluralsight course video, and I found these setcap commands.
My remaining hair on my head thanks you, Eric.
I have something wrong after deploying the Zeek cluster: worker-2 did not run the Zeek scripts but only copied those scripts from the manager. Why, and how could I fix it?
Not sure I understand the issue. I suggest double checking your /opt/zeek/etc/node.cfg and making sure worker-2 is set to type=worker and not type=manager.
Hope that helps!
Disable the NetworkManager service and enable the “network” service
1. Stop and disable the NetworkManager service.
2. Verify that NetworkManager has been disabled.
— I get this in reply:
$ sudo systemctl list-unit-files | grep NetworkManager
NetworkManager-wait-online.service disabled <<< you show "enabled" for this.
You say … '…enable the “network” service' but there are no instructions about that.
I went through the installation procedure and get this error:
fatal error: problem with interface eno1 (pcap_error: socket: Operation not permitted (pcap_activate))
What am I missing here?
Thanks in advance.
Good catch, Dean — you’re absolutely right! I’ve added the missing steps. Please let me know if you continue to run into issues.