Zeekurity Zen – Part II: Zeek Package Manager

Zeekurity Zen – Part II: Zeek Package Manager

This is part of the Zeekurity Zen Zeries on building a Zeek (formerly Bro) network sensor.

Overview

In our Zeek journey thus far, we’ve:

Now we’ll introduce the Zeek Package Manager to extend Zeek’s functionality with packages contributed by the Zeek community.  A full list of available packages can be viewed on the Zeek Package Browser.  We will focus on configuring Zeek to use AF_PACKET to further optimize packet capture and analysis.  We’ll also install additional useful packages.

To do this, we’ll walkthrough these steps:

  1. Install Zeek Package Manager to extend Zeek’s functionality.
  2. Use Zeek Package Manager to install the AF_PACKET package.
  3. Configure Zeek to use the AF_PACKET package to optimize Zeek’s packet capture performance.
  4. [Optional] Install additional useful packages including ja3 and HASSH.
  5. Update Zeek packages.

Install Zeek Package Manager

  1. As root/sudo install git to download Zeek packages.
    sudo yum install git
  2. As root/sudo install PIP to download Python packages.
    sudo yum install python3-pip
  3. Switch to the zeek user.
    su zeek
  4. Change directories to the zeek user’s home directory and confirm the change. Doing this ensures that we run zkg from a directory that the zeek user has access to, otherwise zkg will fail.
    cd
    pwd
    /home/zeek
  5. Install the Zeek Package Manager (zkg) as the zeek user.
    pip3 install zkg --user
  6. As the zeek user, configure Zeek Package Manager (zkg).
    zkg autoconfig

    This will create a configuration file in /home/zeek/.zkg/config. Upon completion it should look something like the following.

    zeek = https://github.com/zeek/packages
    
    [paths]
    state_dir = /home/zeek/.zkg
    script_dir = /opt/zeek/share/zeek/site
    plugin_dir = /opt/zeek/lib/zeek/plugins
    zeek_dist = /home/zeek/zeek-3.1.5
    

Install the AF_PACKET package

  1. As the zeek user, stop Zeek if it is currently running.
    zeekctl stop
  2. Use zkg to install the AF_PACKET package.
    zkg install zeek/j-gras/zeek-af_packet-plugin
    The following packages will be INSTALLED:
      zeek/j-gras/zeek-af_packet-plugin (2.0.0)
    
    Proceed? [Y/n] y
    Running unit tests for "zeek/j-gras/zeek-af_packet-plugin"
    Installing "zeek/j-gras/zeek-af_packet-plugin".......
    Installed "zeek/j-gras/bro-af_packet-plugin" (2.0.0)

Configure Zeek to use AF_PACKET

  1. Edit /opt/zeek/etc/node.cfg to configure Zeek to use AF_PACKET.  In the example configuration below we are configuring one worker, load balanced across two cores, analyzing one sniffing interface.
    # Example ZeekControl node configuration.
    # Below is an example clustered configuration on a single host.
    
    [logger]
    type=logger
    host=localhost
    
    [manager]
    type=manager
    host=localhost
    
    [proxy-1]
    type=proxy
    host=localhost
    
    [worker-1]
    type=worker
    host=localhost
    interface=af_packet::enp2s0
    lb_method=custom
    lb_procs=2
    pin_cpus=0,1
    

    In the event you have two or more sniffing interfaces (e.g. enp2s0 and enp3s0), see the example configuration below which assigns each interface its own worker, load balanced across two cores, again using AF_PACKET. Note the addition of unique af_packet_fanout_id values for each of the sniffing interfaces.

    # Example ZeekControl node configuration.
    # Below is an example clustered configuration on a single host.
    
    [logger]
    type=logger
    host=localhost
    
    [manager]
    type=manager
    host=localhost
    
    [proxy-1]
    type=proxy
    host=localhost
    
    [worker-1]
    type=worker
    host=localhost
    interface=af_packet::enp2s0
    lb_method=custom
    lb_procs=2
    pin_cpus=0,1
    af_packet_fanout_id=2
    
    [worker-2]
    type=worker
    host=localhost
    interface=af_packet::enp3s0
    lb_method=custom
    lb_procs=2
    pin_cpus=2,3
    af_packet_fanout_id=3
  2. As root/sudo, give the Zeek binaries permissions to capture packets. This was previously done in Part I, however, installing AF_PACKET requires doing this again.
    sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
    sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats
  3. As the zeek user, run zeekctl deploy to apply configurations and run Zeek.
    zeekctl deploy

    If you see the following errors, try re-running the sudo setcap commands from the previous step.

    zeekctl deploy
    Error: worker-1-1 terminated immediately after starting; check output with "diag"
    Error: worker-1-2 terminated immediately after starting; check output with "diag"
    Error: worker-2-1 terminated immediately after starting; check output with "diag"
    Error: worker-2-2 terminated immediately after starting; check output with "diag"

[Optional] Install Additional Useful Packages (e.g. add-interfaces, ja3, and HASSH)

We’ll install additional Zeek packages: add-interfaces, ja3, and HASSH. The install process outlined below should work for installing other packages you may be interested in.

  1. As the zeek user, stop Zeek if it is currently running.
    zeekctl stop
  2. Use zkg to install the add-interfaces package. In situations where you are monitoring multiple network interfaces on one sensor, this adds an “_interface” field to every log file which labels the particular network interface that traffic is coming from.
    zkg install zeek/j-gras/add-interfaces
    The following packages will be INSTALLED:
      zeek/j-gras/add-interfaces (master)
    
    Proceed? [Y/n] y
    Installed "zeek/j-gras/add-interfaces" (master)
    Loaded "zeek/j-gras/add-interfaces"
  3. Edit /opt/zeek/share/zeek/site/add-interfaces/add-interfaces.bro and modify the const enable_all_logs and const include_logs: set[Log::ID] fields as shown below. Save the file when you’re finished.
    export {
            ## Enables interfaces for all active streams
            const enable_all_logs = T &redef;
            ## Streams not to add interfaces for
            const exclude_logs: set[Log::ID] = { } &redef;
            ## Streams to add interfaces for
            const include_logs: set[Log::ID] = { } &redef;
    }
  4. Use zkg to install the ja3 package. This is used for profiling SSL/TLS clients.
    zkg install zeek/salesforce/ja3
    The following packages will be INSTALLED:
      zeek/salesforce/ja3 (master)
    
    Proceed? [Y/n] y
    Installing "zeek/salesforce/ja3"
    Installed "zeek/salesforce/ja3" (master)
    Loaded "zeek/salesforce/ja3"
  5. Use zkg to install the HASSH package. This is used for profiling SSH clients and servers.
    zkg install zeek/salesforce/hassh
    The following packages will be INSTALLED:
      zeek/salesforce/hassh (master)
    
    Proceed? [Y/n] y
    Installing "zeek/salesforce/hassh"
    Installed "zeek/salesforce/hassh" (master)
    Loaded "zeek/salesforce/hassh"
  6. Edit /opt/zeek/share/zeek/site/local.zeek and add the following lines to the bottom. This will load all packages you’ve installed.
    # Load Zeek Packages
    @load packages
  7. As the zeek user, run zeekctl deploy to apply configurations and run Zeek.
    zeekctl deploy

Update Installed Zeek Packages

  1. As the zeek user, stop Zeek if it is currently running.
    zeekctl stop
  2. Use zkg to check for updated packages.
    zkg refresh
    Refresh package source: zeek
            No changes
    Refresh installed packages
            New outdated packages:
                    zeek/salesforce/hassh (master)

    This indicates that zeek/salesforce/hassh needs to be updated.

  3. Use zkg to check for updated packages.
    zkg upgrade
    The following packages will be UPGRADED:
      zeek/salesforce/hassh (master)
    
    Proceed? [Y/n] y
    Upgraded "zeek/salesforce/hassh" (master)
  4. As the zeek user, run zeekctl deploy to apply configurations and run Zeek.
    zeekctl deploy

Up Next

In Part III of this series, we will walkthrough how to send Zeek logs to Splunk and take advantage of the Corelight For Splunk app.


Stuff I Like

Web Hosting: SiteGround

ericooi.com is proudly hosted by SiteGround. Performance and customer service are top notch. Quick and easy https implementation via built-in Let's Encrypt integration.

VPN: Private Internet Access

When I'm using a public internet access point, I use Private Internet Access to secure my connections. Easy to use, fast speeds, and no logs.


15 thoughts on “Zeekurity Zen – Part II: Zeek Package Manager”

  • Hello Eric,

    When i edit node.cfg to use: (replacing enp2s0 with ens33)

    [worker-1]
    type=worker
    host=localhost
    interface=af_packet::enp2s0
    lb_method=custom
    lb_procs=2
    pin_cpus=0,1

    and run zeekctl deploy, I get this error:
    Error: worker-1-1 terminated immediately after starting; check output with “diag”
    Error: worker-1-2 terminated immediately after starting; check output with “diag”

    I tried running this command as root as suggested but still fails:
    sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
    sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats

    Any thoughts?
    Thank you for this guide. Hopefully this helps with what I need to do for my job. We are in need of analyzing DNS further and have wireshark captures showing our dns server sending dns query to an external ip address for some odd reason once in awhile and source is coming from our core switch. Other than that, we don’t know what else to gain from this and how to analyze it. Hoping zeek can do something to help wit hthis.

    • Hi Kevin,

      Were you able to get Zeek running prior to trying to use AF_PACKET? In other words, was it running successfully after you completed Part I of this guide? It sounds strange, but try running those two sudo commands a couple times. For whatever reason, I’ve seen it not take initially, and then it will go. If you’re on the Zeek Slack, feel free to message me there, too.

      Appreciate the kind words on the guide! Zeek is awesome for DNS analysis. Hopefully we can figure this issue out and get you going.

      – Eric

  • I config the the node.cfg like in your articles. but i face a problem issue ” checking configurations …
    installing …
    removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/site …
    Error: failed to remove directory /opt/zeek/spool/installed-scripts-do-not-touch/site: [Errno 13] Permission denied: ‘local.zeek’
    When I run zeekctl deploy. How can i resolve this issue?
    Thanks and regards,

  • I am new to zeek, and trying to test zeek, I did the first 2 tutorial. Is there a way to test that zeek has started monitoring my network. what should I configure to send my data and check that zeek captured it correctly.
    Also, how to setup zeek to inflow and outflow of network from system to internet?

    • Hi Abhishek,

      1. My guide doesn’t cover it (and maybe it should), but you’ll need a way to send network traffic to your Zeek system. This is typically done via a network TAP or mirror/SPAN port that sends a copy of network traffic to your Zeek sensor. Once you’ve got that working, if your Zeek is installed and running successfully, you should be seeing logs generated in /opt/zeek/logs/current.
      2. I’m not sure I understand your last question.

      Hope that helps!

  • Hi Eric,
    in step 4 INSTALL ZEEK PACKAGE MANAGER
    it can’t find the file zkg autoconfig after executing pip3 install –user zeek zkg
    I’m using the zeek user, and my system is a RHEL server. Am I missing something?

      • Hi Parson,

        After you run the pip3 install command it should have installed zkg to ~/.local/bin/zkg. From there you run zkg autoconfig to automatically create and populate the zkg configuration file in /home/zeek/.zkg/config. The tricky part is that you need to install python3-pip as a user with sudo privileges and then switch users to the zeek user and install zkg.

        Hope that helps!

  • Hi Eric, nice posts! very detailed thanks! I was wondering if you ever had this errors before while setting up zkg?
    ~]# zkg autoconfig
    warning: skipped using package source named “zeek”: failed to clone git repo
    Successfully wrote config file to /root/.zkg/config

    ~]# more /root/.zkg/config
    [sources]
    zeek = https://github.com/zeek/packages

    [paths]
    state_dir = /root/.zkg
    script_dir = /opt/zeek/share/zeek/site
    plugin_dir = /opt/zeek/lib/zeek/plugins
    zeek_dist =

    whatever package I try to install, it gives me this error:
    ~]# zkg install zeek/j-gras/bro-af_packet-plugin
    warning: skipped using package source named “zeek”: failed to clone git repo
    error: invalid package “zeek/j-gras/bro-af_packet-plugin”: package name not found in sources and also not a usable git URL (invalid or inaccessible, use -vvv for details)

    Any thoughts?
    many thanks!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.