Zeekurity Zen Zeries

If you're looking for professional services on this topic or interested in other cybersecurity consulting services, please reach out to me via my Contact page to discuss further.
Zeek is my favorite network security monitoring platform, and I’ve used it throughout my career. It generates rich network metadata that’s incredibly valuable for incident response, forensics, and general troubleshooting.
For most people, the main challenge with using Zeek is in setting it up. While today there exists Corelight (an enterprise Zeek appliance), not everyone has the budget for this. Plus, it’s fun to do it yourself and learn a thing or two. 😉
This series walks through Zeek setup and covers a variety of tips and tricks I’ve learned over the years.
Part I: How to Install Zeek on Ubuntu
Part II: Zeek Package Manager
Part III: How to Send Zeek Logs to Splunk
Part IV: Threat Hunting with Zeek
Part V: Zeek Intelligence Framework
Part VI: Zeek File Analysis Framework
Part VII: Zeek To Understand Encryption
Part VIII: How to Send Zeek Logs to Elastic
Part IX: How To Update Zeek
If you like my content and want to support me, I'd greatly appreciate you buying me a coffee. Thanks! 🙏
Thank you so much. I love the series. It’s so valuable to beginners like me, and it’s saved me so much time and so many headaches in getting my Zeek environment up and running.
Really looking forward to Part VIII. Any ETA on that 🙂?
No ETA yet as I’ve been busy the last couple months, but it is coming!
Awesome!! Can’t wait!
By the way, it would also be great if you could share your experience with architecture designs using Zeek/Suricata, an ELK SIEM, ELK alerting, etc. in an enterprise environment. I’m designing and building a solution for a SOC. I’m really interested in how core network traffic should be mirrored and how we can scale the solution (Zeek clustering is easy, but how about Suricata, for instance?). Due to our privacy law, we can’t use cloud services like Splunk, so we went for our own ELK SIEM setup. Do you have experience building a complete solution using these tools, or do you happen to know some good reference architectures?
I know there are solutions like Security Onion, everything works out of the box and it’s very easy to scale. It sounds almost too good to be true. But we prefer to build our own solutions similar to that.
It has also been a while since I used Security Onion, but for beginners it is a great starting point. If you want to learn more about how things work and be able to tune things specifically to your liking, then building it yourself is certainly the way to go.
I have experience with Elastic + Zeek, but not Suricata. Suricata is beyond the scope of what I will cover and to be honest, it has been years since I last used it.
At a high level, for mirroring core network traffic you’d typically want to start by mirroring internet egress and ingress traffic (“North-South”) before moving to internal traffic (“East-West”). If you have significant volumes of traffic, you can either look into using packet brokers like Gigamon to control what traffic goes where and/or leverage high bandwidth network capture cards on your Zeek sensors.
Thank you so much for the tips and suggestions.
Your website is now my go-to place for learning more about Zeek and ELK. Thank you once again for sharing your knowledge with the world. Have a good day! Stay safe and healthy!