Capturing META data with Zeek
IDS/IPS are great, but they only generate events when captured traffic matches a configured rule, and the rest of the valuable data in that traffic is lost: the metadata. Every time you use an application, the underlying protocol is generous with metadata: user-agent strings, source and destination IP addresses, and so on. But how can you harvest this valuable data? One answer is to deploy the Zeek software. Let’s dive into this.
For this installation, I am again using the virtual machine (NetworkMonitor) whose monitoring capabilities I am going to expand with Zeek. Let’s build it from scratch by compiling the software from source. First things first: the dependencies.
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev python3-git python3-semantic-version
The next step is to clone the source code from GitHub. This can be done using the following command:
git clone --recursive https://github.com/zeek/zeek
Now you are ready to compile and install the Zeek software. This can be done by entering the following commands:
cd <<folder with the zeek source code>>
./configure
make
make install
Once the command ‘./configure’ is issued, the build system checks whether all required dependencies can be found. This step should complete relatively quickly.
Let’s compile the Zeek software itself by issuing the command ‘make’. Depending on the CPU performance, this may take a while to complete.
And finally, it is time to install the compiled Zeek software. Type ‘make install’ and press Enter to start the installation process.
Once Zeek is installed, it is important to expand the PATH variable. And don’t forget to add the same line to ‘/etc/profile’ to ensure Zeek can still be found after a reboot or logout.
export PATH=/usr/local/zeek/bin:$PATH
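As an added example (not part of the original post and not a script shipped by the Zeek project), here is the whole build procedure above as one re-runnable shell script: it installs the dependencies, clones the repository with its submodules, builds with an explicit prefix, appends the PATH line to ‘/etc/profile’ only if it is not already there, and verifies that the binaries exist. The source directory and the ‘--install’ flag are assumptions of this script; the build steps run only when it is invoked with that flag, as root.

```shell
#!/bin/sh
# Added example: build Zeek from source as the post describes (not Zeek's own script).
set -eu

ZEEK_PREFIX="${ZEEK_PREFIX:-/usr/local/zeek}"   # Zeek's default install prefix
SRC_DIR="${SRC_DIR:-/usr/local/src/zeek}"       # assumption: where the clone is kept
PROFILE_FILE="${PROFILE_FILE:-/etc/profile}"    # the file the post says to update

# The export line the post adds to the shell environment.
zeek_path_line() {
    printf 'export PATH=%s/bin:$PATH\n' "$ZEEK_PREFIX"
}

# Append the export line to a profile file only if an identical line is not
# already present, so re-running this script never duplicates it.
ensure_path_line() {
    line="$(zeek_path_line)"
    if ! grep -qxF -- "$line" "$1" 2>/dev/null; then
        printf '%s\n' "$line" >> "$1"
    fi
}

install_deps() {
    # The dependency list from the post (Debian/Ubuntu package names).
    apt-get install -y cmake make gcc g++ flex bison libpcap-dev libssl-dev \
        python3 python3-dev swig zlib1g-dev python3-git python3-semantic-version
}

build_zeek() {
    # --recursive pulls in the submodules Zeek needs; skip the clone if it exists.
    if [ ! -d "$SRC_DIR/.git" ]; then
        git clone --recursive https://github.com/zeek/zeek "$SRC_DIR"
    fi
    cd "$SRC_DIR"
    ./configure --prefix="$ZEEK_PREFIX"   # checks that the dependencies are present
    make -j"$(nproc)"                     # parallel build; this is the slow step
    make install
}

# Confirm the binaries landed where PATH will look for them.
verify_install() {
    [ -x "$ZEEK_PREFIX/bin/zeek" ] && [ -x "$ZEEK_PREFIX/bin/zeekctl" ] || return 1
    "$ZEEK_PREFIX/bin/zeek" --version
}

# Run the full procedure only when asked, e.g.: sudo sh build-zeek.sh --install
if [ "${1:-}" = "--install" ]; then
    install_deps
    build_zeek
    ensure_path_line "$PROFILE_FILE"
    verify_install
    echo "Zeek installed under $ZEEK_PREFIX; log in again or run: $(zeek_path_line)"
fi
```

The idempotent ‘ensure_path_line’ is the part worth keeping even if you type the rest by hand: every re-run of a setup script that blindly appends to ‘/etc/profile’ adds another copy of the line.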
The next step is to configure Zeek. By default, it is installed in ‘/usr/local/zeek’. Let’s edit ‘networks.cfg’. As I am using various RFC 1918 networks in my lab environment, the default settings are fine for me.
Now let’s edit ‘node.cfg’. By default, it is configured to run in standalone mode with one network interface. That will not work in my case: I have two network interface cards configured in my virtual machine (enp0s3 and enp0s8). To switch to the clustered configuration, I comment out the currently enabled lines with a pound (#) sign, remove the pound sign from the cluster configuration lines, change the interface of worker-1 to enp0s3, and change the interface of worker-2 to enp0s8.
The final step before activating Zeek is to check the global configuration file ‘zeekctl.cfg’. As Zeek can generate a lot of logging, it is important to check the log rotation settings.
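As an added example (not from the original post and not a Zeek tool), a shell helper for the two edits just described: it writes the two-worker cluster ‘node.cfg’, sanity-checks a node.cfg before ‘zeekctl check’ runs (exactly one manager, every worker with an interface, no standalone node left uncommented), and sets ‘LogRotationInterval’ in ‘zeekctl.cfg’. The section names, the ‘localhost’ hosts, the 900-second rotation interval and the scratch directory are assumptions; the real files live under ‘/usr/local/zeek/etc’, and the functions take the path as an argument so you can try them on copies first.

```shell
#!/bin/sh
# Added example: generate and sanity-check the Zeek cluster node.cfg and the
# log rotation setting (assumed layout; Zeek's own validation is 'zeekctl check').
set -eu

# Write a cluster node.cfg with one manager, one proxy and two workers, each
# worker sniffing one NIC. All nodes run on this host, as in the post's single VM.
write_cluster_node_cfg() {
    cat > "$1" <<EOF
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=$2

[worker-2]
type=worker
host=localhost
interface=$3
EOF
}

# Pre-flight check of a node.cfg: prints the node counts and fails (exit 1) on
# the mistakes that typically follow hand-editing the default file.
check_node_cfg() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        /^\[/ { sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^type[[:space:]]*=/ { t = $0; sub(/^type[[:space:]]*=[[:space:]]*/, "", t); type[sec] = t; next }
        /^interface[[:space:]]*=/ { iface[sec] = 1; next }
        END {
            for (s in type) {
                n[type[s]]++
                if (type[s] == "worker" && !(s in iface)) bad = bad s " has no interface; "
            }
            if (n["manager"] != 1)   bad = bad "need exactly one manager; "
            if (n["worker"] < 1)     bad = bad "need at least one worker; "
            if (n["standalone"] > 0) bad = bad "standalone node still enabled; "
            printf "manager=%d proxy=%d worker=%d\n", n["manager"], n["proxy"], n["worker"]
            if (bad != "") { print "node.cfg problem: " bad > "/dev/stderr"; exit 1 }
        }' "$1"
}

# Set (or add) LogRotationInterval, in seconds, in zeekctl.cfg without relying on
# the non-portable 'sed -i'. The value shipped in the default file is 3600.
set_rotation_interval() {
    grep -q '^LogRotationInterval' "$1" || printf 'LogRotationInterval = %s\n' "$2" >> "$1"
    sed "s/^LogRotationInterval[[:space:]]*=.*/LogRotationInterval = $2/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

get_rotation_interval() {
    sed -n 's/^LogRotationInterval[[:space:]]*=[[:space:]]*//p' "$1"
}

# Demo on scratch copies; point the paths at /usr/local/zeek/etc for the real thing.
DEMO_DIR="$(mktemp -d)"
write_cluster_node_cfg "$DEMO_DIR/node.cfg" enp0s3 enp0s8
check_node_cfg "$DEMO_DIR/node.cfg"
# Constructed stand-in for the two rotation lines of the default zeekctl.cfg
# (LogExpireInterval = 0 means archived logs are never deleted).
printf 'LogRotationInterval = 3600\nLogExpireInterval = 0\n' > "$DEMO_DIR/zeekctl.cfg"
set_rotation_interval "$DEMO_DIR/zeekctl.cfg" 900
echo "LogRotationInterval is now $(get_rotation_interval "$DEMO_DIR/zeekctl.cfg") seconds"
```

The check deliberately catches the half-finished edit the post warns about: uncommenting the cluster block while the ‘[zeek]’ standalone section is still active, or forgetting the interface on one of the workers.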
Let’s validate the configuration files. This can be done by entering the following command:
zeekctl check
It is time to deploy the configuration settings. This can be done by entering the following command:
zeekctl install
Let’s now activate the software. This can be done by entering the following command:
zeekctl start
Zeek is now actively monitoring the configured network interface cards. By default, Zeek stores the active logs in ‘/usr/local/zeek/logs/current’.
Architecture
As described above, compiling, configuring, and installing the Zeek software is a relatively straightforward process. The key element to address is how to deal with Zeek’s output. Depending on the network traffic observed, Zeek can generate a lot of logging very quickly.
Don’t make the mistake of forwarding all this logging straight to the SIEM. It will only consume the SIEM license without providing much insight. Route Zeek’s output to a data lake and provide the SOC analysts with the right tools and instructions to query that data.
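To show what querying that data looks like without a SIEM, here is an added example (not from the original post and not a Zeek tool such as zeek-cut) that reads Zeek’s tab-separated logs directly by field name, resolving the column from the ‘#fields’ header so the same query works on conn.log, http.log (for example the user_agent field) or any other log under ‘/usr/local/zeek/logs/current’. The conn.log excerpt is constructed with a trimmed set of columns and made-up addresses; the function names are this example’s own.

```shell
#!/bin/sh
# Added example: query Zeek TSV logs by field name with awk (constructed sample data).
set -eu

# Column number of a field, resolved from the '#fields' header line, so the query
# does not break when a log's column order differs between Zeek versions.
zeek_col() {
    awk -F'\t' -v want="$2" '
        /^#fields/ { for (i = 2; i <= NF; i++) if ($i == want) { print i - 1; exit } }' "$1"
}

# Top N values of one field with their counts; unset fields ("-") are skipped.
zeek_top() (
    col="$(zeek_col "$1" "$2")"
    [ -n "$col" ] || { echo "no such field: $2" >&2; exit 1; }
    awk -F'\t' -v c="$col" '!/^#/ && $c != "-" { n[$c]++ }
        END { for (v in n) printf "%d\t%s\n", n[v], v }' "$1" | sort -rn | head -n "${3:-5}"
)

# Sum a numeric field per value of a grouping field (e.g. bytes sent per source host).
zeek_sum() (
    g="$(zeek_col "$1" "$2")"; s="$(zeek_col "$1" "$3")"
    [ -n "$g" ] && [ -n "$s" ] || { echo "no such field: $2 or $3" >&2; exit 1; }
    awk -F'\t' -v g="$g" -v s="$s" '!/^#/ && $g != "-" && $s != "-" { t[$g] += $s }
        END { for (v in t) printf "%d\t%s\n", t[v], v }' "$1" | sort -rn | head -n "${4:-5}"
)

# Join arguments with tabs; used to build the sample so the tabs survive copy-and-paste.
tsv() ( IFS="$(printf '\t')"; printf '%s\n' "$*" )

# Constructed conn.log excerpt (not real traffic) in Zeek's TSV layout with a
# reduced column set; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE="$(mktemp)"
{
    printf '#separator \\x09\n#unset_field\t-\n#path\tconn\n'
    tsv '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service orig_bytes resp_bytes
    tsv 1700000000.100000 CAbc1 10.0.0.5 51000 203.0.113.10 443 tcp ssl 1200 8800
    tsv 1700000001.200000 CAbc2 10.0.0.5 51001 203.0.113.10 443 tcp ssl 900 4100
    tsv 1700000002.300000 CAbc3 10.0.0.7 51002 203.0.113.10 443 tcp ssl 300 2100
    tsv 1700000003.400000 CAbc4 10.0.0.5 51003 203.0.113.10 443 tcp - 50 0
    tsv 1700000004.500000 CAbc5 10.0.0.5 40000 192.0.2.22 53 udp dns 60 120
    tsv 1700000005.600000 CAbc6 10.0.0.5 40001 192.0.2.22 53 udp dns 58 110
} > "$SAMPLE"

echo "== destination ports ==";            zeek_top "$SAMPLE" id.resp_p
echo "== services ==";                     zeek_top "$SAMPLE" service
echo "== bytes sent per source host ==";   zeek_sum "$SAMPLE" id.orig_h orig_bytes
```

Resolving columns from the header instead of hard-coding positions is the point of the example: Zeek logs announce their own schema in the ‘#fields’ line, and queries that rely on it keep working when a log gains a column. The same functions run unchanged over rotated, decompressed logs in a data lake directory.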