In the lab we will deploy Zeek as a cluster with two agents, the agents get data by duplicating traffic by setting up a port span for servers switch and Users stations switch, all network traffic that passes through the span ports is analyzed by Zeek agents, after analyzing the traffics, each agent Transferring the logs to the zeek management server and then the logs are sent by Filebeat to the elasticsearch SIEM we deployed in the previous steps of the Elasticsearch lap phases, all network traffic logs will analyzed by Kibana.
Zeek Cluster Architecture
Zeek System Requirements
Zeek IDS supported by Linux platforms like Red Hat, Debian, FreeBSD in our lab, all Zeek servers are installed on the Ubuntu 20.04 server.
| Server Name | System Requirements | Port/Service | server role |
|---|---|---|---|
| Zeek Control | 8GB memory + 4 cores + 100GB disk size | SSH-Management | Zeek cluster management server, receiving logs from the agents (sensors) and transferring them to SIEM |
| Sensor_users | 8GB memory + 4 cores + 100GB disk size | 9200 -Request 9300 -Cluster SSH – Management | User station switch monitoring, cluster member, managed by zeek control |
| Sensor_Servers | 8GB memory + 4 cores + 100GB disk size | 9200 -Request 9300 -Cluster SSH – Management | Monitoring a server switch, the server is a member of a cluster managed by Zeek control |
Installing Ubuntu server for Zeek
- Setting a static IP address
- static DNS address
- server name
- user information
Installing SSH Server
Firewall requirements
enable firewall
sudo ufw enable
Opening a management port for Zeek
sudo ufw allow ssh comment “Management port”
* SSH enabling is required to manage agents from a manager server.
it also required to open the following ports for management server only.
sudo ufw allow 47761 comment “Zeek sensors”
sudo ufw allow 47762 comment “zeek Sensors”
Software requirements
net tools is require for each server
apt install net-tools
* After installing net-tools, you can connect remotely to all servers by putty
installing Prerequisites for Zeek for all servers
sudo apt-get install cmake make gcc g ++ flex bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev
Download and install Zeek
Download latest version from github
git clone –recursive https://github.com/zeek/zeek
cd zeek /
Installing a Zeek can take quite a while, so it’s a good time to grab a cup of coffee 🙂
./configure
make
make install
Create a Zeek user
to manage all agents from a manager server, it is required to set up a user with the same password on all servers (Manager + sensors)
best security practices is to create a user with specific permissions, these permissions allow Zeek server manager to manage all zeek agents remotely.
Create a user named Zeek and grant permissions to the user, by the following commands:
Create a group called Infosec
groupadd ‘Infosec’
Create a user named zeek
sudo adduser zeek
Add a zeek user to an infosec group
usermod -a -G Infosec search
Add permissions to the zeek user
chown -R zeek / usr / local / zeek /
setting up the agents (sensors_users, sensors_servers)
The first step for each agent, is to make sure that each server have two network interface connected, one network interface used to access and manage the server from eek manager server and the second required for monitor traffic from switch span port.
it is necessary to set the network interface in promiscuous mode.
promiscuous mode
For each agent, we will create a new service that will load automatically when the server start, thus ensuring that the promiscuous mode setting is met after restart as well.
Checking network interface status
ip link show
ip link show
As you can see in the image below, there are two network cards, one up called enp0s3 and the other down called enp0s8
If necessary, set up the interface
ip link set enp0s8 up
We will set the enp0s3 interface in promiscuous mode automatically when the system is up, by creating a new service
nano /etc/systemd/system/promisc.service
[Unit]
Description = Control promiscuous mode for sensors interface enp0s8 # change it for your interface name
After = network.target
[Service]
Type = oneshot
ExecStart = / sbin / ip link set promisc on dev enp0s8
TimeoutStartSec = 0
RemainAfterExit = yes
[Install]
WantedBy = default.target
Add running permissions of the new service
chmod u + x /etc/systemd/system/promisc.service
systemctl daemon reload
Start promisc.service with server upgrade
systemctl enable promisc.service
Starting promisc.service
systemctl start promisc.service
As you can see in the image below, promiscuous mode has been successfully set up for the enp0s8 interface
Setting up Raw packet capture
For each agent we will enable the following permissions, the permissions allow the logs to be sent to a management server.
setcap cap_net_raw, cap_net_admin = eip / usr / local / zeek / bin / zeek
setcap cap_net_raw, cap_net_admin = eip / usr / local / zeek / bin / zeekctl
Create SSH keys
In order to allow a management server to manage the agents, it is necessary to generate a private key without a password that will be stored on the management server.
Creating keys on a management server, we will agree to the default and keep the key without a password!
su zeek
ssh-keygen
Copy a public key to the two servers (sensor_users, sensor_servers)
ssh-copy-id zeek@192.168.0.185
Checking an SSH connection without a password from Zeek management server
ssh zeek@192.168.0.185
*Repeat and test the ssh connection without any password for each agent deployed
Zeek Mangement server
Zeek default mode is set as a standalone server, to set Zeek as a cluster it is necessary to edit the node.cfg file on a management server
nano /usr/local/zeek/etc/node.cfg
pay attention! The network interface defined for each agent is the network interface we set up with promiscuous mode.
Cluster test
It’s time to check if all the settings in place and our Zeek cluster work as expected,
from zeek manager run the below commands
zeekctl deploy
*you can use “deploy” command to update agents with any policies or cluster changes
test if all servers are running by run command:
zeekctl status
As you can see in the picture below, the cluster is working properly! If you get an error, you need to go back to the previous steps and make sure everything is set up for each server in the cluster.
Zeek logs files
Each agent analyzes the traffic that arrives from span switch and passes the logs to a management server as files with different names.
if no log files are created under logs folder, it is required to make sure ports 47762 and 47761 are open on a management server.
Network Analysis by Zeek
Each log file contains information for a network packet analyzed and reviewed by Zeek, we will discuss in detail what the log files contain and how risks such as malware on the network can be identified through them.
Filebeat
installing a beat called Filebeat on a management server to collect all eek logs to elasticseach siem, Filebeat allows logging to be sent directly to Elasticsearch servers without using Logstash servers.
Filebeat software requirements
Import PGP keys
wget -qO – https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add –
Installing Transport-https
sudo apt-get install apt-transport-https
Add a new source for downloads
echo “deb https://artifacts.elastic.co/packages/7.x/apt stable main” | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
Installing filebeat version 7.14.2 by apt
sudo apt-get update && sudo apt-get install filebeat = 7.14.2
Save elastic user password in keystore
To keep your passwords secure, create a Keystore if it does not exist by following command:
filebeat keystore create
We keep the elastic user password we received when we enabled minimum security for Elasticsearch in keystore
filebeat keystore add ES_PWD
Change Filebeat settings
To send data to elasticsearch it is necessary to edit the filebeat default settings file
nano /etc/filebeat/filebeat.yml
Modify the following values in the filebeat.yml file
output.elasticsearch.password: “$ {ES_PWD}” setup.kibana:
host: “192.168.0.183:5601”
# Authentication credentials – either API key or username / password.
#api_key: “id: api_key”
username: “elastic”
password: “$ {ES_PWD}”
output.elasticsearch:
# Array of hosts to connect to.
hosts: [“192.168.0,180: 9200”] #cluster host / ip
Run the Filebeat Zeek module
Running a Zeek module in Filebeat is simple, by following command:
sudo filebeat modules enable zeek
Add Zeek path to zeek.yml
Editing a model file, selecting the log paths we want to transfer to elasticsearch
nano /etc/filebeat/modules.d/zeek.yml
You can add paths as needed, for example, collecting a dns.log file by
dns:
enabled: true
var.paths: [“/usr/local/zeek/logs/current/dns.log”]
Zeek logs for JSON output
change Zeek logs format to JSON, from Zeek management server
Edit a local.zeek file
/usr/local/zeek/share/zeek/site/local.zeek
Adding JSON Policies
@load policy / tuning / json-logs.zeek
After modifying the local.zeek file update the changes for the cluster by running
sudo zeekctl deploy
Set up filebeat as a system service
Check if the system uses systemd or sysvinit
ps –no-headers -o comm 1
Start filebeat with server boot
sudo / bin / systemctl daemon-reload
sudo / bin / systemctl enable filebeat
Enabling filebeat
service filebeat start
service filebeat info
If everything works fine, we will get “INFO” status
Build Kibana dashboard for Zeek IDS
Once we have successfully set up Zeek’s log collection by filebeat, it’s time to use kibana
from zeek managemet server run the flowing command:
filebeat setup -e
If everything went smoothly, you can access Kibana and view the data coming from the Zeek management server
Summary
Choosing Zeek as a free open source IDS solution for network traffic analysis is a winning security solution for many reasons, multiple protocol analysis options, integration options with other systems such as Intel, sandbox making the system Invincible.
we recommended you continue reading about Zeek in the article C2 Malware Detection and Network Anomaly by Elasticsearch
