Photo by Susann Schuster on Unsplash

Network monitoring with Zeek

Light into Darkness

Article from ADMIN 72/2022
Zeek offers an arsenal of scripts for monitoring popular network protocols and comes with its own policy scripting language for customization.

If you want to know what is happening on your network, the only way is to look at the connections between devices and to endpoints on the Internet. Popular tools such as tcpdump and Wireshark are useful for occasional analysis, but for permanent network monitoring and as an alternative to intrusion detection systems, Zeek is a very interesting tool.

Network Monitoring

Keeping track of device activity on the network is a routine task for IT administrators. Network monitoring is a large market comprising various tools, and vendors outdo each other with feature set claims, especially in the area of event processing and manual analysis.

Zeek, the first version of which was released back in 1999 (known as Bro at that time) [1], is a kind of hidden champion. The declared objective was to develop a tool for monitoring large volumes of data with a simple option for analyzing network traffic with self-programmed scripts, known as policy scripts. The name change to Zeek (think "seek") didn't happen for another 20 years or so.

Zeek offers an extensive arsenal of scripts for monitoring the popular network protocols and writing the monitoring results to various logfiles on your hard drive. From there, you can integrate the files into your existing log management or your installed security information and event management (SIEM) solution. The log data is compressed and archived at regular intervals, which is an effective way to save disk space, especially on busy networks.

Installation

Normally I use Docker when I try out software. Unfortunately, the Zeek developers do not provide their own Docker images, so my options were to find an alternative provider or create an image myself from the Dockerfiles they provided. You will need to allow some time for the Zeek build process.

The OpenSUSE Build Service is a faster approach. Developers offer ready-made packages there for the classic Linux distributions [2]. With your distribution's package manager, you can add the required repository and install Zeek in the usual way. Of course, you can run your distribution in its own Docker container, too. To do this, start an Ubuntu container with the command:

docker run -ti --net=host --name=zeek ubuntu:latest /bin/bash

The --net=host argument gives the container direct access to the host system's network interfaces, which it will need to read all the traffic on the interface. The --name=zeek argument explicitly names the container and makes connecting with the container easier later on. Before you follow the instructions for installing Zeek [2], first use the command

apt update && apt install -y sudo curl gnupg vim net-tools

to install the dependencies in the running Ubuntu container.

Configuration and Start-Up

Fortunately, you do not need to configure Zeek extensively before using it for the first time: Just specify the name of the network interface on which you want to monitor the traffic. Of course, connecting the server running Zeek to a mirror port of your router or switch is a good idea, because every data packet the switch forwards is also copied to the mirror port.

Assuming the interface on this port is named eth1, you can configure the interface and the host name in the respective line of the /opt/zeek/etc/node.cfg file:

[zeek]
type=standalone
host=localhost
interface=eth1

Now run the management tool zeekctl, install the supplied policies, and launch Zeek with:

/opt/zeek/bin/zeekctl
[ZeekControl] > deploy

The output should show the command workflow. If you see an error message, you can use the diag command in zeekctl to discover why. Check the name of the network interface and make sure a process is not already listening in the background on TCP port 47760, which is used by Zeek.
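The two checks just described (does the configured interface exist, and is TCP port 47760 still free?) can be automated before running deploy. The following Python script is an added example, not part of the article or of the Zeek project: it parses a node.cfg in the INI syntax zeekctl uses, verifies the interface against /sys/class/net, and tries to bind the port. The sample config is a copy of the one above; the function names and the `preflight` report format are my own.

```python
"""Pre-flight checks before `zeekctl deploy` (added example, not Zeek's own tooling)."""
import configparser
import os
import socket

# Constructed copy of the node.cfg shown in the article.
SAMPLE_NODE_CFG = """\
[zeek]
type=standalone
host=localhost
interface=eth1
"""

ZEEKCTL_PORT = 47760  # TCP port Zeek listens on, as stated in the article


def parse_node_cfg(text):
    """Return {section: {key: value}} for a node.cfg (INI syntax, as zeekctl reads it)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_node_cfg(nodes):
    """Return a list of structural problems: missing type/host, or a sniffing node without interface."""
    problems = []
    for name, node in nodes.items():
        for key in ("type", "host"):
            if key not in node:
                problems.append(f"[{name}] missing {key}")
        # standalone and worker nodes read packets, so they need an interface
        if node.get("type") in ("standalone", "worker") and "interface" not in node:
            problems.append(f"[{name}] {node['type']} node needs an interface")
    return problems


def interface_exists(name, sys_class_net="/sys/class/net"):
    """True if the Linux kernel exposes an interface with this name."""
    return os.path.isdir(os.path.join(sys_class_net, name))


def port_is_free(port, host="127.0.0.1"):
    """True if we can bind the TCP port, i.e. nothing else is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError:
            return False
    return True


def preflight(cfg_text, sys_class_net="/sys/class/net", port=ZEEKCTL_PORT):
    """Run all checks on a node.cfg text and return the list of problems (empty = ready to deploy)."""
    nodes = parse_node_cfg(cfg_text)
    problems = check_node_cfg(nodes)
    for name, node in nodes.items():
        iface = node.get("interface")
        if iface and not interface_exists(iface, sys_class_net):
            problems.append(f"[{name}] interface {iface} not found")
    if not port_is_free(port):
        problems.append(f"TCP port {port} is already in use")
    return problems


def port_check_demo():
    """Occupy an ephemeral loopback port with a listener; port_is_free() must then report False."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        return port_is_free(port)


if __name__ == "__main__":
    # On the Zeek host: python3 preflight.py, then read the report before `zeekctl deploy`.
    with open("/opt/zeek/etc/node.cfg") as fh:
        for problem in preflight(fh.read()) or ["node.cfg looks deployable"]:
            print(problem)
```

The port probe binds to 127.0.0.1, which fails both when another process listens on the loopback address and when one listens on all addresses, so it catches the stale zeekctl instance the article warns about without needing net-tools in the container.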

Now type exit to quit the management tool and begin to generate network traffic on the host. You can watch new logfiles appearing in the /opt/zeek/logs/current folder. The first file created here is conn.log, which simply lists all network connections. The list grows quickly, and files dns.log, dhcp.log, and ntp.log give you an initial idea of which logs Zeek pre-filters for you in the background.

If you run a DHCP server on your network, then after some time the dhcp.log file, displayed with cat, will show requests from different network devices and the IP addresses assigned to them. If you open a web page, for example, with the

curl https://www.admin-magazine.com

command, you will then see an entry in both the dns.log and the http.log files. However, because Zeek cannot decrypt TLS connections, you will find most calls to web pages in the ssl.log file rather than in http.log.

If you let Zeek run for a little while longer during your day, you will notice that it keeps archiving the files. Each day gets a folder with the matching date in /opt/zeek/logs. Look for the weird.log file in these dated archive subfolders; like the other archived logs, it is compressed with gzip. If you unzip these files and take a look at the content, you will see that these logfiles record unusual events, such as the reuse of existing connections or errors in UDP and TCP checksums.
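All of the logfiles mentioned above (conn.log, dns.log, dhcp.log, ssl.log, weird.log, and the gzipped copies in the dated archive folders) share one tab-separated layout whose `#fields` and `#types` header lines describe the columns, which is what makes the SIEM integration mentioned earlier straightforward. The following parser is an added example, not code from the article or from the Zeek project: it reads any Zeek TSV log, plain or gzipped, honours the `#separator`, `#unset_field`, `#empty_field` and `#set_separator` headers, converts columns according to their Zeek type, and summarizes a conn.log by service and by failed connection states. The sample log is constructed and trimmed to a dozen columns; the summary function and its dictionary layout are my own.

```python
"""Parse Zeek TSV logs for SIEM ingestion (added example, not Zeek's own code)."""
import gzip
from collections import Counter

# Constructed conn.log excerpt: four connections, columns trimmed to those used below.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2022-10-05-09-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring",
    "1665000000.123456\tCabc1\t192.168.1.10\t51234\t192.168.1.1\t53\tudp\tdns\t0.012\t60\t120\tSF",
    "1665000001.000000\tCabc2\t192.168.1.10\t51235\t93.184.216.34\t443\ttcp\tssl\t0.5\t1200\t5600\tSF",
    "1665000002.000000\tCabc3\t192.168.1.11\t40000\t192.168.1.1\t53\tudp\tdns\t-\t-\t-\tS0",
    "1665000003.000000\tCabc4\t192.168.1.12\t40001\t93.184.216.34\t443\ttcp\t-\t0.3\t900\t0\tREJ",
    "#close\t2022-10-05-10-00-00",
]) + "\n"


def _convert(value, ztype, unset, empty, set_sep):
    """Map one text column to a Python value according to its Zeek type."""
    if value == unset:
        return None
    if ztype.startswith(("set[", "vector[")):
        if value == empty:
            return []
        inner = ztype[ztype.index("[") + 1:-1]
        return [_convert(v, inner, unset, empty, set_sep) for v in value.split(set_sep)]
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    return value  # string, addr, enum, subnet stay as text


def parse_zeek_log(text):
    """Yield one dict per record; column names and types come from the #fields/#types headers."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields = types = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # the separator is written escaped, e.g. \x09 for a tab
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close carry no record data
        if fields is None or types is None:
            raise ValueError("record appears before #fields/#types header")
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {line!r}")
        yield {f: _convert(v, t, unset, empty, set_sep) for f, v, t in zip(fields, cols, types)}


def parse_zeek_log_bytes(data):
    """Accept a raw file body, transparently gunzipping archived logs (gzip magic 1f 8b)."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return list(parse_zeek_log(data.decode("utf-8")))


def summarize_conn(records):
    """Count connections per service and per responder endpoint, and flag failed handshakes."""
    by_service = Counter(r["service"] or "unknown" for r in records)
    by_responder = Counter((r["id.resp_h"], r["id.resp_p"]) for r in records)
    # S0 = no reply seen, REJ = connection rejected; both are worth a second look
    failed = [r["uid"] for r in records if r["conn_state"] in ("S0", "REJ")]
    return {"by_service": by_service, "by_responder": by_responder, "failed": failed}


def gzipped_sample():
    """Constructed stand-in for an archived conn.log.gz from /opt/zeek/logs/<date>/."""
    return gzip.compress(SAMPLE_CONN_LOG.encode("utf-8"))


if __name__ == "__main__":
    # On the Zeek host: python3 zeeklog.py < /opt/zeek/logs/current/conn.log
    import sys
    print(summarize_conn(parse_zeek_log_bytes(sys.stdin.buffer.read())))
```

Because the column names are taken from the header rather than hard-coded, the same parser handles dns.log or weird.log unchanged; only summarize_conn is specific to conn.log. Unset fields (`-`) become None rather than the literal dash, so a downstream query for "connections with no response bytes" does not silently match the placeholder.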
