tested on slackware-current May 2021
slackpkg install swig
git clone --recursive https://github.com/zeek/zeek
cd zeek/
./configure --help
./configure
make -j8   # need to specify jobs manually as MAKEFLAGS doesn't work for once
make -j8 install
cd ../
ls -lF /usr/local/zeek/
# symlinks into the working directory for convenience
ln -s /usr/local/zeek/etc/node.cfg
ln -s /usr/local/zeek/etc/networks.cfg
ln -s /usr/local/zeek/etc/zeekctl.cfg
ln -s /usr/local/zeek/logs/current
# capture interface
vi node.cfg
    interface=xenbr0
# local address ranges, one CIDR prefix per line
ifconfig | grep 'inet ' | grep -v '127.0.0.1'
vi networks.cfg
    x.x.x.x/xx
    x.x.x.x/xx
# keep a copy of the defaults, then set the notification address
/usr/local/zeek/bin/zeekctl config > /usr/local/zeek/etc/zeekctl.cfg.default
vi zeekctl.cfg
    MailTo = EMAIL@DOMAIN.TLD
/usr/local/zeek/bin/zeekctl install
/usr/local/zeek/bin/zeekctl start   # or `zeekctl deploy`, which does install + restart in one step
# check
tail -n0 -F /usr/local/zeek/logs/current/*
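Added example, not from these notes or the Zeek project: a POSIX sh helper that derives the networks.cfg prefixes from the capture host's own addresses (the step done by hand above with ifconfig). It assumes iproute2's `ip -o -4 addr show` as input and a shell with 64-bit arithmetic.

```shell
#!/bin/sh
# Constructed helper (not part of Zeek): build networks.cfg lines from
# `ip -o -4 addr show` output. networks.cfg wants "<prefix>/<len><TAB><description>".

# Network prefix for an addr/len string: "192.0.2.77/26" -> "192.0.2.64/26".
# Returns 1 for anything that is not a dotted quad with a 0-32 length.
cidr_to_network() {
  addr=${1%/*}
  len=${1#*/}
  case "$len" in ''|*[!0-9]*) return 1;; esac
  [ "$len" -le 32 ] || return 1
  IFS=. read -r a b c d <<EOF
$addr
EOF
  for o in "$a" "$b" "$c" "$d"; do
    case "$o" in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  # Pack into 32 bits, clear the host bits with the prefix mask, unpack.
  ip=$(( (a << 24) | (b << 16) | (c << 8) | d ))
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  net=$(( ip & mask ))
  printf '%d.%d.%d.%d/%d\n' \
    $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
    $(( (net >> 8) & 255 )) $(( net & 255 )) "$len"
}

# Read `ip -o -4 addr show` lines on stdin ("2: xenbr0    inet 192.0.2.77/26 ...")
# and print one networks.cfg entry per interface address, skipping loopback.
networks_cfg_from_ip_output() {
  while read -r _idx ifname fam cidr _rest; do
    [ "$fam" = inet ] || continue
    case "$cidr" in 127.*) continue;; esac
    net=$(cidr_to_network "$cidr") || continue
    printf '%s\t%s\n' "$net" "local network on $ifname"
  done
}

# Usage (review the output before appending it to the real config):
#   ip -o -4 addr show | networks_cfg_from_ip_output >> /usr/local/zeek/etc/networks.cfg
```

The prefixes seen on the sensor's own interfaces are only a starting point: on a span/tap deployment the monitored ranges must still be added by hand, since Zeek's local/remote classification in the logs depends on this file.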
reload
/usr/local/zeek/bin/zeekctl deploy
# running zeek directly (outside zeekctl): don't do that from an arbitrary directory, it writes its logs to the current working directory, so change into the log directory first
cd /usr/local/zeek/logs/current/
/usr/local/zeek/bin/zeek -C -i xenbr0   # -C ignores bad IP/TCP/UDP checksums, which NIC checksum offloading produces on locally captured traffic
# script that reports whether checksum offloading is affecting the capture:
/usr/local/zeek/share/zeek/base/misc/find-checksum-offloading.zeek
#export CMAKE_MAKE_PROGRAM="make -j8"
#cmake --build --parallel ../