Setting up Zeek (Bro IDS)

tested on slackware-current May 2021

Deps

slackpkg install swig

Install

git clone --recursive https://github.com/zeek/zeek
cd zeek/
./configure --help
./configure
make -j8 # pass the job count explicitly; MAKEFLAGS is not honoured by this build
make -j8 install
cd ../

ls -lF /usr/local/zeek/

Setup

ln -s /usr/local/zeek/etc/node.cfg
ln -s /usr/local/zeek/etc/networks.cfg
ln -s /usr/local/zeek/etc/zeekctl.cfg
ln -s /usr/local/zeek/logs/current

vi node.cfg

interface=xenbr0

ifconfig | grep 'inet ' | grep -v '127.0.0.1'
vi networks.cfg

x.x.x.x/xx
x.x.x.x/xx
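The two x.x.x.x/xx lines above are the local networks Zeek should treat as "ours". As an added example (not part of the original notes), the script below computes those entries from the host's own interface addresses instead of copying them out of ifconfig by hand. It assumes the iproute2 `ip -o -4 addr show` line format (field 3 is "inet", field 4 is ADDR/PREFIX); the sample output embedded at the bottom is constructed, with the page's xenbr0 bridge plus a loopback and one extra interface.

```shell
#!/bin/sh
# Added example (not from the original page): compute the "x.x.x.x/xx"
# entries for networks.cfg from the host's own addresses.
# Assumes the iproute2 `ip -o -4 addr show` line format
# (field 3 is "inet", field 4 is ADDR/PREFIX).

# cidr_network ADDR/PREFIX -> NETWORK/PREFIX  (192.168.1.10/24 -> 192.168.1.0/24)
cidr_network() {
    addr=${1%/*}
    prefix=${1#*/}
    # split the dotted quad into octets and pack them into one integer
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # prefix of N leading one bits; a /0 would otherwise shift by 32
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$prefix"
}

# gen_networks_cfg: stdin = `ip -o -4 addr show` output, stdout = one
# network per line, loopback dropped, duplicates collapsed
gen_networks_cfg() {
    awk '$3 == "inet" && $4 !~ /^127\./ { print $4 }' |
    while IFS= read -r cidr; do
        cidr_network "$cidr"
    done | sort -u
}

# Constructed sample of what `ip -o -4 addr show` prints on a host with a
# loopback, the page's xenbr0 bridge and one more interface.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: xenbr0    inet 10.0.0.5/24 brd 10.0.0.255 scope global xenbr0\       valid_lft forever preferred_lft forever
3: eth1    inet 172.16.9.77/20 brd 172.16.15.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Usage on the real host:  ip -o -4 addr show | gen_networks_cfg >> networks.cfg
printf '%s\n' "$SAMPLE_IP_OUTPUT" | gen_networks_cfg
```

Review the generated list before committing it: an address on a transit or management interface is not necessarily a network you want Zeek to classify as local, and that classification drives which side of a connection Zeek reports as "local_orig"/"local_resp" in its logs.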

/usr/local/zeek/bin/zeekctl config > /usr/local/zeek/etc/zeekctl.cfg.default
vi zeekctl.cfg

MailTo = EMAIL@DOMAIN.TLD

Ready to go

/usr/local/zeek/bin/zeekctl install
/usr/local/zeek/bin/zeekctl start
# or in one step: zeekctl deploy (install + restart)
# verify with: zeekctl status, zeekctl check

tail -n0 -F /usr/local/zeek/logs/current/*

Ops

reload

/usr/local/zeek/bin/zeekctl deploy

Additional notes

Don't run zeek by hand from wherever you happen to be: it writes its logs to the current working directory. If you do run it directly, change into the log directory first:

cd /usr/local/zeek/logs/current/
/usr/local/zeek/bin/zeek -C -i xenbr0

More

/usr/local/zeek/share/zeek/base/misc/find-checksum-offloading.zeek

Troubleshooting

#export CMAKE_MAKE_PROGRAM="make -j8"
#cmake --build --parallel ../

Resources

Zeek https://en.wikipedia.org/wiki/Zeek

What is Bro? https://nsrc.org/workshops/2015/pacnog17-ws/attachments/bro-intro.htm

What is Bro IDS [Zeek]? And Why IDS Doesn’t Effectively Describe It [Overview and Resources] https://bricata.com/blog/what-is-bro-ids/

IDS/IPS: The Most Useful Threat Detection Tool You Have https://bricata.com/resources/ids-ips-threat-detection-tool/

install

Installing Zeek https://docs.zeek.org/en/master/install.html

internals

Supervisor Framework https://docs.zeek.org/en/master/frameworks/supervisor.html

Intelligence Framework https://docs.zeek.org/en/master/frameworks/intel.html

practice

ZEEK INTRUSION DETECTION SERIES http://ce.sc.edu/cyberinfra/docs/workshop/Zeek_Lab_Series.pdf

aisec

Machine Learning for a Network-based Intrusion Detection System https://www.diva-portal.org/smash/get/diva2:1324795/FULLTEXT01.pdf

An Autonomous Intrusion Detection System Using an Ensemble of Advanced Learners https://arxiv.org/pdf/2001.11936.pdf

How Zeek IDS can Help Security Capture Institutional Knowledge for Cyber Alert Enrichment and Better Network Traffic Analysis https://bricata.com/blog/bro-ids-capture-institutional-knowledge/

BroCon 2018 - Network Data Enrichment for Analysis and Hunting https://www.youtube.com/watch?v=IquQtdk7QjM

Machine Learning for a Network-based Intrusion Detection System: An application using Zeek and the CICIDS2017 dataset http://kth.diva-portal.org/smash/record.jsf?pid=diva2%3A1324795&dswid=-7090
