Setting up Zeek (formerly Bro) IDS

Install

see building zeek

Setup

cd /etc/zeek/

mv -i node.cfg node.cfg.dist
mv -i networks.cfg networks.cfg.dist
mv -i zeekctl.cfg zeekctl.cfg.dist
zeekctl config > zeekctl.cfg.defaults

grep -vE '^#|^$' node.cfg.dist > node.cfg
grep -vE '^#|^$' networks.cfg.dist > networks.cfg
grep -vE '^#|^$' zeekctl.cfg.dist > zeekctl.cfg

vi node.cfg

interface=eth0

ifconfig | grep 'inet ' | grep -v '127.0.0.1'
vi networks.cfg

x.x.x.x/xx
x.x.x.x/xx

vi zeekctl.cfg

MailTo = YOUR-EMAIL

and set up outbound email as necessary.
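networks.cfg wants network prefixes, not the host addresses that the ifconfig line above prints: zeekctl feeds these prefixes to Zeek as Site::local_nets, which is what decides whether a connection counts as local or remote in the logs and notices. The following is an added example, not part of the original notes, that masks each address/prefix from `ip -o -4 addr show` down to its network and prints networks.cfg lines; the sample `ip` output is constructed, and generate_networks_cfg is the hypothetical wrapper you would run on the sensor itself.

```shell
# Added example: derive networks.cfg entries from the host's IPv4 addresses.
# Pure POSIX sh arithmetic, no external tools beyond tr/sort/awk-free pipes.

ip_to_int() {
    # "10.1.2.3" -> 167838211
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {
    # 167837696 -> "10.1.2.0"
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_network() {
    # "10.1.2.3/24" -> "10.1.2.0/24": mask the host bits away so the line is
    # a prefix Zeek can match against, not one host.
    case "$1" in */*) ;; *) echo "cidr_network: need addr/prefix, got '$1'" >&2; return 1 ;; esac
    addr=${1%/*}
    plen=${1#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    echo "$(int_to_ip $(( $(ip_to_int "$addr") & mask )))/$plen"
}

networks_from_ip_output() {
    # stdin: `ip -o -4 addr show` lines; stdout: "<prefix><TAB><interface>",
    # one per network, loopback skipped like the ifconfig | grep -v above.
    while read -r idx ifname fam cidr rest; do
        [ "$fam" = "inet" ] || continue
        case "$cidr" in 127.*) continue ;; esac
        printf '%s\t%s\n' "$(cidr_network "$cidr")" "$ifname"
    done | sort -u
}

generate_networks_cfg() {
    # hypothetical wrapper for a real sensor: ip(8) output straight into the file
    ip -o -4 addr show | networks_from_ip_output
}

# Constructed sample of `ip -o -4 addr show` output (two NICs plus loopback).
SAMPLE_IP_ADDR='2: eth0    inet 10.1.2.3/24 brd 10.1.2.255 scope global eth0\       valid_lft forever preferred_lft forever
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.50.77/20 brd 192.168.63.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Demo: prints "10.1.2.0/24<TAB>eth0" and "192.168.48.0/20<TAB>eth1"
printf '%s\n' "$SAMPLE_IP_ADDR" | networks_from_ip_output
```

On the sensor, `generate_networks_cfg > /etc/zeek/networks.cfg` gives a starting point; the second column is just a description to zeekctl, so replace the interface name with whatever label is useful, and add any other internal ranges that are routed to this box but not configured on it.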

Ready to go

/usr/local/bin/zeekctl install
/usr/local/bin/zeekctl start

tail -n0 -F /var/spool/zeek/zeek/*.log

not sure this is necessary, but it surely won’t harm

ifconfig eth0 # no PROMISC ??!?
ifconfig eth0 promisc

Operations

reload

/usr/local/bin/zeekctl check
/usr/local/bin/zeekctl deploy

Acceptance

curl -I http://testmyids.com/

Additional notes

starting the daemon without zeekctl – it then writes its logs to the current working directory

/usr/local/bin/zeek -i eth0

for the record – the ctl flavor looks like this

/usr/local/zeek/bin/zeek \
    -i eth0 \
    -U .status \
    -p zeekctl \
    -p zeekctl-live \
    -p standalone \
    -p local \
    -p zeek local.zeek zeekctl zeekctl/standalone zeekctl/auto

Moar

/usr/local/zeek/share/zeek/base/misc/find-checksum-offloading.zeek
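That script only warns at runtime, once Zeek has already seen enough bad checksums; the two NIC properties behind it (promiscuous mode, the `ifconfig eth0 promisc` question above, and checksum/segmentation offloading) can be checked from the shell before starting the sensor. The following is an added example, not part of the original notes and not the Zeek project's code: the promisc test reads the sysfs flags bitmask (IFF_PROMISC is 0x100), and the offload test parses `ethtool -k` output; the ethtool output used here is constructed.

```shell
# Added example: sniffing-interface sanity checks for a Zeek sensor.

nic_promisc_flag() {
    # $1: flags bitmask as read from /sys/class/net/<iface>/flags (hex, e.g. 0x1143).
    # Succeeds when IFF_PROMISC (0x100 = 256) is set.
    flags=$(printf '%d' "$1")
    [ $(( flags & 256 )) -ne 0 ]
}

iface_is_promisc() {
    # live check on the sensor, the sysfs equivalent of `ifconfig eth0 | grep PROMISC`
    nic_promisc_flag "$(cat "/sys/class/net/$1/flags")"
}

offload_problems() {
    # stdin: output of `ethtool -k <iface>`; prints each listed offload that is still on.
    # tx checksum offload leaves checksums for the NIC to fill in, so this host's own
    # outbound packets reach Zeek with wrong checksums (what find-checksum-offloading.zeek
    # complains about); the segmentation/receive offloads hand Zeek merged, oversized
    # frames instead of what was on the wire. Sub-features are indented and ignored.
    awk -F': ' '$1 ~ /^(rx-checksumming|tx-checksumming|tcp-segmentation-offload|generic-segmentation-offload|generic-receive-offload|large-receive-offload)$/ && $2 ~ /^on/ { print $1 }'
}

sample_ethtool() {
    # Constructed `ethtool -k eth0` output; a real listing has many more features.
    printf 'Features for eth0:\n'
    printf 'rx-checksumming: on\n'
    printf 'tx-checksumming: on\n'
    printf '\ttx-checksum-ip-generic: on\n'
    printf 'scatter-gather: on\n'
    printf 'tcp-segmentation-offload: on\n'
    printf 'generic-segmentation-offload: on\n'
    printf 'generic-receive-offload: on\n'
    printf 'large-receive-offload: off [fixed]\n'
}

# Demo on the constructed data: 0x1143 = UP|BROADCAST|RUNNING|PROMISC|MULTICAST
if nic_promisc_flag 0x1143; then echo "promisc: yes"; else echo "promisc: no"; fi
echo "offloads still on:"
sample_ethtool | offload_problems
```

On the sensor, `iface_is_promisc eth0 || ifconfig eth0 promisc` and `ethtool -k eth0 | offload_problems` give the two answers; the usual remedy for the second is `ethtool -K eth0 rx off tx off tso off gso off gro off lro off` (features marked `[fixed]` cannot be changed), after which find-checksum-offloading.zeek should stay quiet.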

Resources

Zeek https://en.wikipedia.org/wiki/Zeek

What is Bro? https://nsrc.org/workshops/2015/pacnog17-ws/attachments/bro-intro.htm

What is Bro IDS [Zeek]? And Why IDS Doesn’t Effectively Describe It [Overview and Resources] https://bricata.com/blog/what-is-bro-ids/

IDS/IPS: The Most Useful Threat Detection Tool You Have https://bricata.com/resources/ids-ips-threat-detection-tool/

internals

Supervisor Framework https://docs.zeek.org/en/master/frameworks/supervisor.html

Intelligence Framework https://docs.zeek.org/en/master/frameworks/intel.html

practice

ZEEK INTRUSION DETECTION SERIES http://ce.sc.edu/cyberinfra/docs/workshop/Zeek_Lab_Series.pdf

aisec

Machine Learning for a Network-based Intrusion Detection System https://www.diva-portal.org/smash/get/diva2:1324795/FULLTEXT01.pdf

An Autonomous Intrusion Detection System Using an Ensemble of Advanced Learners https://arxiv.org/pdf/2001.11936.pdf

How Zeek IDS can Help Security Capture Institutional Knowledge for Cyber Alert Enrichment and Better Network Traffic Analysis https://bricata.com/blog/bro-ids-capture-institutional-knowledge/

BroCon 2018 - Network Data Enrichment for Analysis and Hunting https://www.youtube.com/watch?v=IquQtdk7QjM

Machine Learning for a Network-based Intrusion Detection System: An application using Zeek and the CICIDS2017 dataset http://kth.diva-portal.org/smash/record.jsf?pid=diva2%3A1324795&dswid=-7090

Copyright © 2024 Pierre-Philipp Braun