Zeek Network Security Monitoring
Zeek (formerly Bro) is a powerful, open-source network security monitoring platform that provides deep visibility into network traffic. Unlike signature-based systems that look for known threats, Zeek performs protocol analysis and behavioral detection and generates detailed logs of network activity. This guide covers installation, cluster deployment for high-traffic networks, understanding Zeek logs and output formats, writing custom detection scripts, implementing the Intel framework for threat intelligence, and analyzing protocol behavior.
Table of Contents
- System Requirements
- Installation
- Configuration Basics
- Zeek Logs and Outputs
- Cluster Mode Deployment
- Custom Scripts
- Intel Framework
- Protocol Analysis
- Integration with SIEM
- Performance Tuning
- Conclusion
System Requirements
Zeek requires substantial resources for analysis of high-traffic networks:
- 64-bit processor (multi-core recommended)
- 4 GB RAM minimum (8 GB+ for production)
- 100 GB+ disk space for logs and pcap files
- Linux kernel 3.10 or newer
- CMake, GCC/Clang, OpenSSL development libraries
Check system requirements:
uname -r
nproc
free -h
df -h /
Installation
Install Zeek from source for maximum control and the latest features.
Install dependencies:
For Ubuntu/Debian:
sudo apt-get update
sudo apt-get install -y git cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev zlib1g-dev
For CentOS/RHEL:
sudo yum groupinstall -y 'Development Tools'
sudo yum install -y libpcap-devel openssl-devel zlib-devel python3-devel
Download and compile Zeek:
cd /opt
sudo git clone --recurse-submodules https://github.com/zeek/zeek.git
cd zeek
./configure --prefix=/opt/zeek
make -j$(nproc)
sudo make install
Add Zeek to PATH:
echo 'export PATH=/opt/zeek/bin:$PATH' | sudo tee /etc/profile.d/zeek.sh
source /etc/profile.d/zeek.sh
Verify the installation:
zeek --version
zeek -h
Create the Zeek user and directories:
sudo useradd -r -s /bin/false zeek
sudo mkdir -p /var/log/zeek
sudo mkdir -p /opt/zeek/share/zeek/site
sudo chown -R zeek:zeek /var/log/zeek
Configuration Basics
Configure Zeek to monitor network interfaces and perform analysis.
Edit the main configuration file:
sudo nano /opt/zeek/etc/zeekctl.cfg
Key configuration options:
# Zeek installation prefix
zeek_dist = /opt/zeek
# Log directory
LogDir = /var/log/zeek
# Spool directory (for temporary files)
SpoolDir = /opt/zeek/spool
# Zeek user
ZeekUser = zeek
# Interface to monitor
interface = eth0
# Packet ring buffer size
lb_method = pf_ring
# DNS resolution
dns = nameserver 8.8.8.8 nameserver 8.8.4.4
Configure node types and cluster setup. Edit the node.cfg file:
sudo nano /opt/zeek/etc/node.cfg
For standalone setup:
[zeek]
type=standalone
host=localhost
Start Zeek:
sudo /opt/zeek/bin/zeekctl deploy
Check status:
sudo /opt/zeek/bin/zeekctl status
Verify that Zeek is monitoring:
sudo tail -f /var/log/zeek/conn.log
Zeek Logs and Outputs
Understand the comprehensive logging that Zeek produces.
Zeek generates specialized logs for different protocol types:
Common log files:
ls -la /var/log/zeek/
Key logs generated:
- conn.log: TCP/UDP connections
- dns.log: DNS queries and responses
- http.log: HTTP requests and responses
- ssl.log: SSL/TLS certificates and handshakes
- files.log: File activity and metadata
- ssh.log: SSH activity
- smtp.log: Email traffic
- ftp.log: FTP commands
View connection logs:
zeek-cut ts id.orig_h id.orig_p id.resp_h id.resp_p < /var/log/zeek/conn.log | head -20
View HTTP activity:
zeek-cut ts host uri user_agent < /var/log/zeek/http.log | head -20
Analyze DNS queries (the timestamp is left out so that uniq -c counts identical query names):
zeek-cut query < /var/log/zeek/dns.log | sort | uniq -c | sort -rn | head -20
View SSL certificates:
zeek-cut ts server_name subject < /var/log/zeek/ssl.log | head -20
Convert logs to JSON format for analysis by switching the ASCII writer to JSON (add to local.zeek, then redeploy):
redef LogAscii::use_json = T;
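To work with these logs outside zeek-cut, the following added example (not part of the original guide) parses Zeek's TSV log format, honouring the #separator, #unset_field, #fields and #types header directives, and applies the per-source SSH threshold logic from the Custom Scripts section to a constructed conn.log excerpt.

```python
from collections import Counter

# Constructed conn.log excerpt in Zeek's TSV format (a real file has more columns).
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-",
     "#path\tconn",
     "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration",
     "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval"]
    # twelve SSH connections from one source in quick succession, then unrelated traffic
    + [f"1700000000.{i}\tC{i}\t10.0.0.7\t{40000 + i}\t192.0.2.10\t22\ttcp\tssh\t0.5" for i in range(12)]
    + ["1700000020.0\tCa\t10.0.0.8\t50000\t192.0.2.20\t443\ttcp\tssl\t-",
       "#close\t2023-11-14-22-13-20"]
)

def _convert(typ, cell):
    """Map Zeek #types to Python values; everything else stays a string."""
    if typ in ("count", "int", "port"):
        return int(cell)
    if typ in ("time", "interval", "double"):
        return float(cell)
    return cell

def parse_zeek_tsv(text):
    """Yield one dict per data row; the unset marker (default '-') becomes None."""
    sep, unset, fields, types = "\t", "-", None, None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The only directive delimited by a space: the separator is not known yet.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "unset_field":
                unset = vals[0]
            elif key == "fields":
                fields = vals
            elif key == "types":
                types = vals
        elif fields and types:
            yield {name: (None if cell == unset else _convert(typ, cell))
                   for name, typ, cell in zip(fields, types, line.split(sep))}
        else:
            raise ValueError("data row before #fields/#types header")

def ssh_attempts_by_source(records, threshold=10):
    """Sources with more than `threshold` SSH connections: the site script's rule, run offline."""
    counts = Counter(r["id.orig_h"] for r in records if r["service"] == "ssh")
    return {src: n for src, n in counts.items() if n > threshold}
```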
Configure log rotation:
sudo nano /etc/logrotate.d/zeek
Content:
/var/log/zeek/*.log {
daily
rotate 30
compress
delaycompress
notifempty
create 0640 zeek zeek
postrotate
/opt/zeek/bin/zeekctl cron
endscript
}
Cluster Mode Deployment
Deploy Zeek in cluster mode for high-traffic networks that require load balancing across multiple workers.
Configure the cluster in node.cfg:
sudo nano /opt/zeek/etc/node.cfg
Multi-node cluster configuration:
[manager]
type=manager
host=192.168.1.50
[worker-1]
type=worker
host=192.168.1.51
interface=eth0
[worker-2]
type=worker
host=192.168.1.52
interface=eth0
[worker-3]
type=worker
host=192.168.1.53
interface=eth0
[proxy]
type=proxy
host=192.168.1.54
Configura zeekctl for cluster:
sudo nano /opt/zeek/etc/zeekctl.cfg
Cluster settings:
# Cluster configuration
master = 192.168.1.50
LogDir = /var/log/zeek
SpoolDir = /opt/zeek/spool
# Worker settings
lb_method = pf_ring
pin_cpus = 1,2,3,4
# Manager settings
manager_size_threshold = 2000000
manager_update_interval = 30
# Proxy settings
proxy_addr = 192.168.1.54
proxy_port = 2150
Deploy the cluster:
sudo /opt/zeek/bin/zeekctl deploy
Check cluster status:
sudo /opt/zeek/bin/zeekctl status
View worker logs:
sudo /opt/zeek/bin/zeekctl diag
Monitor cluster health:
sudo /opt/zeek/bin/zeekctl print_id
Custom Scripts
Write Zeek scripts to detect custom threats and analyze network behavior.
Create a custom detection script:
sudo nano /opt/zeek/share/zeek/site/custom-detection.zeek
Example script for SSH brute force detection:
# SSH Brute Force Detection
module SSH_BRUTEFORCE;

export {
    redef enum Notice::Type += {
        BRUTE_FORCE_DETECTED
    };

    # SSH connection attempts per source address; entries expire 15 minutes after creation
    global ssh_attempts: table[addr] of count &create_expire=15 mins;
    const ssh_threshold: count = 10 &redef;
}

# Fires once per SSH connection, when the server banner is seen
event ssh_server_version(c: connection, version: string)
{
    local src = c$id$orig_h;
    if ( src !in ssh_attempts )
        ssh_attempts[src] = 0;
    ++ssh_attempts[src];

    if ( ssh_attempts[src] > ssh_threshold )
        NOTICE([$note=BRUTE_FORCE_DETECTED,
                $conn=c,
                $msg=fmt("SSH brute force from %s (%d connections in 15 min)", src, ssh_attempts[src]),
                # one notice per source within the default suppression interval
                $identifier=cat(src)]);
}
Example script for detecting suspicious file downloads:
# Suspicious File Download Detection
module FILE_DOWNLOAD;

export {
    redef enum Notice::Type += {
        EXECUTABLE_DOWNLOAD
    };
}

# Server-to-client body chunks only (is_orig is F); matches the literal ".exe" in the body data
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
{
    if ( ! is_orig && /\.exe/ in data )
        NOTICE([$note=EXECUTABLE_DOWNLOAD,
                $conn=c,
                $msg="Executable file downloaded from HTTP"]);
}
Enable the custom script (the site directory is on Zeek's script search path, so the name alone is enough):
echo "@load custom-detection" | sudo tee -a /opt/zeek/share/zeek/site/local.zeek
Reload Zeek:
sudo /opt/zeek/bin/zeekctl deploy
Check the script for syntax errors without running it (parse-only mode):
/opt/zeek/bin/zeek -a /opt/zeek/share/zeek/site/custom-detection.zeek
Intel Framework
Integrate threat intelligence feeds for automatic threat detection.
Create an Intel file:
sudo nano /opt/zeek/share/zeek/site/intel-feed.txt
Format (fields are tab-separated; the #fields header line is mandatory and the type column uses Intel::Type names):
#fields	indicator	indicator_type	meta.source	meta.desc
192.0.2.1	Intel::ADDR	CUSTOM	Malware C&C Server
10.0.0.5	Intel::ADDR	CUSTOM	Known botnet node
malware.example.com	Intel::DOMAIN	CUSTOM	Phishing domain
curl	Intel::SOFTWARE	CUSTOM	Suspicious user agent
Load the Intel framework in local.zeek:
sudo nano /opt/zeek/share/zeek/site/local.zeek
Add:
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += { "/opt/zeek/share/zeek/site/intel-feed.txt" };
Reload Zeek:
sudo /opt/zeek/bin/zeekctl deploy
Check that the feed is loaded by replaying a capture against local.zeek (the pcap path is a placeholder):
/opt/zeek/bin/zeek -C -r /path/to/capture.pcap /opt/zeek/share/zeek/site/local.zeek
View Intel matches and the notices raised for them:
cat /var/log/zeek/intel.log
grep "Intel::" /var/log/zeek/notice.log
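The Intel framework silently ignores or rejects feeds whose header or type names are wrong, so the following added example (not from the guide or the Zeek project) builds a feed file programmatically: tab-separated, with the mandatory #fields header and the Intel::ADDR, Intel::DOMAIN and Intel::SOFTWARE type names, validating each indicator before it is written. The entries are constructed and mirror the feed above.

```python
import ipaddress
import re

# Intel::Type values for the indicator kinds used in this guide's feed.
INTEL_TYPES = {"ip": "Intel::ADDR", "domain": "Intel::DOMAIN", "software": "Intel::SOFTWARE"}
HEADER = ["indicator", "indicator_type", "meta.source", "meta.desc"]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def validate_indicator(kind, value):
    """Raise ValueError for unknown kinds, malformed values or embedded separators."""
    if kind not in INTEL_TYPES:
        raise ValueError(f"unsupported indicator kind: {kind!r}")
    if kind == "ip":
        ipaddress.ip_address(value)  # raises ValueError on anything that is not an IP
    elif kind == "domain" and not DOMAIN_RE.match(value):
        raise ValueError(f"not a domain name: {value!r}")
    if "\t" in value or "\n" in value or value != value.strip():
        raise ValueError("indicator must not contain tabs, newlines or surrounding whitespace")
    return value

def build_intel_feed(entries, source="CUSTOM"):
    """entries: (kind, indicator, description) tuples -> text of the Intel feed file."""
    lines = ["#fields\t" + "\t".join(HEADER)]
    for kind, value, desc in entries:
        validate_indicator(kind, value)
        # a tab inside the description would shift the columns, so it is flattened to a space
        lines.append("\t".join([value, INTEL_TYPES[kind], source, desc.replace("\t", " ")]))
    return "\n".join(lines) + "\n"

# Constructed entries mirroring the guide's feed (192.0.2.1 is a documentation address).
SAMPLE_ENTRIES = [
    ("ip", "192.0.2.1", "Malware C&C Server"),
    ("ip", "10.0.0.5", "Known botnet node"),
    ("domain", "malware.example.com", "Phishing domain"),
    ("software", "curl", "Suspicious user agent"),
]

if __name__ == "__main__":
    print(build_intel_feed(SAMPLE_ENTRIES), end="")
```

Write the returned text to the path listed in Intel::read_files; the input framework picks up changes to the file without a redeploy.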
Protocol Analysis
Analyze specific protocols to understand network behavior.
Enable detailed HTTP logging:
sudo nano /opt/zeek/share/zeek/site/local.zeek
Add:
@load base/protocols/http
@load policy/protocols/http/header-names
redef HTTP::log_client_header_names = T;
redef HTTP::log_server_header_names = T;
Analyze HTTP user agents:
zeek-cut user_agent < /var/log/zeek/http.log | sort | uniq -c | sort -rn
Detect DNS anomalies:
# DNS Anomaly Detection
module DNS_ANOMALY;

export {
    redef enum Notice::Type += {
        ANOMALOUS_QUERY
    };
}

# Empty names and ".." inside a name are not produced by a well-formed resolver
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
    if ( query == "" || /\.\./ in query )
        NOTICE([$note=ANOMALOUS_QUERY,
                $conn=c,
                $msg=fmt("Anomalous DNS query: %s", query)]);
}
Monitor SSL/TLS certificates (validity dates are recorded in x509.log, not ssl.log):
zeek-cut ts certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after < /var/log/zeek/x509.log
Integration with SIEM
Forward Zeek logs to SIEM systems for centralized analysis.
Configure syslog output:
sudo nano /opt/zeek/etc/zeekctl.cfg
Add:
# Send logs to syslog
send_logs = yes
syslog_server = 192.168.1.100
syslog_port = 514
syslog_facility = LOG_LOCAL0
Alternatively, configure remote syslog in local.zeek:
@load base/frameworks/logging/writers/syslog
redef Syslog::all_logs_to_syslog = T;
redef Syslog::server_address = "192.168.1.100";
redef Syslog::server_port = 514;
Configure JSON output for SIEM integration:
sudo nano /opt/zeek/share/zeek/site/local.zeek
Add (this bundled tuning script sets LogAscii::use_json = T, so every log is written as one JSON object per line):
@load policy/tuning/json-logs
Forward specific logs:
sudo cat /var/log/zeek/notice.log | nc 192.168.1.100 514
Performance Tuning
Optimize Zeek for high-traffic networks.
Enable PF_RING for improved packet capture:
sudo apt-get install -y pfring-dkms libpfring
Adjust ring buffer sizes:
sudo ethtool -G eth0 rx 4096 tx 4096
Configure packet handling in zeekctl:
sudo nano /opt/zeek/etc/zeekctl.cfg
Add:
# CPU affinity for workers
pin_cpus = 1,2,3,4,5,6,7
# Packet processing
packet_queue_size = 10000
load_balancing = round_robin
Tune the kernel for network performance:
sudo sysctl -w net.core.rmem_max=134217728
sudo sysctl -w net.core.wmem_max=134217728
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sudo sysctl -w net.ipv4.ip_local_port_range="1024 65535"
Monitor Zeek performance:
ps aux | grep zeek
top -p $(pgrep -f zeek | tr '\n' ',')
Check disk usage:
du -sh /var/log/zeek
Analyze Zeek CPU usage per worker:
/opt/zeek/bin/zeekctl status
/opt/zeek/bin/zeekctl profiling
Conclusion
Zeek provides comprehensive network security monitoring through deep protocol analysis and behavioral detection. By following this guide, you've installed Zeek, configured it to monitor network traffic, understood the diverse logs it generates, deployed cluster mode for high-traffic networks, written custom detection scripts, integrated threat intelligence feeds, analyzed protocol-specific behavior, integrated with SIEM systems, and optimized performance. Whether protecting small networks or large enterprises, Zeek scales with flexible clustering and powerful scripting capabilities to detect sophisticated threats beyond signature-based detection.