Zeek IDS Installation on Raspberry PI Part 1

(Originally posted on Peerlyst Aug 20, 2019 – Updated March 3, 2024)

Changelog:

• Changed Raspberry PI from 3B+ to 4.
• Reinstalled from scratch with Debian Bookworm.
• Downloaded source .ta.gz from zeek.org and compiled from source instead of using git due to hang in one of the modules.

A few months back I purchased a Raspberry PI 3 B+ 4 to create an IDS test lab. I’d read up and heard good things about the Zeek IDS system. I was amazed at the amount of work that security professionals had put into adapting Zeek to the Raspberry PI but I kept running into issues where I had to figure things out mostly on my own, on websites using older versions of Bro/Zeek or through resources pertaining to other software.

My objectives :

1. Update my network infrastructure to a less flat network.
2. Learn how to compile and update Zeek from source.
3. Create a point in my network where (most) network packets could be inspected.

I wanted to share what I learned through gleaning the internet. I hope this will help out with your own lab and you will be able to avoid some of the time sinks I ran into.

Introduction

I’ve worked with Linux as a user and administrator. This was my first attempt on a non-Intel platform. I’ve also built and run networks on multiple networking platforms and this had to be one of the toughest to figure out. The home and SMB network device space is not well served for documentation and HOWTOs.

What I used:

• Raspberry PI 3 B+ (and later a newer Raspberry PI 4 Model B w/ 4G RAM).
• 32 GB Samsung EVO Plus MicroSD card for fast(er) read and write speeds
• Netgear GS108Ev3, A switch that supports:
  • VLAN tagging.
  • 802.1Q VLAN trunks.
  • Port mirroring.
• TP-LINK router
  • Routed VLAN IP gateways.
  • Basic firewalling between zones.
  • Basic VLAN and trunking to the switch.
  • Gateway to the internet.
• A PC running Linux and VirtualBox as a virtual server host.

Network & Server Infrastructure Diagram

• The VLAN IDs and IP gateways are setup on the TP-Link.
• The DMZ and IoT networks cannot speak to the LAN and Server VLAN. Any Static NATs go to DMZ, IoT inside IPs are NAT’d to external IP.
• The server and LAN networks can route between themselves. The LAN segment can initiate traffic to the DMZ but not vice-versa.
• LAN & IoT VLANs are bridged into seperate wireless SSIDs.
• Wireless MGMT is uniquely for the communication to the APs and their management VM.
• The Mirror Port to the Raspberry PI is mirroring all other ports on the Netgear switch.
• The management port to the Raspberry PI is through the wireless network.

Caveats

• If you use the Netgear device, Don’t choose VLAN ID 1 for any of your other VLAN IDs. The device uses this as it’s default ‘config’ VLAN. I had to re-do the IP and VLAN schema for other VLANs and hosts to account for it.

Setting up the MicroSD card

I used a Windows computer with an SD card adapter and slot to image the microSD card with Raspbian Lite. If you’re less familiar with Linux and would like a desktop GUI I recommend getting Raspbian with Desktop.

• Raspbian Lite can be downloaded at:https://www.raspberrypi.org/downloads/raspbian/
• Download and unzip the .iso file image to setup your MicroSD card.
• To image the downloaded Raspbian image to your MicroSD card I used win32imager
• It can be downloaded at: https://sourceforge.net/projects/win32diskimager/
• Unzip and install win32diskimager, run the executable file and find the directory you unzipped your Raspian image file.
• Click on Write and wait a few minutes for the image file to write to your MicroSD card.
• Once you have downloaded your operating system and imaged it to the MicroSD card here we can begin the hardware setup.

First Boot of Raspberry PI

• Insert the MicroSD card into the card slot on the PI.
• Boot up your PI. Look for the 4 raspberries on the screen with scrolling text.
• Once confronted with a login prompt use user:pi and the default password.
• run sudo raspi-config
  • Use option 1 and CHANGE THE DEFAULT PASSWORD!!!
  • Use option 2 Network Options:
    • Change the host name of your device.
    • Configure the WiFi interface.
  • Use option 5 Interface options and setup SSH.
  • Scroll to finish.
• Your PI will reboot. Log back in with your new password and check that the wireless network is now running and has an IP via the ifconfig command. Note your IP address so you can ssh remotely into the device and configure remotely if needed.
• Install patches now that the device is networked.
  • sudo apt update -y
  • sudo apt dist-upgrade -y

Downloading and installing pre-requisites to Zeek

The Zeek docs instruct to install the following packages before installing Zeek.

• Libpcap
• OpenSSL
• Bind8 library
• Libz
• Bash
• Python 2.6 3

If you want to install Zeek from source, the following is needed:

• Cmake 2.8.12 (or greater)
• Make
• C/C++ Compiler with C++ 11 support (GCC 4.8+ or Clang 3.3+)
• SWIG
• Bison 2.5 or greater
• Flex
• Libpcap headers
• OpenSSL headers
• zlib headers
• Python

To install from packages use the following:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3-dev swig zlib1g-dev

or if you like to take your time, download and install all of these from source packages, compile and cross your fingers everything works.

Extra useful packages

• libmaxminddb: to use geolocation services
• sendmail or postfix to send e-mails.
• curl for Zeek scripts with http
• git to download new versions

sudo apt-get install libmaxminddb-dev postfix curl git

Download and Install Zeek From Source

I prefer downloading from GIT (update 03/03/2024 – git version seems to hang on make – I downloaded from zeek the LTS release at https://download.zeek.org/zeek-6.0.3.tar.gz and compiled from source)

git clone --recursive https://github.com/zeek/zeek

Once everything is downloaded

cd zeek
./configure
make

Go find something else to do – the make process will take a long time. You may see some cruft onscreen mentioning at the end of the lines: changed in GCC 7.1 Don’t worry about this.

Once the make is completed as an elevated user

sudo make install

Once done don’t forget to set the PATH.

export PATH=/usr/local/zeek/bin:$PATH

and then make it permanent by editing:

~/.profile

and adding

export PATH=/usr/local/zeek/bin:$PATH

Setting up Zeek

Assuming you didn’t run into any problems with the steps above you can then configure Zeek.

All the Zeek files should be installed in /usr/local/zeek, unless you changed the prefix on compilation.

etc contains the config files

Edit /usr/local/zeek/etc/node.cfg to set the interface to monitor; usually interface eth0

[zeek]
type=standalone
host=localhost
interface=eth0

Edit /usr/local/zeek/networks.cfg to add the IP addresses and short descriptions of your different routed networks. For example:

10.0.0.0/8 Private IP space
172.16.0.0/12 Private IP space 
192.168.0.0/16 Private IP space

Edit /usr/local/zeek/etc/zeekctl.cfg and set the

MailTo  = blah@blah.com

Replace to your email address to receive reports from your Zeek instance and set the LogRotationInterval to the log archiving frequency.

Starting up Zeek

Start the Zeek control shell with

zeekctl

On the first time use – we need to do the initial installation

[ZeekControl] > install

Then to start the zeek process

[ZeekControl] > start

I also like using

[ZeekControl] > deploy

to refresh settings when starting

To stop the Zeek process

[ZeekControl] > stop

Other commands in zeekctl are available with the ? notation

Also check

/usr/local/zeek/logs/current

for the latest log files and to troubleshoot Zeek e-mail reports to your e-mail address.

/var/log/mail.log

Now to make sure Zeek restarts on reboot add the following to your /etc/rc.local file before the exit 0 line. IDS functionality is better with promiscuous mode on for the network interface. This will forward all packets to the CPU and not just the ones destined for the host.

ip link set eth0 promisc on
/usr/local/zeek/bin/zeekctl start

exit 0

Last but not least, Zeek needs to occasionally perform some scheduled maintenance:

crontab -e 
(select an editor and enter the following line)
 */5 * * * * /usr/local/zeek/bin/zeekctl

I hope this tutorial helped you to get things setup in a basic way. In the next part I will show you how to :

• Setup JSON file style log writing
• Install filebeat to export the log files to a log collector
• Install some extra threat intelligence modules through intelstack.com Critical Path Security on GitHub.