Zeek IDS Installation on Raspberry PI Part 2

Updated 09-06-2021

Welcome back!

In the last episode, our intrepid adventurers set up a Raspberry Pi and got Zeek IDS downloaded, compiled and running in a very basic way…

But what about some more advanced functions? What can this small box filled with power do more than report packets traversing switches and routers?

Changing the log file format for better ingestion

The best way for external software to ingest your Zeek logs is to convert them to JSON format. In the default configuration, Zeek writes a human-readable tab-separated table for each kind of log file it creates in /usr/local/zeek/logs/current, such as:

cat capture_loss.log
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   capture_loss
#open   2019-08-31-02-04-06
#fields ts      ts_delta        peer    gaps    acks    percent_lost
#types  time    interval        string  count   count   double
1567213446.308621       900.000053      zeek    0       0       0.0

This is great for people to read but less so for machines. To convert these tables into JSON format:

  • Edit /usr/local/zeek/share/zeek/site/local.zeek;
  • Add the following to the end of the file:

    #JSON Output
    @load policy/tuning/json-logs.zeek

  • Save and close the site file;
  • From the command line, restart Zeek since the configuration has changed:

    zeekctl deploy

Check to make sure your logs are now in JSON format.

cat /usr/local/zeek/logs/current/packet_filter.log
{"ts":1567213927.478291,"node":"zeek","filter":"ip or not ip","init":true,"success":true}

This will help if you want to run scripts against the logs or export to a SIEM-type system.
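To make the difference between the two formats concrete, here is an added example (not code from the original post) that parses both the default tab-separated layout, honouring its `#separator`, `#fields`, `#types`, `#unset_field` and `#empty_field` header directives, and the JSON-lines layout produced after json-logs.zeek is loaded. The sample log text is copied from the excerpts above; the type-conversion table is an assumption covering only the common Zeek scalar and container types.

```python
"""Parse Zeek logs in native TSV form or JSON-lines form into Python dicts."""
import json

# Constructed sample: the default TSV log shown in the post (tabs written as \t).
# Zeek encodes the separator character itself on the first line (\x09 = tab).
TSV_SAMPLE = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tcapture_loss\n"
    "#open\t2019-08-31-02-04-06\n"
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost\n"
    "#types\ttime\tinterval\tstring\tcount\tcount\tdouble\n"
    "1567213446.308621\t900.000053\tzeek\t0\t0\t0.0\n"
)

# Constructed sample: a log line after json-logs.zeek is loaded (from the post).
JSON_SAMPLE = (
    '{"ts":1567213927.478291,"node":"zeek","filter":"ip or not ip",'
    '"init":true,"success":true}\n'
)

# Assumption: conversions for the common scalar types Zeek declares in #types;
# any type not listed here is kept as a string.
SCALAR_TYPES = {
    "time": float, "interval": float, "double": float,
    "count": int, "int": int, "port": int,
    "bool": lambda v: v == "T",
}


def convert_cell(raw, typ, unset, empty, set_sep):
    """Turn one TSV cell into a Python value according to its declared type."""
    if raw == unset:
        return None
    if typ.startswith(("set[", "vector[")):
        if raw == empty:
            return []
        inner = typ[typ.index("[") + 1:-1]
        return [convert_cell(v, inner, unset, empty, set_sep) for v in raw.split(set_sep)]
    if raw == empty:
        return ""
    return SCALAR_TYPES.get(typ, str)(raw)


def parse_zeek_tsv(text):
    """Parse a native Zeek TSV log, reading its '#' header directives first."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator is escape-encoded (e.g. \x09) and delimited by a space.
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            elif key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue  # #path, #open and #close carry no per-record data
        cells = line.split(sep)
        if len(cells) != len(fields):
            raise ValueError("field count mismatch in line: %r" % line)
        records.append({name: convert_cell(raw, typ, unset, empty, set_sep)
                        for name, typ, raw in zip(fields, types, cells)})
    return records


def parse_zeek_json(text):
    """Parse a JSON-lines Zeek log: one object per line, values already typed."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_zeek_log(text):
    """Accept either format, detecting it from the first non-blank line."""
    first = next((l for l in text.splitlines() if l.strip()), "")
    return parse_zeek_json(text) if first.startswith("{") else parse_zeek_tsv(text)


if __name__ == "__main__":
    for sample in (TSV_SAMPLE, JSON_SAMPLE):
        for record in parse_zeek_log(sample):
            print(record)
```

The TSV path needs a header-aware parser and a type table just to recover that `gaps` is an integer and `ts` a timestamp, and it breaks if a log is rotated mid-file or the header is cut off; the JSON path is one `json.loads` per line with the types already carried in the data, which is why the JSON form is the one to ship to scripts and SIEMs.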

Adding Intelligence from a Threat Feed & Automating the updates for the feeds.

I used to have the setup for criticalstack/intelstack.com, but it's gone the way of the dodo. In another post I recommend a new threat feed provided by Critical Path Security, which is easier to update through Git; see that post for the install instructions.

Testing the Threat Intel Feeds

A new log file will be created when using the intel threat feeds: intel.log.

To test the creation of this log file you can attempt to browse to a Tor exit node (if you added a Tor exit node feed) or to some other site that could be part of the feeds you've added.

For this example, I've got 35.225.94.95, which came in on my external address. If you browse to it in a browser or use curl from the command line, it will trigger an entry and generate an intel.log file.

cat intel.log
{"ts":1630934593.891459,"uid":"C0VM2b1tdQrrVzLYRi","id.orig_h":"35.225.94.95","id.orig_p":47322,"id.resp_h":"10.255.30.30","id.resp_p":443,"seen.indicator":"35.225.94.95","seen.indicator_type":"Intel::ADDR","seen.where":"Conn::IN_ORIG","seen.node":"zeek","matched":["Intel::ADDR"],"sources":["RUTGERS-BANLIST","CPS-ILLUMINATE"]}

In the entry above, the address matched two sources, RUTGERS-BANLIST and CPS-ILLUMINATE, both part of the Critical Path intel feeds downloaded earlier into the intel directory.
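A single intel.log line is easy to read by eye, but once several feeds are loaded the file fills quickly, and what matters for triage is how often an indicator hit, which feeds agree on it, and which direction the connection went. The following is an added example (not code from the original post) that reads intel.log in the JSON form shown above and summarizes hits by indicator. The first log line is the one from the post; the second is a constructed repeat hit from the same address a minute later, marked as such in the code.

```python
"""Summarize Zeek intel.log (JSON-lines) hits by indicator for triage."""
import json

# Constructed sample: line 1 is the intel.log entry from the post; line 2 is a
# made-up second hit from the same address (uid and ts are invented).
INTEL_LOG = (
    '{"ts":1630934593.891459,"uid":"C0VM2b1tdQrrVzLYRi","id.orig_h":"35.225.94.95",'
    '"id.orig_p":47322,"id.resp_h":"10.255.30.30","id.resp_p":443,'
    '"seen.indicator":"35.225.94.95","seen.indicator_type":"Intel::ADDR",'
    '"seen.where":"Conn::IN_ORIG","seen.node":"zeek","matched":["Intel::ADDR"],'
    '"sources":["RUTGERS-BANLIST","CPS-ILLUMINATE"]}\n'
    '{"ts":1630934653.0,"uid":"CONSTRUCTED00001","id.orig_h":"35.225.94.95",'
    '"id.orig_p":47400,"id.resp_h":"10.255.30.30","id.resp_p":443,'
    '"seen.indicator":"35.225.94.95","seen.indicator_type":"Intel::ADDR",'
    '"seen.where":"Conn::IN_ORIG","seen.node":"zeek","matched":["Intel::ADDR"],'
    '"sources":["RUTGERS-BANLIST"]}\n'
)


def load_intel_hits(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def local_side(hit):
    """Return the local host involved in the hit.

    Conn::IN_ORIG means the indicator was the connection originator, so the
    local side is the responder (host:port of the service that was contacted).
    Conn::IN_RESP means a local client reached out to the indicator, so the
    local side is the originator host.
    """
    if hit["seen.where"] == "Conn::IN_ORIG":
        return "%s:%d" % (hit["id.resp_h"], hit["id.resp_p"])
    return hit["id.orig_h"]


def summarize_by_indicator(hits):
    """Group hits by indicator: count, union of sources, directions, time span."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["seen.indicator"], {
            "type": h["seen.indicator_type"], "count": 0, "sources": set(),
            "where": set(), "local_hosts": set(),
            "first_ts": h["ts"], "last_ts": h["ts"],
        })
        s["count"] += 1
        s["sources"].update(h.get("sources", []))
        s["where"].add(h["seen.where"])
        s["local_hosts"].add(local_side(h))
        s["first_ts"] = min(s["first_ts"], h["ts"])
        s["last_ts"] = max(s["last_ts"], h["ts"])
    return summary


def inbound_hits(hits):
    """Hits where a listed address connected *to* a local host (Conn::IN_ORIG),
    as opposed to a local host browsing out to a listed address (Conn::IN_RESP)."""
    return [h for h in hits if h["seen.where"] == "Conn::IN_ORIG"]


def report(summary):
    """Render the summary as plain text lines, one indicator per line."""
    lines = []
    for indicator, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append("%s (%s) hits=%d sources=%s where=%s local=%s span=%.0fs" % (
            indicator, s["type"], s["count"], ",".join(sorted(s["sources"])),
            ",".join(sorted(s["where"])), ",".join(sorted(s["local_hosts"])),
            s["last_ts"] - s["first_ts"]))
    return lines


if __name__ == "__main__":
    hits = load_intel_hits(INTEL_LOG)
    print("\n".join(report(summarize_by_indicator(hits))))
    print("inbound hits:", len(inbound_hits(hits)))
```

The `seen.where` field is the detail worth checking first: in the post's entry it is `Conn::IN_ORIG`, meaning the listed address was the one that opened the connection to 10.255.30.30:443, so this is an inbound contact from a flagged host rather than something on the network reaching out to it. Feeding the summary into an alerting rule (for instance, any indicator seen inbound against more than one local host, or confirmed by more than one source) is the natural next step once the logs are shipped to a central server.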

That’s all for now. In part 3, we will set up a logging server and export the Zeek logs to it to build a visualization component and dashboards.
