IA612: Intrusion Detection and Prevention
St. Cloud State University
LAB-02: The Zeek (Bro) Network Security Monitor – Installation and Configuration
Sample LAB Report
Part-01: How to Install Zeek (formerly Bro) NIDS on CentOS 8.X
A. Overview
In this part of the lab we have installed Zeek on CentOS 8.3 in our VirtualBox. We have also optimized CentOS to capture packets efficiently and then compiled Zeek from source to start monitoring network traffic. The figure below shows CentOS 8.3 installed on VirtualBox.
B. Enable “Network” Service and Disable NIC Offloading Functions
Step 1.
First, install the network-scripts package using the following command in the CentOS terminal:
Step 2.
We have used the ifconfig command to determine the interface, then used the ethtool command to determine the maximum ring parameters for our sniffing interface, which is enp0s3:
Step 3.
Next we have edited the /etc/sysconfig/network-scripts/ifcfg-enp0s3 file using the following command to disable control by NetworkManager, disable DHCP, and add the appropriate ethtool options.
Step 4.
Next we have enabled the network services using the following command:
Step 5.
Finally, we have restarted the network service with the following command:
C. Set Sniffing Network Interfaces to Promiscuous Mode
Step 1.
First we have created a file /etc/systemd/system/promisc.service using the following command:
Step 2.
Then we have added the following text in the file assuming our sniffing interface is enp0s3:
Step 3.
Next we have run the following commands to make the change permanent and start it on boot:
Step 4.
Next reboot the system and verify that PROMISC is listed in the network interface status using the following command:
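Since the report shows the commands only as screenshots, here is an added example for sections B and C that renders the two files the steps describe and checks the result. It is not the lab's own command set; it assumes the sniffing interface is enp0s3, that `ethtool -g enp0s3` reported an RX ring maximum of 4096, and that the network-scripts package is installed.

```shell
#!/bin/sh
# Added example for sections B and C; these are not the lab's own commands.
# Assumptions (not stated on the page): sniffing interface enp0s3, RX ring maximum 4096
# (read it from `ethtool -g enp0s3` on the real host), network-scripts installed.

# ifcfg file for a capture-only interface: NetworkManager hands off, no DHCP and no
# address, and NIC offloading turned off so Zeek sees frames as they were on the wire
# instead of GRO/TSO-merged super-frames that confuse reassembly and size-based analysis.
render_ifcfg() {
  iface="$1"; ring="$2"
  cat <<EOF
DEVICE=$iface
NAME=$iface
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no
IPV6INIT=no
ETHTOOL_OPTS="-G $iface rx $ring; -K $iface rx off tx off sg off tso off gso off gro off"
EOF
}

# systemd unit that sets promiscuous mode after the network service is up and stays
# "active" so `systemctl status promisc` shows whether it ran.
render_promisc_unit() {
  iface="$1"
  cat <<EOF
[Unit]
Description=Put $iface into promiscuous mode for Zeek
After=network.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/ip link set dev $iface promisc on

[Install]
WantedBy=multi-user.target
EOF
}

# Verification for step C.4: given the output of `ip link show <iface>`, succeed only if
# the flag list inside <...> contains PROMISC.
iface_is_promisc() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+: [^:]+: <([^>]*,)?PROMISC(,[^>]*)?>'
}

# Constructed sample outputs, used to exercise the check offline.
SAMPLE_PROMISC='2: enp0s3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
SAMPLE_PLAIN='2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'

# Apply everything (needs root). Only runs when ZEEK_LAB_APPLY=1 is set.
apply_sniffing_config() {
  iface="$1"; ring="$2"
  render_ifcfg "$iface" "$ring" > "/etc/sysconfig/network-scripts/ifcfg-$iface" || return 1
  render_promisc_unit "$iface" > /etc/systemd/system/promisc.service || return 1
  systemctl daemon-reload &&
  systemctl enable network promisc.service &&
  systemctl restart network promisc.service &&
  iface_is_promisc "$(ip link show "$iface")"
}

if [ "${ZEEK_LAB_APPLY:-0}" = 1 ]; then
  apply_sniffing_config enp0s3 4096
fi
```

Run it as `ZEEK_LAB_APPLY=1 sudo sh sniff.sh` on the sensor; without the variable it only defines the functions, so the promiscuous-mode check can be exercised against captured `ip link` output. The ring size is deliberately a parameter because the maximum differs per NIC driver.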
D. Install Zeek Dependencies
Step 1.
First edit /etc/yum.repos.d/CentOS-PowerTools.repo with sudo and set the “enabled” field to 1 to enable the PowerTools repository. The file will then look like below:
Step 2.
Next add the EPEL repo using the following command:
Step 3.
Next run the following command to download the required dependencies:
Step 4.
Finally, update the packages and reboot the system using the following commands:
E. Configure GeoIP Support
Step 1.
First install the libmaxminddb development library using the following commands:
Step 2.
Next download the GeoLite2 database, untar it and move it to /usr/share/GeoIP using the following commands:
F. Create the Zeek user and directory to install and run Zeek
Step 1.
First create the zeek user, add it to the zeek group and set its password using the following commands:
Step 2.
Next create /opt/zeek directory and set the ownership to the zeek user with sudo using the following command:
G. Download, Compile, and Install Zeek
Step 1.
First switch to the zeek user using the following command:
Step 2.
Next download, configure and install Zeek using the following commands:
Step 3.
Finally, switch back to the normal user and give the Zeek binaries permission to capture packets using the following commands:
H. Add Zeek to PATH
Step 1.
We have created /etc/profile.d/zeek.sh with sudo using the following command, then logged out and back in as the zeek user to update PATH:
I. Configure Zeek
Step 1.
Next we have edited /opt/zeek/etc/node.cfg to configure the number of nodes using the following command; the output will look like below:
Step 3.
Next edit /opt/zeek/share/zeek/site/local.zeek to enable or disable scripts as needed, as below:
J. Start Zeek
Step 1.
First run zeekctl deploy as the zeek user to apply the configuration and start Zeek using the following command:
Step 2.
Next check that Zeek is running successfully:
Step 6.
Finally, we can see the logs generated using the following command:
K. ZeekControl Cron
Step 1.
Lastly, we have checked for and restarted crashed nodes and performed maintenance tasks using the following commands:
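The following added example pulls the build, capability, PATH, deploy and cron steps of sections D, G, H, J and K into one script with checks a report could cite. It is not the lab's own command list: it assumes Zeek is installed under /opt/zeek, which the zeek user owns, that the source tarball path is passed in, and that PowerTools and EPEL are already enabled.

```shell
#!/bin/sh
# Added example covering sections D, G, H, J and K; not the lab's own commands.
# Assumptions (not on the page): prefix /opt/zeek owned by the zeek user, tarball path
# given by the caller, CentOS 8 with PowerTools and EPEL enabled.

ZEEK_PREFIX=/opt/zeek

# D: build dependencies (as root). These are the usual Zeek build requirements.
install_deps() {
  dnf install -y cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel \
    python3 python3-devel swig zlib-devel
}

# G.2: configure, build and install as the zeek user. Only runs when called explicitly.
build_zeek() {
  tarball="$1"
  src="$(basename "$tarball" .tar.gz)"
  tar -xzf "$tarball" || return 1
  (cd "$src" && ./configure --prefix="$ZEEK_PREFIX" && make -j"$(nproc)" && make install)
}

# G.3: instead of running Zeek as root, give only the two capture binaries the two
# capabilities they need: cap_net_raw (raw sockets) and cap_net_admin (promisc mode).
grant_capture_caps() {
  for bin in zeek capstats; do
    setcap cap_net_raw,cap_net_admin=eip "$ZEEK_PREFIX/bin/$bin" || return 1
  done
}

# Check one getcap line for both capabilities with effective and permitted set. Accepts
# the old libcap format ("path = caps+eip") and the new one ("path caps=eip").
caps_ok() {
  line="$1"
  case "$line" in
    *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) ;;
    *) return 1 ;;
  esac
  flags="${line##*[+=]}"
  case "$flags" in
    *e*p*|*p*e*) return 0 ;;
    *) return 1 ;;
  esac
}

# H: content of /etc/profile.d/zeek.sh.
render_profile() {
  printf 'export PATH=%s/bin:$PATH\n' "$ZEEK_PREFIX"
}

# J.2: from `zeekctl status` output, print the names of nodes whose Status column is
# not "running"; empty output means the deployment is healthy.
nodes_not_running() {
  printf '%s\n' "$1" | awk 'NR > 1 && $4 != "running" { print $1 }'
}

# J.1 + J.2: apply the configuration and refuse to report success with a dead node.
deploy_and_verify() {
  zeekctl deploy || return 1
  bad="$(nodes_not_running "$(zeekctl status)")"
  [ -z "$bad" ] || { echo "nodes not running: $bad" >&2; return 1; }
}

# K: crontab entry so zeekctl restarts crashed nodes and runs its periodic maintenance
# every five minutes; added to the zeek user's crontab only if not already present.
CRON_LINE="*/5 * * * * $ZEEK_PREFIX/bin/zeekctl cron"
ensure_zeekctl_cron() {
  crontab -l 2>/dev/null | grep -qF 'zeekctl cron' && return 0
  { crontab -l 2>/dev/null; printf '%s\n' "$CRON_LINE"; } | crontab -
}

# Constructed sample outputs for offline checks.
SAMPLE_CAPS_OLD='/opt/zeek/bin/zeek = cap_net_admin,cap_net_raw+eip'
SAMPLE_CAPS_NEW='/opt/zeek/bin/capstats cap_net_admin,cap_net_raw=eip'
SAMPLE_CAPS_MISSING='/opt/zeek/bin/zeek = cap_net_raw+eip'
SAMPLE_STATUS='Name         Type    Host         Status    Pid    Started
logger       logger  localhost    running   2301   05 Jan 10:12:31
manager      manager localhost    running   2345   05 Jan 10:12:33
proxy-1      proxy   localhost    running   2390   05 Jan 10:12:35
worker-1     worker  localhost    crashed'
```

The capability step is the security-relevant one: with `cap_net_raw,cap_net_admin=eip` on the two binaries, the sensor runs entirely as the unprivileged zeek user, and `getcap /opt/zeek/bin/zeek` piped through `caps_ok` is the check to record in the report. `nodes_not_running` turns `zeekctl status` into something a monitoring job can act on rather than a screenshot.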
Part-02: Zeek Package Manager
A. Overview
In this part of the lab we have installed Zeek Package Manager to extend Zeek’s functionality. We will also install additional useful packages.
B. Install Zeek Package Manager
Step 1.
Using sudo, install git and pip (needed to download Zeek and Python packages), then switch to the zeek user using the following commands:
Step 2.
Next change to the zeek user’s home directory and install the package manager using the following commands:
Step 3.
Next configure the Zeek package manager; the output will look like below:
C. Install the AF_PACKET package
Step 1.
Next stop Zeek and install the AF_PACKET package using the following commands:
D. Configure Zeek to use AF_PACKET
Step 1.
Edit /opt/zeek/etc/node.cfg to configure Zeek to use AF_PACKET using the following command:
Step 2.
As root (via sudo), give the Zeek binaries permission to capture packets after installing AF_PACKET, then apply the configuration and run Zeek using the following commands:
E. Install add-interfaces, ja3, and HASSH
Step 1.
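Because node.cfg is edited twice in this report (Part-01 section I for the node count, and here to switch the workers to AF_PACKET), the following added example renders both the standalone and the cluster form of the file and validates the result before `zeekctl deploy`. It is not the lab's own node.cfg; it assumes one sniffing interface enp0s3, the zeek-af_packet-plugin installed through zkg, and fanout id 23 (any id unique per interface on the host works).

```shell
#!/bin/sh
# Added example for Part-01 section I and Part-02 section D; not the lab's node.cfg.
# Assumptions (not on the page): interface enp0s3, zeek-af_packet-plugin installed via
# zkg, fanout id 23.

# Single-process deployment: one node sniffing through AF_PACKET without load balancing.
render_standalone_cfg() {
  iface="$1"
  cat <<EOF
[zeek]
type=standalone
host=localhost
interface=af_packet::$iface
EOF
}

# Cluster deployment: logger, manager, proxy and one worker definition that zeekctl
# expands into $procs worker processes sharing the interface via PACKET_FANOUT hashing,
# so every packet of a flow reaches the same worker.
render_cluster_cfg() {
  iface="$1"; procs="$2"; fanout="${3:-23}"
  cat <<EOF
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=af_packet::$iface
lb_method=custom
lb_procs=$procs
af_packet_fanout_id=$fanout
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size=128*1024*1024
EOF
}

# Sanity check before `zeekctl deploy`: reads node.cfg on stdin and exits 0 if it is
# either exactly one standalone node, or a cluster with exactly one manager and at least
# one worker; any node that sets lb_procs on an af_packet interface must use
# lb_method=custom, otherwise the fanout settings are silently ignored.
node_cfg_valid() {
  awk '
    /^\[/ { sect = $0; sub(/^\[/, "", sect); sub(/\]$/, "", sect); sections++ }
    /^type=standalone$/      { standalone++ }
    /^type=manager$/         { managers++ }
    /^type=worker$/          { workers++ }
    /^interface=af_packet::/ { afp[sect] = 1 }
    /^lb_procs=/             { procs[sect] = 1 }
    /^lb_method=custom$/     { custom[sect] = 1 }
    END {
      ok = (standalone == 1 && sections == 1) || (standalone == 0 && managers == 1 && workers >= 1)
      for (s in procs) if ((s in afp) && !(s in custom)) ok = 0
      exit (ok ? 0 : 1)
    }'
}

# Constructed broken config: AF_PACKET load balancing requested without lb_method=custom.
SAMPLE_BAD_CFG='[manager]
type=manager
host=localhost

[worker-1]
type=worker
host=localhost
interface=af_packet::enp0s3
lb_procs=2'
```

Usage on the sensor: `render_cluster_cfg enp0s3 2 > /opt/zeek/etc/node.cfg && node_cfg_valid < /opt/zeek/etc/node.cfg && zeekctl deploy`. The lb_procs value should not exceed the cores you can spare for workers, since the logger and manager need CPU of their own.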
We have installed and configured add-interfaces, ja3 and HASSH using the following commands:
F. Update Installed Zeek Packages
Step 1.
Finally, update all the installed Zeek packages using the following commands:
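As an added example for Part-02 sections B through F (not the lab's own command list), the script below installs the four packages named in this part with zkg, makes sure local.zeek loads them exactly once, and checks `zkg list` afterwards. It assumes zkg was pointed at /opt/zeek with `zkg autoconfig`, that Zeek is stopped before the AF_PACKET plugin is built, and that the package names are the ones in the public Zeek package index; the `zkg list` line format the parser expects is an assumption too.

```shell
#!/bin/sh
# Added example for Part-02 (sections B to F); not the lab's own command list.
# Assumptions (not on the page): zkg configured for /opt/zeek, Zeek stopped before the
# AF_PACKET build, package names as in the public Zeek package index, and `zkg list`
# lines of the form "<name> (installed: <version>) - <description>".

ZEEK_SITE=/opt/zeek/share/zeek/site
PACKAGES='zeek/j-gras/zeek-af_packet-plugin zeek/j-gras/add-interfaces zeek/salesforce/ja3 zeek/salesforce/hassh'

# zkg-installed scripts only run if local.zeek loads the "packages" bundle. Append the
# line only when absent so re-running the script never stacks duplicates.
ensure_line() {
  file="$1"; line="$2"
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Package names that `zkg list` reports as installed (parses the listing given in $1).
installed_packages() {
  printf '%s\n' "$1" | awk '/\(installed:/ { print $1 }'
}

# Requested packages that are absent from a `zkg list` listing; empty output is good.
missing_packages() {
  listing="$1"
  for p in $PACKAGES; do
    installed_packages "$listing" | grep -qx -- "$p" || printf '%s\n' "$p"
  done
}

# Sections C to F in order: stop Zeek, install, wire into local.zeek, update, verify.
install_packages() {
  zeekctl stop
  for p in $PACKAGES; do zkg install --force "$p" || return 1; done
  ensure_line "$ZEEK_SITE/local.zeek" '@load packages'
  zkg refresh && zkg upgrade --force || return 1
  [ -z "$(missing_packages "$(zkg list)")" ]
}

# Constructed `zkg list` output (versions made up) with add-interfaces not yet installed.
SAMPLE_ZKG_LIST='zeek/j-gras/zeek-af_packet-plugin (installed: v0.0.1) - Packet source using AF_Packet
zeek/salesforce/ja3 (installed: v0.0.1) - JA3 fingerprinting
zeek/salesforce/hassh (installed: v0.0.1) - HASSH fingerprinting'

if [ "${ZEEK_LAB_APPLY:-0}" = 1 ]; then
  install_packages
fi
```

After `install_packages` succeeds, the AF_PACKET binaries need the capture capabilities again (section D step 2) because zkg built a new plugin, and `zeekctl deploy` restarts the nodes. The `missing_packages` check is what to paste into the report in place of a screenshot.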
Part-03: Configure ELK Data Visualization Tool
Step 1.
Install OpenJDK 8 Java using the following command:
Step 2.
Next add the Elasticsearch repositories using the following commands:
Step 3.
Next install and set up Elasticsearch using the following commands:
Step 4.
Now test Elasticsearch using the following command:
Step 5.
Next install and set up Kibana using the following commands:
Step 6.
Now test Kibana by opening a web browser and entering the following address:
Step 7.
Next, install and set up Logstash using the following commands:
Step 8.
Next, install Filebeat using the following commands:
Step 9.
Launch the web browser and enter the following address to view the logs:
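The following added example (not the lab's own commands) covers the Filebeat and Elasticsearch steps of Part-03: it writes the Filebeat zeek module configuration that points at the ZeekControl log directory and checks the Elasticsearch health endpoint before trusting the dashboards. It assumes Filebeat 7.x with its zeek module, Elasticsearch on localhost:9200 without authentication (acceptable only inside the lab VM), ZeekControl writing current logs to /opt/zeek/logs/current, and Zeek configured to emit JSON logs (`@load policy/tuning/json-logs` in local.zeek), which is the format the Filebeat zeek module parses.

```shell
#!/bin/sh
# Added example for Part-03, not the lab's own commands. Assumptions (not on the page):
# Filebeat 7.x with the zeek module, Elasticsearch on localhost:9200 with no auth (lab
# only), ZeekControl logs in /opt/zeek/logs/current, Zeek emitting JSON logs.

ZEEK_LOGS=/opt/zeek/logs/current
ES_URL=http://localhost:9200

# /etc/filebeat/modules.d/zeek.yml: one fileset per Zeek log this lab's setup produces
# (ssl.log carries the ja3 fields, ssh.log the HASSH fields from Part-02).
render_filebeat_zeek_module() {
  cat <<EOF
- module: zeek
  connection:
    enabled: true
    var.paths: ["$ZEEK_LOGS/conn.log"]
  dns:
    enabled: true
    var.paths: ["$ZEEK_LOGS/dns.log"]
  http:
    enabled: true
    var.paths: ["$ZEEK_LOGS/http.log"]
  ssl:
    enabled: true
    var.paths: ["$ZEEK_LOGS/ssl.log"]
  ssh:
    enabled: true
    var.paths: ["$ZEEK_LOGS/ssh.log"]
EOF
}

# Step 4 check: parse the _cluster/health JSON. A single-node lab cluster reports
# "yellow" (replica shards cannot be assigned), which is acceptable; "red" is not.
es_health_ok() {
  printf '%s\n' "$1" | grep -Eq '"status"[[:space:]]*:[[:space:]]*"(green|yellow)"'
}

# Steps 8 and 9: enable the module, write the config, validate it, load the index
# template and dashboards, then start shipping. Needs root; runs only on request.
apply_filebeat_zeek() {
  es_health_ok "$(curl -s "$ES_URL/_cluster/health")" || return 1
  filebeat modules enable zeek || return 1
  render_filebeat_zeek_module > /etc/filebeat/modules.d/zeek.yml || return 1
  filebeat test config && filebeat setup && systemctl enable --now filebeat
}

# Constructed health responses for offline checks.
SAMPLE_HEALTH_YELLOW='{"cluster_name":"elasticsearch","status":"yellow","timed_out":false,"number_of_nodes":1}'
SAMPLE_HEALTH_RED='{"cluster_name":"elasticsearch","status":"red","timed_out":false,"number_of_nodes":1}'

if [ "${ZEEK_LAB_APPLY:-0}" = 1 ]; then
  apply_filebeat_zeek
fi
```

If Kibana shows the Filebeat zeek dashboards but no documents, the usual cause is that Zeek is still writing TSV logs; the module's ingest pipeline only understands the JSON format enabled by `@load policy/tuning/json-logs`.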
***************************************************************************
NOTE: You may add the following sections to your LAB report to make a more comprehensive, well-written document based on your experiences during the LAB exercises.
***************************************************************************
Section-XX1: Conclusions/Discussion/Summary/Insights
Section-XX2: Limitations/Difficulties/Problems/Issues
Section-XX3: References
Appendixes: if available, for additional materials such as source code, etc.