In this tutorial, we will show you how to install Zeek Network Security Monitor on Debian 12. Zeek, formerly known as Bro, is a powerful open-source network security monitor. It’s not just a typical intrusion detection system (IDS) but a robust network analysis framework that goes beyond traditional IDS functions. Zeek provides real-time insights into your network’s operations, helping you detect and prevent security incidents. The benefits of using Zeek for network security monitoring are numerous. It offers detailed logging of network traffic, scriptable event-driven analysis, and the ability to detect a wide range of network anomalies and security incidents.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘
sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of the Zeek open-source network traffic analyzer on a Debian 12 (Bookworm).
- A server running one of the following operating systems: Debian 12 (Bookworm).
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
- You will need an active internet connection to download the Zeek Network Security Monitor package.
- A user account with sudo privileges:
sudo, or “superuser do,” is a powerful command that allows users to execute commands with the security privileges of another user (by default, the superuser).
Install Zeek Network Security Monitor on Debian 12 Bookworm
Step 1. Before installing Zeek, you need to update and refresh your Debian repository by executing the following command:
sudo apt update sudo apt upgrade
This command will update the package lists for upgrades and new package installations.
Step 2. Installing Zeek Network Security Monitor on Debian 12.
After updating the repository, you can start the Zeek installation. First, add the GPG key and repository for the Zeek package using the following commands:
curl -fsSL https://download.opensuse.org/repositories/security:zeek/Debian_12/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null echo 'deb http://download.opensuse.org/repositories/security:/zeek/Debian_12/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
Next, update your Debian repository by executing the following command:
sudo apt update
Now, you can install Zeek by executing the following command:
sudo apt install zeek-lts
After the installation, you can check the location of the Zeek binary file, check the Zeek version, and print the Zeek help message using the following commands:
which zeek zeek --version zeek --help
Step 3. Configuring Zeek.
The first step in configuring Zeek in standalone mode is to set the network interface that Zeek will monitor. Open the
node.cfg file located in the
$PREFIX/etc/ directory, where
$PREFIX is the Zeek installation root directory. By default, this is
/usr/local/zeek if you installed from a source, or
/opt/zeek if you installed from a binary package. For example, if your network interface is ‘
eth0‘, the configuration would look like this:
[zeek] type=standalone host=localhost interface=eth0
If you plan to run Zeek in a cluster configuration, you need to define where the logger, manager, proxies, and workers will run. For a cluster configuration, comment out (or remove) the standalone node in the
node.cfg file, and either uncomment or add node entries for each node in your cluster (logger, manager, proxy, and workers):
For example, to run five Zeek nodes (two workers, one proxy, a logger, and a manager) on a cluster consisting of three machines, the cluster configuration would look like this:
[logger] type=logger host=192.168.1.1 [manager] type=manager host=192.168.1.2 [proxy-1] type=proxy host=192.168.1.2 [worker-1] type=worker host=192.168.1.3 interface=eth0 [worker-2] type=worker host=192.168.1.3 interface=eth1
After configuring Zeek, you can start it using the
This command is equivalent to the
start commands in Zeek. You can check the status of each component of your Zeek cluster by executing the
Congratulations! You have successfully installed Zeek. Thanks for using this tutorial to install the latest version of Zeek open-source network traffic analyzer on Debian 12 Bookworm. For additional help or useful information, we recommend you check the official Zeek website.