
How To Install Zeek Network Security on Rocky Linux 9


In this tutorial, we will show you how to install Zeek Network Security on Rocky Linux 9. Zeek, formerly known as Bro, is a powerful open-source network security monitoring tool that provides real-time traffic analysis and protocol detection. This comprehensive guide will walk you through the process of installing Zeek Network Security on Rocky Linux 9, helping you enhance your network’s security posture and detect potential threats.

Introduction to Zeek Network Security

Zeek is a flexible framework for network traffic analysis and security monitoring. It offers deep packet inspection, protocol analysis, and the ability to detect complex patterns of malicious behavior. By deploying Zeek on your Rocky Linux 9 system, you’ll gain valuable insights into your network traffic and improve your ability to identify and respond to security incidents.

Prerequisites

Before we dive into the installation process, ensure you have the following:

  • A Rocky Linux 9 server with root or sudo access
  • Basic knowledge of Linux command-line operations
  • A stable internet connection
  • Sufficient system resources (recommended: 4+ CPU cores, 8GB+ RAM, 100GB+ storage)

Step 1: Update Your Rocky Linux 9 System

Begin by updating your system to ensure you have the latest packages and security patches:

sudo dnf update -y
sudo dnf upgrade -y

This step is crucial for maintaining system stability and security. It’s always a good practice to start with an up-to-date system before installing new software.

Step 2: Install Required Dependencies

Zeek requires several dependencies to function properly. Install them using the following command:

sudo dnf install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python3 python3-devel python3-pip swig zlib-devel git -y

These packages provide the build tools and libraries needed to compile and run Zeek; `swig` and `python3-devel` are required by Zeek's configure step for its Python bindings.

Step 3: Download and Build Zeek from Source

Since Zeek isn’t available in the default Rocky Linux 9 repositories, we’ll build it from source:

cd /usr/local/src
sudo git clone --recursive https://github.com/zeek/zeek.git
cd zeek
sudo ./configure --prefix=/opt/zeek
sudo make -j"$(nproc)"
sudo make install

This process may take some time, depending on your system’s performance; `make -j"$(nproc)"` uses all available cores to speed up the build. The `--recursive` flag ensures that all submodules are also cloned.

Step 4: Configure Environment Variables

To make Zeek easily accessible from anywhere in the system, add its binary directory to your PATH:

echo 'export PATH=$PATH:/opt/zeek/bin' | sudo tee /etc/profile.d/zeek.sh
source /etc/profile.d/zeek.sh

The single quotes keep `$PATH` unexpanded in the file, so the current user's PATH is not hard-coded into the profile script. Verify the installation by checking Zeek’s version:

zeek --version

Step 5: Configure Zeek for Network Monitoring

Now, let’s configure Zeek to monitor your network:

sudo nano /opt/zeek/etc/node.cfg

Modify the configuration for standalone mode:

[zeek]
type=standalone
host=localhost
interface=eth0

Replace `eth0` with your actual network interface name. You can find your interface name using the `ip a` command.

Next, edit the networks configuration:

sudo nano /opt/zeek/etc/networks.cfg

Add your internal networks:

10.0.0.0/8 Private IP space
172.16.0.0/12 Private IP space
192.168.0.0/16 Private IP space

Step 6: Start and Deploy Zeek

Initialize and deploy Zeek using `zeekctl`:

sudo /opt/zeek/bin/zeekctl deploy

Verify that all components are running:

sudo /opt/zeek/bin/zeekctl status

Step 7: Accessing and Analyzing Zeek Logs

Zeek generates various log files in `/opt/zeek/logs/current/`. Here’s how to view them:

cd /opt/zeek/logs/current/
less conn.log

The `conn.log` file contains information about network connections. Other important logs include `http.log`, `dns.log`, and `files.log`.
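Every Zeek TSV log starts with `#`-prefixed header lines that name the separator, the unset-field marker and the columns, so a parser should read the layout from the file rather than hard-code it. The following is an added example, not code from the tutorial or from the Zeek project: it parses constructed `conn.log` lines in that format and lists, per source host, TCP connections that never received a reply (`conn_state` `S0`), a quick triage view for scanning or broken services. On a live sensor, feed it the contents of `/opt/zeek/logs/current/conn.log` instead.

```python
# Parse a Zeek conn.log in its native TSV format and report originators whose
# TCP connections went unanswered (conn_state S0) across several ports.
# Added example, not part of the tutorial or of Zeek. SAMPLE_CONN_LOG below is
# constructed; on a sensor read /opt/zeek/logs/current/conn.log instead.
from collections import defaultdict

SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700000000.100000\tCabc1\t192.168.1.10\t51000\t10.0.0.5\t22\ttcp\t-\t-\t-\t-\tS0
1700000000.200000\tCabc2\t192.168.1.10\t51001\t10.0.0.5\t23\ttcp\t-\t-\t-\t-\tS0
1700000000.300000\tCabc3\t192.168.1.10\t51002\t10.0.0.5\t443\ttcp\t-\t-\t-\t-\tS0
1700000000.500000\tCabc5\t192.168.1.20\t40000\t10.0.0.5\t443\ttcp\tssl\t1.25\t812\t5120\tSF
1700000000.600000\tCabc6\t192.168.1.20\t40001\t10.0.0.53\t53\tudp\tdns\t0.01\t60\t120\tSF
#close\t2023-11-14-22-13-21
"""


def parse_zeek_tsv(text):
    """Yield one dict per record, honouring the #separator, #unset_field and
    #fields header directives; unset fields ('-') become None."""
    sep, unset, fields = "\t", "-", []
    for line in filter(None, text.splitlines()):
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator is written as an escape sequence, e.g. \x09.
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "unset_field":
                    unset = value
                elif key == "fields":
                    fields = value.split(sep)
            continue
        yield {f: (None if v == unset else v) for f, v in zip(fields, line.split(sep))}


def unanswered_by_originator(records, min_ports=3):
    """Map each originator to the sorted distinct destination ports of its
    unanswered TCP connections; the low default threshold suits the sample."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] == "S0":
            ports[r["id.orig_h"]].add(int(r["id.resp_p"]))
    return {h: sorted(p) for h, p in ports.items() if len(p) >= min_ports}
```

The same header handling applies to `http.log`, `dns.log` and `files.log`; only the `#fields` line differs.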

Post-installation Configuration Tips

To enhance your Zeek setup:

1. Enable JSON Logging

For easier integration with SIEM tools, enable JSON logging:

echo '@load policy/tuning/json-logs' | sudo tee -a /opt/zeek/share/zeek/site/local.zeek
sudo /opt/zeek/bin/zeekctl deploy

2. Set Up Email Alerts

Configure Zeek to send email alerts for critical events:

sudo nano /opt/zeek/share/zeek/site/local.zeek

Add the following lines:

# Attach the e-mail action to every notice, then set the recipient.
hook Notice::policy(n: Notice::Info)
    {
    add n$actions[Notice::ACTION_EMAIL];
    }
redef Notice::mail_dest = "your-email@example.com";

3. Regular Updates

Keep Zeek updated by periodically checking for new versions and rebuilding:

cd /usr/local/src/zeek
sudo git pull
sudo git submodule update --init --recursive
sudo make -j"$(nproc)"
sudo make install
sudo /opt/zeek/bin/zeekctl deploy

Troubleshooting Common Issues

1. Zeek Fails to Start

If Zeek doesn’t start, check the error logs:

sudo /opt/zeek/bin/zeekctl diag

Common issues include incorrect interface names or permission problems.

2. High CPU Usage

If Zeek consumes excessive CPU resources, consider adjusting the `lb_procs` setting in `node.cfg` to distribute the load across multiple cores.

3. Missing Logs

If you run Zeek under a dedicated `zeek` account rather than as root, ensure that account owns the log directory so it can write logs:

sudo chown -R zeek:zeek /opt/zeek/logs

Advanced Zeek Usage

Once you’re comfortable with basic Zeek operations, explore these advanced features:

1. Custom Scripts

Develop custom Zeek scripts to detect specific patterns or behaviors in your network:

sudo nano /opt/zeek/share/zeek/site/local.zeek

Add your custom logic, for example:

event http_request(c: connection, method: string, original_uri: string, unescaped_uri: string, version: string)
{
    if (original_uri == "/malicious-path")
        print fmt("Potential malicious activity detected from %s", c$id$orig_h);
}

2. Cluster Mode

For high-traffic networks, consider setting up Zeek in cluster mode. This involves configuring multiple worker nodes to distribute the processing load.

3. Integration with Other Tools

Integrate Zeek with other security tools like ELK Stack (Elasticsearch, Logstash, Kibana) for advanced log analysis and visualization.

Congratulations! You have successfully installed Zeek. Thanks for using this tutorial to install the latest version of the Zeek network traffic analyzer on the Rocky Linux 9 system. For additional help or useful information, we recommend you check the official Zeek website.


r00t
