We already installed Zeek but we are not running it in real time to analyze traffic. So this is a guide to help you deploy Zeek and apply the previous script into real time. In the example below, Zeek installation's root directory defaults to /usr/local/zeek since we install it from the source.
There are basic configurations we need to change before running it. In /usr/local/zeek/etc/node.cfg, set the right interface to monitor.
[zeek]
type=standalone
host=localhost
interface=eth0 # change this according to your listening interface in ifconfig
Now start the ZeekControl shell like:
zeekctl
On the ZeekControl shell, run install then deploy.
[ZeekControl] > install
[ZeekControl] > deploy
Just that and it will load Zeek some default scripts and run automatically. If you want to stop it, run command:
[ZeekControl] > stop
Zeek generates important log files based on the network traffic statistics, interesting activity captured in the traffic, and detection focused log files. You can check all these log in /usr/local/zeek/logs.
As you can see, if you do not stop ZeekControl it will save logs each day in each repository. The /current folder contains log real time running.
Now is the exciting part. In the previous article, we created scripts to block some specific addresses. But we only run it on a history traffic file. Here is how we apply these scripts to ZeekControl.
First, create a new repository /block-thread in /usr/local/zeek/share/zeek/policy/. Then add 2 files in the /block-thread:
@load ./block_vpn.zeek
event NetControl::init() {
local debug_plugin = NetControl::create_debug(T);
NetControl::activate(debug_plugin, 0);
}
event new_connection(c: connection) {
local b = InternetDB::lookup_internetdb_api(c$id$resp_h);
if ( b?$tags ){
if ( "vpn" in b$tags ){
NetControl::drop_connection(c$id, 1min);
}
}
}
The main entry point for the default analysis configuration of a Zeek instance managed by ZeekControl is the /usr/local/zeek/share/zeek/site/local.zeek script. This is where we add our new policy to ZeekControl. Open this script and add this line at the end of the file.
@load policy/block-thread
After we did all this configuration. Just rerun ZeekControl by install and deploy command.
We can check our new deploy script has been add or not by going to /usr/local/zeek/logs/current/loaded_scripts.log.If you look up, you can see our custom policy has been loaded when deploying ZeekControl.
/usr/local/zeek/share/zeek/policy/block-thread/__load__.zeek
/usr/local/zeek/share/zeek/policy/block-thread/block_vpn.zeek
Another thing you can notice is that it generates the /usr/local/zeek/logs/current/netcontrol.log file and it will be automatically saved to history.