Building Zeek on Raspbian

The Zeek project now has prebuilt ARM binaries that can be installed directly from the repos. 

Building Zeek on Raspbian

Now that we have filebeat installed, let’s use zeek/bro to generate some logs.

This write up assumes the same file path used in my last post.  If you are not using Raspbian and following along you might need to change some file paths to match your system.

Install zeek module for filebeat

First we need to install the Zeek module, for some reason it is not installed when building filebeat from github.  The module is a collection of configuration files so we can pull it from one of the filebeat packages.  For this write up I will use the filebeat for Windows download.

Inside the zip archive we want the \module\zeek folder

Copy it to /usr/share/filebeat/module
chown -R root:root /usr/share/filebeat/*

Configure zeek module

sudo nano /etc/filebeat/filebeat.yml

{paste below into the modules section}

filebeat.modules:

- module: zeek

    #All logs

  connection:

    enabled: true

    var.paths: ["/usr/local/zeek/logs/current/conn.log"]

  dns:

    enabled: true

    var.paths: ["/usr/local/zeek/logs/current/dns.log"]

  http:

    enabled: true

    var.paths: ["/usr/local/zeek/logs/current/http.log"]

  ssl:

   enabled: true

   var.paths: ["/usr/local/zeek/logs/current/ssl.log"]

{end paste}

Let restart filebeat

sudo service filebeat restart

Build zeek

So Bro 2.5.5 is available in the Raspbian repository.  While it works it is getting old and the GeoIP database it uses is no longer supported.  Instead of downloading the current stable or latest RC let’s go all out and build the current dev version from github.  Why not I like pain…

First let’s go home. 

cd $HOME

We got some downloading to do so lets just get it all going.

git clone --recursive https://github.com/zeek/zeek

git clone https://github.com/zeek/zeekctl.git

git clone https://github.com/zeek/pysubnettree.git

We need a few more packages we need before we start building.

Needed for GeoIP, building zeek on a Raspberry PI 4 4GB that’s a long time, if this is missing it will build just no GeoIP support.  Even if you don’t need it right now you might as well add it.

sudo apt -y install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev 
sudo apt -y install libmaxminddb-dev python-setuptools

cd $HOME/zeek

This will take a while….

./configure && make && sudo make install

Enable json logs for zeek

sudo nano /usr/local/zeek/share/zeek/site/local.zeek

{Paste this at the end}

# Output to JSON

@load policy/tuning/json-logs.zeek

{end paste}

Now lets build pysubnettree
cd $HOME/pysubnettree
sudo python setup.py install

Now lets build zeekctl
cd $HOME/zeekctl
sudo cp -r $HOME/zeek/cmake/ $HOME/zeekctl/
./configure && make && sudo make install

sudo zeekctl

Install

Deploy

Stop

Exit

Configure zeek