Network Analysis with Zeek for MacOS.

In the world of network security, visibility is vital. One of the most powerful tools for achieving it is Zeek (formerly known as Bro), an open-source network analysis framework. Zeek monitors network traffic in real time and provides insight into security events and network performance. One of its main advantages for new users is the comprehensive suite of logs it generates, which give a detailed picture of network activity. In this blog post, we'll walk through the steps to install and configure Zeek on an M series MacBook. If you're using an Intel MacBook, the only difference is that the file paths are slightly different.

Step 1: Install Homebrew (if not already set up)

1.  Open the Terminal application and run the following command to install Homebrew:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

a.  You will be prompted to press Enter to continue the installation.

Step 2: Install Zeek

1.  Install Zeek using Homebrew: You can install Zeek directly from Homebrew. Run the following command:

brew install zeek

2.  Verify the installation: After installation, verify that Zeek is installed correctly by checking its version:

zeek --version

Step 3: Configure Zeek

1.  These are the basic configuration changes needed for a minimal ZeekControl installation that manages a single (standalone) Zeek instance on the local host. The configuration file node.cfg, located in the /opt/homebrew/etc/ directory, must point at the right interface to monitor. First, find the name of your interface by running the following command:

ifconfig

a.  Note the name of the interface you will be monitoring. The interface I will be monitoring is en0, which is my Wi-Fi interface. You will need this name when editing the node.cfg file.


2.  Navigate to the /opt/homebrew/etc/ directory. Run the ls command and you will see the node.cfg file.

a.  Now open your favorite text editor. I will be using nano for example purposes.

b.  At the top of the file, directly under the [zeek] section header, you will see the interface line.

c.  If the interface line does not show the proper name of your interface, change it. I changed mine to en0. That's all that needs to be changed. Now press CTRL X, then Y, then Enter to save.


3.  For efficient and accurate analysis of network traffic in Zeek, it's recommended to define your local networks in the networks.cfg configuration file. Navigate to the /opt/homebrew/etc/ directory. Run the ls command and you will see the networks.cfg file.

a.  Use your favorite text editor to edit the config file.

b.  Uncomment the line for your local network's IP range in CIDR notation.

c.  For my local network I will be using 10.0.0.0/25 and 192.168.1.0/24, so I uncommented them. When you're done, press CTRL X, then Y, then Enter to save.

Step 4: Start Zeek

1.  To start Zeek, open the ZeekControl shell with the command zeekctl.

2.  Since this is the first-time use of the shell, perform an initial installation of the ZeekControl configuration by entering the command install.

3.  Then start a Zeek instance by entering the command start.

a.  You may also use the deploy command that combines the install and start commands.

4.  To check if Zeek is running or not you can use the status command.

5.  If you want Zeek to quit then you can use the stop command, otherwise Zeek will continue to run.

6.  If you want a list of the extensive commands then you can use the help command.

Step 5: Access the logs

1.  By default, Zeek logs are stored in the /opt/homebrew/cellar/zeek/7.0.3/logs directory. The current version of Zeek is 7.0.3, so the version directory on your system may differ from mine. Under the logs directory you will see a current directory with today's logs, alongside dated directories of older logs. To analyze the most recent day, access the current directory.

2.  There are a few ways of viewing your logs. To view a specific log file, you can use the cat, less, tail, or grep command. For example, to view the connection log you could run cat conn.log. The only issue with cat is that some logs are very large and the output can be very hard to analyze.

3.  The less command allows interactive viewing of log files, making it easier to scroll through large files. The command would be less conn.log.

4.  The tail command shows the last few lines of a log file. You may also use the -f option to follow the file in real time. The commands would be tail conn.log and tail -f conn.log.

5.  You can also use grep to filter and search log entries. For example, to search for a specific IP address in the connection log you would enter grep 192.168.1.1 conn.log.

***  Note that these are the basic ways of analyzing your logs. Zeek can be integrated with log management systems such as Splunk, Graylog, and the ELK stack, and with visualization tools such as Grafana and Kibana. These options are out of the scope of this guide.

Step 6: Run Zeek as a daemon (Optional)

To run Zeek in the background and ensure it starts automatically after restarting your macOS, you can follow these steps:

1.  Create a LaunchDaemon

a.  macOS uses LaunchDaemons to manage background services. You'll need to create a plist (Property List) file to configure Zeek to run as a daemon. If you do not create a LaunchDaemon, Zeek has to be started manually after every restart or shutdown of your computer. Create a new plist file in the /Library/LaunchDaemons/ directory. You might need administrative privileges, so use sudo:

b.   Add the following content to the plist file, adjusting the paths and parameters as necessary:

c.  Make sure to adjust the path to the zeekctl binary if it's different on your system. I am using an M2 MacBook, so the binary is located at /opt/homebrew/bin/zeekctl. If you're using an Intel MacBook, the paths are a little different and the binary is located under the /usr/local/bin directory.

d.  Ensure that the plist file has the correct permissions:

2.  Load the Daemon

a.  You can load the LaunchDaemon immediately without restarting your computer:


3.  Check if Zeek is Running

a. To verify that Zeek is running, you can check its status:

4. Reboot and Verify

a. Now, reboot your macOS system. After the system restarts, check if Zeek is running again with the same command: sudo launchctl list | grep org.zeek.

b. By creating a LaunchDaemon plist file, you can configure Zeek to run in the background and start automatically after a system reboot on macOS.
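The following is an added example of the whole of Step 6 in one script; it is not the post's own plist. It assumes the org.zeek label used in the launchctl check above, the Homebrew zeekctl path from the post (override ZEEKCTL for an Intel Mac) and a log file path of my choosing under /var/log.

```shell
#!/bin/sh
# Added example: generate and install a launchd job that runs "zeekctl deploy"
# at boot. Assumes the Apple silicon Homebrew path; set ZEEKCTL for Intel Macs.
ZEEKCTL=${ZEEKCTL:-/opt/homebrew/bin/zeekctl}
LABEL=org.zeek                      # label the post's launchctl check greps for
PLIST=/Library/LaunchDaemons/$LABEL.plist

# Print the plist. RunAtLoad runs the job once at boot (and once on load).
# KeepAlive stays false because "zeekctl deploy" exits after starting Zeek
# in the background; with KeepAlive true, launchd would re-run it in a loop.
zeek_plist() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>$1</string>
        <string>deploy</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <false/>
    <key>StandardOutPath</key>
    <string>/var/log/zeek-launchd.log</string>
    <key>StandardErrorPath</key>
    <string>/var/log/zeek-launchd.log</string>
</dict>
</plist>
EOF
}

# Write the file as root, validate it, fix ownership and mode, then load it.
install_zeek_daemon() {
  zeek_plist "$ZEEKCTL" | sudo tee "$PLIST" >/dev/null
  plutil -lint "$PLIST"                     # syntax check before launchd sees it
  sudo chown root:wheel "$PLIST"            # launchd rejects files not owned by root
  sudo chmod 644 "$PLIST"
  sudo launchctl load -w "$PLIST"
  sudo launchctl list | grep "$LABEL"
}

if [ "${1:-}" = install ]; then install_zeek_daemon; fi
```

Run it as sh zeek-daemon.sh install; Zeek captures packets as root here because LaunchDaemons run as root, and ZeekControl's log rotation still expects zeekctl cron to be scheduled separately.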

Conclusion

That’s it!  You now have Zeek installed and running on your macOS. Feel free to explore additional configuration options and scripts to tailor it to your needs. If you run into any issues, you can refer to the Zeek documentation for more detailed information.
