Install Zeek packages on FreeBSD
This is the fourth blog post in a series of posts about running Zeek on FreeBSD. The 3 previous posts are:
In this blog post we install Zeek Packages using the Zeek Package Manager. A Zeek Package is a third party plugin. You can read more about Zeek plugins here.
The following technical prerequisites have to be in place to be able to implement what is described in this post:
- have Zeek implemented as desribed in Implement Zeek on FreeBSD
Install the Zeek Package Manager
Before we can install Zeek Packages we have to install the Zeek Package Manager. And the latter needs Python, which we install first:
$ sudo pkg install python37
And we make a link:
$ sudo ln -s /usr/local/bin/python3.7 /usr/local/bin/python
The Zeek Package Manager is not available in the FreeBSD Ports, but we can install it through the Python Package Installer. We also need Git to install Zeek Packages. So the next commands are:
- make a link for
$ sudo pkg install git $ sudo pkg install py37-pip $ sudo ln -s /usr/local/bin/pip-3.7 /usr/local/bin/pip
Now we are ready to install the Zeek Package Manager and we install this using the
root user (!):
$ sudo -i # cd /root # pip install zkg --user # .local/bin/zkg autoconfig # ln -s /root/.local/bin/zkg /usr/local/bin/zkg
That is it! We have installed the Zeek Package Manager. Now we can progress with actually installing the needed (or wanted) Zeek Packages!
Install Zeek Packages
The Zeek Packages available can be found on the Zeek Packages Browser web site. Depending on your requirements and environment you can install any package listed here you want.
For this post we install two Zeek Packages:
Both packages create fingerprints of encrypted traffic which I find very usefull. More details on both can be found in the links provided above.
The following commands are used to install these packages:
$ sudo -i # zkg install zeek/salesforce/ja3 # zkg install zeek/salesforce/hassh
Enable the packages in Zeek
So we’ve installed the Zeek Packages we want. Now we have to enable them. We do this by adding one line of text to
/usr/local/share/zeek/site/local.zeek configuration file:
$ sudo tee -a /usr/local/share/zeek/site/local.zeek > /dev/null <<EOT ? @load packages ? EOT
This one line enables all the packages we install, now or later. So we have to do this only once. Because we have changed the Zeek configuration we have to deploy it:
$ sudo service zeek stop $ sudo service zeek deploy
Check if all ok
The ja3 package add 2 fields to the
ssl.log log file called ja3 and ja3s. And the hassh adds the following fields to the
ssh.log log file: hasshVersion, hassh, hasshServer and hasshAlgorithms.
If you see these fields in both log files the installation of both Zeek Packages succeeded!
The functionality which these packages add to Zeek is simply amazing! But that is left to the reader or maybe I’ll write more about these in the future. This post was meant to just explain how to install and enable Zeek Packages and that has been shown!
This is the fourth blog post in a series of posts about Zeek on FreeBSD. At the moment Zeek monitors only 1 network interface. In the next blog post of this series we increase the number of network interfaces for Zeek to monitor.
Some (other) resources about this subject: