Install Zeek packages on FreeBSD
Introduction
This is the fourth blog post in a series of posts about running Zeek on FreeBSD. The 3 previous posts are:
In this blog post we install Zeek Packages using the Zeek Package Manager. A Zeek Package is a third party plugin. You can read more about Zeek plugins here.
Technical prerequisites
The following technical prerequisites have to be in place to be able to implement what is described in this post:
- have Zeek implemented as described in Implement Zeek on FreeBSD
Install the Zeek Package Manager
Before we can install Zeek Packages we have to install the Zeek Package Manager. And the latter needs Python, which we install first:
$ sudo pkg install python37
And we make a link:
$ sudo ln -s /usr/local/bin/python3.7 /usr/local/bin/python
The Zeek Package Manager is not available in the FreeBSD Ports, but we can install it through the Python Package Installer. We also need Git to install Zeek Packages. So the next commands are:
- install git
- install pip
- make a link for pip
$ sudo pkg install git
$ sudo pkg install py37-pip
$ sudo ln -s /usr/local/bin/pip-3.7 /usr/local/bin/pip
Now we are ready to install the Zeek Package Manager and we install this using the root user (!):
$ sudo -i
# cd /root
# pip install zkg --user
# .local/bin/zkg autoconfig
# ln -s /root/.local/bin/zkg /usr/local/bin/zkg
That is it! We have installed the Zeek Package Manager. Now we can progress with actually installing the needed (or wanted) Zeek Packages!
Install Zeek Packages
The Zeek Packages available can be found on the Zeek Packages Browser web site. Depending on your requirements and environment you can install any package listed here you want.
For this post we install two Zeek Packages:
Both packages create fingerprints of encrypted traffic, which I find very useful. More details on both can be found in the links provided above.
The following commands are used to install these packages:
$ sudo -i
# zkg install zeek/salesforce/ja3
# zkg install zeek/salesforce/hassh
Enable the packages in Zeek
So we’ve installed the Zeek Packages we want. Now we have to enable them. We do this by adding one line of text to the /usr/local/share/zeek/site/local.zeek configuration file:
$ sudo tee -a /usr/local/share/zeek/site/local.zeek > /dev/null <<EOT
@load packages
EOT
This one line enables all the packages we install, now or later. So we have to do this only once. Because we have changed the Zeek configuration we have to deploy it:
$ sudo service zeek stop
$ sudo service zeek deploy
Check if all ok
The ja3 package adds two fields to the ssl.log log file, called ja3 and ja3s. And the hassh package adds the following fields to the ssh.log log file: hasshVersion, hassh, hasshServer and hasshAlgorithms.
If you see these fields in both log files the installation of both Zeek Packages succeeded!
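Looking for those fields by eye works, but it is also easy to script. The following is an added example, not code from the original post or from the Zeek project: it reads the "#fields" header line of ssl.log and ssh.log in a log directory you pass as the first argument and confirms that ja3, ja3s and the four hassh fields are present. The function names, the log directory argument and the sample log headers built in demo() are assumptions and constructed data for this example.

```shell
#!/bin/sh
# Added example for this post (not code from the original post or from Zeek/zkg):
# confirm that the ja3 and hassh packages are really loaded by inspecting the
# "#fields" header of Zeek's TSV logs. The log directory is passed as the first
# argument; the sample logs written by demo() are constructed, not captured.

# zeek_log_has_fields LOGFILE FIELD...
# Returns 0 when every FIELD appears in LOGFILE's "#fields" header, 1 otherwise.
zeek_log_has_fields() {
    logfile="$1"; shift
    tab=$(printf '\t')
    if [ ! -r "$logfile" ]; then
        echo "cannot read $logfile" >&2
        return 1
    fi
    # The header looks like "#fields<TAB>ts<TAB>uid<TAB>..."; drop the "#fields" tag.
    header=$(awk '/^#fields/ { print; exit }' "$logfile" | cut -f2-)
    if [ -z "$header" ]; then
        echo "$logfile: no #fields header found (JSON logging enabled?)" >&2
        return 1
    fi
    missing=0
    for f in "$@"; do
        # Pad with tabs so that "ja3" does not also match "ja3s".
        case "$tab$header$tab" in
            *"$tab$f$tab"*) ;;
            *) echo "$logfile: field $f missing" >&2; missing=1 ;;
        esac
    done
    return $missing
}

# check_zeek_packages LOGDIR: the check described in the post, for ssl.log and ssh.log.
check_zeek_packages() {
    zeek_log_has_fields "$1/ssl.log" ja3 ja3s &&
    zeek_log_has_fields "$1/ssh.log" hasshVersion hassh hasshServer hasshAlgorithms
}

# write_sample_log FILE FIELD...: write a minimal constructed Zeek TSV log header,
# enough for the check above (real logs carry more header lines than this).
write_sample_log() {
    file="$1"; shift
    tab=$(printf '\t')
    line="#fields"
    for f in "$@"; do line="$line$tab$f"; done
    printf '#separator \\x09\n%s\n' "$line" > "$file"
}

# demo: run the check against two constructed log directories, one where both
# packages emit their fields and one where "@load packages" was forgotten.
# Returns 0 only if the first passes and the second fails.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/ok" "$d/bad"
    write_sample_log "$d/ok/ssl.log" ts uid id.orig_h id.resp_h version cipher ja3 ja3s
    write_sample_log "$d/ok/ssh.log" ts uid auth_success hasshVersion hassh hasshServer hasshAlgorithms
    write_sample_log "$d/bad/ssl.log" ts uid id.orig_h id.resp_h version cipher
    write_sample_log "$d/bad/ssh.log" ts uid auth_success
    ok=0;  check_zeek_packages "$d/ok"  2>/dev/null || ok=$?
    bad=0; check_zeek_packages "$d/bad" 2>/dev/null || bad=$?
    rm -rf "$d"
    [ "$ok" -eq 0 ] && [ "$bad" -ne 0 ]
}

if [ $# -gt 0 ]; then
    check_zeek_packages "$1" && echo "both packages are active"
else
    demo && echo "self-check passed"
fi
```

Run it with the directory that holds the current ssl.log and ssh.log as the only argument; without an argument it runs the self-check on the constructed logs. Note that the check only works with Zeek's default TSV log format: if Zeek is configured to write JSON logs there is no "#fields" header, and the script reports that instead of a missing field.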
The functionality which these packages add to Zeek is simply amazing! But that is left to the reader or maybe I’ll write more about these in the future. This post was meant to just explain how to install and enable Zeek Packages and that has been shown!
Wrap up
This is the fourth blog post in a series of posts about Zeek on FreeBSD. At the moment Zeek monitors only 1 network interface. In the next blog post of this series we increase the number of network interfaces for Zeek to monitor.
Resources
Some (other) resources about this subject: