[Zeek] Installation

Alexandria · March 1, 2024

Zeek


1. Installation

Register the required repository (and its signing key) and install the packages. The libssl3 step pulls the library from the Ubuntu jammy archive because the Zeek LTS packages depend on it.

$ echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
$ curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
$ sudo apt -y update
$ sudo add-apt-repository "deb http://ca.archive.ubuntu.com/ubuntu jammy main"
$ sudo apt -y install libssl3
$ sudo apt -y install zeek-lts-core zeekctl-lts zeek-lts-zkg zeek-lts-client zeek-lts

Add the Zeek binary directory to the PATH environment variable.

$ sudo vi /etc/profile
...
export PATH=$PATH:/opt/zeek/bin
$ source /etc/profile

2. Configuration

Check the local network ranges in networks.cfg. These ranges become Site::local_nets (zeekctl generates local-networks.zeek from this file), which is what decides whether an address is treated as local in logs such as conn.log, so make sure they match the networks that are actually being monitored.

$ sudo vi /opt/zeek/etc/networks.cfg
10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/24      Private IP space

Edit the interface and host information in node.cfg. This example runs a cluster in which all four roles (logger, manager, proxy, worker) live on the same host, 192.168.0.26, and the worker sniffs ens33; the standalone [zeek] node is left commented out, as the file's own comment requires.

$ sudo vi /opt/zeek/etc/node.cfg
...
#[zeek]
#type=standalone
#host=localhost
#interface=eth0

## Below is an example clustered configuration. If you use this,
## remove the [zeek] node above.

[logger-1]
type=logger
host=192.168.0.26
#
[manager]
type=manager
host=192.168.0.26
#
[proxy-1]
type=proxy
host=192.168.0.26
#
[worker-1]
type=worker
host=192.168.0.26
interface=ens33
...

As root, check the configuration for errors.

# zeekctl check
Hint: Run the zeekctl "deploy" command to get started.
logger-1 scripts are ok.
manager scripts are ok.
proxy-1 scripts are ok.
worker-1 scripts are ok.
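Added example (not from this post or from the zeekctl project): a small Python cross-check of the node.cfg layout rules that zeekctl deploy enforces, run on a constructed copy of the cluster layout above and on a broken variant whose worker has no interface. The rules encoded here (exactly one manager, at least one proxy and one worker, every worker and standalone node needs an interface, a standalone node must be alone) are a simplified restatement, not zeekctl's own code.

```python
"""Sanity-check a zeekctl node.cfg cluster layout before running zeekctl deploy."""
import configparser
import io

VALID_TYPES = {"standalone", "manager", "logger", "proxy", "worker"}


def validate_node_cfg(text):
    """Return a list of problems found in node.cfg text (empty list = layout looks sane)."""
    cfg = configparser.ConfigParser(interpolation=None)  # node.cfg is INI-style
    cfg.read_file(io.StringIO(text))
    problems = []
    by_type = {t: [] for t in VALID_TYPES}
    for name in cfg.sections():
        node = cfg[name]
        ntype = node.get("type", "").strip()
        if ntype not in VALID_TYPES:
            problems.append(f"[{name}] has unknown or missing type {ntype!r}")
            continue
        if not node.get("host", "").strip():
            problems.append(f"[{name}] has no host")
        # only sniffing nodes need an interface; manager/logger/proxy do not
        if ntype in ("worker", "standalone") and not node.get("interface", "").strip():
            problems.append(f"[{name}] is a {ntype} but has no interface to sniff")
        by_type[ntype].append(name)
    if by_type["standalone"]:
        if len(cfg.sections()) > 1:
            problems.append("standalone node must be the only node in node.cfg")
        return problems
    if len(by_type["manager"]) != 1:
        problems.append(f"cluster needs exactly one manager, found {len(by_type['manager'])}")
    for role in ("proxy", "worker"):
        if not by_type[role]:
            problems.append(f"cluster has no {role} node")
    return problems


# Constructed sample mirroring the cluster layout from this post
GOOD_CFG = """
[logger-1]
type=logger
host=192.168.0.26
#
[manager]
type=manager
host=192.168.0.26
#
[proxy-1]
type=proxy
host=192.168.0.26
#
[worker-1]
type=worker
host=192.168.0.26
interface=ens33
"""

# Constructed broken variant: the worker's interface line was left out
BAD_CFG = GOOD_CFG.replace("interface=ens33\n", "")

if __name__ == "__main__":
    for label, text in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(label, validate_node_cfg(text) or "ok")
```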

Deploy Zeek (this installs the generated configuration and restarts the nodes), then confirm with zeekctl status that every node is running.

# zeekctl deploy
checking configurations ...
installing ...
creating policy directories ...
installing site policies ...
generating cluster-layout.zeek ...
generating local-networks.zeek ...
generating zeekctl-config.zeek ...
generating zeekctl-config.sh ...
stopping ...
stopping worker ...
stopping proxy ...
stopping manager ...
stopping logger ...
starting ...
starting logger ...
starting manager ...
starting proxy ...
starting worker ...
# zeekctl status
Name         Type    Host             Status    Pid    Started
logger-1     logger  192.168.0.26     running   16013  18 Nov 02:25:11
manager      manager 192.168.0.26     running   16065  18 Nov 02:25:12
proxy-1      proxy   192.168.0.26     running   16129  18 Nov 02:25:14
worker-1     worker  192.168.0.26     running   16177  18 Nov 02:25:15

The various log files are written to /opt/zeek/logs/current/.

/opt/zeek/logs/current# ls
broker.log        cluster.log  dns.log    http.log         known_services.log  notice.log  ocsp.log           software.log  stats.log   stdout.log  x509.log
capture_loss.log  conn.log     files.log  known_hosts.log  loaded_scripts.log  ntp.log     packet_filter.log  ssl.log       stderr.log  weird.log