Bro, now called Zeek, is a powerful network analysis framework that is quite different from the typical IDS you may know.
How to install
To install this tool, use one of the methods listed below.
On Linux (Debian), run the following command to fetch the source tree together with its submodules:
git clone --recursive https://github.com/zeek/zeek.git
Download directly from the following link:
How to execute
These are the basic configuration changes for a minimal ZeekControl installation that manages a single Zeek instance on the local host ($PREFIX is the directory Zeek was installed into; the default is /usr/local/zeek):
In $PREFIX/etc/node.cfg, set the interface Zeek should monitor.
In $PREFIX/etc/networks.cfg, comment out the default entries and add the networks that Zeek should consider local to the monitored environment.
In $PREFIX/etc/zeekctl.cfg, change the MailTo address to the desired recipient and LogRotationInterval (in seconds) to the desired log archival frequency.
Now start the ZeekControl shell like:
Since this is the first-time use of the shell, perform an initial installation of the ZeekControl configuration:
[ZeekControl] > install
Then start up a Zeek instance:
[ZeekControl] > start
If there are errors while trying to start the Zeek instance, you can view the details with the diag command. If it started successfully, the Zeek instance will begin analyzing traffic according to the default policy and write its logs under $PREFIX/logs.
Note: The user starting ZeekControl needs permission to capture network traffic. If you are not root, you may need to grant further privileges to the account you’re using; see the FAQ. Also, if it looks like Zeek is not seeing any traffic, check out the FAQ entry on checksum offloading.
You can leave it running for now, but to stop this Zeek instance you would do:
[ZeekControl] > stop
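The configuration steps and the install/start/diag sequence above, scripted end to end as an added example (this is not code from the original article or from the Zeek project). It assumes Zeek is installed under PREFIX (Zeek's default is /usr/local/zeek); the interface name, local networks and mail recipient used in the usage line are example values.

```sh
#!/bin/sh
# Added example (not from the original article or the Zeek project): script the
# minimal ZeekControl setup for one standalone Zeek instance on localhost.
# Assumptions: Zeek lives under PREFIX (default /usr/local/zeek); the interface,
# networks and mail recipient passed in are placeholders for your own values.

# set_cfg_option FILE KEY VALUE
# Replace an existing, uncommented "KEY = VALUE" line in FILE, or append one.
# Used on zeekctl.cfg so the other defaults in that file are left untouched.
set_cfg_option() {
  file=$1; key=$2; value=$3
  [ -f "$file" ] || : > "$file"
  if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$file"; then
    tmpf=$(mktemp)
    sed -E "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmpf"
    mv "$tmpf" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# write_zeekctl_config PREFIX INTERFACE "CIDR[,CIDR...]" MAILTO ROTATION_SECONDS
# Writes the three files the article edits by hand:
#   etc/node.cfg      - one standalone node on localhost sniffing INTERFACE
#   etc/networks.cfg  - the networks Zeek will treat as local
#   etc/zeekctl.cfg   - MailTo and LogRotationInterval (seconds)
write_zeekctl_config() {
  prefix=$1; iface=$2; nets=$3; mailto=$4; rotate=$5
  mkdir -p "$prefix/etc" || return 1

  cat > "$prefix/etc/node.cfg" <<EOF
[zeek]
type=standalone
host=localhost
interface=$iface
EOF

  # One "CIDR<TAB>description" line per network; read trims stray spaces.
  printf '%s\n' "$nets" | tr ',' '\n' | while read -r cidr; do
    if [ -n "$cidr" ]; then
      printf '%s\tlocal network\n' "$cidr"
    fi
  done > "$prefix/etc/networks.cfg"

  set_cfg_option "$prefix/etc/zeekctl.cfg" MailTo "$mailto"
  set_cfg_option "$prefix/etc/zeekctl.cfg" LogRotationInterval "$rotate"
}

# cfg_has FILE KEY VALUE -> exit 0 if FILE contains KEY = VALUE (spaces optional)
cfg_has() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# run_zeekctl PREFIX
# The ZeekControl sequence from the article: install, start, diag on failure.
# Needs root or an account allowed to capture packets (see the Zeek FAQ).
run_zeekctl() {
  zeekctl="$1/bin/zeekctl"
  if [ ! -x "$zeekctl" ]; then
    echo "no zeekctl at $zeekctl; configuration files written only" >&2
    return 0
  fi
  "$zeekctl" install || return 1
  if ! "$zeekctl" start; then
    "$zeekctl" diag          # explains why the instance did not come up
    return 1
  fi
  "$zeekctl" status          # logs are now written under $1/logs/current
}

# Usage: sh zeek-minimal-setup.sh PREFIX INTERFACE NETWORKS MAILTO ROTATION, e.g.
#   sh zeek-minimal-setup.sh /usr/local/zeek enp0s3 "10.0.0.0/8,192.168.1.0/24" soc@example.com 3600
if [ $# -eq 5 ]; then
  write_zeekctl_config "$1" "$2" "$3" "$4" "$5" && run_zeekctl "$1"
fi
```

node.cfg and networks.cfg are rewritten wholesale because both are tiny and the article replaces their contents anyway; zeekctl.cfg is edited key by key so its other defaults (log and spool directories, and so on) survive. Running the script as an unprivileged user writes the files but the start step will fail at capture time, which is exactly the case the diag command is there to explain.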
This article was contributed by Gavin Dennis from Jamaica. Gavin is a member of the Caribbean CSPA.