What is a Raspberry Pi?
A Raspberry Pi is a small-form, single form computer developed by the Raspberry Pi foundation. To date, there have been five different product families produced. This post uses the newest generation termed the Raspberry Pi 4 B. The 4 B family consists of three models with varying levels of RAM between 1GB and 4GB. I used the 4GB version that cost $62 on Amazon. If you are trying to save some money, you can get the 1GB version for $46 or 2GB for $48. I usually buy the basic or starter Canakits from Amazon as the kits come with the power cable, case, and SD card that you are going to need.
What is Zeek NSM?
Zeek is a powerful platform for network security monitoring. Formerly a project by Vern Paxson out of the International Computer Science Institute at Berkley in 1994, Zeek has continued to grow as a fantastic tool for both network security monitoring and response. The open-source nature of Zeek allows for powerful expansion opportunities to adapt to new threats.
Let’s Get Building!
1) Order the Pi and Associated Parts
First, you need to order your Raspberry Pi. Make sure also to include a power cord and an SD card. As previously mentioned, I ordered the following for the setup used today:
- CanaKit Raspberry Pi 4 4GB Basic Kit (4GB RAM) [$72.99] – Includes Raspberry Pi 4 4GB Model B, power cord, heat sinks, and power switch.
- MazerPi Raspberry Pi 4 Case [$8.99]
- Samsung 128GB 100MB/s (U3) MicroSDXC Evo Select Memory Card with Adapter (MB-ME128GA/AM) [$19.99]
- GANA Micro HDMI to HDMI Adapter Cable [$7.99]
In the past, I’ve also used 256GB and 512GB Samsung SD cards. Make sure to order a Micro HDMI to HDMI adapter cable if needed.
2) Download Raspbian Lite
Once everything arrives, the first step is to download and install Raspbian Lite from the Raspberry Pi website. Rasbian is the officially supported operating system provided by the Raspberry Pi foundation. As of the writing of this post, the current version of Raspbian is named Buster. You’ll want to download Raspbian Buster from the link above.
3) Flash the OS Image to the SD Card
When Rasbpian Buster Lite is downloaded, you’ll need to flash the Raspbian image to the SD card. On OS X, I used Balena Etcher, which is a free utility recommended by the Raspberry Pi installation instructions. Once the OS image is flashed to the SD card, you are ready to insert the SD card into the Pi. Connect your peripheral devices (keyboard, mouse, ethernet, power) and get going!
4) Boot Up the Pi
Boot the Pi 4, and you should eventually see a screen indicating that the disk is expanding to fit the SD card. After a minute or two, you’ll be met with a login prompt. The default username is pi, and the default password is raspberry. Go ahead and change the default password for the pi user with the following command.
pi@raspberrypi:~ $ passwd
5) Optional: Configure SSH and WiFi
We are going to be configuring the Pi 4 to be remotely accessible. Since there’s only a single gigabit ethernet port, you will want to set up WiFi and enable SSH. SSH isn’t enabled by default in Raspbian Buster Lite.
You can configure both WiFi and SSH settings in the raspi-config menu. Raspi-config can be accessed with the following command.
pi@raspberrypi:~ $ sudo raspi-config
To enable WiFi, chose the second option titled “Network Options.” You’ll then need to provide the country the Pi is located for localization settings. Once the country is set, enter the SSID and press enter. You should then be prompted to enter the network passphrase.
To enable SSH, go back to the top raspi-config menu where you selected “Network Options.” You’ll now select the option called “Interfacing Options.” Interfacing options brings up a menu where you should see an SSH option. At the time of writing, “P2 SSH” was the menu option to select. You’ll be asked if you want to enable SSH. Tab to <yes> to enable SSH. Finally, tab to finish and exit back to the command prompt.
6) Install libpcap
We are now going to install libpcap from source code. I tend to use the newest stable version of libpcap due to bugs we’ve run into with older versions during engagements. The following set of commands will download the most recent stable version of libpcap as of the time of writing and compile the library. When a new version of libpcap comes out, you should only need to adjust the wget, tar, and cd command to use the newer version.
pi@raspberrypi:~ $ sudo apt-get install build-essential flex bison pi@raspberrypi:~ $ wget https://www.tcpdump.org/release/libpcap-1.9.1.tar.gz pi@raspberrypi:~ $ tar xzvf libpcap-1.9.1.tar.gz pi@raspberrypi:~ $ cd libpcap-1.9.1/ pi@raspberrypi:~ $ ./configure pi@raspberrypi:~ $ make pi@raspberrypi:~ $ sudo make install pi@raspberrypi:~ $ cd ..
7) Install Zeek
With libpcap installed, we are going to compile Zeek from source now. This is another step where you could just use the Debian package manager to get Zeek via apt-get, but that approach isn’t as fun as compiling yourself, and the package manager version might not be the most recent.
The commands below first install dependent libraries need to compile Zeek. Zeek is then downloaded and unpacked. Finally, the configure and make commands start the compilation process. The make command might take a few hours.
pi@raspberrypi:~ $ install zeek pi@raspberrypi:~ $ sudo apt-get install cmake make gcc g++ flex bison libpcap-dev python-dev swig zlib1g-dev libssl1.0-dev pi@raspberrypi:~ $ wget https://www.zeek.org/downloads/zeek-3.0.0.tar.gz pi@raspberrypi:~ $ tar xvzf zeek-3.0.0.tar.gz pi@raspberrypi:~ $ cd zeek-3.0.0/ pi@raspberrypi:~ $ ./configure --with-pcap=/usr/local/lib pi@raspberrypi:~ $ make && sudo make install
When the above commands successfully execute, Zeek will install to /usr/local/zeek.
8) Add Zeek’s bin Folder to the System Path
For convenience, you’ll want to add Zeek’s bin folder to your system path. This allows you to call Zeek on the command line without having to provide the full path to the executables.
Update ~/.profile of the pi account with the following line:
After updating the path, you can run the source command to update the environment.
pi@raspberrypi:~ $ source ~/.profile
9) Configure Zeek
There are three files you can update with any site-specific settings. All three files are located in /usr/local/zeek/etc. Update the following three files as needed to match your environment:
The base configuration is likely fine for a simple network, but you should take a look at additional configuration options. These options are outside of the scope of what we plan to talk about today.
10) Start Zeek
We are finally ready to start Zeek. We first need to change the owner of the Zeek folder to the pi user, so we don’t have to use the root account to access zeekctl. The following two commands change the user and group of the zeek folder.
pi@raspberrypi:~ $ sudo chown pi -R /usr/local/zeek pi@raspberrypi:~ $ sudo chgrp pi -R /usr/local/zeek
Enter the Zeek control application with the following command:
pi@raspberrypi:~ $ zeekctl
Type install in the command prompt
[ZeekControl] > install
Finally, we are going to check the cron status.
[ZeekControl] > cron ?
If cron is not enabled, you can enable cron with the following command.
[ZeekControl] > cron enable
Finally, ensure Zeek is running with the status command.
[ZeekControl] > status
If Zeek is not running, start the Zeek process by issuing the start command and recheck the status.
[ZeekControl] > start
Today we ran through the process of installing Zeek on a Raspberry Pi. You are now on a great path to starting to understand the traffic in your environment better. In future posts, we will dive into different analysis opportunities. In the meantime, you can also check out the past series I wrote on Threat Hunting with Python for some immediate ideas.