Security on a Budget: Turning a Raspberry Pi 4 into a Low-Budget, Zeek based Network Monitoring Sensor

What is a Raspberry Pi?

A Raspberry Pi is a small-form-factor, single-board computer developed by the Raspberry Pi Foundation. To date, five different product families have been produced. This post uses the newest generation, the Raspberry Pi 4 B. The 4 B family consists of three models with RAM ranging from 1GB to 4GB. I used the 4GB version, which cost $62 on Amazon. If you are trying to save some money, you can get the 1GB version for $46 or the 2GB version for $48. I usually buy the Basic or Starter CanaKits from Amazon, as the kits come with the power cable, case, and SD card that you are going to need.

What is Zeek NSM?

Zeek is a powerful platform for network security monitoring. Originally a project started by Vern Paxson at the International Computer Science Institute in Berkeley in 1994, Zeek has continued to grow into a fantastic tool for both network security monitoring and response. The open-source nature of Zeek allows for powerful expansion to adapt to new threats.

Let’s Get Building!

1) Order the Pi and Associated Parts

First, you need to order your Raspberry Pi. Make sure also to include a power cord and an SD card. As previously mentioned, I ordered the following for the setup used today:

  • CanaKit Raspberry Pi 4 4GB Basic Kit (4GB RAM) [$72.99] – Includes Raspberry Pi 4 4GB Model B, power cord, heat sinks, and power switch.
  • MazerPi Raspberry Pi 4 Case [$8.99]
  • Samsung 128GB 100MB/s (U3) MicroSDXC Evo Select Memory Card with Adapter (MB-ME128GA/AM) [$19.99]
  • GANA Micro HDMI to HDMI Adapter Cable [$7.99]

In the past, I’ve also used 256GB and 512GB Samsung SD cards. Make sure to order a Micro HDMI to HDMI adapter cable if needed.

2) Download Raspbian Lite

Once everything arrives, the first step is to download and install Raspbian Lite from the Raspberry Pi website. Raspbian is the officially supported operating system provided by the Raspberry Pi Foundation. As of the writing of this post, the current version of Raspbian is named Buster. You’ll want to download Raspbian Buster Lite from the Raspberry Pi website.

3) Flash the OS Image to the SD Card

When Raspbian Buster Lite is downloaded, you’ll need to flash the Raspbian image to the SD card. On OS X, I used Balena Etcher, a free utility recommended by the Raspberry Pi installation instructions. Once the OS image is flashed to the SD card, you are ready to insert the SD card into the Pi. Connect your peripheral devices (keyboard, mouse, ethernet, power) and get going!

4) Boot Up the Pi

Boot the Pi 4, and you should eventually see a screen indicating that the disk is expanding to fit the SD card. After a minute or two, you’ll be met with a login prompt. The default username is pi, and the default password is raspberry. Go ahead and change the default password for the pi user with the following command. 

pi@raspberrypi:~ $ passwd

5) Optional: Configure SSH and WiFi

We are going to be configuring the Pi 4 to be remotely accessible. Since there’s only a single gigabit ethernet port, you will want to set up WiFi and enable SSH. SSH isn’t enabled by default in Raspbian Buster Lite.

You can configure both WiFi and SSH settings in the raspi-config menu. Raspi-config can be accessed with the following command.

pi@raspberrypi:~ $ sudo raspi-config

To enable WiFi, choose the second option, titled “Network Options.” You’ll then need to provide the country the Pi is located in for localization settings. Once the country is set, enter the SSID and press enter. You should then be prompted to enter the network passphrase.

To enable SSH, go back to the top raspi-config menu where you selected “Network Options.” You’ll now select the option called “Interfacing Options.” Interfacing options brings up a menu where you should see an SSH option. At the time of writing, “P2 SSH” was the menu option to select. You’ll be asked if you want to enable SSH. Tab to <yes> to enable SSH. Finally, tab to finish and exit back to the command prompt.

6) Install libpcap

We are now going to install libpcap from source code. I tend to use the newest stable version of libpcap due to bugs we’ve run into with older versions during engagements. The following set of commands downloads the most recent stable version of libpcap as of the time of writing and compiles the library. When a new version of libpcap comes out, you should only need to adjust the wget, tar, and cd commands to use the newer version.

pi@raspberrypi:~ $ sudo apt-get install build-essential flex bison
pi@raspberrypi:~ $ wget https://www.tcpdump.org/release/libpcap-1.9.1.tar.gz
pi@raspberrypi:~ $ tar xzvf libpcap-1.9.1.tar.gz
pi@raspberrypi:~ $ cd libpcap-1.9.1/
pi@raspberrypi:~/libpcap-1.9.1 $ ./configure
pi@raspberrypi:~/libpcap-1.9.1 $ make
pi@raspberrypi:~/libpcap-1.9.1 $ sudo make install
pi@raspberrypi:~/libpcap-1.9.1 $ cd ..

7) Install Zeek

With libpcap installed, we are now going to compile Zeek from source. This is another step where you could just use the Debian package manager to get Zeek via apt-get, but that approach isn’t as fun as compiling it yourself, and the package manager version might not be the most recent.

The commands below first install the dependent libraries needed to compile Zeek. Zeek is then downloaded and unpacked. Finally, the configure and make commands start the compilation process. The make command might take a few hours.

pi@raspberrypi:~ $ sudo apt-get install cmake make gcc g++ flex bison libpcap-dev python-dev swig zlib1g-dev libssl1.0-dev
pi@raspberrypi:~ $ wget https://www.zeek.org/downloads/zeek-3.0.0.tar.gz
pi@raspberrypi:~ $ tar xvzf zeek-3.0.0.tar.gz
pi@raspberrypi:~ $ cd zeek-3.0.0/
pi@raspberrypi:~/zeek-3.0.0 $ ./configure --with-pcap=/usr/local/lib
pi@raspberrypi:~/zeek-3.0.0 $ make && sudo make install

When the above commands successfully execute, Zeek will be installed to /usr/local/zeek.

8) Add Zeek’s bin Folder to the System Path

For convenience, you’ll want to add Zeek’s bin folder to your system path. This allows you to call Zeek on the command line without having to provide the full path to the executables.

Update ~/.profile of the pi account with the following line:

PATH=/usr/local/zeek/bin:$PATH

After updating the path, run the source command to reload the profile into your current session.

pi@raspberrypi:~ $ source ~/.profile

9) Configure Zeek

There are three files you can update with site-specific settings. All three are located in /usr/local/zeek/etc. Update the following three files as needed to match your environment:

  • zeekctl.cfg
  • networks.cfg
  • node.cfg

The base configuration is likely fine for a simple network, but you should take a look at the additional configuration options. Those options are outside the scope of what we plan to cover today.
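As an added example that is not part of the original post, the script below writes the two files a single-interface Pi sensor actually needs to change: node.cfg for a standalone Zeek process on one capture interface, and networks.cfg listing the prefixes Zeek should log as local. It assumes the /usr/local/zeek/etc path from step 7, the capture interface eth0, and a home LAN of 192.168.1.0/24 (all placeholders to adjust for your environment).

```shell
#!/bin/sh
# Added example (not from the original post): generate a minimal ZeekControl
# configuration for a standalone Raspberry Pi sensor.
# Assumptions (placeholders): Zeek at /usr/local/zeek, interface eth0,
# local network 192.168.1.0/24.

# Sanity-check an IPv4 prefix so a typo in networks.cfg is caught here
# instead of Zeek quietly classifying your own hosts as remote.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    for octet in $(echo "${1%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# node.cfg for a single-process (standalone) sensor on one interface.
render_node_cfg() {
    printf '[zeek]\ntype=standalone\nhost=localhost\ninterface=%s\n' "$1"
}

# networks.cfg: one "<prefix> <description>" per line. Traffic to or from
# these prefixes is tagged local in the logs; everything else is remote.
render_networks_cfg() {
    printf '%s\t%s\n' "$1" "$2"
}

# Write both files into the Zeek etc directory; returns 1 on a bad prefix.
write_sensor_config() {
    etc_dir="$1"; iface="$2"; net="$3"; desc="$4"
    valid_cidr "$net" || { echo "invalid prefix: $net" >&2; return 1; }
    mkdir -p "$etc_dir" || return 1
    render_node_cfg "$iface" > "$etc_dir/node.cfg" || return 1
    render_networks_cfg "$net" "$desc" > "$etc_dir/networks.cfg" || return 1
}

# On the Pi (after the chown in step 10, or with sudo):
#   write_sensor_config /usr/local/zeek/etc eth0 192.168.1.0/24 "Home LAN"
# then run "zeekctl install" so ZeekControl picks up the new files.
```

Re-run zeekctl install after any change to these files; zeekctl reads them only at install and deploy time.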

10) Start Zeek

We are finally ready to start Zeek. We first need to change the owner of the Zeek folder to the pi user so we don’t have to use the root account to access zeekctl. The following two commands change the user and group of the Zeek folder.

pi@raspberrypi:~ $ sudo chown pi -R /usr/local/zeek
pi@raspberrypi:~ $ sudo chgrp pi -R /usr/local/zeek

Enter the Zeek control application with the following command:

pi@raspberrypi:~ $ zeekctl

Type install at the ZeekControl prompt:

[ZeekControl] > install

Next, we are going to check the cron status.

[ZeekControl] > cron ?

If cron is not enabled, you can enable cron with the following command.

[ZeekControl] > cron enable

Finally, ensure Zeek is running with the status command.

[ZeekControl] > status

If Zeek is not running, start the Zeek process by issuing the start command and recheck the status.

[ZeekControl] > start

Wrapping Up

Today we ran through the process of installing Zeek on a Raspberry Pi. You are now on a great path toward better understanding the traffic in your environment. In future posts, we will dive into different analysis opportunities. In the meantime, you can also check out the past series I wrote on Threat Hunting with Python for some immediate ideas.

Thanks for reading, and feel free to reach out to me if you have any questions or run into any issues. I’m available on both LinkedIn and Twitter.