{"id":11262,"date":"2022-01-07T20:17:10","date_gmt":"2022-01-07T17:17:10","guid":{"rendered":"https:\/\/kifarunix.com\/?p=11262"},"modified":"2024-03-14T19:14:38","modified_gmt":"2024-03-14T16:14:38","slug":"install-zeek-on-debian-11","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-zeek-on-debian-11\/","title":{"rendered":"Install Zeek on Debian 11"},"content":{"rendered":"\n<p>Follow through this tutorial to learn how to install Zeek on Debian 11. <a aria-label=\"Zeek (opens in a new tab)\" class=\"rank-math-link\" href=\"https:\/\/zeek.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Zeek<\/a>, formerly Bro IDS, is the world&#8217;s leading passive open source&nbsp;network security monitoring tool. <em>Zeek is not an active security device, like a firewall or intrusion prevention system. Rather, Zeek sits on a &#8220;sensor\u201d, a hardware, software, virtual, or cloud platform that quietly and unobtrusively observes network traffic. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security and information event management (SIEM) system<\/em>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Installing Zeek on Debian 11<\/h2>\n\n\n\n<p>Zeek can be installed by <a href=\"https:\/\/docs.zeek.org\/en\/lts\/install.html#installing-zeek\" target=\"_blank\" rel=\"noreferrer noopener nofollow\" class=\"rank-math-link\">building it from the source code<\/a> or directly via the <a href=\"#install-zeek-from-apt\" class=\"rank-math-link\">Zeek APT repositories<\/a>.<\/p>\n\n\n\n<p>In this tutorial, we will install Zeek via the APT repositories.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-zeek-from-apt\">Install Zeek on Debian<\/h3>\n\n\n\n<p>To install Zeek on Debian from the Zeek APT repositories;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add Zeek repository to Debian 
11:<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update &amp;&amp; apt install curl gnupg2 -y<\/code><\/pre>\n\n\n\n<pre id=\"block-a365d415-0482-492d-9a1f-ee13b977fc10\" class=\"wp-block-code\"><code>echo 'deb http:\/\/download.opensuse.org\/repositories\/security:\/zeek\/Debian_11\/ \/' &gt; \/etc\/apt\/sources.list.d\/zeek.list<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -fsSL https:\/\/download.opensuse.org\/repositories\/security:zeek\/Debian_11\/Release.key | gpg --dearmor &gt; \/etc\/apt\/trusted.gpg.d\/security_zeek.gpg<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Install Zeek on Debian<\/li>\n<\/ul>\n\n\n\n<p>Next, run system update;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt update<\/code><\/pre>\n\n\n\n<p>Zeek 4.1.1 is the <a href=\"https:\/\/github.com\/zeek\/zeek\/releases\" target=\"_blank\" rel=\"noreferrer noopener\">current stable release<\/a> as of this writing. Confirm this by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>apt-cache policy zeek<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>zeek:\n  Installed: (none)\n  Candidate: 4.1.1-0\n  Version table:\n     4.1.1-0 500\n        500 http:\/\/download.opensuse.org\/repositories\/security:\/zeek\/Debian_11  Packages<\/code><\/pre>\n\n\n\n<p>You can then install Zeek by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install zeek -y<\/code><\/pre>\n\n\n\n<p>During the installation, you may be prompted for some Postfix settings; if so, choose Internet Site and enter your system FQDN.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring Zeek on Debian 11<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Configure the Run-Time Environment<\/h4>\n\n\n\n<p>By default, Zeek is installed under <code><strong>\/opt\/zeek<\/strong><\/code>.<\/p>\n\n\n\n<p>To begin the configuration, add the Zeek binaries path to PATH;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo 'export 
PATH=$PATH:\/opt\/zeek\/bin' &gt; \/etc\/profile.d\/zeek.sh<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>source \/etc\/profile.d\/zeek.sh<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Define the Local Networks<\/h4>\n\n\n\n<p>Next, you need to tell Zeek which networks should be considered local to the monitored environment. This can be specified in the <code><strong>\/opt\/zeek\/etc\/networks.cfg<\/strong><\/code> configuration file.<\/p>\n\n\n\n<p>The default networks defined are <strong>10.0.0.0\/8, 172.16.0.0\/12, 192.168.0.0\/16<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/opt\/zeek\/etc\/networks.cfg<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code># List of local networks in CIDR notation, optionally followed by a\n# descriptive tag.\n# For example, \"10.0.0.0\/8\" or \"fe80::\/64\" are valid prefixes.\n\n10.0.0.0\/8          Private IP space\n172.16.0.0\/12       Private IP space\n192.168.0.0\/16      Private IP space\n<\/code><\/pre>\n\n\n\n<p>So, in our case, <strong>192.168.58.0\/24<\/strong> is our local network.<\/p>\n\n\n\n<p>Hence;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/opt\/zeek\/etc\/networks.cfg<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code># List of local networks in CIDR notation, optionally followed by a\n# descriptive tag.\n# For example, \"10.0.0.0\/8\" or \"fe80::\/64\" are valid prefixes.\n\n#10.0.0.0\/8          Private IP space\n#172.16.0.0\/12       Private IP space\n#192.168.0.0\/16      Private IP space\n<strong>192.168.58.0\/24      Kifarunix-demo IP space<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Save the file and exit once you have made your network configuration changes.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Define Zeek Running Mode<\/h4>\n\n\n\n<p>Zeek can be run in standalone mode or in a clustered setup. 
It runs in standalone mode by default.<\/p>\n\n\n\n<p>To define whether to run in a clustered or standalone setup, you need to edit the <code><strong>\/opt\/zeek\/etc\/node.cfg<\/strong><\/code> configuration file.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>For a standalone configuration, there must be only one Zeek node defined in this file.<\/em><\/li>\n\n\n\n<li><em>For a cluster configuration, at a minimum there must be a manager node, a proxy node, and one or more worker nodes.<\/em><\/li>\n<\/ul>\n\n\n\n<p>According to the Zeek quickstart guide, <em>using the standalone \/ single process mode of Zeek is not suitable for setups with significant amounts of traffic. In these cases one will almost certainly want to make use of a Zeek cluster, even on a single system<\/em>.<\/p>\n\n\n\n<p>Therefore, we will see how to set up a Zeek cluster. You can have a look at the <a aria-label=\"Zeek cluster architecture (opens in a new tab)\" href=\"https:\/\/docs.zeek.org\/en\/master\/cluster-setup.html#architecture\" target=\"_blank\" rel=\"noreferrer noopener nofollow\" class=\"rank-math-link\">Zeek cluster architecture<\/a>.<\/p>\n\n\n\n<p>The default Zeek node configuration looks like this;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cat \/opt\/zeek\/etc\/node.cfg<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code># Example ZeekControl node configuration.\n#\n# This example has a standalone node ready to go except for possibly changing\n# the sniffing interface.\n\n# This is a complete standalone configuration.  Most likely you will\n# only need to change the interface.\n[zeek]\ntype=standalone\nhost=localhost\ninterface=eth0\n\n## Below is an example clustered configuration. 
If you use this,\n## remove the [zeek] node above.\n\n#[logger-1]\n#type=logger\n#host=localhost\n#\n#[manager]\n#type=manager\n#host=localhost\n#\n#[proxy-1]\n#type=proxy\n#host=localhost\n#\n#[worker-1]\n#type=worker\n#host=localhost\n#interface=eth0\n#\n#[worker-2]\n#type=worker\n#host=localhost\n#interface=eth0\n<\/code><\/pre>\n\n\n\n<p>Since we are running a single node Zeek Cluster in this setup, comment out the Zeek standalone configuration section under <code><strong>[zeek]<\/strong><\/code> and define the host address for your Zeek <code><strong>logger<\/strong><\/code>, <code><strong>manager<\/strong><\/code>, <code><strong>proxy<\/strong><\/code> and <code><strong>worker<\/strong><\/code>.<\/p>\n\n\n\n<p>So what are these components?<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>logger<\/strong>: <em>it is an optional Zeek process that receives log messages from the rest of the nodes in the cluster. It can be used instead of the manager to reduce the load on the manager itself<\/em>.<\/li>\n\n\n\n<li><strong>manager<\/strong>:  <em>receives log messages and notices from the rest of the nodes in the Zeek cluster if no logger is defined<\/em>. <\/li>\n\n\n\n<li><strong>proxy<\/strong>: <em>is a Zeek process that may be used to offload data storage or any arbitrary workload. A cluster may contain multiple proxy nodes<\/em>.<\/li>\n\n\n\n<li><strong>worker<\/strong>: <em>is the Zeek process that sniffs network traffic and does protocol analysis on the reassembled traffic streams.<\/em><\/li>\n<\/ul>\n\n\n\n<p>So below is our single node Zeek cluster configuration setup;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/opt\/zeek\/etc\/node.cfg<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code># Example ZeekControl node configuration.\n#\n# This example has a standalone node ready to go except for possibly changing\n# the sniffing interface.\n\n# This is a complete standalone configuration.  
Most likely you will\n# only need to change the interface.\n#[zeek]\n#type=standalone\n#host=localhost\n#interface=eth0\n\n## Below is an example clustered configuration. If you use this,\n## remove the [zeek] node above.\n\n[kifarunix-demo-zeek-logger]\ntype=logger\nhost=192.168.58.22\n#\n[kifarunix-demo-zeek-manager]\ntype=manager\nhost=192.168.58.22\n#\n[kifarunix-demo-zeek-proxy]\ntype=proxy\nhost=192.168.58.22\n#\n[kifarunix-demo-zeek-worker]\ntype=worker\nhost=192.168.58.22\ninterface=enp0s8\n#\n[kifarunix-demo-worker-lo]\ntype=worker\nhost=localhost\ninterface=lo\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Review Global ZeekControl configuration file<\/h4>\n\n\n\n<p>Next, you need to review the global ZeekControl configuration file, <code><strong>\/opt\/zeek\/etc\/zeekctl.cfg<\/strong><\/code>.<\/p>\n\n\n\n<p>Most of the default values in configuration files should suffice. The only change you might want to make or update here is the recipient address for all emails sent out by Zeek and ZeekControl, if you have any set. 
The default value is root@localhost.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Validate Zeek Configuration<\/h4>\n\n\n\n<p>Before you can install and start Zeek, you need to validate the configuration file;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>zeekctl check<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Hint: Run the zeekctl \"deploy\" command to get started.\nkifarunix-demo-zeek-logger scripts are ok.\nkifarunix-demo-zeek-manager scripts are ok.\nkifarunix-demo-zeek-proxy scripts are ok.\nkifarunix-demo-zeek-worker scripts are ok.\nkifarunix-demo-worker-lo scripts are ok.\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Installing Zeek configurations<\/h4>\n\n\n\n<p>If there are no issues with the configuration, then you can install the configuration by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>zeekctl install<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Running Zeek<\/h4>\n\n\n\n<p>Once you have installed the Zeek configuration, you can start it using the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>zeekctl start<\/code><\/pre>\n\n\n\n<p>You can combine the install and start commands using the deploy command. 
That is, instead of running <code>zeekctl install<\/code> and then <code>zeekctl start<\/code>, you can combine the two using the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>zeekctl deploy<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Check the status of Zeek Instance<\/h4>\n\n\n\n<p>You can check the status of the Zeek instance by executing;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>zeekctl status<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Name         Type    Host             Status    Pid    Started\nkifarunix-demo-zeek-logger logger  192.168.59.16    running   17911  17 May 03:52:41\nkifarunix-demo-zeek-manager manager 192.168.59.16    running   17962  17 May 03:52:43\nkifarunix-demo-zeek-proxy proxy   192.168.59.16    running   18011  17 May 03:52:45\nkifarunix-demo-zeek-worker worker  192.168.59.16    running   18081  17 May 03:52:48\nkifarunix-demo-worker-lo worker  localhost        running   18082  17 May 03:52:48\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Other ZeekControl commands<\/h4>\n\n\n\n<p>Other Zeek control\/management commands are described on the zeekctl help page;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>zeekctl help<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nZeekControl Version 2.3.0-5\n\n  capstats [&lt;nodes&gt;] [&lt;secs&gt;]      - Report interface statistics with capstats\n  check [&lt;nodes&gt;]                  - Check configuration before installing it\n  cleanup [--all] [&lt;nodes&gt;]        - Delete working dirs (flush state) on nodes\n  config                           - Print zeekctl configuration\n  cron [--no-watch]                - Perform jobs intended to run from cron\n  cron enable|disable|?            
- Enable\/disable \"cron\" jobs\n  deploy                           - Check, install, and restart\n  df [&lt;nodes&gt;]                     - Print nodes' current disk usage\n  diag [&lt;nodes&gt;]                   - Output diagnostics for nodes\n  exec &lt;shell cmd&gt;                 - Execute shell command on all hosts\n  exit                             - Exit shell\n  install                          - Update zeekctl installation\/configuration\n  netstats [&lt;nodes&gt;]               - Print nodes' current packet counters\n  nodes                            - Print node configuration\n  peerstatus [&lt;nodes&gt;]             - Print status of nodes' remote connections\n  print &lt;id&gt; [&lt;nodes&gt;]             - Print values of script variable at nodes\n  process &lt;trace&gt; [&lt;op&gt;] [-- &lt;sc&gt;] - Run Zeek with options and scripts on trace\n  quit                             - Exit shell\n  restart [--clean] [&lt;nodes&gt;]      - Stop and then restart processing\n  scripts [-c] [&lt;nodes&gt;]           - List the Zeek scripts the nodes will load\n  start [&lt;nodes&gt;]                  - Start processing\n  status [&lt;nodes&gt;]                 - Summarize node status\n  stop [&lt;nodes&gt;]                   - Stop processing\n  top [&lt;nodes&gt;]                    - Show Zeek processes ala top\n  \nCommands provided by plugins:\n\n  ps.zeek [&lt;nodes&gt;]                - Show Zeek processes on nodes' systems\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Checking Zeek Logs<\/h4>\n\n\n\n<p>Zeek will start analyzing traffic according to a default policy and write the log results in the&nbsp;<code><strong>\/opt\/zeek\/logs\/current<\/strong><\/code>&nbsp;directory.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ls -1 \/opt\/zeek\/logs\/current\/<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>broker.log\ncapture_loss.log\ncluster.log\nconn.log\ndhcp.log\nknown_services.log\nloaded_scripts.log\nnotice.log\npacket_filter.log\nreporter.log\nstats.log\nstderr.log\nstdout.log\nweird.log\n<\/code><\/pre>\n\n\n\n<p><em>Some 
logs that are worth explicit mention:<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em><code><strong>conn.log<\/strong><\/code>: Contains an entry for every connection seen on the wire, with basic properties such as time and duration, originator and responder IP addresses, services and ports, payload size, and much more. This log provides a comprehensive record of the network\u2019s activity.<\/em><\/li>\n\n\n\n<li><em><code><strong>notice.log<\/strong><\/code>: Identifies specific activity that Zeek recognizes as potentially interesting, odd, or bad.  Such activity is called a \u201cnotice\u201d.<\/em><\/li>\n\n\n\n<li><em><code><strong>known_services.log<\/strong><\/code>: This log file contains the services detected on the local network that are known to be actively used by the clients on the network. It helps in enumerating which services are observed on a local network and whether they are all intentional and known to the network administrator.<\/em><\/li>\n\n\n\n<li><em><code><strong>weird.log<\/strong><\/code>: Contains unusual or exceptional activity that can indicate malformed connections, traffic that doesn\u2019t conform to a particular protocol, malfunctioning or misconfigured hardware\/services, or even an attacker attempting to avoid\/confuse a sensor.<\/em><\/li>\n\n\n\n<li><strong><em><code>(protocol).log<\/code><\/em><\/strong> (such as dns.log, dhcp.log, http.log, snmp.log): contains information for packets found in each respective protocol. 
<\/li>\n<\/ul>\n\n\n\n<p>Sample <strong>conn.log<\/strong> logs;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail \/opt\/zeek\/logs\/current\/conn.log<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n1641574281.587589\tCm5WfA3pJ25s3bbZn1\t192.168.58.22\t47763\t192.168.58.22\t48316\ttcp\t-\t-\t-\t-\tOTH\tT\tT\t0\tCc\t00\t0\t0\t-\n1641574281.587662\tC5Wrln2Yh1Y5PhXZO4\t192.168.58.22\t47763\t192.168.58.22\t48318\ttcp\t-\t-\t-\t-\tOTH\tT\tT\t0\tCc\t00\t0\t0\t-\n1641574284.454002\tCxnN0kz7NeFf9g5ra\t192.168.58.22\t35434\t192.168.58.22\t47761\ttcp\t-\t-\t-\t-\tOTH\tT\tT\t0\tCc\t00\t0\t0\t-\n1641574284.936654\tCh0ywkpEgDkDI4hqk\t192.168.58.22\t35432\t192.168.58.22\t47761\ttcp\t-\t-\t-\t-\tOTH\tT\tT\t0\tCc\t00\t0\t0\t-\n1641574287.708293\tC2qOcl1vMaYxUaDcU3\t192.168.58.22\t47761\t192.168.58.22\t35426\ttcp\t-\t-\t-\t-\tOTH\tT\tT\t0\tCc\t00\t0\t0\t-\n1641574287.708323\tCgSooa1flTATHu6N8g\t192.168.58.22\t47761\t192.168.58.22\t35428\ttcp\t-\t-\t-\t-\tOTH\tT\tT\t0\tCc\t00\t0\t0\t-\n1641574289.602766\tC96gMg3RQgvsbGmp55\t192.168.58.22\t47762\t192.168.58.22\t46776\ttcp\t-\t-\t-\t-\tOTH\tT\tT\t0\tCc\t00\t0\t0\t-\n1641574289.602842\tCWOj3w2erhdPzHG0d8\t192.168.58.22\t47762\t192.168.58.22\t46786\ttcp\t-\t-\t-\t-\tOTH\tT\tT\t0\tCc\t00\t0\t0\t-\n1641574289.602914\tCzBzwA4ITDK3ctjVNc\t192.168.58.22\t47762\t192.168.58.22\t46788\ttcp\t-\t-\t-\t-\tOTH\tT\tT\t0\tCc\t00\t0\t0\t-\n1641574289.942467\tCqoqDG3Bhuq7hrLeed\t192.168.58.22\t35432\t192.168.58.22\t47761\ttcp\t-\t-\t-\t-\tOTH\tT\tT\t0\tCc\t00\t0\t0\n<\/code><\/pre>\n\n\n\n<p>The fields and types are;<\/p>\n\n\n\n<pre 
class=\"scroll-box\"><code>\n#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Checking Zeek Node Processes<\/h4>\n\n\n\n<p>You can check processes running on each node by executing;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>zeekctl ps.zeek &lt;node&gt;<\/code><\/pre>\n\n\n\n<p>For example, to check processes on Zeek manager node;<\/p>\n\n\n\n<pre id=\"block-549cf091-8fdc-4abb-b81c-1d8846ea937e\" class=\"wp-block-preformatted\">zeekctl ps.zeek kifarunix-demo-zeek-manager <\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n        USER         PID    PPID %CPU %MEM    VSZ   RSS TT       S  STARTED     TIME COMMAND\n>>> 192.168.58.22\n   (-) root         783     777  0.1 10.2 824476 102352 ?       S 19:21:56 00:00:02 zeek\n   (+) root         833     827  0.0 10.1 720236 101692 ?       S 19:21:58 00:00:01 zeek\n   (-) root         882     876  0.0  9.9 717956 99360 ?        S 19:22:00 00:00:01 zeek\n   (-) root         954     944  0.3 23.3 849108 233028 ?       S 19:22:03 00:00:06 zeek\n   (-) root         955     942  0.1 23.1 849696 231068 ?       
S 19:22:03 00:00:02 zeek\n<\/code><\/pre>\n\n\n\n<p>And that brings us to the end of our tutorial on how to install Zeek on Debian.<\/p>\n\n\n\n<p>In our next tutorials, we will learn how to analyze network traffic with Zeek.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Reference<\/h3>\n\n\n\n<p><a aria-label=\"Zeek Quick Start Guide (opens in a new tab)\" href=\"https:\/\/docs.zeek.org\/en\/lts\/quickstart.html\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">Installing Zee<\/a><a aria-label=\" (opens in a new tab)\" href=\"https:\/\/docs.zeek.org\/en\/lts\/install.html\" target=\"_blank\" rel=\"noreferrer noopener\" class=\"rank-math-link\">k<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Follow through this tutorial to learn how to install Zeek on Debian 11. 
Zeek, formerly Bro IDS, is the world&#8217;s leading passive open source&nbsp;network security<\/p>\n","protected":false},"author":3,"featured_media":8852,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121],"tags":[4419,4420,3958,4416,4418,3549,4421,3550,4417],"class_list":["post-11262","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","tag-analyze-traffic-using-zeek","tag-check-zeek-configuration-file","tag-debian-11","tag-install-zeek-on-debian","tag-zeek","tag-zeekctl","tag-zeekctl-check","tag-zeekctl-deploy","tag-zeekctl-install","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11262"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=11262"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11262\/revisions"}],"predecessor-version":[{"id":21319,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11262\/revisions\/21319"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8852"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=11262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=11262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=11262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}