At Ignite 2022, Microsoft announced their partnership with Zeek, and its corporate sponsor, Corelight, which resulted in Zeek being integrated as a component within Microsoft Defender for Endpoint (MDE).
For the rest of us, it means that Zeek has finally come to Windows, although it is still in an experimental phase and lacks many features compared to its *nix counterpart. That gap should narrow over time.
Brief review of Zeek
Zeek (formerly Bro) is a passive, open-source network traffic analyzer commonly used as a network security monitor (NSM) to support investigations of suspicious or malicious activity.
Zeek is very versatile and supports a wide range of traffic analysis tasks beyond the security domain, including performance measurement and troubleshooting. For a detailed treatment, I recommend going through their docs.
Why build Zeek?
Because Zeek support for Windows arrived in version 5.2 (released Feb 3) and is still in development. There are no installers available, so to play around with it you need to build the EXE yourself from source, which is not straightforward.
Let’s build it then
Zeek’s docs have steps for building from source on Windows, but they require slight changes to work.
The first step is to get the Zeek 5.2 source (zeek-5.2.0.tar.gz) from the releases page. Unzip it in a location of your choice; for example, mine is C:\Users\admin\Repos\zeek.
The next step is to install Chocolatey, a popular package manager for Windows, in order to install the dependencies.
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
I am compiling Zeek using only the command-line tools of Visual Studio 2019. If you desire, you can install the full UI version.
choco install -y --no-progress visualstudio2019buildtools --version=16.11.11.0
choco install -y --no-progress visualstudio2019-workload-vctools --version=1.0.0 --package-parameters '--add Microsoft.VisualStudio.Component.VC.ATLMFC'
choco install -y --no-progress sed
choco install -y --no-progress winflexbison3
choco install -y --no-progress msysgit
choco install -y --no-progress python
choco install -y --no-progress openssl
Here I am diverging from the doc. If you go ahead and directly install conan (as in the doc), you will get version 2.X. This will break things, as two generators (cmake and cmake_find_package) used by Zeek’s conan file for Windows are deprecated in version 2.X. The purpose of the cmake generators is to prepare the build by generating the necessary files.
So, as a workaround, you will have to install version 1.X as shown below:
choco install -y --no-progress conan --version 1.58.0
Once the dependencies are installed, you will need to add the Git installation’s bin directory (C:\Program Files\Git\bin by default) to your PATH. This is needed for the sh command to be available during the build.
Once all of the dependencies are in place, you will need to open a shell and add the development environment to it.
"C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvarsall.bat" x86_amd64
Before using cmake to build the source, we need to use Npcap instead of libpcap because the latter does not support Windows network interfaces.
You will need to install Npcap and download its SDK as well. Note down the SDK path, as we will supply it in cmake’s PCAP_ROOT_DIR argument (-DPCAP_ROOT_DIR).
mkdir build
cd build
cmake.exe .. -DCMAKE_BUILD_TYPE=release -DENABLE_ZEEK_UNIT_TESTS=yes -DPCAP_ROOT_DIR:PATH=C:\Users\admin\Downloads\npcap-sdk-1.13 -G Ninja
cmake.exe --build .
Running Zeek
cmake will produce the Zeek binary in the build/src directory. Before you can run it, you will need to set the environment variables Zeek requires. These tell Zeek where to find its policy, scripts, plugins, etc.
SPICY_PATH=C:\Users\admin\Repos\zeek\build\spicy-path
ZEEKPATH=C:\Users\admin\Repos\zeek\build\zeek-path-dev;C:\Users\admin\Repos\zeek\scripts;C:\Users\admin\Repos\zeek\scripts\policy;C:\Users\admin\Repos\zeek\scripts\site;C:\Users\admin\Repos\zeek\build\scripts;C:\Users\admin\Repos\zeek\build\scripts\builtin-plugins;
ZEEK_PLUGIN_PATH=C:\Users\admin\Repos\zeek\build\src
HILTI_CXX_INCLUDE_DIRS=C:\Users\admin\Repos\zeek\build\hilti-cxx-include-dirs
Path={PATH};C:\Users\admin\Repos\zeek\build;C:\Users\admin\Repos\zeek\build\src;C:\Users\admin\Repos\zeek\build\auxil\spicy\spicy\bin;C:\Users\admin\Repos\zeek\build\src\builtin-plugins\spicy-plugin\bin
In order to run Zeek live on a network interface, you will need the interface adapter name. The interface name obtained from ipconfig, Get-NetAdapter, etc. will not work. That means just specifying “Ethernet” will not work if you want to run Zeek on the Ethernet interface.
The actual names of network adapters under Windows are quite unreadable and have the form \Device\NPF_{GUID}.
One easy way to print the names of all interfaces is with this simple Zeek script.
event zeek_init()
	{
	# Print every capture device Npcap exposes, with its description and addresses.
	print Pcap::findalldevs();
	}
Save it as print_iface_names.zeek and run it through Zeek.
zeek print_iface_names.zeek
Choose the correct interface name either based on the description or the IP address assigned to the interface.
[name=\Device\NPF_{436C9885-057E-4D8A-A856-693A3F481EC9}, description=Microsoft Hyper-V Network Adapter, addrs={ 10.10.10.100, fe80::a821:525c:e1c8:A811 }, is_loopback=F, is_up=T, is_running=T]
All that is left is to run Zeek and point it to capture and analyze traffic on the Ethernet interface.
zeek -i \Device\NPF_{436C9885-057E-4D8A-A856-693A3F481EC9}
And, if you want JSON logs instead of the default TSV, you can simply add the following to the local.zeek file.
# Switch to JSON format
@load policy/tuning/json-logs.zeek
A sample DNS JSON log is shown below.
{ "ts": 1680159944.018034, "uid": "C0eZ1t3tFDZdJRHNw1", "id.orig_h": "10.10.10.100", "id.orig_p": 60477, "id.resp_h": "168.63.129.16", "id.resp_p": 53, "proto": "udp", "trans_id": 18949, "query": "www.wikibooks.org", "rcode": 0, "rcode_name": "NOERROR", "AA": false, "TC": false, "RD": false, "RA": true, "Z": 0, "answers": [ "dyna.wikimedia.org", "103.102.166.224" ], "TTLs": [ 1800.0, 234.0 ], "rejected": false }
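As an added example (not from the post), here is a small Python script that reads a dns.log in the JSON-lines format produced by policy/tuning/json-logs.zeek, keeps Zeek's dotted field names such as id.resp_h verbatim, and summarizes it: which resolvers were used, which queries went to a resolver outside an allowlist, and which came back NXDOMAIN. The sample lines are constructed for the example; the first mirrors the post's record, while the other two, including the 203.0.113.5 and 198.51.100.7 addresses, are made up.

```python
import json
from collections import Counter

# Constructed sample of a Zeek dns.log written with policy/tuning/json-logs.zeek:
# one JSON object per line. The first line mirrors the post's sample; the other
# two are made up (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_DNS_LOG = """\
{"ts": 1680159944.018034, "uid": "C0eZ1t3tFDZdJRHNw1", "id.orig_h": "10.10.10.100", "id.orig_p": 60477, "id.resp_h": "168.63.129.16", "id.resp_p": 53, "proto": "udp", "query": "www.wikibooks.org", "rcode": 0, "rcode_name": "NOERROR", "answers": ["dyna.wikimedia.org", "103.102.166.224"], "TTLs": [1800.0, 234.0], "rejected": false}
{"ts": 1680159950.5, "uid": "CqLx2a4Kf0PzH9", "id.orig_h": "10.10.10.100", "id.orig_p": 50001, "id.resp_h": "168.63.129.16", "id.resp_p": 53, "proto": "udp", "query": "nonexistent.example", "rcode": 3, "rcode_name": "NXDOMAIN", "rejected": false}
{"ts": 1680159960.1, "uid": "CzT7wq1Bn3Ld5e", "id.orig_h": "10.10.10.100", "id.orig_p": 50002, "id.resp_h": "203.0.113.5", "id.resp_p": 53, "proto": "udp", "query": "update.example.net", "rcode": 0, "rcode_name": "NOERROR", "answers": ["198.51.100.7"], "TTLs": [60.0], "rejected": false}
"""


def parse_dns_log(text):
    """Parse Zeek JSON-lines output. Blank lines are skipped; fields Zeek
    omitted (e.g. no answers section) simply stay absent from the dict."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def summarize_dns(records, allowed_resolvers):
    """Aggregate dns.log records; flag queries sent to a resolver outside
    allowed_resolvers and queries that returned NXDOMAIN."""
    resolvers = Counter()
    answers = {}
    unexpected = []
    nxdomain = []
    for r in records:
        resp = r["id.resp_h"]
        resolvers[resp] += 1
        if resp not in allowed_resolvers:
            unexpected.append((r["uid"], r["query"], resp))
        if r.get("rcode_name") == "NXDOMAIN":
            nxdomain.append(r["query"])
        if "answers" in r:  # absent when Zeek saw no answer records
            answers[r["query"]] = list(r["answers"])
    return {"resolvers": resolvers, "answers": answers,
            "unexpected": unexpected, "nxdomain": nxdomain}


if __name__ == "__main__":
    summary = summarize_dns(parse_dns_log(SAMPLE_DNS_LOG), {"168.63.129.16"})
    for uid, query, resp in summary["unexpected"]:
        print(f"{uid}: {query} resolved via unexpected server {resp}")
    print("NXDOMAIN queries:", summary["nxdomain"])
```

To run it against a real capture, replace SAMPLE_DNS_LOG with the contents of the dns.log written in Zeek's working directory and put your site's resolver(s) in the allowlist.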
I would like to extend great thanks to @timwoj for helping me through the build process. You can find him in the #windows channel of Zeek’s Slack.