Setting Up
The complete documentation is at the following link. Below is a quick installation and launch guide for Ubuntu.
ZEEK 4.0 or greater
$ sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev
$ sudo apt-get install libmaxminddb-dev
Zeek can use either the city or the country database. The city database includes cities and regions in addition to countries. First, sign up for a MaxMind account, which is now required to download even the free/public GeoIP databases. Then you can download the databases. For example, download the GeoLite2-City database and decompress it.
Next, the file GeoLite2-City_YYYYMMDD/GeoLite2-City.mmdb needs to be moved to the GeoIP database directory. This directory might already exist and varies depending on the platform and package you are using. Use /usr/share/GeoIP or /var/lib/GeoIP (choose whichever one already exists).
$ mv <extracted subdir>/GeoLite2-City.mmdb <path_to_database_dir>/GeoLite2-City.mmdb
For xUbuntu 20.04 do the following:
$ echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_20.04/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
$ curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_20.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
$ sudo apt update
$ sudo apt install zeek-lts
Alternatively, you can download the packages for the latest LTS release build here.
By default the binary package installs to /opt/zeek. The zeek executable lives in /opt/zeek/bin, and you can run it from there directly. To launch it from anywhere, add that directory to PATH:
$ export PATH="/opt/zeek/bin:$PATH"
Note that export only affects the current shell session; to make it permanent, add the same line to ~/.profile or ~/.bashrc. Now you can check that everything went well (the page requires Zeek 4.0 or newer):
$ zeek --version
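The two procedures above (placing the GeoLite2-City database in whichever GeoIP directory exists, and confirming that the Zeek on PATH is 4.0 or newer) are easy to get subtly wrong by hand, so here is an added example that automates them. This is not code from the Zeek project or from this page: the directories /opt/zeek/bin, /usr/share/GeoIP and /var/lib/GeoIP come from the text, while the function names, the `--run` flag, the FORCE variable and the use of `install` instead of `mv` are this example's own choices. The final smoke test uses Zeek's built-in `lookup_location()` function, which the Zeek documentation recommends for checking GeoIP support.

```shell
#!/bin/sh
# Added example (not part of the page or the Zeek project): helpers for the GeoIP
# database step and the post-install version check described above.
set -eu

# Print the first candidate directory that exists. The page says to use whichever of
# /usr/share/GeoIP or /var/lib/GeoIP already exists; returns 1 if none of them does.
pick_geoip_dir() {
    for d in "$@"; do
        if [ -d "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Copy GeoLite2-City.mmdb from the extracted tarball directory (GeoLite2-City_YYYYMMDD)
# into the database directory. Unlike a plain mv this sets a world-readable mode, so a
# Zeek process running as an unprivileged user can still open the file, and it refuses
# to overwrite an existing database unless FORCE=1 is set (assumed convention).
install_geoip_db() {
    extracted=$1
    dbdir=$2
    src=$(find "$extracted" -name 'GeoLite2-City.mmdb' -type f | head -n 1)
    if [ -z "$src" ]; then
        echo "no GeoLite2-City.mmdb found under $extracted" >&2
        return 1
    fi
    if [ -e "$dbdir/GeoLite2-City.mmdb" ] && [ "${FORCE:-0}" != 1 ]; then
        echo "$dbdir/GeoLite2-City.mmdb already exists; set FORCE=1 to overwrite" >&2
        return 1
    fi
    install -m 0644 "$src" "$dbdir/GeoLite2-City.mmdb"
}

# Given the first line printed by `zeek --version` (e.g. "zeek version 4.0.3"),
# succeed only if the version is 4.0 or newer, as this page requires.
zeek_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^zeek version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        return 1
    fi
    set -- $ver
    major=$1
    minor=$2
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ] && [ "$minor" -ge 0 ]; then return 0; fi
    return 1
}

main() {
    if [ $# -lt 1 ]; then
        echo "usage: $0 --run <extracted GeoLite2-City_YYYYMMDD dir>" >&2
        exit 2
    fi
    # Put the binary package's bin directory on PATH only if it is not already there.
    case ":$PATH:" in
        *:/opt/zeek/bin:*) ;;
        *) export PATH="/opt/zeek/bin:$PATH" ;;
    esac
    if ! zeek_version_ok "$(zeek --version 2>&1 | head -n 1)"; then
        echo "Zeek 4.0 or newer is required; got: $(zeek --version 2>&1 | head -n 1)" >&2
        exit 1
    fi
    dbdir=$(pick_geoip_dir /usr/share/GeoIP /var/lib/GeoIP) || {
        echo "neither /usr/share/GeoIP nor /var/lib/GeoIP exists; create one first" >&2
        exit 1
    }
    install_geoip_db "$1" "$dbdir"
    # Smoke test through Zeek itself: lookup_location() is a Zeek built-in. If the
    # database was not found, the printed record has its fields unset.
    zeek -e 'print lookup_location(8.8.8.8);'
}

# Only run the procedure when invoked as: sh setup-check.sh --run <extracted dir>
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

Run it as root (or via sudo) so that the copy into the system GeoIP directory succeeds. The version check is deliberately done on the output of `zeek --version` rather than on the package name, because `apt install zeek-lts` and a manual download can leave different versions first on PATH.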
Click here to go back to the home documentation page.