Zeek and Rita Part 1

Shane Kell
2 min read · Mar 31, 2021

I am still on this quest to control the web traffic that comes into my home, and I decided I needed to go deeper. When I attended John Strand’s ‘Intro to SOC’ class through Wild West Hackin’ Fest, he spoke about having Zeek and Rita installed on a Raspberry Pi. Zeek is a network security monitor (zeek.org) and Rita is an open source framework for traffic analysis (https://www.activecountermeasures.com/free-tools/rita/). Rita will play nicely with Zeek if you use the ‘nice’ option when starting the program: Rita will then wait for processor time to free up before trying to use it.

With these two pieces of software installed on my subnet, my hope was to be able to analyze packets in real time and drop the ones that contain the traffic I am trying to block (ads). It’s a good way to keep my toddler daughter safe online. We do a good job monitoring the content that she is watching, but this would go a long way toward making me feel better about those times when she clicks on an ad thinking it’s a video, spams that button, and 6 or 8 windows pop up on her tablet all going to the same webpage.

I am using Ubuntu Server 20.04 Command Line version again. I was able to get Zeek installed after only one hiccup. I was following their install-from-source instructions (https://docs.zeek.org/en/master/install.html#installing-from-source) and my ./configure command was failing in the zeek directory. The problem it kept pointing out was that I didn’t have the required Python development (PythonDev) dependency. After doing some research, I ran the sudo apt-get install python3-dev command and was able to get this resolved.

The other problem I ran into when I was getting Zeek configured was folder permissions. There are a few folders it needs read/write access to, and I finally set my user account as owner of the entire Zeek directory to resolve this. The zeekctl command would fail when I tried to use sudo, reporting “sudo: zeekctl: command not found”, but zeekctl on its own executes without complaint.

To be continued. I am still working through my project, and I think this one will be a multipart series.

*Following up on my sudo zeekctl comment. It actually does work, I just needed to be in the /usr/local/zeek/bin directory. I added this directory to my ~/.bashrc file and also to the secure_path variable in the /etc/sudoers file. After making these changes I can run the command as a regular user or with sudo without having to use the entire directory path from whatever directory I am working in.
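The PATH fix above as a small POSIX shell script, added here as an example and not part of the original post: it appends the export line to an rc file only once, checks whether a sudoers file's secure_path already lists /usr/local/zeek/bin, and prints the amended Defaults line so it can be applied through visudo. The function names and the file-path parameters are my own; the Zeek directory is the one the post gives.

```shell
#!/bin/sh
# Added example (not from the original post): make /usr/local/zeek/bin
# resolvable for an interactive shell and for sudo, and verify it.
# File paths are arguments so the functions can be run against copies.
ZEEK_BIN="${ZEEK_BIN:-/usr/local/zeek/bin}"

# Append an export line to an rc file (e.g. ~/.bashrc) only if it is
# not already there, so repeated runs do not pile up duplicate lines.
add_to_rc() {
    rc="$1"
    line="export PATH=\"\$PATH:$ZEEK_BIN\""
    touch "$rc"
    if grep -qxF "$line" "$rc"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$rc"
}

# Extract the value of the last "Defaults secure_path=..." directive.
secure_path_of() {
    sed -n 's/^Defaults[[:space:]]*secure_path[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | tail -n 1
}

# Return 0 if sudo's secure_path already lists the Zeek bin directory
# (this is why "sudo zeekctl" fails while plain "zeekctl" works).
sudo_can_find_zeek() {
    sp=$(secure_path_of "$1")
    case ":$sp:" in
        *":$ZEEK_BIN:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the replacement Defaults line with the Zeek directory appended.
# Apply it with visudo, which checks syntax before saving: a malformed
# /etc/sudoers locks every user out of sudo.
sudoers_line_with_zeek() {
    sp=$(secure_path_of "$1")
    if [ -z "$sp" ]; then
        printf 'Defaults secure_path="%s"\n' "$ZEEK_BIN"
    else
        printf 'Defaults secure_path="%s:%s"\n' "$sp" "$ZEEK_BIN"
    fi
}
```

Run `sudo_can_find_zeek /etc/sudoers` first; if it fails, paste the output of `sudoers_line_with_zeek /etc/sudoers` over the existing line inside `sudo visudo` rather than editing the file directly.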
