I have no idea why this woman has circuit boards on her eyes, but she grabbed my attention. Maybe she grabbed yours, too?

Introduction

Call me old fashioned, but there is something great about hardware. Virtualization is great and all, but I really like having something that I can touch and feel, knowing “This object in my hand is doing X”. Not only that, but there is a serious gap in network security capabilities when focusing on small businesses – sometimes profit margins are small, but that doesn’t make security any less valuable. This is why I chose to experiment with Zeek (formerly known as ‘Bro’) on the Asus Tinkerboard.

What is Zeek?

Formerly known as Bro, Zeek is a flexible, non-traditional intrusion detection system (IDS). While many intrusion detection systems are some flavor of Snort or Suricata with proprietary or custom signatures, I think of Zeek as more of a traffic analyzer. I think Zeek is more suitable for characterizing and analyzing network traffic, while Snort/Suricata are better for signature-based detections.

Screenshot from http://www.icir.org/robin/rwth/bro-tour.pdf

Collect Packets, Not Dust: Why Use the TinkerBoard?

I love all varieties of the Raspberry Pi – but they all have one thing in common: They are incredibly limited on memory. Even the Raspberry Pi 3 B+ only has 1GB of RAM. Additionally, it seems that the USB/Ethernet bus on the Pi is shared. The ASUS TinkerBoard is a bit pricier ($60 from MicroCenter, $61 from Amazon), but it has gigabit Ethernet port and 2GB of RAM. Not to mention – I had a TinkerBoard sitting on the shelf, collecting dust. Why not collect packets instead?

Installing Zeek on the ASUS TinkerBoard

Tossing Armbian on the TinkerBoard (TB) was easy enough – just write it to an SD card like you would with any Pi image. I used a 64GB microSD card so I have a little bit of room to work with – I wasn’t sure how fast the Zeek logs would grow on the TB.

You don’t need to add any fancy SSH files like you do with a Pi. It will pull down DHCP automatically, and you can SSH with username root and password 1234 . You will then be prompted to setup a new user account (that is sudo enabled)

Once the user account is created, I suggest you go ahead and update the device:

sudo apt-get update
sudo apt-get upgrade

Zeek has a number of prerequisites; here they are in a single line, with a couple extra (such as tmux) to make life simpler:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev python-ipaddress libmaxminddb0 tmux

Next, you’ll want to use tmux to create a new session since compiling Zeek can take a bit. When I originally tried this on the EspressoBin it took five hours to compile. On the TinkerBoard it was only 106 minutes.

tmux new -s zeekinstall

I suggest creating a directory to work out of, and then you’ll need to clone Zeek’s git repo.

mkdir git
cd git
git clone --recursive https://github.com/zeek/zeek
cd zeek
./configure

(this should take less than a minute)

make

(This took 106 minutes – if you are in tmux, you can hit ctrl+b and then d to break out of the tmux session. A simple “tmux attach” will reattach you later.)

sudo make install

And boom – that is it. Bro/Zeek is now installed in /usr/local/bro. I used a simple USB ethernet adaptor to give my TinkerBoard a second ethernet port that was a span off my switch.

I strongly encourage you to follow the Bro Quick Start Guide for additional configuration

So How Does it Perform?

I have my TinkerBoard receiving traffic from a span port configured on my switch. I have 150/150 internet from Verizon Fios, and the TB does a pretty good job keeping up. There are times when it misses traffic, but I’m OK with that – this is meant to be an opportunity for me to get more familiar with Bro without spending a ton of cash on hardware.

Here is a snippet from the capture_loss.log

1551921231.159806    900.000043  bro 792 17256   4.589708
1551922131.159836 900.000030 bro 1301 19797 6.571703
1551923031.159886 900.000050 bro 423 13806 3.063885

A Note About Other Single Board Computers

The TinkerBoard wasn’t my first choice for this project – in fact, I had attempted to deploy Zeek on the EspressoBin. With 2GB of RAM and three gigabit ethernet ports, the EspressoBin seemed to be a natural fit…until I tried to actually make it work. It took five hours to compile Zeek on the EspressoBin, and that was after an initial failure (insufficient memory) so I had to make a big ‘ole swap file. Anyway, I ran into problem after problem on the EspressoBin so I took a break from it and managed to get Zeek going on the TinkerBoard in only a few hours.