Building and Running Zeek on Windows Server 2022

Today, we are going to build and run Zeek on a Windows Server 2022 and process a PCAP file. This can be helpful if you don’t have an available Linux box to run Zeek or if you just need to do local processing on a Windows PC. (These steps should be the same for Windows 10/11.)

DISCLAIMER: Zeek builds on Windows are still experimental. [The project really needs help if you have spare developer cycles to contribute.]

 

Open a new PowerShell console with administrator privileges.

First, we verify PowerShell’s current policy.

  • Run Get-ExecutionPolicy
    • If it returns Restricted, then run Set-ExecutionPolicy AllSigned or Set-ExecutionPolicy Bypass -Scope Process

We will need a package manager for Windows called Chocolatey. We can install it using the following command:

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

Now, close the PowerShell console and open a new one with administrator privileges.

 

We install the Visual Studio Build Tools for compilation, because building Zeek on Windows with GCC is currently not supported.

  • Run choco install -y --no-progress visualstudio2019buildtools
  • Run choco install -y --no-progress visualstudio2019-workload-vctools --version=1.0.0 --package-parameters '--add Microsoft.VisualStudio.Component.VC.ATLMFC'

Now, we need to install other packages needed to build Zeek.

  • Run choco install -y --no-progress sed
  • Run choco install -y --no-progress swig
  • Run choco install -y --no-progress winflexbison3
  • Run choco install -y --no-progress msysgit
  • Run choco install -y --no-progress python
  • Run choco install -y --no-progress openssl --version=3.1.1
  • Run choco install -y --no-progress cmake --version 3.28.3
  • Run choco install -y --no-progress mingw
  • Run choco install -y --no-progress ninja
  • Run choco install -y --no-progress conan --version 1.58.0
  • Run choco install -y --no-progress wget
  • Run choco install -y --no-progress unzip

 

We are going to use NPCAP based on the recommendation from Raj Bhabesh’s blog post: https://bhabeshraj.com/post/breaking-barriers-building-zeek-for-windows

Download the NPCAP SDK* from here: https://www.npcap.com/dist/npcap-sdk-1.13.zip

Extract the zip file to a folder (we will need this path later, so make a note of it!)

Example: C:\Users\Administrator\Downloads\npcap-sdk-1.13

Now, close the PowerShell console and add the following directories to your PATH:

C:\Program Files\Git
C:\Program Files\CMake\bin

If it is not already there, create an environment variable called “OPENSSL_CONF” and point it to C:\Program Files\OpenSSL-Win64\bin\openssl.cfg

If it is not already there, create an environment variable called “OPENSSL_ROOT_DIR” and point it to C:\Program Files\OpenSSL-Win64

Open a new PowerShell console with administrator privileges.

  • Run git
  • Run cmake

If you get the default help output for each of these, you know your PATH is set up correctly. If not, check the previous steps to see if you missed something.

If all is working well, close the PowerShell console.

Next, enter the development environment by running the following from a new Command Line (cmd.exe) with administrative privileges:

call "C:\Program Files (x86)\Microsoft Visual Studio\2019\BuildTools\VC\Auxiliary\Build\vcvars64.bat"

 

Now, let’s get the actual code! Change to the directory where you want to put the Zeek source (e.g., cd Downloads).

  • Run git clone https://github.com/zeek/zeek.git
  • Run cd zeek
  • Run git submodule update --init --recursive
  • Run mkdir build
  • Run cd build
  • Run cmake .. -DPCAP_ROOT_DIR:PATH=C:\Users\Administrator\Downloads\npcap-sdk-1.13 -DCMAKE_BUILD_TYPE=release -DENABLE_ZEEK_UNIT_TESTS=yes -DVCPKG_TARGET_TRIPLET="x64-windows-static" -G Ninja

Once the configure step completes without errors (the original post shows a screenshot of the CMake output here), build Zeek:

  • Run cmake.exe --build .

When the build finishes without errors, you’ve done it! You built Zeek on Windows!

WARNING: Some users have mentioned that this process fails with an “Access Denied” error during the linking step. If this occurs, temporarily turn off your anti-virus software (or add an exclusion for the build directory) for the duration of the build, and turn it back on afterwards.

 

Now, we need to set up the environment variables so that Windows knows where everything is. If you try to run the binary before these are set up, you might see the following message:

failed to get path to executable ‘zeek’

Add the following variables if they are not there:

SPICY_PATH=C:\Users\Administrator\Downloads\zeek\build\spicy-path
ZEEKPATH=C:\Users\Administrator\Downloads\zeek\build\zeek-path-dev;C:\Users\Administrator\Downloads\zeek\scripts;C:\Users\Administrator\Downloads\zeek\scripts\policy;C:\Users\Administrator\Downloads\zeek\scripts\site;C:\Users\Administrator\Downloads\zeek\build\scripts;C:\Users\Administrator\Downloads\zeek\build\scripts\builtin-plugins;
ZEEK_PLUGIN_PATH=C:\Users\Administrator\Downloads\zeek\build\src
HILTI_CXX_INCLUDE_DIRS=C:\Users\Administrator\Downloads\zeek\build\hilti-cxx-include-dirs
Path={PATH};C:\Users\Administrator\Downloads\zeek\build;C:\Users\Administrator\Downloads\zeek\build\src;C:\Users\Administrator\Downloads\zeek\build\auxil\spicy\spicy\bin;C:\Users\Administrator\Downloads\zeek\build\src\builtin-plugins\spicy-plugin\bin
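The PATH and OpenSSL steps earlier and the Zeek variables just listed can be applied in one re-runnable script. This is an added example, not code from the original post; it assumes the Administrator\Downloads paths used throughout (adjust $ZeekRoot otherwise), and zeek will only resolve in the final check once the build has produced it.

```powershell
# Added example (not from the original post): persist every user-level variable from
# the PATH/OpenSSL steps and the Zeek steps in one script. Adjust $ZeekRoot as needed.
$ZeekRoot = 'C:\Users\Administrator\Downloads\zeek'
$Build    = Join-Path $ZeekRoot 'build'

function Set-UserEnv([string]$Name, [string]$Value) {
    # Persist a user-scoped variable and mirror it into the current session.
    [Environment]::SetEnvironmentVariable($Name, $Value, 'User')
    Set-Item -Path "Env:$Name" -Value $Value
}

function Add-UserPath([string[]]$Dirs) {
    # Append to the user PATH only what is missing, so re-runs add no duplicates.
    $parts = @([Environment]::GetEnvironmentVariable('Path', 'User') -split ';' | Where-Object { $_ })
    $new = $Dirs | Where-Object { $parts -notcontains $_ }
    if ($new) {
        [Environment]::SetEnvironmentVariable('Path', (($parts + $new) -join ';'), 'User')
        $env:Path = "$env:Path;" + ($new -join ';')   # current session sees it immediately
    }
}

# Toolchain paths and OpenSSL variables from the earlier steps
Add-UserPath @('C:\Program Files\Git', 'C:\Program Files\CMake\bin')
Set-UserEnv 'OPENSSL_CONF'     'C:\Program Files\OpenSSL-Win64\bin\openssl.cfg'
Set-UserEnv 'OPENSSL_ROOT_DIR' 'C:\Program Files\OpenSSL-Win64'

# Zeek runtime variables from the list above
Set-UserEnv 'SPICY_PATH'             (Join-Path $Build 'spicy-path')
Set-UserEnv 'ZEEK_PLUGIN_PATH'       (Join-Path $Build 'src')
Set-UserEnv 'HILTI_CXX_INCLUDE_DIRS' (Join-Path $Build 'hilti-cxx-include-dirs')
Set-UserEnv 'ZEEKPATH' (@(
    (Join-Path $Build 'zeek-path-dev'),
    (Join-Path $ZeekRoot 'scripts'),
    (Join-Path $ZeekRoot 'scripts\policy'),
    (Join-Path $ZeekRoot 'scripts\site'),
    (Join-Path $Build 'scripts'),
    (Join-Path $Build 'scripts\builtin-plugins')
) -join ';')
Add-UserPath @(
    $Build,
    (Join-Path $Build 'src'),
    (Join-Path $Build 'auxil\spicy\spicy\bin'),
    (Join-Path $Build 'src\builtin-plugins\spicy-plugin\bin')
)

# Sanity check: every tool the build and run steps depend on must resolve on PATH.
foreach ($tool in 'git', 'cmake', 'zeek') {
    $cmd = Get-Command $tool -ErrorAction SilentlyContinue
    if ($cmd) { "$tool -> $($cmd.Source)" } else { Write-Warning "$tool not found on PATH" }
}
```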

(The original post shows screenshots of the user environment variables before and after these steps.)

Now, close and reopen your command prompt.

 

You should be able to run the following command from any directory now:

zeek --help

Let’s make a test directory in your home folder to test Zeek’s functionality.

mkdir zeek_test
cd zeek_test

Now, let’s grab a PCAP to test processing. There are samples at www.malware-traffic-analysis.net that we will use for this exercise.

Let’s download the file by running

wget https://www.malware-traffic-analysis.net/2024/03/14/2024-03-14-AsyncRAT-and-XWorm-infection-traffic.pcap.zip

Then, we need to unzip it using the password ‘infected_20240314’

unzip -P infected_20240314 2024-03-14-AsyncRAT-and-XWorm-infection-traffic.pcap.zip

Now, we can run Zeek against our PCAP file by running

zeek -C -r 2024-03-14-AsyncRAT-and-XWorm-infection-traffic.pcap

Depending on the speed of your computer, this could take a while!

Once that is (finally) done, you can look through all the log files and see them in Zeek format (TM).
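Those log files are tab-separated text with a header that names the columns, so they can be read without leaving PowerShell. The following is an added example, not part of the original post: a small reader for the Zeek log format applied to a constructed conn.log sample (a subset of the real columns) to list which hosts the capture talked to most.

```powershell
# Added example (not part of the original post): a reader for Zeek's tab-separated
# log format. Header lines start with '#'; '#fields' names the columns; '-' is unset.
function Import-ZeekLog([string[]]$Lines) {
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#fields\t(.+)$') { $fields = $Matches[1] -split "`t"; continue }
        if (-not $line -or $line.StartsWith('#')) { continue }   # other header/footer lines
        if (-not $fields) { throw 'data row before #fields header' }
        $values = $line -split "`t"
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row[$fields[$i]] = if ($values[$i] -eq '-') { $null } else { $values[$i] }
        }
        [pscustomobject]$row
    }
}

function Get-TopResponders([string[]]$Lines, [int]$Top = 5) {
    # Connections and bytes sent per responder host: a first look at who talked to whom.
    Import-ZeekLog $Lines |
        Group-Object { $_.'id.resp_h' } |
        ForEach-Object {
            [pscustomobject]@{
                resp_h     = $_.Name
                conns      = $_.Count
                orig_bytes = ($_.Group | ForEach-Object { [double]$_.orig_bytes } | Measure-Object -Sum).Sum
            }
        } | Sort-Object orig_bytes -Descending | Select-Object -First $Top
}

# Constructed conn.log sample (made-up values, subset of the real columns)
$sample = @(
    "#separator \x09",
    "#path`tconn",
    ('#fields', 'ts', 'uid', 'id.orig_h', 'id.orig_p', 'id.resp_h', 'id.resp_p', 'proto', 'orig_bytes', 'resp_bytes') -join "`t",
    ('1710400000.1', 'CAb1', '10.0.0.5', '49152', '203.0.113.10', '443', 'tcp', '1200', '5400') -join "`t",
    ('1710400001.2', 'CAb2', '10.0.0.5', '49153', '203.0.113.10', '443', 'tcp', '300', '-') -join "`t",
    ('1710400002.3', 'CAb3', '10.0.0.5', '49154', '198.51.100.7', '8080', 'tcp', '9000', '100') -join "`t",
    "#close`t2024-03-14-00-00-00"
)

# On a real run: Get-TopResponders (Get-Content .\conn.log)
Get-TopResponders $sample | Format-Table -AutoSize
```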

* The free edition of NPCAP is limited to five systems!

Special thanks to Tim Wojtulewicz and Roy Achinta for answering my questions in the “#windows” channel of the Zeek Slack instance. And thanks to Raj Bhabesh for his blog post, where most of these instructions were taken from!

 

References

  1. Installing Zeek – Building Zeek from Source, https://docs.zeek.org/en/master/install.html#building-from-source
  2. “Breaking Barriers: Building Zeek for Windows”, Raj Bhabesh, https://bhabeshraj.com/post/breaking-barriers-building-zeek-for-windows
  3. “Ninja not found by CMAKE”, Stack Overflow comment by adentinger, https://stackoverflow.com/questions/38658014/ninja-not-found-by-cmake#:~:text=This%20error%20also,at%2020%3A20

 

 
