Running Zeek and RITA on Windows
Configure Zeek to monitor the network interface on a Windows system??? I’ve had plenty of folks tell me it cannot be done. That just motivated me even more to figure out how to get it working. In this blog, I’ll document all the steps necessary to capture packets on a Windows network interface and get those packets processed by Zeek. This solution will work for both Wi-Fi and wired connections.
Total Hacky Hack Alert
This solution is a total hack. It is not something you want to deploy in production or run as a regular solution on all of your endpoints. There is also a latency of about 24 hours before the data can be reviewed. The solution works, but it is not an “install it and forget it” solution.
Zeek Support for Windows
Back in 2022, the folks that maintain Zeek announced experimental support for Windows. This was focused on processing pcaps, with no support for doing live captures. Segue to 2024 and there is still no support for live captures. The Zeek team is small, so they have to balance their priorities. They are currently looking for help to move things forward. So, as of the time of this writing, I’m not aware of any solution that permits Zeek to directly listen on the network interface of a Windows system.
This leaves one of two options:
- Collect pcaps on the Windows system’s network interface and process them with Zeek running on Windows.
- Collect pcaps on the Windows system’s network interface and process them with Zeek running within a VM, like the Windows Subsystem for Linux (WSL2).
I’m going to focus on the second solution, as the code is more mature and it incorporates running RITA. However, you can modify my steps to incorporate Zeek running natively on Windows. Aaron Clark wrote an excellent article on building Zeek on Windows from the source code. You would want to start with that article first.
Overview of the Process
Here are the general steps we are going to follow:
- Install TShark/dumpcap on Windows
- Install Zeek to process the pcaps
- Install RITA to process the Zeek logs
- Run dumpcap to capture traffic
- Have Zeek and RITA process the captures in 24-hour blocks
- Define a number of scheduled tasks to automate the process
Pretty easy, eh? 😉
Installing dumpcap on Windows
We will be using dumpcap to capture packets off of the Windows network interface. Dumpcap is one of the command line tools available if you choose TShark as part of the Wireshark installer. In fact, you don’t need to install all of Wireshark, just TShark to get it.
Start by downloading the Wireshark installer. As mentioned, you only need the TShark tools, but you can choose to install more if you wish.
As part of the install, you will be prompted to also install Npcap. This is needed by dumpcap to interact with the network interface.
By default, dumpcap gets installed in the directory “C:\Program Files\Wireshark”. Since this is not in our path, you will need to specify the full path when using the tool. The other options are to add “C:\Program Files\Wireshark” to your path statement, or copy dumpcap to a directory that is already in your path. If you try to run dumpcap and you get the error “not recognized as an internal or external command,” this is most likely your problem.
Install Zeek/RITA Within WSL2
We are going to run Zeek and RITA within a virtual machine. While any hypervisor that can share folders with the host operating system should work, it probably makes the most sense to use Windows Subsystem for Linux V2 since that is built right in. If you have never run WSL2 before, the install is pretty straight forward. I’m going to assume you are using the default operating system, which at the time of this writing is Ubuntu 22.04 LTS.
I created a video on how to install Zeek and RITA. You can check it out if you prefer to watch another install while you perform the install yourself. However, the process is extremely easy. First, we need to pull down the install script. Copy/paste this command into your WSL2 session:
wget https://github.com/activecm/rita/releases/download/v5.0.8/install-rita-zeek-here.sh
We then need to make the script executable:
chmod +x install-rita-zeek-here.sh
And then we need to run it:
./install-rita-zeek-here.sh
When you are prompted for your “BECOME” password, it actually wants your sudo password in order to complete the install. You will also be prompted to identify which interface Zeek should monitor. Since Zeek cannot see the host system’s NIC, just select the interface for the current virtual machine. We will not be using this feature. When the install is complete, you will be prompted to run “zeek start”. This is not needed and you should not run this command.
Which Windows Interface to Monitor?
Next, we will need to identify which Windows network interface we wish to monitor. Open a Windows command prompt (you cannot do this within WSL2) and type the command:
dumpcap -D
Your output should look similar to the following:
Identify the network interface you wish to monitor. For example, in this case, I would pick “5,” as this system connects to the network almost exclusively via Wi-Fi. If this was a server, I would instead pick the Ethernet interface (10). Make a note of the interface number.
Shared Directories
When you are using WSL2, the “C” drive is available via the mount point “/mnt/c”. I found it much easier to create a directory structure on “C:\” where all of the shared files can be easily accessed. That way all of our files are in one place.
I first created the directory “C:\rita” (or “/mnt/c/rita” if you want to create it under Linux). Under this main directory, I created three subdirectories:
- bat – Location to store our Windows and Linux scripts
- pcaps – Location to store our pcap files
- zeek – Location to store our Zeek logs
The zeek directory will get additional subdirectories added later.
Batch Files and Scripts
We are going to create a batch file that runs the dumpcap command. We will also create two scripts, one to run Zeek and the other to run RITA. These will be executed via Task Scheduler and cron. You can create these files with a Windows or Linux text editor, whichever you prefer. They should all be stored in “C:\rita\bat” (or “/mnt/c/rita/bat” on Linux).
sniff.bat
I’ve named the first file “sniff.bat”. This will run our dumpcap command, which I’ve copied to the C:\rita\bat directory. This is the same location where we will save sniff.bat. Here is the command to put in this batch file. (Note that this is all a single command, even if it appears line wrapped on your display.)
c:\rita\bat\dumpcap.exe -F pcap -b interval:86400 -b files:2 -s 512 -i 5 -Q -w C:\rita\pcaps\desktop.pcap
The “-F” switch identifies that we want to store the data in pcap format. The “interval” switch tells dumpcap to capture traffic for 86,400 seconds, or 24 hours, and write that data to a single file. Once 24 hours is up, a new file will be created. The “files” switch tells dumpcap to never have more than two pcap files. If a third is to be created, the oldest pcap must first be deleted. This will help to minimize the use of disk space.
The “-s” switch identifies that we only want to capture the first 512 bytes of each packet. Since Zeek processes very little application data, this will reduce storage requirements with a minimal impact on the fidelity of data within Zeek. Feel free to set this number higher if you prefer. If you set it to zero, full packets will always be captured.
The “-i” switch identifies which interface number we want to monitor. We want to use the correct interface we identified when running “dumpcap -D” earlier. The “-Q” switch removes the output headers. Since we will be running dumpcap in the background, they are not useful. Finally, the “-w” switch identifies the name of the pcap file and where to save it. Note that dumpcap will append a date/time stamp to the end of the file name we specify. This keeps the name unique when multiple files have been written.
writezeek
Next, we need to create a Linux script that will convert the pcaps into Zeek logs. In my example I’ve named this script “writezeek” and stored it in the same “bat” directory. Here are the contents of that script:
#!/bin/bash mkdir -p /mnt/c/rita/zeek/$(date +"%Y%m%d") /usr/local/bin/zeek readpcap /mnt/c/rita/pcaps/*.pcap /mnt/c/rita/zeek/$(date +"%Y%m%d")
If we try to store all of our Zeek logs to the same directory, they will overwrite each other. With this in mind, the “mkdir” command creates a subdirectory under /mnt/c/rita/zeek that is the current date. We then store that day’s files in this location.
In the second command, we are running Zeek with the “readpcap” switch. If you are an old school Zeek/Bro user, you are probably thinking “Hey! That’s not a valid switch!”.
When we installed RITA and Zeek, they were actually installed in Docker containers. So what we are interacting with is actually a script that can reach into the Zeek container as needed. I have a video where I explain this in more detail if you want to get into the weeds. For now, let’s just say that this will tell Zeek to process the specified pcap file. We also need to identify where Zeek should write its log files. Note that we are specifying the directory that gets created with the “mkdir” command.
writerita
This step is optional if you are only interested in the raw Zeek logs and don’t want to use RITA. However, RITA is already installed so you might as well leverage it for reviewing traffic. 😉
I’ve created a script named “writerita” which will import the Zeek logs into a RITA database. This is also stored in the “bat” directory. Here’s what’s inside that script:
#!/bin/bash screen -S ritaroll -d -m /usr/local/bin/rita import --rolling -l /mnt/c/rita/zeek -d rolling
The new version of RITA sports an ASCII graphical interface based on Bubble Tea. While this makes for a user-friendly interface, it does mean that RITA expects to run inside of a terminal. When commands are executed via cron, there is no terminal. So in this script, we are using the “screen” utility to fool RITA into thinking it has a terminal interface. The “-d -m” switches tell screen to run in the background. The “-S” switch gives the session a descriptive name (ritaroll) which can be used to connect to the session while it is running. With these switches set, we then tell screen to run the “rita” command.
We are telling RITA that we want to “import” Zeek logs and that we want to create a “rolling” database. This will permit us to append additional long files later. This way we will only have one database we ever need to check. The “-l” switch tells RITA where to find the Zeek logs. The “-d” switch tells RITA that we want to name the database “rolling”.
Task Scheduler
Next, we need to configure two tasks under Task Scheduler. The first should start wsl.exe at system boot. The executable can be found in the System32 directory. The second task should also be run at system boot. This will run the sniff.bat script that we created.
Once complete, dumpcap should start capturing packets and writing them out to the C:\rita\pcaps directory.
Cron Jobs
We are in the home stretch! Next, we need to create a cron job that will run our Linux scripts. With Ubuntu, we do this by adding a file to /etc/cron.d/ that includes the cron entries we wish to process. Please note that this file should be owned by root and does not need execution permissions.
We can name the file whatever we want. I decided to name mine “rita”, as these jobs will pull data into RITA for analysis. Here’s what the file looks like:
The first five fields tell cron when to execute the specified command. Reading from left to right, these values are:
- Minute – Values can be 0-59
- Hour – Values can be 0-23
- Day of the month – Values can be 1-31
- Month of the year – Values can be 1-12
- Day of the week – Sun=1, Mon=2, … Sat=7
- Year – Valid four digit year, like 2024
With these settings, we can trigger a command to be executed anytime that we want. For example, the “writezeek” command will be executed at 1:00 AM every single day. The “writerita” command will be executed at 1:20 AM every day. This will process the prior day’s logs and have them ready for review at the beginning of each day.
Collecting Data
Once we complete each of the above steps, it will take a day before the data is ready for review. We should immediately see a pcap file get created under c:\rita\pcaps. This will grow in size throughout the day. The Zeek logs and RITA database will appear the following morning.
Reviewing Zeek Logs
As mentioned above, the Zeek logs will get saved to a date stamped directory. To review the Zeek logs, simply navigate into the appropriate directory.
Reviewing the RITA Data
We can review the RITA data by running the command:
rita view rolling
This will start up the RITA interface which will look similar to the following:
Hmmm… If I review my first entry, there is a pretty strong beacon going to “completelysafe.honestimnotevil.com”. This consisted of 61 TCP/80/HTTP connections. The user agent string claims to be a Mosaic Web browser running on OS/2 Warp. Given that I’m monitoring my Windows desktop, this does not sound correct and warrants further evaluation. It may be time to do a deep dive on the Zeek logs we’ve collected.
Conclusion
As you can see, it takes a few steps to get everything running. However, once you do, you get full network visibility as to what’s being transmitted and received by the Windows system’s network interface. Hopefully we will eventually see Zeek released as a binary for Windows that includes the ability to monitor live network traffic. Until that happens, this hack can give you a decent workaround.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumni of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.