KNOWLEDGE VALIDATION
Let’s test your understanding of the architectural concepts covered in this lesson:
Question 1: The Processing Pipeline
Trace the path of a single HTTP packet through Zeek’s architecture. Start from “packet arrives at network interface” and describe each stage it passes through, what happens at each stage, and what output is ultimately produced. This tests your understanding of the complete pipeline.
Question 2: Event-Driven vs. Packet-Based
Explain why Zeek’s event-driven architecture is better suited for detecting C2 beaconing than packet-by-packet analysis. Think about what information is available at the event level that isn’t available when examining individual packets.
Question 3: Cluster Roles
You’re deploying a 15-worker Zeek cluster. Do you need proxy nodes? Why or why not? What factors would influence this decision? This tests your understanding of when proxies provide value.
Question 4: Memory Management
Your Zeek sensor is using 16 GB of RAM to monitor a 2 Gbps network with approximately 50,000 concurrent connections. Is this reasonable? If you needed to reduce memory usage, what configuration changes could you make? This tests your ability to apply the memory sizing formulas and understand tuning options.
Question 5: Performance Troubleshooting
You notice your Zeek sensor is dropping 5% of packets. What are the three most likely causes, and what would you check to diagnose each one? How would you fix each problem? This tests your understanding of performance bottlenecks.
Question 6: Sensor Placement
You want to detect lateral movement (compromised workstations attacking internal servers). Should you place your Zeek sensor at the internet gateway or on the internal network? Justify your answer. This tests your understanding of how sensor placement affects visibility.
Take time to think through these questions. If you’re unsure about any of them, review the relevant sections before moving on.
PREPARING FOR LESSON 1.3
Congratulations! You’ve completed the architecture deep dive and now have a comprehensive understanding of how Zeek works internally. Let’s summarize what you’ve learned and prepare for the next lesson.
What You’ve Mastered:
You now understand Zeek’s complete processing pipeline, from packet acquisition through protocol analysis to event generation and script execution. You’ve learned why the event-driven architecture enables behavioural analysis that would be impossible with packet-level inspection. You understand how Zeek maintains rich state about connections and protocols, providing the context necessary for sophisticated threat detection.
You’ve explored Zeek’s cluster architecture, understanding how multiple nodes work together to analyze high-bandwidth networks. You know the roles of workers, managers, proxies, and loggers, and how they coordinate through the Broker communication framework. You understand load balancing strategies and can design cluster deployments for different scales and requirements.
You’ve learned about memory management and performance optimization, understanding how Zeek uses memory, how to size deployments appropriately, and how to tune configuration for optimal performance. You can diagnose performance problems and understand the trade-offs in different optimization strategies.
Most importantly, you’ve applied this knowledge through practical exercises, designing network architectures, planning sensor placements, and calculating resource requirements. These are the skills you’ll use when deploying Zeek in real environments.
What’s Coming in Lesson 1.3:
In the next lesson, we’re moving from theory to hands-on practice. You’re going to install Zeek on your Ubuntu droplet, going through the complete installation and configuration process. We’ll cover three different installation methods (package manager, source compilation, and containers) so you understand the trade-offs and can choose the right approach for different scenarios.
You’ll configure network interfaces for monitoring, set up AF_PACKET for improved performance, and make your first captures of network traffic. You’ll learn to start and stop Zeek, monitor its operation, and troubleshoot common issues. By the end of Lesson 1.3, you’ll have a fully functional Zeek sensor capturing and analyzing traffic.
Before the Next Lesson:
Make sure your Digital Ocean droplet is ready. If you haven’t created it yet, do so now:
- Ubuntu 22.04 LTS
- At least 4 vCPUs
- At least 8 GB RAM
- At least 80 GB storage
- Note the IP address for SSH access
Think about what network traffic you’ll analyze. Do you have:
- A home network you can monitor?
- Lab VMs you can use to generate traffic?
- Sample PCAP files for analysis?
Having traffic to analyze will make the next lesson much more engaging than just installing software.
Review your notes from this lesson, especially the cluster architecture and performance tuning sections. This knowledge will inform the configuration choices you make during installation.
Final Thought:
Architecture might seem like dry material, but it’s the foundation everything else is built on. When you’re writing detection scripts in later modules and wondering why something works the way it does, you’ll refer back to this architectural knowledge. When you’re troubleshooting a production issue, understanding the architecture will help you diagnose and fix it quickly. The time you’ve invested understanding Zeek’s internals will pay dividends throughout your career.
Take a break, let this knowledge settle, and when you’re ready, we’ll dive into Lesson 1.3 and get our hands dirty with an actual Zeek installation!