Zeek Behavioral Monitor on an Anubiz Offshore VPS
Zeek is not a signature IDS like Suricata. It builds high-fidelity logs of every network event (connections, DNS, TLS handshakes, HTTP, file transfers), which you analyze after the fact. On an Anubiz VPS, Zeek answers questions like "which destination did this server talk to last Thursday at 02:00?" better than any other tool. This guide installs Zeek 6.x on Ubuntu 24.04 with the standard logs plus a TLS fingerprint plugin.
Step 1: Install
The openSUSE Build Service publishes current Zeek packages for Ubuntu. Add the repository per the official guide (echo 'deb ...' > /etc/apt/sources.list.d/zeek.list), then run apt install zeek.
Step 2: Interface Config
Edit /opt/zeek/etc/node.cfg: configure a standalone node on interface ens3 (or whatever ip a shows). In networks.cfg, list your local subnet so Zeek marks that traffic as local.
Step 3: Start and Verify
Run zeekctl deploy, then check that /opt/zeek/logs/current/conn.log is being written. Each line is one connection summary.
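The question from the introduction (which destinations this server talked to in a given hour), answered against conn.log. This is an added example, not part of the original guide: it assumes Zeek's default TSV log format, and the sample log lines, addresses and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in Zeek's default TSV layout (real conn.log has more columns).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes",
    "1718243100.100000\tCa1\t10.0.0.5\t40100\t198.51.100.7\t443\ttcp\t300\t900",
    "1718244012.532101\tCb2\t10.0.0.5\t40112\t203.0.113.10\t443\ttcp\t1200\t5300",
    "1718244650.000210\tCc3\t10.0.0.5\t40120\t203.0.113.10\t443\ttcp\t800\t2100",
    "1718245200.904000\tCd4\t10.0.0.5\t53211\t192.0.2.53\t53\tudp\t-\t-",
    "1718247700.000000\tCe5\t10.0.0.5\t40150\t198.51.100.7\t22\ttcp\t4000\t6000",
    "#close\t2024-06-13-04-00-00",
])

def parse_zeek_tsv(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif fields and line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def destinations_in_window(text, start, end):
    """Per (responder IP, port, proto) seen in [start, end): connections and bytes."""
    lo, hi = start.timestamp(), end.timestamp()   # Zeek ts is epoch seconds
    summary = defaultdict(lambda: {"conns": 0, "bytes": 0})
    for rec in parse_zeek_tsv(text):
        if not lo <= float(rec["ts"]) < hi:
            continue
        entry = summary[(rec["id.resp_h"], int(rec["id.resp_p"]), rec["proto"])]
        entry["conns"] += 1
        for col in ("orig_bytes", "resp_bytes"):
            if rec[col] != "-":                   # "-" marks an unset field
                entry["bytes"] += int(rec[col])
    return dict(summary)

if __name__ == "__main__":
    thursday_0200 = datetime(2024, 6, 13, 2, 0, tzinfo=timezone.utc)
    thursday_0300 = datetime(2024, 6, 13, 3, 0, tzinfo=timezone.utc)
    hits = destinations_in_window(SAMPLE_CONN_LOG, thursday_0200, thursday_0300)
    for (host, port, proto), s in sorted(hits.items()):
        print(f"{host}:{port}/{proto} conns={s['conns']} bytes={s['bytes']}")
```

On a live sensor, pass in the contents of /opt/zeek/logs/current/conn.log or of a rotated log for the day in question instead of the sample string.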
Step 4: TLS Fingerprinting
Load the JA3/JA4 plugin in local.zeek. ssl.log then gains ja3, ja3s and ja4 fields, which let you spot abnormal client stacks.
Step 5: Log Shipping
Ship logs to a log host with Vector or rsyslog. For local rotation, zeekctl already rotates hourly. Gzipping the rotated logs lets you keep 30 days on a small disk.