Practical Guide: Zeek with Labshock - Simple & Easy


Intro

You want to practice ICS security. You need a safe place to test ideas, try tools and learn. Labshock gives you that. No need for hardware, no risk to live systems.

In this guide, you set up Zeek IDS inside Labshock. You monitor network traffic, detect issues & see what’s happening in your ICS setup. Step by step, you get it running.

Simple. Fast. No extra tools.

Let’s go.


What is Labshock?

your virtual friend

Labshock is your virtual ICS lab. It’s built to help you practice and explore ICS and OT security in a safe, controlled environment. You don’t need expensive hardware or risk breaking live systems. It works for anyone, whether you’re just starting or already experienced.

Here’s what you can do with Labshock:

  • create IDS rules: build and test custom IDS rules tailored for OT environments
  • practice detection and response: simulate attacks or anomalies and develop strategies to detect and respond to them using IDS
  • learn ICS networks: explore network setups common in industrial systems, including switches, firewalls, and protocols
  • work with PLCs: set up, configure, and test programmable logic controllers to understand how they work in ICS environments
  • configure SCADA systems: practice with SCADA interfaces, simulate industrial processes, and learn how data flows between components
  • test pentesting tools: safely use security tools to identify vulnerabilities and learn how attackers might exploit them



Setting Up Labshock

simple as possible

Getting Labshock up and running is simple. You only need Docker and Docker Compose installed on your system, plus Git if you want to clone the repository. No extra libraries or tools are required.

Check the Labshock GitHub page: GitHub

The full README guide can be found here: Wiki

git clone https://github.com/zakharb/labshock.git
cd labshock/labshock
docker-compose build
docker-compose up


What is Zeek IDS

powerful network monitoring

Zeek IDS is a powerful network security monitoring tool designed to analyze and log network traffic in depth. Unlike traditional intrusion detection systems (IDS) that rely on predefined signatures, Zeek provides a flexible scripting engine to detect anomalies, track protocol behavior, and generate detailed logs for further analysis. This makes it especially useful for OT/ICS environments, where custom detections are often needed. With Zeek, you can monitor industrial protocols, identify suspicious activities, and enhance visibility into your ICS network - helping you secure your environment effectively.

website

quick-start-guide



Zeek Setup

easy as possible

0. Change the IDS service in docker-compose.yml to use the official Zeek image:

  ids:
    image: zeek/zeek:latest
    network_mode: host
    command: tail -f /dev/null

1. Log in to the Zeek container terminal using bash:


2. Install nano to edit the configuration:

apt update
apt install nano
nano /usr/local/zeek/etc/node.cfg


3. Change the interface in node.cfg to the name of the interface on your 192.168.3.0/24 network.

In my case it's "br-c3e850affc42":


4. Enter zeekctl and deploy the configuration:

zeekctl
deploy


5. Check the Zeek logs, for example conn.log:

cat /usr/local/zeek/logs/current/conn.log
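As an added example (not part of the original guide or of Labshock), a short Python script that parses the ASCII conn.log layout Zeek writes and flags ICS-port connections that came from outside the 192.168.3.0/24 lab network, or that went unanswered (conn_state S0). The sample log lines are constructed, and Modbus/TCP on port 502 is an assumption about which protocol the lab PLCs speak.

```python
import ipaddress
import sys
from collections import Counter

LAB_NET = ipaddress.ip_network("192.168.3.0/24")  # lab network from the guide
ICS_PORTS = {502: "modbus"}  # assumption: the lab PLCs speak Modbus/TCP on 502

# Constructed sample in Zeek's default ASCII conn.log layout (columns trimmed;
# the parser maps values by the #fields names, so extra columns are harmless).
SAMPLE_CONN_LOG = """#separator \\x09
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring
1700000000.1\tCabc1\t192.168.3.10\t50123\t192.168.3.20\t502\ttcp\tmodbus\t1.2\tSF
1700000001.5\tCabc2\t192.168.3.10\t50124\t192.168.3.20\t502\ttcp\t-\t0.0\tS0
1700000002.7\tCabc3\t10.0.0.5\t40000\t192.168.3.20\t502\ttcp\tmodbus\t0.4\tSF
1700000003.9\tCabc4\t192.168.3.10\t50125\t192.168.3.20\t22\ttcp\tssh\t3.1\tSF
#close\t2023-11-14-22-13-24
"""


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other header lines, #close, or data before #fields
        else:
            vals = line.split("\t")
            yield {k: (None if v == "-" else v) for k, v in zip(fields, vals)}


def review_ics_connections(text):
    """Return (findings, talkers): findings are ICS-port connections from outside
    LAB_NET or unanswered attempts (conn_state S0); talkers counts (orig, resp, port)."""
    findings, talkers = [], Counter()
    for rec in parse_conn_log(text):
        orig, resp = ipaddress.ip_address(rec["id.orig_h"]), rec["id.resp_h"]
        port = int(rec["id.resp_p"])
        if port not in ICS_PORTS:
            continue  # only ICS services are of interest here
        talkers[(str(orig), resp, port)] += 1
        if orig not in LAB_NET:
            findings.append(f"{rec['uid']}: {orig} (outside {LAB_NET}) reached {ICS_PORTS[port]} on {resp}")
        if rec["conn_state"] == "S0":  # S0: attempt seen, no reply from the responder
            findings.append(f"{rec['uid']}: unanswered {ICS_PORTS[port]} attempt {orig} -> {resp}")
    return findings, talkers


if __name__ == "__main__":
    # Pass the live log path from the guide, e.g. /usr/local/zeek/logs/current/conn.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONN_LOG
    findings, talkers = review_ics_connections(text)
    for line in findings:
        print(line)
    for (o, r, p), n in talkers.most_common():
        print(f"{o} -> {r}:{p} x{n}")
```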



Wrapping Up

You set up Labshock. You added Zeek IDS. Now you can monitor traffic, detect issues, and test ideas safely.

Keep exploring. Try different ICS protocols. Write custom detection rules. Break things, fix them, and learn.

Labshock is your space. Use it.



please put Stars here


John Colet

CISM | Cybersecurity | Systems & Infrastructure Security Architect | Zero Trust

2 weeks

Are there any technical videos and tutorials? Or GitHub documentation? It's really interesting.

Aditya Thokane

Cyber Security Senior Associated Consultant

2 weeks

Great Post! Thanks for Sharing!

Zakhar Bernhardt

ICS/OT Cybersecurity Expert | Labshock & Patented NVIDIA AI IDS & 1st OT SIEM Creator | 10k+ Followers | Pentesting & SOC

2 weeks

José Sánchez thx a lot for reposting!

AIT ICHOU MUSTAPHA

+17K Followers | Cybersecurity Analyst | Blue Team Specialist | Threat Hunting | Malware Researcher and Analyst | Community Manager @SOC4M

2 weeks

Useful tips Zakhar Bernhardt thank you for sharing!
