Zeek
{{Short description|Unix-based network security monitoring framework}}
{{Infobox software
| name = Zeek
| logo =
| screenshot =
| caption =
| collapsible =
| author = Vern Paxson
| developer =
| released = {{start date and age|1998|01|24|df=y}}{{cite web |url=https://www.icir.org/vern/tmp/vp-bro-0.3-alpha.tar.gz|title=Bro 0.3-alpha|access-date=2022-08-01}}
| discontinued =
| latest release version = {{wikidata|property|reference|P348}}
| latest release date = {{start date and age|{{wikidata|qualifier|P348|P577}}}}
| latest preview version =
| latest preview date =
| programming language = C++
| operating system = Linux, FreeBSD, macOS
| platform =
| size =
| language =
| genre = Network intrusion detection system
| license = BSD license
| website = {{official URL}}
}}
{{Portal|Free and open-source software}}
Zeek is a free and open-source software network analysis framework. Vern Paxson began development work on Zeek in 1995 at Lawrence Berkeley National Lab.{{Cite web|url=https://www.usenix.org/publications/library/proceedings/sec98/full_papers/paxson/paxson.pdf|title=Bro: A System for Detecting Network Intruders in Real-Time|last=Paxson|first=Vern|website=USENIX|language=en-US|date=1998-01-26|access-date=2022-08-01}} Zeek is a network security monitor (NSM) but can also be used as a network intrusion detection system (NIDS).{{Cite web|url=https://www.admin-magazine.com/Archive/2014/24/Network-analysis-with-the-Bro-Network-Security-Monitor|title=Bro IDS » ADMIN Magazine|last=McCarty|first=Ronald|website=ADMIN Magazine|language=en-US|access-date=2023-07-06}} The Zeek project releases the software under the BSD license.
Output
Zeek's purpose is to inspect network traffic and generate a variety of logs describing the activity it sees.{{Cite web|url=https://www.socinvestigation.com/zeek-network-traffic-analysis-and-security-monitoring-tool/|title=Zeek Network Security Monitor|date=22 December 2021 |access-date=2022-08-01}} A complete list of log files is available at the project documentation site.{{cite web|url=https://docs.zeek.org/en/master/script-reference/log-files.html|title=Zeek Script Reference Log Files|website=Zeek Documentation|language=en-US|access-date=2022-08-01}}
Log example
The following is an example of one entry in JSON format from the conn.log:{{cite web|url=https://www.sans.org/blog/parsing-zeek-json-logs-with-jq/|title=Parsing Zeek JSON Logs with JQ|last=Wright|first=Joshua|website=SANS|language=en-US|access-date=2022-08-01|date=2019-12-09}}
{{sxhl|
{
"ts": 1554410064.698965,
"uid": "CMreaf3tGGK2whbqhh",
"id.orig_h": "192.168.144.130",
"id.orig_p": 64277,
"id.resp_h": "192.168.144.2",
"id.resp_p": 53,
"proto": "udp",
"service": "dns",
"duration": 0.320463,
"orig_bytes": 94,
"resp_bytes": 316,
"conn_state": "SF",
"missed_bytes": 0,
"history": "Dd",
"orig_pkts": 2,
"orig_ip_bytes": 150,
"resp_pkts": 2,
"resp_ip_bytes": 372,
"tunnel_parents": []
}
|zeek}}
Threat hunting
One of Zeek's primary use cases involves cyber threat hunting.{{Cite web|url= https://ooiventures.com/zeekurity-zen-part-iv-threat-hunting-with-zeek/|title=Zeekurity Zen - Part IV: Threat Hunting with Zeek|last=Ooi|first=Eric|website=Eric Ooi|date=22 November 2023|language=en-US|access-date=2023-11-20}}
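Added example, not code from the Zeek project or from the cited posts: a small Python reader for the JSON-format conn.log shown above, with two simple hunting checks over the records it parses. Only the first sample record is the entry quoted above; the other two records, the uids CExample1 and CExample2, the hosts and the thresholds are constructed for this example.

```python
import json
from collections import defaultdict

# Constructed conn.log excerpt (JSON format, one record per line). The first record is the
# entry quoted on this page; the other two are made up. Zeek omits unset fields, so record 3 has no service/bytes.
SAMPLE_CONN_LOG = """\
{"ts": 1554410064.698965, "uid": "CMreaf3tGGK2whbqhh", "id.orig_h": "192.168.144.130", "id.orig_p": 64277, "id.resp_h": "192.168.144.2", "id.resp_p": 53, "proto": "udp", "service": "dns", "duration": 0.320463, "orig_bytes": 94, "resp_bytes": 316, "conn_state": "SF", "missed_bytes": 0, "history": "Dd", "orig_pkts": 2, "orig_ip_bytes": 150, "resp_pkts": 2, "resp_ip_bytes": 372, "tunnel_parents": []}
{"ts": 1554410070.1, "uid": "CExample1", "id.orig_h": "192.168.144.130", "id.orig_p": 50001, "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp", "service": "ssl", "duration": 3601.5, "orig_bytes": 120000, "resp_bytes": 2200, "conn_state": "SF", "missed_bytes": 0, "history": "ShADadFf", "orig_pkts": 900, "orig_ip_bytes": 160000, "resp_pkts": 400, "resp_ip_bytes": 20000, "tunnel_parents": []}
{"ts": 1554410071.2, "uid": "CExample2", "id.orig_h": "192.168.144.131", "id.orig_p": 50002, "id.resp_h": "203.0.113.20", "id.resp_p": 8443, "proto": "tcp", "conn_state": "S0", "missed_bytes": 0, "history": "S", "orig_pkts": 3, "orig_ip_bytes": 180, "resp_pkts": 0, "resp_ip_bytes": 0, "tunnel_parents": []}
"""


def parse_conn_log(text: str) -> list:
    """Parse JSON-format conn.log lines; blank lines are skipped, malformed ones raise."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            raise ValueError(f"conn.log line {lineno} is not valid JSON") from exc
    return records


def bytes_by_service(records: list) -> dict:
    """Sum payload bytes in both directions per detected service ("unknown" when unset)."""
    totals = defaultdict(int)
    for r in records:
        totals[r.get("service", "unknown")] += r.get("orig_bytes", 0) + r.get("resp_bytes", 0)
    return dict(totals)


def long_upload_heavy(records: list, min_duration: float = 3600.0, ratio: float = 10.0) -> list:
    """uids of connections lasting >= min_duration s where the originator sent >= ratio x what it received."""
    hits = []
    for r in records:
        long_enough = r.get("duration", 0.0) >= min_duration
        upload_heavy = r.get("orig_bytes", 0) >= ratio * max(r.get("resp_bytes", 0), 1)
        if long_enough and upload_heavy:
            hits.append(r["uid"])
    return hits


def unanswered_attempts(records: list) -> dict:
    """Per-originator count of connections in conn_state S0 (attempt seen, no reply)."""
    counts = defaultdict(int)
    for r in records:
        if r.get("conn_state") == "S0":
            counts[r["id.orig_h"]] += 1
    return dict(counts)
```

Because Zeek leaves unset fields out of JSON records, every lookup uses a default rather than assuming the key is present.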
Name
The principal author, Paxson, originally named the software "Bro" as a warning regarding George Orwell's Big Brother from the novel Nineteen Eighty-Four. In 2018 the project leadership team decided to rename the software. At LBNL in the 1990s, the developers ran their sensors as a pseudo-user named "zeek", thereby inspiring the name change in 2018.{{cite web|url=https://zeek.org/2018/10/11/renaming-the-bro-project/|title=Renaming the Bro Project|date=2018-10-11|first=Vern|last=Paxson|author-link=Vern Paxson}}
Zeek deployment
Security teams identify locations on their network where they want visibility. They deploy one or more network taps or enable switch SPAN ports for port mirroring to gain access to traffic. They deploy Zeek on servers with access to those visibility points.{{cite web|url=https://corelight.com/blog/enabling-soho-network-security-monitoring|title=Enabling SOHO Network Monitoring|date=2020-04-07|access-date=2022-08-01}} The Zeek software on those servers turns the observed network traffic into logs, writing them to local disk or to remote storage.{{cite web|url=https://www.ericooi.com/zeekurity-zen-part-iii-how-to-send-zeek-logs-to-splunk/|title=Zeekurity Zen Part III: How to Send Zeek Logs to Splunk|last=Ooi|first=Eric|website=Eric Ooi|date=3 January 2019 |language=en-US|access-date=2022-08-01}}
Zeek application architecture and analyzers
Zeek's event engine analyzes live or recorded network traffic to generate neutral event logs. Zeek uses common ports and dynamic protocol detection (involving signatures as well as behavioral analysis) to identify network protocols.{{Cite arXiv|title=Attacks on Dynamic Protocol Detection of Open Source Network Security Monitoring Tools|eprint=1912.03962 |last1=Grashöfer |first1=Jan |last2=Titze |first2=Christian |last3=Hartenstein |first3=Hannes |year=2019 |class=cs.NI }}
Developers write Zeek policy scripts in the Turing-complete Zeek scripting language. By default Zeek logs information about events to files, but analysts can also configure Zeek to take other actions, such as sending an email, raising an alert, executing a system command, updating an internal metric, or calling another Zeek script.
Zeek analyzers perform application layer decoding, anomaly detection, signature matching and connection analysis.{{Cite CiteSeerX |title=Bro: An Open Source Network Intrusion Detection System|last=Sommer|first=Robin|date=2003 |citeseerx=10.1.1.60.5410}} Zeek's developers designed the software to incorporate additional analyzers. The latest method for creating new protocol analyzers relies on the Spicy framework.{{Cite web|url=https://github.com/zeek/spicy|title=Spicy|website=GitHub |date=11 June 2022 |access-date=2022-08-01}}
References
{{reflist}}
External links
- {{official website|| The Zeek Network Security Monitor}}
- [http://www.icir.org/vern/papers/bro-CN99.html Bro: A System for Detecting Network Intruders in Real-Time] – Vern Paxson
- [https://kernelblog.org/2022/06/zeek-nedir-nasil-kurulur/ Zeek Nedir? Nasıl Kurulur?] – KernelBlog Emre Yılmaz (in Turkish)
Category:Free security software
Category:Computer security software
Category:Unix security software