Zeek
| Original author(s) | Vern Paxson |
|---|---|
| Initial release | 24 January 1998[1] |
| Stable release | 6.2.0[2] / 20 February 2024 |
| Repository | |
| Written in | |
| License | BSD license |
| Website | zeek |
Zeek is a
Output
Zeek's purpose is to inspect network traffic and generate a variety of logs describing the activity it sees.[5] A complete list of log files is available at the project documentation site.[6]
Log example
The following is an example of one entry in JSON format from the conn.log:[7]

```json
{
  "ts": 1554410064.698965,
  "uid": "CMreaf3tGGK2whbqhh",
  "id.orig_h": "192.168.144.130",
  "id.orig_p": 64277,
  "id.resp_h": "192.168.144.2",
  "id.resp_p": 53,
  "proto": "udp",
  "service": "dns",
  "duration": 0.320463,
  "orig_bytes": 94,
  "resp_bytes": 316,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "Dd",
  "orig_pkts": 2,
  "orig_ip_bytes": 150,
  "resp_pkts": 2,
  "resp_ip_bytes": 372,
  "tunnel_parents": []
}
```
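As an added example (not part of the article or of the Zeek project), the following Python reads newline-delimited conn.log JSON records like the one above, totals payload bytes per service, and counts failed connection attempts (conn_state S0 or REJ, per Zeek's conn.log documentation) per originating host. All records other than the first are constructed for this example; Zeek's JSON writer omits unset fields such as service and duration, so the code treats them as absent rather than assuming they exist.

```python
import json
from collections import defaultdict

# Constructed sample conn.log in Zeek's JSON output format (one record per line).
# The first record is the entry shown above; the remaining five are made up.
SAMPLE_CONN_LOG = """\
{"ts": 1554410064.698965, "uid": "CMreaf3tGGK2whbqhh", "id.orig_h": "192.168.144.130", "id.orig_p": 64277, "id.resp_h": "192.168.144.2", "id.resp_p": 53, "proto": "udp", "service": "dns", "duration": 0.320463, "orig_bytes": 94, "resp_bytes": 316, "conn_state": "SF", "missed_bytes": 0, "history": "Dd", "orig_pkts": 2, "orig_ip_bytes": 150, "resp_pkts": 2, "resp_ip_bytes": 372, "tunnel_parents": []}
{"ts": 1554410070.1, "uid": "CEx0001", "id.orig_h": "192.168.144.130", "id.orig_p": 50001, "id.resp_h": "10.0.0.5", "id.resp_p": 445, "proto": "tcp", "conn_state": "S0", "missed_bytes": 0, "history": "S", "orig_pkts": 3, "orig_ip_bytes": 180, "resp_pkts": 0, "resp_ip_bytes": 0, "tunnel_parents": []}
{"ts": 1554410070.2, "uid": "CEx0002", "id.orig_h": "192.168.144.130", "id.orig_p": 50002, "id.resp_h": "10.0.0.5", "id.resp_p": 139, "proto": "tcp", "conn_state": "S0", "missed_bytes": 0, "history": "S", "orig_pkts": 3, "orig_ip_bytes": 180, "resp_pkts": 0, "resp_ip_bytes": 0, "tunnel_parents": []}
{"ts": 1554410070.3, "uid": "CEx0003", "id.orig_h": "192.168.144.130", "id.orig_p": 50003, "id.resp_h": "10.0.0.5", "id.resp_p": 3389, "proto": "tcp", "conn_state": "S0", "missed_bytes": 0, "history": "S", "orig_pkts": 3, "orig_ip_bytes": 180, "resp_pkts": 0, "resp_ip_bytes": 0, "tunnel_parents": []}
{"ts": 1554410070.4, "uid": "CEx0004", "id.orig_h": "192.168.144.130", "id.orig_p": 50004, "id.resp_h": "10.0.0.6", "id.resp_p": 22, "proto": "tcp", "conn_state": "REJ", "missed_bytes": 0, "history": "Sr", "orig_pkts": 1, "orig_ip_bytes": 60, "resp_pkts": 1, "resp_ip_bytes": 40, "tunnel_parents": []}
{"ts": 1554410075.0, "uid": "CEx0005", "id.orig_h": "192.168.144.131", "id.orig_p": 40001, "id.resp_h": "10.0.0.7", "id.resp_p": 80, "proto": "tcp", "service": "http", "duration": 1.5, "orig_bytes": 512, "resp_bytes": 2048, "conn_state": "SF", "missed_bytes": 0, "history": "ShADadFf", "orig_pkts": 6, "orig_ip_bytes": 800, "resp_pkts": 5, "resp_ip_bytes": 2300, "tunnel_parents": []}
"""

# conn_state values meaning "no usable reply", as documented for Zeek's conn.log:
# S0 = attempt seen, no reply; REJ = attempt rejected.
FAILED_STATES = {"S0", "REJ"}


def parse_conn_log(text):
    """Parse newline-delimited JSON conn.log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def bytes_by_service(records):
    """Count connections and sum payload bytes per detected service.

    Records with no 'service' field are grouped under '-', and missing byte
    fields count as 0, matching how Zeek leaves unset fields out of JSON."""
    totals = defaultdict(lambda: {"conns": 0, "orig_bytes": 0, "resp_bytes": 0})
    for r in records:
        t = totals[r.get("service", "-")]
        t["conns"] += 1
        t["orig_bytes"] += r.get("orig_bytes", 0)
        t["resp_bytes"] += r.get("resp_bytes", 0)
    return dict(totals)


def failed_attempts_by_origin(records, threshold):
    """Return originating hosts with at least `threshold` S0/REJ connections.

    Many unanswered or rejected attempts from one host is a common hunting
    lead worth reviewing against the other Zeek logs for that uid."""
    counts = defaultdict(int)
    for r in records:
        if r.get("conn_state") in FAILED_STATES:
            counts[r["id.orig_h"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print(bytes_by_service(recs))
    print(failed_attempts_by_origin(recs, threshold=3))
```

The same two summaries can be run over a real conn.log by passing the file's contents to parse_conn_log; records from Zeek's default tab-separated writer would need a different parser.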
Threat hunting
One of Zeek's primary use cases involves cyber threat hunting.[8]
Name
The principal author, Paxson, originally named the software "Bro" as a warning regarding
Zeek deployment
Security teams identify the locations on their network where they want visibility. They deploy one or more network taps, or enable switch SPAN ports for port mirroring, to gain access to the traffic at those points, and run Zeek on servers connected to them.[10] Zeek then parses the network traffic into logs, writing them to local disk or to remote storage.[11]
Zeek application architecture and analyzers
Zeek's event engine analyzes live or recorded network traffic to generate neutral event logs. Zeek uses common ports and dynamic protocol detection (involving signatures as well as behavioral analysis) to identify network protocols.[12]
Developers write Zeek policy scripts in the
Zeek analyzers perform application layer decoding, anomaly detection, signature matching and connection analysis.[13] Zeek's developers designed the software to incorporate additional analyzers. The latest method for creating new protocol analyzers relies on the Spicy framework.[14]
References
- ^ "Bro 0.3-alpha". Retrieved 2022-08-01.
- ^ "Release 6.2.0". 20 February 2024. Retrieved 26 March 2024.
- ^ Paxson, Vern (1998-01-26). "Bro: A System for Detecting Network Intruders in Real-Time" (PDF). USENIX. Retrieved 2022-08-01.
- ^ McCarty, Ronald. "Bro IDS » ADMIN Magazine". ADMIN Magazine. Retrieved 2023-07-06.
- ^ "Zeek Network Security Monitor". 22 December 2021. Retrieved 2022-08-01.
- ^ "Zeek Script Reference Log Files". Zeek Documentation. Retrieved 2022-08-01.
- ^ Wright, Joshua (2019-12-09). "Parsing Zeek JSON Logs with JQ". SANS. Retrieved 2022-08-01.
- ^ Ooi, Eric (22 November 2023). "Zeekurity Zen - Part IV: Threat Hunting with Zeek". Eric Ooi. Retrieved 2023-11-20.
- ^ Paxson, Vern (2018-10-11). "Renaming the Bro Project".
- ^ "Enabling SOHO Network Monitoring". 2020-04-07. Retrieved 2022-08-01.
- ^ Ooi, Eric (3 January 2019). "Zeekurity Zen Part III: How to Send Zeek Logs to Splunk". Eric Ooi. Retrieved 2022-08-01.
- arXiv:1912.03962 [cs.NI].
- CiteSeerX 10.1.1.60.5410.
- ^ "Spicy". GitHub. 11 June 2022. Retrieved 2022-08-01.
External links
- The Zeek Network Security Monitor
- Bro: A System for Detecting Network Intruders in Real-Time – Vern Paxson
- Zeek Nedir? Nasıl Kurulur? – KernelBlog Emre Yılmaz (in Turkish)