zeek

Network traffic analysis and security monitoring

TLDR

Analyze live traffic from a network interface

$ sudo zeek --iface [interface]

Analyze live traffic from a network interface and load custom scripts
$ sudo zeek --iface [interface] [script1] [script2]

Analyze live traffic from a network interface, without loading any scripts
$ sudo zeek --bare-mode --iface [interface]

Analyze live traffic from a network interface, applying a tcpdump filter
$ sudo zeek --filter [path/to/filter] --iface [interface]

Analyze live traffic from a network interface using a watchdog timer
$ sudo zeek --watchdog --iface [interface]

Analyze traffic from a PCAP file
$ zeek --readfile [path/to/file.trace]

SYNOPSIS

zeek [options] [scripts]

PARAMETERS

-C
    Ignore checksum errors.

-b filter
    Specify a BPF filter for traffic capture.

-i interface
    Specify the network interface to listen on.

-r file
    Read packets from a pcap file.

-w directory
    Specify directory for writing packet captures (when using a live interface).

-N
    Disable name resolution.

-v
    Increase verbosity.

scripts
    Specify Zeek scripts to load and execute. These scripts define the analysis logic and policies to be applied to the network traffic.

DESCRIPTION

Zeek (formerly Bro) is a network analysis framework for network monitoring and security analysis. It passively monitors network traffic in real time, extracts protocol-level information, and applies customizable scripts and policies to identify suspicious activity, anomalies, and policy violations. Its event-driven architecture lets it handle high traffic volumes and complex network environments efficiently. It generates detailed logs and alerts that give security analysts and network administrators actionable data for investigating and responding to security incidents.

Zeek differs from traditional intrusion detection systems (IDS) in that it is primarily a passive analyzer: it does not block or actively intervene in the traffic flow, but provides context-rich data for further investigation. Its scripting language offers extensive customization, allowing users to define detection rules and analysis workflows tailored to their own network environment and security requirements.

KEY CONCEPTS

Zeek leverages several key concepts, including:
Event-Driven Architecture: Zeek operates based on events triggered by network traffic.
Policy Framework: Customizable Zeek scripts define analysis logic and policies.
Extensive Logging: Zeek generates detailed logs providing insights into network behavior.
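The logs mentioned above are written in Zeek's ASCII (tab-separated) format, with header lines declaring the separator, field names and field types. The following is an added example, not code from this page or from the Zeek project: it parses a conn.log in that format and flags long-lived connections. The log lines are constructed to mimic what a run such as zeek --readfile file.trace writes with the default conn.log field layout.

```python
# Added example (not from the page or from Zeek): parse a Zeek ASCII conn.log
# and flag long-lived connections; the sample lines below are constructed.
import codecs

# Constructed sample in Zeek's native TSV format, header lines included.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1704067200.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t12.5\t1500\t45000\tSF
1704067201.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t51235\t10.0.0.9\t22\ttcp\tssh\t4200.0\t80000\t120000\tSF
1704067202.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.7\t40000\t10.0.0.9\t8080\ttcp\t-\t-\t-\t-\tS0
#close\t2024-01-01-00-05-00
"""

# Zeek #types that have a natural Python type; everything else stays a string.
CONVERTERS = {"time": float, "interval": float, "count": int, "int": int,
              "port": int, "double": float}


def parse_zeek_log(text):
    """Return one dict per record, typed according to the #types header line."""
    sep, unset, fields, types, records = "\t", "-", [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The separator line itself is space-delimited and escaped (\x09).
            sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")
        elif line.startswith("#"):
            key, *vals = line.split(sep)      # other headers use the separator
            if key == "#unset_field":
                unset = vals[0]
            elif key == "#fields":
                fields = vals
            elif key == "#types":
                types = vals
        else:
            raw = line.split(sep)
            records.append({name: None if val == unset else CONVERTERS.get(typ, str)(val)
                            for name, typ, val in zip(fields, types, raw)})
    return records


def long_connections(records, threshold_seconds):
    """UIDs whose duration exceeds the threshold; unset durations ('-') are skipped."""
    return [r["uid"] for r in records
            if r["duration"] is not None and r["duration"] > threshold_seconds]


if __name__ == "__main__":
    print(long_connections(parse_zeek_log(SAMPLE_CONN_LOG), 3600))
```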

CONFIGURATION

Zeek's behavior is configured through various configuration files, including zeekctl.cfg, networks.cfg, and script files.

HISTORY

Zeek was originally known as Bro. It was developed by Vern Paxson at Lawrence Berkeley National Laboratory in the mid-1990s, and the name was changed to Zeek in 2018. Zeek has since evolved into a widely used open-source network analysis framework.

Its initial purpose was to provide a flexible and extensible platform for network monitoring and intrusion detection. Over the years, Zeek has gained popularity in academia, research, and industry due to its powerful analysis capabilities and customizable scripting language.
