zeek

Analyze live traffic from a network interface

$ sudo zeek --iface [interface]

$ sudo zeek --iface [interface] [script1] [script2]

$ sudo zeek --bare-mode --iface [interface]

$ sudo zeek --filter [path/to/filter] --iface [interface]

$ sudo zeek --watchdog --iface [interface]

$ zeek --readfile [path/to/file.trace]

zeek [options] [scripts]

-C
    Ignore checksum errors.

-b filter
    Specify a BPF filter for traffic capture.

-i interface
    Specify the network interface to listen on.

-r file
    Read packets from a pcap file.

-w directory
    Specify directory for writing packet captures (when using a live interface).

-N
    Disable name resolution.

-v
    Increase verbosity.

scripts
    Specify Zeek scripts to load and execute. These scripts define the analysis logic and policies to be applied to the network traffic.

Zeek (formerly Bro) is a powerful network analysis framework that provides comprehensive network monitoring and security analysis. It analyzes network traffic in real-time, providing insights into network behavior and potential security threats. Zeek operates by passively monitoring network traffic, extracting relevant information, and applying customizable scripts and policies to identify suspicious activities, anomalies, and policy violations. Zeek's event-driven architecture allows it to handle high traffic volumes and complex network environments efficiently. It generates detailed logs and alerts, providing security analysts and network administrators with actionable intelligence to investigate and respond to security incidents.

Zeek differs from traditional intrusion detection systems (IDS) as it's more of a passive analyzer. It doesn't inherently block or actively intervene in network traffic flow, but provides context-rich data for further investigation. Its scripting language offers extensive customization capabilities, allowing users to define custom detection rules and analysis workflows tailored to their specific network environment and security requirements.

Zeek leverages several key concepts, including:
Event-Driven Architecture: Zeek operates based on events triggered by network traffic.
Policy Framework: Customizable Zeek scripts define analysis logic and policies.
Extensive Logging: Zeek generates detailed logs providing insights into network behavior.

Zeek's behavior is configured through various configuration files, including zeekctl.cfg, networks.cfg, and script files.

Zeek was originally known as Bro. The name was changed to Zeek in 2018. It was developed by Vern Paxson at Lawrence Berkeley National Laboratory in the mid-1990s. Zeek has evolved into a widely used open-source network analysis framework.

Its initial purpose was to provide a flexible and extensible platform for network monitoring and intrusion detection. Over the years, Zeek has gained popularity in academia, research, and industry due to its powerful analysis capabilities and customizable scripting language.

tcpdump(1), wireshark(1)