zeek
Network traffic analysis and security monitoring
TLDR
Analyze live traffic from a network interface
Analyze live traffic from a network interface and load custom scripts
Analyze live traffic from a network interface, without loading any scripts
Analyze live traffic from a network interface, applying a tcpdump filter
Analyze live traffic from a network interface using a watchdog timer
Analyze traffic from a PCAP file
SYNOPSIS
zeek [options] [scripts]
PARAMETERS
-C
Ignore checksum errors.
-b filter
Specify a BPF filter for traffic capture.
-i interface
Specify the network interface to listen on.
-r file
Read packets from a pcap file.
-w directory
Specify directory for writing packet captures (when using a live interface).
-N
Disable name resolution.
-v
Increase verbosity.
scripts
Specify Zeek scripts to load and execute. These scripts define the analysis logic and policies to be applied to the network traffic.
DESCRIPTION
Zeek (formerly Bro) is a powerful network analysis framework that provides comprehensive network monitoring and security analysis. It analyzes network traffic in real-time, providing insights into network behavior and potential security threats. Zeek operates by passively monitoring network traffic, extracting relevant information, and applying customizable scripts and policies to identify suspicious activities, anomalies, and policy violations. Zeek's event-driven architecture allows it to handle high traffic volumes and complex network environments efficiently. It generates detailed logs and alerts, providing security analysts and network administrators with actionable intelligence to investigate and respond to security incidents.
Zeek differs from a traditional intrusion detection system (IDS) in that it is a passive analyzer: it does not itself block or intervene in the traffic flow, but produces context-rich data for further investigation. Its scripting language offers extensive customization, allowing users to define detection rules and analysis workflows tailored to their own network environment and security requirements.
KEY CONCEPTS
Zeek leverages several key concepts, including:
Event-Driven Architecture: Zeek operates based on events triggered by network traffic.
Policy Framework: Customizable Zeek scripts define analysis logic and policies.
Extensive Logging: Zeek generates detailed logs providing insights into network behavior.
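The following Zeek script is an added example, not part of the Zeek distribution or of this page, showing the event-driven model and the policy (Notice) framework together: it handles the connection_established event and raises a notice whenever a connection reaches a destination port listed in a redef-able set. The module name, the notice type name, the sample port values and the script filename in the usage note are assumptions.

```zeek
##! Added example (not from the Zeek project): raise a Notice when a connection
##! is established to a destination port the site does not expect to see.
##! Module name, notice type and port values are assumptions; redef per site.

@load base/frameworks/notice

module UnexpectedService;

export {
    redef enum Notice::Type += {
        ## A host connected to a port listed in watched_ports.
        Connection_To_Watched_Port
    };

    ## Destination ports worth a notice (assumed sample values).
    ## Sites extend or replace this set with redef in local.zeek.
    const watched_ports: set[port] = { 23/tcp, 4444/tcp } &redef;
}

## Fires once per connection after the TCP handshake completes.
event connection_established(c: connection)
    {
    # Only connections whose responder port is on the watch list matter.
    if ( c$id$resp_p !in watched_ports )
        return;

    # Emit a notice; notice.log records it and the identifier plus
    # suppress_for keep a chatty pair from producing one line per connection.
    NOTICE([$note=Connection_To_Watched_Port,
            $msg=fmt("%s connected to watched port %s on %s",
                     c$id$orig_h, c$id$resp_p, c$id$resp_h),
            $conn=c,
            $identifier=cat(c$id$orig_h, c$id$resp_h, c$id$resp_p),
            $suppress_for=1hr]);
    }
```

Saved as unexpected_service.zeek (assumed name), the script is loaded alongside the base analysis by passing it on the command line, for example with the -r option documented above against a capture file; matching connections then appear in notice.log next to the usual conn.log entries.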
CONFIGURATION
Zeek's behavior is configured through various configuration files, including zeekctl.cfg, networks.cfg, and script files.
HISTORY
Zeek was developed by Vern Paxson at Lawrence Berkeley National Laboratory in the mid-1990s under its original name, Bro; the project was renamed Zeek in 2018. It has since evolved into a widely used open-source network analysis framework.
Its initial purpose was to provide a flexible and extensible platform for network monitoring and intrusion detection. Over the years, Zeek has gained popularity in academia, research, and industry due to its powerful analysis capabilities and customizable scripting language.