Zeek
Network Traffic Monitoring and Analysis Framework
Introduction
Zeek (formerly Bro) is an open-source network analysis tool designed for security monitoring, intrusion detection, and generating detailed logs of network activity. It provides deep visibility into protocols, connections, and anomalies in real time.
Features
- Comprehensive Logging: Tracks HTTP, DNS, SSL/TLS, FTP, and other protocol activities.
- Intrusion Detection: Identifies suspicious behavior (e.g., port scans, brute-force attacks).
- Customizable Scripts: Extend functionality with Zeek’s domain-specific scripting language.
- Offline Analysis: Process PCAP files for post-capture investigation.
- Scalability: Suitable for small networks to large enterprise deployments.
Installation
- Open a terminal.
- Install Zeek using:
sudo pacman -S zeek
Install Verification
Check the version to confirm installation:
zeek -v
Uninstall
sudo pacman -R zeek
Usage
Analyze Live Traffic
sudo zeek -i eth0
Process a PCAP File
zeek -r capture.pcap
Inspect Generated Logs
List logs:
ls -l *.log
View connection logs:
cat conn.log | zeek-cut id.orig_h id.resp_h service
Example Workflow
Detect SSH Brute-Force Attacks
- Analyze traffic:
sudo zeek -i eth0 local "Site::local_nets += { 192.168.1.0/24 }"
- Check notice.log for alerts. The protocols/ssh/detect-bruteforcing policy that local.zeek loads raises the notice type SSH::Password_Guessing, so filter on that name:
cat notice.log | grep "SSH::Password_Guessing"
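The two inspection steps above (selecting columns from conn.log and filtering notice.log for the brute-force notice) work on Zeek's ASCII log format, which the page does not describe. The following shell example is added here and is not code from the Zeek project: it reimplements the column selection that zeek-cut performs with awk (the function name zcut is hypothetical), runs it over constructed conn.log and notice.log excerpts embedded inline, and shows both the per-source SSH connection count a responder would compute and the sources the SSH::Password_Guessing notice flagged.

```shell
#!/bin/sh
# Added example for this page; it is not code from the Zeek project.
# Zeek's ASCII logs are tab-separated rows under a self-describing header:
# "#fields" names every column, "#types" gives each one's Zeek type, an unset
# value is written as "-" and an empty string as "(empty)". zeek-cut selects
# columns by those names; zcut (a hypothetical name) reimplements that with
# awk so the sample logs below can be worked with on a host without Zeek.

zcut() {
    awk -v want="$*" '
        BEGIN { FS = "\t"; OFS = "\t"; n = split(want, names, " ") }
        $1 == "#fields" {                 # remember the index of every column
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            next
        }
        /^#/ { next }                     # other header lines and #close
        {
            out = ""
            for (k = 1; k <= n; k++) {
                v = (names[k] in col) ? $(col[names[k]]) : "-"
                out = out (k > 1 ? OFS : "") v
            }
            print out
        }'
}

# Constructed conn.log excerpt (a real conn.log has more columns). Rows are
# written with "|" as the column separator and converted to tabs on output.
sample_conn_log() {
    printf '%s\n' '#separator \x09' '#unset_field|-' '#path|conn' \
        '#fields|ts|uid|id.orig_h|id.orig_p|id.resp_h|id.resp_p|proto|service|conn_state' \
        '#types|time|string|addr|port|addr|port|enum|string|string' \
        '1700000000.1|CAb1|192.168.1.10|51000|10.0.0.5|22|tcp|ssh|S0' \
        '1700000000.2|CAb2|192.168.1.10|51001|10.0.0.5|22|tcp|ssh|S0' \
        '1700000000.3|CAb3|192.168.1.10|51002|10.0.0.5|22|tcp|ssh|REJ' \
        '1700000001.0|CAb4|192.168.1.20|40000|203.0.113.10|443|tcp|ssl|SF' \
        '1700000002.0|CAb5|192.168.1.20|40001|10.0.0.53|53|udp|dns|SF' \
        '1700000003.0|CAb6|192.168.1.30|40002|10.0.0.9|8080|tcp|-|S0' \
        '#close|2023-11-14-22-13-23' | tr '|' '\t'
}

# Constructed notice.log excerpt with only the columns this example needs.
sample_notice_log() {
    printf '%s\n' '#separator \x09' '#path|notice' \
        '#fields|ts|note|msg|src|dst|actions' \
        '#types|time|enum|string|addr|addr|set[enum]' \
        '1700000030.0|SSH::Password_Guessing|192.168.1.10 appears to be guessing SSH passwords (seen in 30 connections).|192.168.1.10|-|Notice::ACTION_LOG' \
        '1700000031.0|Scan::Port_Scan|192.168.1.30 scanned at least 15 unique ports of host 10.0.0.9|192.168.1.30|10.0.0.9|Notice::ACTION_LOG' \
        '#close|2023-11-14-22-13-40' | tr '|' '\t'
}

# Triage from conn.log: how many SSH connections each source opened.
ssh_attempts_by_source() {
    zcut id.orig_h service |
        awk -F '\t' '$2 == "ssh" { n[$1]++ } END { for (h in n) print n[h], h }' |
        sort -rn
}

# Triage from notice.log: sources the bundled SSH detect-bruteforcing policy
# flagged (its notice type is SSH::Password_Guessing).
brute_force_sources() {
    zcut note src | awk -F '\t' '$1 == "SSH::Password_Guessing" { print $2 }' | sort -u
}

# Stand-alone run: the same pipelines the page applies to live logs.
sample_conn_log | ssh_attempts_by_source
sample_notice_log | brute_force_sources
```

On a real sensor, replace the sample functions with `cat conn.log` and `cat notice.log` (or the real zeek-cut); selecting by column name rather than position matters because Zeek reorders and adds columns as policies are loaded.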
Configuration
Main Configuration Files
- Global settings:
/usr/local/zeek/etc/zeekctl.cfg
- Custom scripts:
/usr/local/zeek/share/zeek/site/local.zeek
Example: Add a Custom Network Range
Edit local.zeek:
nano /usr/local/zeek/share/zeek/site/local.zeek
Add:
redef Site::local_nets += { 10.0.0.0/8 };
Official Documentation & More Info
Contributing
- Contribute scripts or report issues via GitHub.
- Follow the contributing guidelines.
Support
- Join the Zeek Slack Community.
- Ask questions on the Zeek Discourse Forum.
License
Zeek is released under the BSD 3-Clause License.