Zeek is a free and open-source software network analysis framework. Vern Paxson began development work on Zeek in 1995 at Lawrence Berkeley National Lab. Zeek is a network security monitor (NSM) but can also be used as a network intrusion detection system (NIDS). The Zeek project releases the software under the BSD license.


Output

Zeek's purpose is to inspect network traffic and generate a variety of logs describing the activity it sees. A complete list of log files is available at the project documentation site.


Log example

The following is an example of one entry in JSON format from the conn.log:


Threat hunting

One of Zeek's primary use cases involves cyber threat hunting.
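The two preceding sections, the JSON conn.log entry and threat hunting, are illustrated together by the following added example. It is not code from the original page or from the Zeek project. The conn.log lines are constructed sample data (the uid values and addresses are made up, using RFC 1918 and documentation ranges only); the field names are the standard conn.log fields Zeek writes with its JSON log writer, which omits optional fields that are unset. The two hunts (a source that sends SYNs to several targets without completing a handshake, and a large one-sided upload on a connection where Zeek's protocol detection identified no service) are ordinary defender queries one would run over conn.log to decide what to investigate.

```python
"""Parse Zeek conn.log entries in JSON form and run two simple hunts over them.

Added example, not from the page or the Zeek project. Field names are the
standard conn.log fields; the log lines and thresholds are constructed.
"""
import json
from collections import defaultdict

# Constructed sample lines in the one-JSON-object-per-line layout that Zeek's
# JSON log writer produces. Unset optional fields (service, duration, bytes)
# are simply absent, exactly as Zeek emits them.
SAMPLE_CONN_LOG = """\
{"ts":1700000000.1,"uid":"CAb1","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"192.0.2.10","id.resp_p":443,"proto":"tcp","service":"ssl","duration":3.5,"orig_bytes":1200,"resp_bytes":45000,"conn_state":"SF","history":"ShADadFf"}
{"ts":1700000001.2,"uid":"CAb2","id.orig_h":"10.0.0.7","id.orig_p":40001,"id.resp_h":"192.0.2.20","id.resp_p":22,"proto":"tcp","conn_state":"S0","history":"S"}
{"ts":1700000001.3,"uid":"CAb3","id.orig_h":"10.0.0.7","id.orig_p":40002,"id.resp_h":"192.0.2.20","id.resp_p":23,"proto":"tcp","conn_state":"S0","history":"S"}
{"ts":1700000001.4,"uid":"CAb4","id.orig_h":"10.0.0.7","id.orig_p":40003,"id.resp_h":"192.0.2.20","id.resp_p":80,"proto":"tcp","conn_state":"S0","history":"S"}
{"ts":1700000001.5,"uid":"CAb5","id.orig_h":"10.0.0.7","id.orig_p":40004,"id.resp_h":"192.0.2.21","id.resp_p":445,"proto":"tcp","conn_state":"S0","history":"S"}
{"ts":1700000002.0,"uid":"CAb6","id.orig_h":"10.0.0.9","id.orig_p":50000,"id.resp_h":"198.51.100.4","id.resp_p":8443,"proto":"tcp","duration":600.0,"orig_bytes":52428800,"resp_bytes":2048,"conn_state":"SF","history":"ShADadfF"}
{"ts":1700000003.0,"uid":"CAb7","id.orig_h":"10.0.0.5","id.orig_p":51235,"id.resp_h":"192.0.2.53","id.resp_p":53,"proto":"udp","service":"dns","duration":0.01,"orig_bytes":60,"resp_bytes":120,"conn_state":"SF","history":"Dd"}
"""


def parse_conn_log(text):
    """Yield one dict per conn.log line, skipping blank lines.

    Callers must treat optional keys such as "service", "duration" and
    "orig_bytes" as possibly absent, because Zeek does not write unset fields.
    """
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def hunt_scan_like(records, min_targets=3):
    """Return {source: target_count} for sources whose TCP connections to at
    least min_targets distinct host:port pairs never got past the SYN
    (conn_state "S0": connection attempt seen, no reply)."""
    targets = defaultdict(set)
    for r in records:
        if r.get("proto") == "tcp" and r.get("conn_state") == "S0":
            targets[r["id.orig_h"]].add((r["id.resp_h"], r["id.resp_p"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def hunt_large_upload_unknown_service(records, min_bytes=10 * 1024 * 1024):
    """Return (uid, orig_h, resp_h, resp_p, orig_bytes) for completed
    connections ("SF") where dynamic protocol detection assigned no service
    and the originator sent at least min_bytes and >10x what it received."""
    hits = []
    for r in records:
        if r.get("conn_state") != "SF" or "service" in r:
            continue
        sent = r.get("orig_bytes", 0)
        recv = r.get("resp_bytes", 0)
        if sent >= min_bytes and sent > 10 * max(recv, 1):
            hits.append((r["uid"], r["id.orig_h"], r["id.resp_h"],
                         r["id.resp_p"], sent))
    return hits


def run_hunts(text=SAMPLE_CONN_LOG):
    """Parse the log once and return the result of each hunt by name."""
    records = list(parse_conn_log(text))
    return {
        "scan_like": hunt_scan_like(records),
        "large_upload": hunt_large_upload_unknown_service(records),
    }


if __name__ == "__main__":
    for name, result in run_hunts().items():
        print(name, result)
```

On the constructed sample, the first hunt reports 10.0.0.7 with four unanswered SYN targets and the second reports the 50 MiB upload from 10.0.0.9 to port 8443 with no identified service; the ssl and dns connections are skipped because Zeek labelled their service. The thresholds are starting points to tune per environment, and a hit is a lead to examine alongside Zeek's other logs (ssl.log, dns.log, files.log), not a verdict.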


Name

Dr. Paxson originally named the software "Bro" as a warning regarding George Orwell's Big Brother from the novel Nineteen Eighty-Four. In 2018 the project leadership team decided to rename the software. At LBNL in the 1990s, the developers ran their sensors as a pseudo-user named "zeek", thereby inspiring the name change in 2018.


Zeek deployment

Security teams identify locations on their network where they desire visibility. They deploy one or more network taps or enable switch SPAN ports for port mirroring to gain access to traffic. They deploy Zeek on servers with access to those visibility points. The Zeek software on the server turns the network traffic it sees into logs, writing them to local disk or remote storage.


Zeek application architecture and analyzers

Zeek's event engine analyzes live or recorded network traffic to generate neutral event logs. Zeek uses common ports and dynamic protocol detection (involving signatures as well as behavioral analysis) to identify network protocols. Developers write Zeek policy scripts in the Turing-complete Zeek scripting language. By default Zeek logs information about events to files, but analysts can also configure Zeek to take other actions, such as sending an email, raising an alert, executing a system command, updating an internal metric, or calling another Zeek script. Zeek analyzers perform application layer decoding, anomaly detection, signature matching and connection analysis. Zeek's developers designed the software to incorporate additional analyzers. The latest method for creating new protocol analyzers relies on the Spicy framework.


External links

* The Zeek Network Security Monitor (official website)
* Bro: A System for Detecting Network Intruders in Real-Time – Vern Paxson
* Zeek Nedir? Nasıl Kurulur? (What is Zeek? How is it installed?) – KernelBlog, Emre Yılmaz (in Turkish)