Zeek

Zeek Project

Network security monitor that turns traffic into rich, structured connection logs.

Tags: Network Recon & Monitoring · Free & Open Source · Platform / Suite · Learning · Linux

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Detection / Monitoring
9 Containment & Eradication
10 Post-incident Forensics

Description

Zeek (formerly Bro) is a passive network security monitor. Unlike Snort/Suricata (signature-based), Zeek describes traffic in deep semantic logs: conn.log, http.log, dns.log, ssl.log, files.log, x509.log, notice.log. These logs are gold for threat hunting in a SIEM.

Why a SOC loves Zeek:

  • JA3/JA3S/JARM TLS fingerprints out of the box.
  • File extraction with MIME-type recognition.
  • Scriptable in its own policy language — write detections that match behaviour, not just bytes.
  • Pairs perfectly with Suricata in Security Onion / Corelight builds.

Use cases

  • Threat hunting in connection/protocol logs
  • DNS tunneling and beaconing detection
  • File-extraction pipelines for malware analysis
  • Long-retention behavioural baselining

Example

# Run Zeek against a PCAP; the logs (conn.log, dns.log, http.log, ...) are written to the current directory
zeek -r capture.pcap
# Pull selected columns out of conn.log with zeek-cut, which reads the log on stdin
zeek-cut id.orig_h id.resp_h id.resp_p service duration < conn.log
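Once Zeek has produced conn.log, the threat-hunting and beaconing use cases listed above come down to parsing its TSV format and looking for behaviour across many rows. The script below is an added example, not code from the Zeek project: it parses Zeek's ASCII log format (the `#separator`, `#fields` and `#unset_field` header lines) and then flags source/destination/port triples whose inter-connection gaps are unusually regular, a common first-pass beacon heuristic. The embedded conn.log is constructed and trimmed to a few columns; the `min_conns` and `max_cv` thresholds are assumptions to tune against your own baseline.

```python
"""Parse a Zeek conn.log (TSV with '#fields' header) and hunt for beaconing:
origin/responder pairs whose inter-connection gaps are suspiciously regular."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample in Zeek's ASCII log format, trimmed to nine columns.
# Host 10.0.0.5 reaches 203.0.113.7:443 roughly every 60 s (beacon-like);
# the remaining rows are irregular background traffic.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval
1700000000.000000\tC1\t10.0.0.5\t51000\t203.0.113.7\t443\ttcp\tssl\t0.210
1700000060.500000\tC2\t10.0.0.5\t51001\t203.0.113.7\t443\ttcp\tssl\t0.198
1700000120.200000\tC3\t10.0.0.5\t51002\t203.0.113.7\t443\ttcp\tssl\t0.205
1700000180.900000\tC4\t10.0.0.5\t51003\t203.0.113.7\t443\ttcp\tssl\t0.231
1700000240.400000\tC5\t10.0.0.5\t51004\t203.0.113.7\t443\ttcp\tssl\t-
1700000300.700000\tC6\t10.0.0.5\t51005\t203.0.113.7\t443\ttcp\tssl\t0.215
1700000005.000000\tC7\t10.0.0.8\t40000\t198.51.100.2\t80\ttcp\thttp\t1.500
1700000012.000000\tC8\t10.0.0.8\t40001\t198.51.100.2\t80\ttcp\thttp\t0.800
1700000100.000000\tC9\t10.0.0.8\t40002\t198.51.100.2\t80\ttcp\thttp\t2.100
1700000103.000000\tC10\t10.0.0.8\t40003\t198.51.100.2\t80\ttcp\thttp\t0.400
1700000350.000000\tC11\t10.0.0.8\t40004\t198.51.100.2\t80\ttcp\thttp\t3.000
1700000007.000000\tC12\t10.0.0.9\t53000\t192.0.2.1\t53\tudp\tdns\t0.030
#close\t2024-01-01-00-05-00
"""


def parse_zeek_log(text):
    """Return one dict per data row. Honors '#separator', '#fields' and
    '#unset_field' headers; unset values ('-' by default) become None."""
    sep, unset, fields = "\t", "-", None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Zeek writes the separator as an escape sequence, e.g. \x09
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            elif line.startswith("#unset_field" + sep):
                unset = line.split(sep, 1)[1]
            elif line.startswith("#fields" + sep):
                fields = line.split(sep)[1:]
            continue  # #types, #path, #open, #close are not needed here
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return records


def detect_beacons(records, min_conns=5, max_cv=0.2):
    """Group connections by (orig_h, resp_h, resp_p). A pair with at least
    min_conns connections whose inter-arrival coefficient of variation
    (stdev / mean) is at most max_cv is reported as a beacon candidate.
    Thresholds are assumed starting points, not Zeek defaults."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    hits = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all connections at the same instant: not a periodic pattern
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"pair": pair, "count": len(stamps), "mean_interval": avg, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    conns = parse_zeek_log(SAMPLE_CONN_LOG)
    for hit in detect_beacons(conns):
        o, r, p = hit["pair"]
        print(f"{o} -> {r}:{p}  n={hit['count']}  every {hit['mean_interval']:.1f}s  cv={hit['cv']:.3f}")
```

On the sample, only the 10.0.0.5 to 203.0.113.7:443 pair is reported (six connections about 60 s apart, CV near 0.01); the 10.0.0.8 traffic has the same connection count but a CV above 1 and is ignored. Real beacons add jitter deliberately, so in practice the CV threshold and minimum count are tuned per environment and combined with other conn.log fields (service, byte counts, duration) before anything is raised to an analyst.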