monitoring network zeek

A Sneak Peek at Zeek, the Flexible Network Security Monitor

Security is the most necessary parameter that folks contemplate when choosing IT infrastructure. Examine Zeek – an open supply, versatile community visitors analyser that was earlier generally known as Bro. It is efficient, highly stateful and comes with open interfaces. This article explores the scripting element of Zeek.

Networks render essential providers to customers so it’s obligatory to safe them. With every passing day, the quantity and nature of attacks made on networks is growing exponentially.

Zeek, earlier referred to as Bro, was developed by Vern Paxson and Robin Sommer along with a robust staff of researchers at the International Pc Science Institute at Berkeley CA and the Nationwide Centre for Supercomputing Purposes in Urbana Champaign, Illinois, USA. Zeek is the result of 20 lengthy years of intensive research. The speciality of Zeek is that it has the best of each academia and industrial practitioners backing it.

Figure 1: Zeek’s advantages

The primary advantages of Zeek are shown in Figure 1.

  • Adaptable: Certainly one of the outstanding benefits of Zeek is that it offers a domain-specific scripting language. This makes it potential to determine site-specific security monitoring policies.
  • Efficient: Zeek is aimed at offering security options for high-performance networks.
  • Flexible: It is totally different from other instruments in that it doesn’t rely upon a selected detection strategy. One other essential level is that it isn’t dependent on traditional signatures.
  • Forensics: Zeek’s comprehensive logging allows forensics.
  • In-depth evaluation: The evaluation is offered by quite a lot of analysers and is therefore in-depth.
  • Open interfaces: Zeek supplies open interfaces for exchanging real-time info.
  • Open Supply: It’s released beneath the BSD licence. This makes it simpler and efficient to use Zeek for numerous situations.

Figure 2: Historical past of Zeek

Historical past and architecture

The evolution of Zeek is proven in Figure 2 (you’ll be able to seek advice from Zeek’s official documentation).

The earliest work on Zeek dates again to 1995. Over 20 years of analysis has made Zeek very powerful and efficient. Wonderful contributions by individuals from both academia and business have made Zeek a strong safety mechanism.

Zeek is designed with a two-layer architecture, as shown in Determine three (the source is official documentation).

Occasion engine: The primary layer of Zeek is the occasion engine that observes the incoming packet stream and converts it into a collection of events. Based mostly on the nature of the incoming packet sequence, an event is detected. For instance, if an HTTP request is raised, it converts it into an http_request event. The raised http_request incorporates the following knowledge gadgets along with it:

  • The IP handle
  • The port handle
  • The request URI
  • The HTTP version info.

The position of the occasion engine is to easily convert the incoming sequence into an occasion. The event engine doesn’t associate any interpretation to the detected occasion.

Script interpreter: The script interpreter receives the enter from the event handler. The position of the script interpreter is to interpret the occasions detected by the occasion engine. The script interpreter executes the respective event handlers which are inbuilt Zeek’s scripting language. Hence, the script interpreter is the most essential element that permits the era of real-time alerts.

Set up

To put in Zeek in your system, the following dependencies must be glad:

  • Lipcap
  • Open SSL libraries
  • Libz
  • BIND8 library
  • Python 2.6 or above

Run the following command to install Zeek:

sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev

Primarily, Zeek requires a UNIX platform. Help is offered for Linux, FreeBSD and MacOS X. The Linux binaries could be downloaded from the official link: (The secure launch is Zeek 2.6.1, which was released in December 2018.)

In addition to the binaries, Zeek could be compiled from supply as properly. Detailed instructions and the dependencies record may be collected from

To start out learning Zeek, the easiest method is to use the interactive tutorial out there at A detailed tutorial with an in depth listing of examples is obtainable at

Figure three: The Zeek architectureDetermine four: HelloWorld

HelloWorld makes it very straightforward to check out Zeek’s functionalities. A screenshot of is proven in Figure four.

You possibly can simply enter the Zeek script in the code window and click on on Run. You’ll be able to see the output showing in the output field.

Word that the documentation and code makes use of the phrase Bro as an alternative of Zeek. Throughout the documentation and official website, the words Bro and Zeek are used in tandem.

occasion bro_init()

print “Hello, World!”;

occasion bro_done()

print “Goodbye, World!”;

As said earlier, Zeek is event-driven. There are two Zeek events which might be raised all the time. They’re bro_init() and bro_done(). bro_init() is executed when Zeek is began and bro_done() known as when it terminates.

A code instance with the perform calling in Zeek script is given under:

# Perform implementation.

perform emphasize(s: string, p: string &default = “*”): string

return p + s + p;

event bro_init()

# Perform calls.

print emphasize(“yes”);

print emphasize(“no”, “_”);

A code snippet to make use of looping with Zeek can also be proven under:

event bro_init()

for ( character in “OSFY” )

print character;

The output of the above code is:





A simple logging instance with Bro script is as proven under. It makes two logs — one for Mod 5 and one other for non-Mod 5.

@load factorial

event bro_init()

Log::create_stream(Factor::LOG, [$columns=Factor::Info, $path=”factor”]);

local filter: Log::Filter = [$name=”split-mod5s”, $path_func=Factor::mod5];

Log::add_filter(Issue::LOG, filter);

Log::remove_filter(Factor::LOG, “default”);

event bro_done()

native numbers: vector of rely = vector(1, 2, three, four, 5, 6, 7, eight, 9, 10);

for ( n in numbers)

Log::write( Issue::LOG, [$num=numbers[n],


A code snippet to boost a discover for specific occasions is as proven under:

@load factorial

occasion bro_init()

Log::create_stream(Factor::LOG, [$columns=Factor::Info, $path=”factor”]);

local filter: Log::Filter = [$name=”split-mod5s”, $path_func=Factor::mod5];

Log::add_filter(Issue::LOG, filter);

Log::remove_filter(Issue::LOG, “default”);

occasion bro_done()

native numbers: vector of rely = vector(1, 2, three, 4, 5, 6, 7, 8, 9, 10);

for ( i in numbers)

native outcome = Issue::factorial(numbers[i]);


$factorial_num=end result]);

if (end result == Factor::interesting_result)


$msg = “Something happened!”,

$sub = fmt(“result = %d”, outcome)]);

The examples illustrate the core scripting options of the Zeek script. Although the functionality coded is straightforward, the goal was to showcase the talents of Zeek akin to writing logs, scanning and raising notices for fascinating events.

Zeek frameworks

Zeek offers many frameworks. These allow us to carry out particular tasks simply and effectively. The Zeek frameworks are listed under:

  • Configuration framework
  • File analysis
  • Geo-location
  • Enter framework
  • Logging framework
  • NetControl framework
  • Discover framework
  • Signature framework
  • Summary statistics
  • Cluster framework

Overlaying all these frameworks shouldn’t be potential on account of area constraints. The Intel framework that’s used together with Zeek can be used to perform fascinating duties. One such example is shown under:

@load frameworks/intel/seen

redef Intel::read_files +=

fmt(“%s/intel-1.dat”, @DIR)


ntel-1.dat consists of the following: Intel::DOMAIN my_special_source

This easy code generates an in depth output. The output consists of the following elements:

  • Capture_loss
  • Connection
  • Information
  • Http
  • Intel
  • Known_Hosts
  • Known_Services
  • Software program
  • Stats

Detailed directions on the intelligent framework are available at

Figure 5: Zeek Intel output

Considered one of the major benefits of Zeek is that it comes with comprehensive documentation. Detailed educating and coaching modules can be found at Zeek videos are available at

This text is just a sneak peek into the world of Zeek. With the assets listed above, interested readers can easily explore it.

About the author