Zeek (formerly Bro) is a free and open-source software network analysis framework; it was originally developed in 1994 by Vern Paxson and was named in reference to George Orwell's Big Brother from his novel Nineteen Eighty-Four. It can be used as a network intrusion detection system (NIDS) but with additional live analysis of network events. It is released under the BSD license.
|Original author(s)||Vern Paxson|
|Operating system||Linux, FreeBSD, macOS|
|Type||Network intrusion detection system|
Zeek's application architecture
IP packets captured with pcap are transferred to an event engine which accepts or rejects them. The accepted packets are forwarded to the policy script interpreter.
The event engine analyzes live or recorded network traffic or trace files to generate neutral events. It generates events when "something" happens. This can be triggered by the Zeek process, such as just after initialization or just before termination of the Zeek process, as well as by something taking place on the network (or trace file) being analyzed, such as Zeek witnessing an HTTP request or a new TCP connection. Zeek uses common ports and dynamic protocol detection (involving signatures as well as behavioral analysis) to make a best guess at interpreting network protocols. Events are policy neutral in that they are not good or bad but simply signals to script land that something happened.
Events are handled by policy scripts, which analyze events to create action policies. The scripts are written in the Turing complete Zeek scripting language. By default Zeek simply logs information about events to files (Zeek also supports logging events in binary output); however, it can be configured to take other actions such as sending an email, raising an alert, executing a system command, updating an internal metric and even calling another Zeek script. The default behavior produces NetFlow-like output (conn log) as well as application event information. Zeek scripts are able to read in data from external files, such as blacklists, for use within Zeek policy scripts.
Most Zeek analyzers are located in Zeek's event engine with an accompanying policy script. The policy script can be customized by the user. The analyzers perform application layer decoding, anomaly detection, signature matching and connection analysis. Zeek has been designed so that it is easy to add additional analyzers. Some application layer analyzers included with Zeek are HTTP, FTP, SMTP and DNS amongst others. Other non-application layer analyzers include analyzers that detect host or port scans, intermediary hosts and syn-floods. Zeek also includes signature detection and allows the import of Snort signatures.
- "Releases - zeek/zeek". Retrieved 10 December 2019 – via GitHub.
- Paxson, Vern (11 October 2018). "Renaming the Bro Project".
- McCarty, Ronald. "Bro IDS » ADMIN Magazine". ADMIN Magazine. Retrieved 2018-07-11.
- Sommer, Robin (2003). "Bro: An Open Source Network Intrusion Detection System". citeseerx.ist.psu.edu. Munich, Germany: Computer Science Department TU München. CiteSeerX 10.1.1.60.5410. Retrieved 2018-07-11.
- The Zeek Network Security Monitor
- Bro: A System for Detecting Network Intruders in Real-Time – Vern Paxson
- The NSA is Not Made Of Magic – Bruce Schneier