Zeek Fundamentals

Zeek is an open-source network traffic analyzer widely used for identifying suspicious or malicious network activity. However, Zeek is also effective for network troubleshooting and measurement. It generates log files that provide detailed insights into all network activities, making it invaluable for cybersecurity teams (blue teams). Logs produced by Zeek include detailed records of connections and application-layer activities, such as DNS queries, HTTP sessions, etc. Additionally, Zeek’s functions support extensive analysis and detection capabilities beyond logging.

Zeek’s standout feature is its powerful scripting language, enabling users to create custom scripts akin to Suricata rules. This language allows blue teams to develop tailored network analysis and intrusion detection strategies.

Rather than relying solely on signature-based detection, Zeek offers semantic misuse detection, anomaly detection, and behavioral analysis.

Zeek's Operation Modes

Zeek operates in several modes:

  • Fully passive traffic analysis

  • libpcap interface for packet capture

  • Real-time and offline analysis (e.g., PCAP-based)

  • Cluster support for large-scale deployments

Zeek's Architecture

Zeek's architecture consists of two main components:

  1. Event Engine (Core):

    • Transforms the incoming packet stream into a series of high-level events describing network activity.

    • These events are policy-neutral; they describe what happened without interpreting it (e.g., an HTTP request is recorded as an http_request event).

  2. Script Interpreter:

    • Executes event handlers written in Zeek's scripting language (Zeek scripts), which specify site security policies.

    • Events generated by Zeek’s core are processed sequentially.

Zeek events are mainly defined in .bif files located in /scripts/base/bif/plugins/. For a comprehensive event list, refer to Zeek Events Documentation.

Zeek Logs

When running Zeek in offline mode with a PCAP file, logs are saved to the current directory. Common logs include:

  • conn.log: Logs details on IP, TCP, UDP, and ICMP connections.

  • dns.log: Logs DNS queries and responses.

  • http.log: Logs HTTP request and response details.

  • ftp.log: Logs FTP requests and responses.

  • smtp.log: Logs SMTP transactions, including sender and recipient details.

Example (http.log): Contains data fields like host, uri, referrer, user_agent, and status_code.

For a complete list of Zeek logs and fields, see Zeek Logs Documentation.

Zeek compresses log files hourly using gzip and moves older logs into a date-named directory (YYYY-MM-DD format). These compressed logs can be read without unpacking them using tools such as gzcat (to print a log) and zgrep (to search within one).

Zeek also provides zeek-cut, a utility for extracting specific columns from Zeek logs, facilitating easier log analysis.
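As an added example (not code from the Zeek project or from this page), here is a small Python reader for the Zeek ASCII log format that honours the #separator, #unset_field, #fields and #types header directives and then pulls named columns the way `zeek-cut host uri status_code` would. The http.log content it parses is constructed sample data with an abbreviated column set.

```python
import io
# Constructed sample http.log; a real http.log carries more columns than shown here.
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tmethod\thost\turi\treferrer\tuser_agent\tstatus_code\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport"
    "\tstring\tstring\tstring\tstring\tstring\tcount\n"
    "1700000000.123456\tCabc1\t10.0.0.5\t51234\t93.184.216.34\t80"
    "\tGET\texample.com\t/\t-\tcurl/8.4.0\t200\n"
    "1700000001.654321\tCdef2\t10.0.0.5\t51235\t93.184.216.34\t80"
    "\tGET\texample.com\t/admin\t-\tcurl/8.4.0\t404\n"
    "1700000002.000000\tCghi3\t10.0.0.7\t40000\t198.51.100.9\t8080"
    "\tPOST\tupdates.local\t/upload\thttp://example.com/\tMozilla/5.0\t-\n"
    "#close\t2023-11-14-22-13-22\n"
)

# Zeek scalar #types mapped to Python types; anything else (addr, string, ...) stays a str.
CASTS = {"count": int, "int": int, "port": int, "time": float, "double": float, "interval": float}

def parse_zeek_log(text):
    """Yield one dict per data row, using the log's own header directives."""
    sep, unset, fields, types = "\t", "-", None, None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The first header line carries the separator in escaped form (e.g. \x09).
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "unset_field":
                    unset = value
                elif key == "fields":
                    fields = value.split(sep)
                elif key == "types":
                    types = value.split(sep)
            continue
        values = line.split(sep)
        if fields is None or len(values) != len(fields):
            raise ValueError(f"malformed row (fields={fields}): {line!r}")
        # Unset fields ("-") become None; typed scalars are converted, others stay strings.
        yield {n: (None if raw == unset else CASTS.get(t, str)(raw)) for n, t, raw in zip(fields, types, values)}

def zeek_cut(text, *columns):
    """Return the named columns of every record, like `zeek-cut host uri status_code`."""
    return [tuple(rec[c] for c in columns) for rec in parse_zeek_log(text)]
```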

Zeek Key Features

Key features enhancing Zeek's effectiveness:

  • Extensive logging of network activities

  • Analysis of application-layer protocols (e.g., HTTP, DNS, FTP, SMTP, SSH, SSL)

  • Ability to inspect file contents exchanged over application-layer protocols

  • IPv6 support

  • Detection and analysis of tunnels

  • Sanity checks in protocol analysis

  • IDS-like pattern matching

  • Powerful scripting language supporting custom analysis tasks and state management

  • ASCII log output by default, with options for ElasticSearch and DataSeries

  • Real-time integration of external inputs

  • C library interface for sharing Zeek events with other programs

  • Ability to trigger external processes from within the scripting language

For Zeek examples, scripting basics, and use cases, visit Zeek Examples. For a quick start, check the Zeek Quick Start Guide.
