
Zeek

Zeek is a free and open-source software network analysis framework. Vern Paxson began development work on Zeek in 1995 at Lawrence Berkeley National Lab.[3] Zeek is a network security monitor (NSM) but can also be used as a network intrusion detection system (NIDS).[4] The Zeek project releases the software under the BSD license.

Zeek
Original author(s): Vern Paxson
Initial release: 24 January 1998 (1998-01-24)[1]
Stable release: 6.1.0[2] / 13 October 2023
Repository: github.com/zeek/zeek
Written in: C++
Operating system: Linux, FreeBSD, macOS
Type: Network intrusion detection system
License: BSD license
Website: zeek.org

Output

Zeek's purpose is to inspect network traffic and generate a variety of logs describing the activity it sees.[5] A complete list of log files is available at the project documentation site.[6]

Log example

The following is an example of one entry in JSON format from the conn.log:[7]

{
  "ts": 1554410064.698965,
  "uid": "CMreaf3tGGK2whbqhh",
  "id.orig_h": "192.168.144.130",
  "id.orig_p": 64277,
  "id.resp_h": "192.168.144.2",
  "id.resp_p": 53,
  "proto": "udp",
  "service": "dns",
  "duration": 0.320463,
  "orig_bytes": 94,
  "resp_bytes": 316,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "Dd",
  "orig_pkts": 2,
  "orig_ip_bytes": 150,
  "resp_pkts": 2,
  "resp_ip_bytes": 372,
  "tunnel_parents": []
}
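The entry above is one line of a JSON-lines conn.log; in this format Zeek writes one object per connection and omits fields that have no value. The following Python script is an added example, not part of the article or the Zeek project: it parses such a file, summarises connections per service, and flags completed connections on a well-known port whose detected service is missing or different, which is where Zeek's protocol-based (rather than port-based) service labelling pays off. The sample input is constructed from the entry quoted above plus two invented records, and the port-to-service table is an assumption of the example.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: the conn.log entry quoted in the article plus two
# invented records (TLS on 443 identified as "ssl", and a TCP connection
# on 80 with no service identified; Zeek omits "service" when it is unset).
SAMPLE_CONN_LOG = """\
{"ts": 1554410064.698965, "uid": "CMreaf3tGGK2whbqhh", "id.orig_h": "192.168.144.130", "id.orig_p": 64277, "id.resp_h": "192.168.144.2", "id.resp_p": 53, "proto": "udp", "service": "dns", "duration": 0.320463, "orig_bytes": 94, "resp_bytes": 316, "conn_state": "SF", "missed_bytes": 0, "history": "Dd", "orig_pkts": 2, "orig_ip_bytes": 150, "resp_pkts": 2, "resp_ip_bytes": 372, "tunnel_parents": []}
{"ts": 1554410070.1, "uid": "CexampleUid0000001", "id.orig_h": "192.168.144.130", "id.orig_p": 50123, "id.resp_h": "203.0.113.10", "id.resp_p": 443, "proto": "tcp", "service": "ssl", "duration": 2.5, "orig_bytes": 1200, "resp_bytes": 8400, "conn_state": "SF", "missed_bytes": 0, "history": "ShADadFf", "orig_pkts": 12, "orig_ip_bytes": 1700, "resp_pkts": 14, "resp_ip_bytes": 9000, "tunnel_parents": []}
{"ts": 1554410075.5, "uid": "CexampleUid0000002", "id.orig_h": "192.168.144.130", "id.orig_p": 50124, "id.resp_h": "203.0.113.20", "id.resp_p": 80, "proto": "tcp", "duration": 0.9, "orig_bytes": 600, "resp_bytes": 300, "conn_state": "SF", "missed_bytes": 0, "history": "ShADadFf", "orig_pkts": 6, "orig_ip_bytes": 900, "resp_pkts": 5, "resp_ip_bytes": 560, "tunnel_parents": []}
"""

# Assumed mapping of (responder port, transport) to the service name Zeek
# would normally write in conn.log; this table belongs to the example.
EXPECTED_SERVICE = {
    (53, "udp"): "dns",
    (80, "tcp"): "http",
    (443, "tcp"): "ssl",
    (22, "tcp"): "ssh",
}


def parse_conn_log(text):
    """Parse JSON-lines conn.log text into a list of dicts.

    Blank lines are skipped and malformed lines are counted instead of
    raising, so one damaged line does not abort a large file.
    """
    records, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        # "ts" is epoch seconds with sub-second precision.
        rec["_time"] = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
        records.append(rec)
    return records, malformed


def summarize_by_service(records):
    """Count connections and payload bytes per service ('-' if unset)."""
    count, total_bytes = Counter(), Counter()
    for r in records:
        svc = r.get("service", "-")
        count[svc] += 1
        total_bytes[svc] += r.get("orig_bytes", 0) + r.get("resp_bytes", 0)
    return {svc: {"connections": count[svc], "bytes": total_bytes[svc]}
            for svc in count}


def find_port_service_mismatches(records, expected=EXPECTED_SERVICE):
    """Return (uid, resp_p, services) for completed connections (SF) on a
    well-known port whose detected service is missing or differs.

    Only SF connections are checked: a half-open or rejected connection
    (S0, REJ, ...) carries no payload for Zeek to identify, so an empty
    service there is expected rather than suspicious.
    """
    hits = []
    for r in records:
        key = (r["id.resp_p"], r["proto"])
        if key not in expected or r.get("conn_state") != "SF":
            continue
        # "service" may list several comma-separated analyzers.
        seen = set(r.get("service", "").split(",")) - {""}
        if expected[key] not in seen:
            hits.append((r["uid"], key[0], sorted(seen)))
    return hits


if __name__ == "__main__":
    recs, bad = parse_conn_log(SAMPLE_CONN_LOG)
    print(f"{len(recs)} records parsed, {bad} malformed")
    for svc, s in summarize_by_service(recs).items():
        print(f"{svc:>5} connections={s['connections']} bytes={s['bytes']}")
    for uid, port, seen in find_port_service_mismatches(recs):
        print(f"mismatch uid={uid} resp_p={port} services={seen or '-'}")
```

Run against a real file with `parse_conn_log(open("conn.log").read())`; the uid in each reported mismatch can then be looked up in the other Zeek logs (dns.log, http.log, ssl.log) to see what the connection actually carried.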

Threat hunting

One of Zeek's primary use cases involves cyber threat hunting.[8]

Name

The principal author, Paxson, originally named the software "Bro" as a warning regarding George Orwell's Big Brother from the novel Nineteen Eighty-Four. In 2018 the project leadership team decided to rename the software. At LBNL in the 1990s, the developers ran their sensors as a pseudo-user named "zeek", thereby inspiring the name change in 2018.[9]

Zeek deployment

Security teams identify the locations on their network where they want visibility. They deploy one or more network taps, or enable switch SPAN ports for port mirroring, to gain access to the traffic at those points. They then deploy Zeek on servers connected to those visibility points.[10] The Zeek software on the server turns the observed network traffic into logs, writing them to local disk or to remote storage.[11]

Zeek application architecture and analyzers

Zeek's event engine analyzes live or recorded network traffic to generate neutral event logs. Zeek uses common ports and dynamic protocol detection (involving signatures as well as behavioral analysis) to identify network protocols.[12]

Developers write Zeek policy scripts in the Turing-complete Zeek scripting language. By default Zeek logs information about events to files, but analysts can also configure Zeek to take other actions, such as sending an email, raising an alert, executing a system command, updating an internal metric, or calling another Zeek script.

Zeek analyzers perform application layer decoding, anomaly detection, signature matching and connection analysis.[13] Zeek's developers designed the software to incorporate additional analyzers. The latest method for creating new protocol analyzers relies on the Spicy framework.[14]

References

  1. "Bro 0.3-alpha". Retrieved 2022-08-01.
  2. "Release 6.1.0". 13 October 2023. Retrieved 19 November 2023.
  3. Paxson, Vern (1998-01-26). "Bro: A System for Detecting Network Intruders in Real-Time" (PDF). USENIX. Retrieved 2022-08-01.
  4. McCarty, Ronald. "Bro IDS » ADMIN Magazine". ADMIN Magazine. Retrieved 2023-07-06.
  5. "Zeek Network Security Monitor". 22 December 2021. Retrieved 2022-08-01.
  6. "Zeek Script Reference Log Files". Zeek Documentation. Retrieved 2022-08-01.
  7. Wright, Joshua (2019-12-09). "Parsing Zeek JSON Logs with JQ". SANS. Retrieved 2022-08-01.
  8. Ooi, Eric (22 November 2023). "Zeekurity Zen - Part IV: Threat Hunting with Zeek". Eric Ooi. Retrieved 2023-11-20.
  9. Paxson, Vern (2018-10-11). "Renaming the Bro Project".
  10. "Enabling SOHO Network Monitoring". 2020-04-07. Retrieved 2022-08-01.
  11. Ooi, Eric (3 January 2019). "Zeekurity Zen Part III: How to Send Zeek Logs to Splunk". Eric Ooi. Retrieved 2022-08-01.
  12. Grashöfer, Jan; Titze, Christian; Hartenstein, Hannes (2019). "Attacks on Dynamic Protocol Detection of Open Source Network Security Monitoring Tools". arXiv:1912.03962 [cs.NI].
  13. Sommer, Robin (2003). "Bro: An Open Source Network Intrusion Detection System". CiteSeerX 10.1.1.60.5410.
  14. "Spicy". GitHub. 11 June 2022. Retrieved 2022-08-01.

External links

  • The Zeek Network Security Monitor
  • Bro: A System for Detecting Network Intruders in Real-Time – Vern Paxson
  • Zeek Nedir? Nasıl Kurulur? (What is Zeek? How is it installed?) – KernelBlog, Emre Yılmaz (in Turkish)
