In today’s cybersecurity landscape, network traffic analysis plays a critical role in threat hunting, incident response, and security monitoring. One of the most powerful open-source tools for this purpose is Zeek (formerly known as Bro).

In this article, we will explore what Zeek is, how to install it, and how it can be used to analyze network traffic through its detailed logging system.

What is Zeek?

Zeek is an open-source network traffic analyzer designed for security monitoring and threat detection. Unlike other network analysis tools that require specialized hardware, Zeek is scalable, clusterable, and runs on commodity hardware. It can process traffic from PCAP files or live network captures, generating detailed log files to help security professionals analyze and detect suspicious activity.

Key Features of Zeek:

✔ Works with both PCAP files and live network traffic
✔ Generates detailed security logs for various network activities
✔ Scalable and runs on commodity hardware
✔ Modular and extensible, allowing users to create custom analyzers
✔ Widely used in network security monitoring, incident response, and threat hunting

Installing Zeek on macOS and Linux

Installing Zeek is straightforward, with pre-built packages available for macOS and Linux.

Installation on macOS (Using Homebrew)

If you are using macOS, Zeek can be installed easily using Homebrew:

xcode-select --install # Install Xcode dependencies (if not already installed)brew install zeek # Install Zeek via Homebrew

After installation, you can start using Zeek immediately.

Installation on Ubuntu/Linux

For Ubuntu and other Linux distributions, Zeek can be installed by adding the official repository and running the following commands:

sudo apt update sudo apt install zeek

Alternatively, you can build Zeek from source, but this is usually unnecessary as pre-built packages are available.

Using Zeek for Network Traffic Analysis

Once installed, Zeek can be used to analyze PCAP files or live network traffic. The basic command for analyzing a PCAP file is:

zeek -r filename.pcap

This command processes the PCAP file and generates log files in the current working directory. These logs provide valuable insights into network activity.

Understanding Zeek Log Files

Zeek generates a variety of logs, each capturing different aspects of network traffic. Let’s take a look at some of the most important log files:

1. Connection Log (con.log) – Network Metadata

The connection log records essential network details such as:

• Source and destination IP addresses
• Ports and protocols used
• Session duration and byte count

This log is useful for tracking network activity patterns and identifying unusual connections.

2. HTTP Log (http.log) – Web Traffic Analysis

The HTTP log contains valuable information about web traffic, including:

• URLs and user agents
• HTTP methods (GET, POST, etc.)
• Response status codes

This log helps in detecting suspicious HTTP requests and analyzing malicious web activity.

3. DNS Log (dns.log) – Domain Name System Monitoring

The DNS log records all DNS queries and responses, which is useful for:

• Identifying connections to malicious domains
• Tracking domain resolution behavior
• Detecting command-and-control (C2) communications

4. SSH Log (ssh.log) – Secure Shell Traffic

The SSH log provides information on client and server SSH connections, helping to:

• Detect unauthorized SSH access attempts
• Monitor SSH usage within the network

5. FTP Log (ftp.log) – File Transfer Monitoring

The FTP log captures:

• Usernames and passwords used in FTP sessions
• Transferred files and commands executed

This log is helpful for identifying weak credentials and detecting unauthorized file transfers.

6. Dynamic Protocol Detection (dpd.log) – Identifying Non-Standard Traffic

The DPD log helps detect:

• Protocols running on non-standard ports
• Potential malware using unusual network configurations

This log is valuable for identifying stealthy threats that attempt to evade detection by masquerading as legitimate traffic.

7. Industrial Protocol Logs (Modbus, DNP3) – Monitoring Critical Infrastructure

Zeek also supports industrial protocols such as:

• Modbus and DNP3 – Used in industrial control systems (ICS)
• SMB (Server Message Block) – Used in Windows file sharing

These logs are crucial for protecting critical infrastructure from cyber threats.

Zeek for Threat Hunting and Incident Response

Zeek is widely used for threat hunting and incident response. Here’s how it helps to disrupt attacks and enhance cyber defense:

1. Unmatched Network Visibility and Log Correlation Using the UID Field

Achieving comprehensive network visibility is crucial for identifying threats swiftly. Each log entry in Zeek contains a UID (unique identifier) that allows security analysts to link events across different logs, providing a panoramic view of network activities. For example:

• A connection in con.log can be traced to DNS queries in dns.log
• An SSH login attempt in ssh.log can be correlated with network activity in con.log

2. Rapid Detection of Anomalies and Suspicious Activity

Zeek excels in enabling rapid response by making it easier to identify unusual network behaviors, such as:

• Unauthorized remote access attempts
• Malware communication with external servers
• Suspicious file transfers and login attempts

This swift identification helps in disrupting ongoing attacks, minimizing potential damage, and enhancing the overall security posture.

3. Customizing Zeek for Advanced Threat Detection

Zeek is highly modular and allows users to create custom analyzers and scripts to detect specific threats. Security teams can tailor Zeek to:

• Monitor specific protocols
• Flag abnormal behaviors
• Automate incident detection and response

By empowering security defenses with customized threat detection, Zeek allows for a more adaptive and robust cyber defense strategy. This adaptability ensures that the network remains resilient against evolving threats, fortifying the defense framework and enabling proactive threat management.

Unlocking Threat Hunting Advantages with Open NDR and MITRE ATT&CK

Discover a proactive approach to cyber defense by leveraging the powerful combination of Open Network Detection and Response (NDR) and the MITRE ATT&CK framework. Here’s how these tools enhance threat hunting capabilities:

1. Enhanced Threat Detection: Open NDR systems offer real-time visibility into network traffic, empowering you to identify anomalies and potential threats swiftly. By using these systems, you can spot suspicious activities before they escalate into serious security breaches.
2. Comprehensive Network Insight: Gain deep insights into network behavior and performance. With Open NDR, you get a clear understanding of what is normal in your network, making it easier to spot irregularities that could indicate a threat.
3. Structured Framework for Analysis: MITRE ATT&CK provides a detailed, systematic approach to understanding adversary behavior. This framework helps threat hunters to categorize and analyze threats, aligning them with known tactics, techniques, and procedures (TTPs).
4. Proactive Defense Strategy: By integrating these tools, organizations can shift from reactive to proactive defense strategies. Recognize and mitigate threats before they exploit vulnerabilities, thanks to the predictive insights offered by MITRE ATT&CK.
5. Streamlined Investigations: Reduce the time and resources spent on understanding threats. Open NDR and MITRE ATT&CK streamline the investigation process, delivering precise information, so you can focus on remediation efforts rather than data gathering.
6. Enhanced Collaboration and Learning: Share insights and learnings with a community of practice. Utilizing MITRE ATT&CK promotes collaboration across security teams, fostering an environment of continuous learning and improvement.

By incorporating Open NDR and the MITRE ATT&CK framework into your security operations, you can bolster your threat hunting initiatives, ensuring a resilient and informed cyber defense posture.

Unlocking SOC Efficiency: Tackling SMB Challenges

An energy company’s Security Operations Center (SOC) faced numerous challenges with Server Message Block (SMB) protocol issues, which often obscured network visibility. By addressing these SMB-related problems, the SOC significantly enhanced its operational effectiveness.

Key Improvements:

• Enhanced Network Visibility: By resolving SMB protocol issues, the company gained a clearer and more comprehensive view of their network operations. This allowed for quicker identification of unusual activities or potential threats.
• Improved Alert Accuracy: With improved protocol handling, the number of false positives in threat alerts decreased. This meant that analysts could focus on real concerns, reducing wasted time and effort in validating each alert.
• Faster Incident Response: With a more efficient network insight, the SOC streamlined its incident response process. Analysts could pinpoint the source of issues more rapidly, enabling faster mitigation and recovery.

Through these targeted improvements, the energy company’s SOC transformed its approach, leading to a more robust defensive posture and increased resilience in handling cyber threats.

Conclusion

Zeek is a powerful tool for network security monitoring, threat hunting, and incident response. With its ability to analyze network traffic, generate detailed logs, and support modular extensions, Zeek is an essential tool for cybersecurity professionals.

By leveraging Zeek, security teams can detect threats, investigate incidents, and improve network visibility, making it a crucial component of any modern security operations center (SOC).

Watch the full video here, featuring Dan Gunter, CEO of Insane Cyber.