Introduction to Zeek: Open-Source Threat Hunting and Network Traffic Analysis

In today’s cybersecurity landscape, network traffic analysis plays a critical role in threat hunting, incident response, and security monitoring. One of the most powerful open-source tools for this purpose is Zeek (formerly known as Bro).

In this article, we will explore what Zeek is, how to install it, and how it can be used to analyze network traffic through its detailed logging system.

What is Zeek?

Zeek is an open-source network traffic analyzer designed for security monitoring and threat detection. Unlike other network analysis tools that require specialized hardware, Zeek is scalable, clusterable, and runs on commodity hardware. It can process traffic from PCAP files or live network captures, generating detailed log files to help security professionals analyze and detect suspicious activity.

Key Features of Zeek:

✔ Works with both PCAP files and live network traffic
✔ Generates detailed security logs for various network activities
✔ Scalable and runs on commodity hardware
✔ Modular and extensible, allowing users to create custom analyzers
✔ Widely used in network security monitoring, incident response, and threat hunting

Installing Zeek on macOS and Linux

Installing Zeek is straightforward, with pre-built packages available for macOS and Linux.

Installation on macOS (Using Homebrew)

If you are using macOS, Zeek can be installed easily using Homebrew:

xcode-select --install # Install Xcode dependencies (if not already installed)
brew install zeek # Install Zeek via Homebrew

After installation, you can start using Zeek immediately.

Installation on Ubuntu/Linux

For Ubuntu and other Linux distributions, Zeek can be installed by adding the official repository and running the following commands:

sudo apt update
sudo apt install zeek

Alternatively, you can build Zeek from source, but this is usually unnecessary as pre-built packages are available.

Using Zeek for Network Traffic Analysis

Once installed, Zeek can be used to analyze PCAP files or live network traffic. The basic command for analyzing a PCAP file is:

zeek -r filename.pcap

This command processes the PCAP file and generates log files in the current working directory. These logs provide valuable insights into network activity.

Understanding Zeek Log Files

Zeek generates a variety of logs, each capturing different aspects of network traffic. Let’s take a look at some of the most important log files:

1. Connection Log (conn.log) – Network Metadata

The connection log records essential network details such as:

  • Source and destination IP addresses
  • Ports and protocols used
  • Session duration and byte count

This log is useful for tracking network activity patterns and identifying unusual connections.

2. HTTP Log (http.log) – Web Traffic Analysis

The HTTP log contains valuable information about web traffic, including:

  • URLs and user agents
  • HTTP methods (GET, POST, etc.)
  • Response status codes

This log helps in detecting suspicious HTTP requests and analyzing malicious web activity.

3. DNS Log (dns.log) – Domain Name System Monitoring

The DNS log records all DNS queries and responses, which is useful for:

  • Identifying connections to malicious domains
  • Tracking domain resolution behavior
  • Detecting command-and-control (C2) communications

4. SSH Log (ssh.log) – Secure Shell Traffic

The SSH log provides information on client and server SSH connections, helping to:

  • Detect unauthorized SSH access attempts
  • Monitor SSH usage within the network

5. FTP Log (ftp.log) – File Transfer Monitoring

The FTP log captures:

  • Usernames and passwords used in FTP sessions
  • Transferred files and commands executed

This log is helpful for identifying weak credentials and detecting unauthorized file transfers.

6. Dynamic Protocol Detection (dpd.log) – Identifying Non-Standard Traffic

The DPD log helps detect:

  • Protocols running on non-standard ports
  • Potential malware using unusual network configurations

This log is valuable for identifying stealthy threats that attempt to evade detection by masquerading as legitimate traffic.

7. Industrial Protocol Logs (Modbus, DNP3) – Monitoring Critical Infrastructure

Zeek also supports industrial and other specialized protocols, each with its own log, such as:

  • Modbus and DNP3 – Used in industrial control systems (ICS)
  • SMB (Server Message Block) – Used in Windows file sharing

These logs are crucial for protecting critical infrastructure from cyber threats.

Zeek for Threat Hunting and Incident Response

Zeek is widely used for threat hunting and incident response. Here’s how it helps:

1. Correlating Logs Using the UID Field

Each protocol log entry in Zeek carries a uid (unique connection identifier) that lets security analysts link events for the same connection across different logs. For example:

  • A connection in conn.log can be traced to DNS queries in dns.log
  • An SSH login attempt in ssh.log can be correlated with network activity in conn.log
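The uid join described above, together with the non-standard-port check from the DPD section, as an added example that is not part of the article or of Zeek itself. The conn.log and dns.log records are constructed and trimmed to a few columns, and the EXPECTED_PORTS table is an assumption, not a Zeek setting.

```python
"""Correlate Zeek TSV logs on the shared uid field and flag services seen on
unexpected ports. Added example, not the article's or the Zeek project's code.
Log records are constructed and trimmed; real logs use the same '#fields'
header, tab separators and '-' for unset values."""
from collections import defaultdict

CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\n"
    "1700000000.1\tCAbc1\t10.0.0.5\t51234\t10.0.0.53\t53\tudp\tdns\t0.012\n"
    "1700000001.2\tCDef2\t10.0.0.5\t51235\t203.0.113.9\t2222\ttcp\tssh\t12.5\n"
    "1700000002.3\tCGhi3\t10.0.0.7\t51236\t203.0.113.9\t443\ttcp\t-\t0.9\n"
)
DNS_LOG = (
    "#fields\tts\tuid\tid.orig_h\tquery\tanswers\n"
    "1700000000.1\tCAbc1\t10.0.0.5\tupdate.example.net\t203.0.113.9\n"
)
# Ports a service is normally expected on (constructed table, not a Zeek default).
EXPECTED_PORTS = {"ssh": {"22"}, "dns": {"53"}, "http": {"80", "8080"}, "ssl": {"443"}}

def parse_zeek_log(text):
    """Parse Zeek's TSV format: '#fields' names the columns; other '#' lines are metadata."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and blank lines carry no records
        else:
            values = [None if v == "-" else v for v in line.split("\t")]
            records.append(dict(zip(fields, values)))
    return records

def correlate_by_uid(**logs):
    """Group records from several logs by uid, tagging each with its log name."""
    by_uid = defaultdict(list)
    for name, text in logs.items():
        for rec in parse_zeek_log(text):
            by_uid[rec["uid"]].append((name, rec))
    return dict(by_uid)

def services_on_unexpected_ports(conn_text):
    """Return (uid, service, port) where the identified service is on an unusual port."""
    flagged = []
    for rec in parse_zeek_log(conn_text):
        svc = rec["service"]  # None when Zeek identified no service ('-')
        if svc in EXPECTED_PORTS and rec["id.resp_p"] not in EXPECTED_PORTS[svc]:
            flagged.append((rec["uid"], svc, rec["id.resp_p"]))
    return flagged

if __name__ == "__main__":
    joined = correlate_by_uid(conn=CONN_LOG, dns=DNS_LOG)
    print("logs mentioning CAbc1:", [name for name, _ in joined["CAbc1"]])
    print("services on unexpected ports:", services_on_unexpected_ports(CONN_LOG))
```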

2. Detecting Anomalies and Suspicious Activity

Zeek makes it easier to identify unusual network behaviors, such as:

  • Unauthorized remote access attempts
  • Malware communication with external servers
  • Suspicious file transfers and login attempts

3. Customizing Zeek for Advanced Threat Detection

Zeek is highly modular and allows users to create custom analyzers and scripts to detect specific threats. Security teams can tailor Zeek to:

  • Monitor specific protocols
  • Flag abnormal behaviors
  • Automate incident detection and response

Conclusion

Zeek is a powerful tool for network security monitoring, threat hunting, and incident response. With its ability to analyze network traffic, generate detailed logs, and support modular extensions, Zeek is an essential tool for cybersecurity professionals.

By leveraging Zeek, security teams can detect threats, investigate incidents, and improve network visibility, making it a crucial component of any modern security operations center (SOC).

Watch the full video here, featuring Dan Gunter, CEO of Insane Cyber. 
