Zeek/Bro
Zeek started off life called Bro, but was renamed to Zeek in 2018.
Zeek is a passive, open-source network traffic analysis platform. It provides compact, high-fidelity transaction logs, file content, and fully customized output to analysts. Operators can leverage its programmable nature to use Zeek as a security monitor that inspects all traffic on a link in depth to identify signs of suspicious activity. Zeek can also support a wide range of traffic analysis tasks outside of the security domain, including performance measurement and troubleshooting.
Zeek’s history goes back much further than many people realize. Vern Paxson began designing and implementing the initial version in 1995 as a researcher at the Lawrence Berkeley National Laboratory (LBNL). In 2003, the National Science Foundation (NSF) began supporting research and advanced development on Bro at the International Computer Science Institute (ICSI) in Berkeley. Over the years, a growing team of ICSI researchers and students kept adding novel functionality, while LBNL continued its support with funding from the Department of Energy (DOE).
In 2010, NSF’s SDCI program set out to greatly strengthen Zeek’s applicability for use by R&E (Research and Education) sites by awarding ICSI a grant dedicated solely to Zeek development. With that support in place, the National Center for Supercomputing Applications (NCSA) joined the team as a core partner, and the project began to completely overhaul many of the user-visible facets of the system for the 2.0 release.
In 2013, the initial developers founded a company now named Corelight to provide ongoing support for the open-source project. Corelight continues to be the primary (though not only) contributor to, and steward of, open-source Zeek.
Over the past 10 years, Zeek has seen tremendous adoption and performance gains across a diverse range of deployment scenarios and industry/government sectors.
Feature Set
Zeek supports a wide range of analysis through its scripting language. It comes with a powerful set of features that users can further extend and customize as needed.
Deployment
- Runs on commodity hardware on standard UNIX-style systems.
- Fully passive traffic analysis off a network tap or monitoring port.
- Standard libpcap interface for capturing packets or reading packet traces.
- Real-time and offline analysis.
- Cluster support for large-scale deployments.
- Unified management framework for operating both standalone and cluster setups.
- Open-source under a BSD license.
Analysis
- Comprehensive logging of activity for offline analysis, forensics, and threat-hunting.
- Port-independent analysis of application-layer protocols.
- Support for many application-layer protocols (including DNS, FTP, HTTP, IRC, SMTP, SSH, TLS).
- Broad industry support for additional protocols.
- Analysis of file content exchanged over application-layer protocols, including MD5/SHA1 computation for fingerprinting.
- Comprehensive IPv6 support.
- Tunnel detection and analysis (including Ayiya, Teredo, GTPv1). Zeek decapsulates the tunnels and then proceeds to analyze their content as if no tunnel was in place.
- Extensive sanity checks during protocol analysis.
- Support for IDS-style signature matching.
Scripting Language
- Turing-complete language for expressing complex analysis tasks.
- Event-based programming model.
- Domain-specific data types such as IP addresses (transparently handling both IPv4 and IPv6), port numbers, and timers.
- Extensive support for tracking and managing network state over time.
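As an added example (not code from this page or from the Zeek project) of the event-based model and state tracking listed above: a script that handles the core's `new_connection` event, keeps a per-originator counter in a table whose entries expire on their own, and raises a notice when a host exceeds a threshold within a window. The `ConnRate` module name, the threshold of 100 and the one-minute window are assumptions chosen for illustration.

```zeek
# Added example; not part of the Zeek distribution.
@load base/frameworks/notice

module ConnRate;

export {
    redef enum Notice::Type += {
        ## Raised when one originator opens more than `threshold`
        ## TCP connections within `window`.
        Too_Many_Connections,
    };

    ## Assumed values; tune both for the monitored link.
    const threshold: count = 100 &redef;
    const window: interval = 1 min &redef;
}

## Per-originator counter. &create_expire makes Zeek drop each entry
## `window` after it was created, so the table tracks a per-host rate
## over time without any manual cleanup. The addr type covers both
## IPv4 and IPv6 originators transparently.
global conns_by_orig: table[addr] of count &create_expire=window &default=0;

## Hosts already reported, so each host is noticed once per window.
global reported: set[addr] &create_expire=window;

## Fired by the core the first time a connection is seen.
event new_connection(c: connection)
    {
    # Only count TCP connections.
    if ( get_port_transport_proto(c$id$resp_p) != tcp )
        return;

    local orig = c$id$orig_h;
    ++conns_by_orig[orig];

    if ( conns_by_orig[orig] > threshold && orig !in reported )
        {
        add reported[orig];
        NOTICE([$note=Too_Many_Connections,
                $src=orig,
                $conn=c,
                $msg=fmt("%s opened %d connections within %s",
                         orig, conns_by_orig[orig], window),
                $identifier=cat(orig)]);
        }
    }
```

Run it against a capture with `zeek -r trace.pcap connrate.zeek` (filename assumed) and the resulting notices appear in notice.log alongside the regular transaction logs.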
Interfacing
- Default output to well-structured ASCII logs.
- Alternative backends for ElasticSearch and DataSeries.
- Real-time integration of external input into analyses. Live database input in preparation.
- External C library for exchanging Zeek events with external programs.
- Ability to trigger arbitrary external processes from within the scripting language.