Zeek
Zeek (formerly Bro)[2] is a free and open-source software network analysis framework; it was first developed in 1994 by Vern Paxson and was originally named in reference to George Orwell's Big Brother from his novel Nineteen Eighty-Four. It can be used as a network intrusion detection system (NIDS) but with additional live analysis of network events.[3] It is released under the BSD license.
Original author(s) | Vern Paxson |
---|---|
Stable release | 3.2.3[1]
/ 15 December 2020 |
Repository | |
Written in | C++ |
Operating system | Linux, FreeBSD, macOS |
Type | Network intrusion detection system |
License | BSD license |
Website | zeek |
Zeek's application architecture
IP packets captured with pcap are transferred to an event engine which accepts or rejects them. The accepted packets are forwarded to the policy script interpreter.
The event engine analyzes live or recorded network traffic or trace files to generate neutral events. It generates events when "something" happens. This can be triggered by the Zeek process, such as just after initialization or just before termination of the Zeek process, as well as by something taking place on the network (or trace file) being analyzed, such as Zeek witnessing an HTTP request or a new TCP connection. Zeek uses common ports and dynamic protocol detection (involving signatures as well as behavioral analysis) to make a best guess at interpreting network protocols. Events are policy neutral in that they are not good or bad but simply signals to script land that something happened.
Events are handled by policy scripts, which analyze events to create action policies. The scripts are written in the Turing complete Zeek scripting language. By default Zeek simply logs information about events to files (Zeek also supports logging events in binary output); however, it can be configured to take other actions such as sending an email, raising an alert, executing a system command, updating an internal metric and even calling another Zeek script. The default behavior produces NetFlow-like output (conn log) as well as application event information. Zeek scripts are able to read in data from external files, such as blacklists, for use within Zeek policy scripts.
Zeek analyzers
Most Zeek analyzers are located in Zeek's event engine with an accompanying policy script. The policy script can be customized by the user. The analyzers perform application layer decoding, anomaly detection, signature matching and connection analysis.[4] Zeek has been designed to easily incorporate additional analyzers. Some application layer analyzers included with Zeek are HTTP, FTP, SMTP and DNS amongst others. Other non-application layer analyzers include analyzers that detect host or port scans, intermediary hosts and syn-floods. Zeek also includes signature detection and allows the import of Snort signatures.
References
- "Release 3.2.3". 15 December 2020. Retrieved 19 December 2020.
- Paxson, Vern (11 October 2018). "Renaming the Bro Project".
- McCarty, Ronald. "Bro IDS » ADMIN Magazine". ADMIN Magazine. Retrieved 2018-07-11.
- Sommer, Robin (2003). "Bro: An Open Source Network Intrusion Detection System". Munich, Germany: Computer Science Department TU München. CiteSeerX 10.1.1.60.5410. Cite journal requires
|journal=
(help)
External links
- The Zeek Network Security Monitor
- Bro: A System for Detecting Network Intruders in Real-Time – Vern Paxson
- The NSA is Not Made Of Magic – Bruce Schneier