Zeek Network Security Monitor

Zeek (formerly Bro) is a powerful, open-source network security monitoring platform that provides deep visibility into network traffic. Unlike signature-based systems that look for known threats, Zeek performs protocol analysis, behavioral detection, and generates detailed logs of network activity. This guide covers installation, cluster deployment for high-traffic networks, understanding Zeek logs and output formats, writing custom detection scripts, implementing the Intel framework for threat intelligence, and analyzing protocol behavior.

System Requirements

Zeek requires substantial resources for analysis of high-traffic networks:

  • 64-bit processor (multi-core recommended)
  • 4 GB RAM minimum (8 GB+ for production)
  • 100 GB+ disk space for logs and pcap files
  • Linux kernel 3.10 or newer
  • CMake, GCC/Clang, OpenSSL development libraries

Check system requirements:

uname -r
nproc
free -h
df -h /

Installation

Install Zeek from source for maximum control and latest features.

Install dependencies:

For Ubuntu/Debian:

sudo apt-get update
sudo apt-get install -y git cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev zlib1g-dev

For CentOS/RHEL:

sudo yum groupinstall -y 'Development Tools'
sudo yum install -y libpcap-devel openssl-devel zlib-devel python3-devel

Download and compile Zeek:

mkdir -p ~/src && cd ~/src
git clone --recurse-submodules https://github.com/zeek/zeek.git
cd zeek
./configure --prefix=/opt/zeek
make -j"$(nproc)"
sudo make install

Add Zeek to PATH:

echo 'export PATH=/opt/zeek/bin:$PATH' | sudo tee /etc/profile.d/zeek.sh
source /etc/profile.d/zeek.sh

Verify installation:

zeek --version
zeek -h

Create Zeek user and directories:

sudo useradd -r -s /bin/false zeek
sudo mkdir -p /var/log/zeek
sudo mkdir -p /opt/zeek/share/zeek/site
sudo chown -R zeek:zeek /var/log/zeek

Configuration Basics

Configure Zeek to monitor network interfaces and perform analysis.

Edit the main configuration file:

sudo nano /opt/zeek/etc/zeekctl.cfg

Key configuration options (zeekctl.cfg holds only global zeekctl settings; the capture interface and the load-balancing method are per-node settings and belong in node.cfg, shown next):

# Log directory for archived logs; zeekctl keeps a "current" symlink here for the live logs
LogDir = /var/log/zeek

# Spool directory (temporary files and the logs of the running instance)
SpoolDir = /opt/zeek/spool

# Rotate logs every hour and delete archived logs after 30 days
LogRotationInterval = 3600
LogExpireInterval = 30

# Where "zeekctl cron" sends mail about crashes
MailTo = root@localhost

Configure node types and cluster setup. Edit the node.cfg file:

sudo nano /opt/zeek/etc/node.cfg

For standalone setup (the interface to monitor is set per node, here):

[zeek]
type=standalone
host=localhost
interface=eth0

Start Zeek:

sudo /opt/zeek/bin/zeekctl deploy

Check status:

sudo /opt/zeek/bin/zeekctl status

Verify Zeek is monitoring:

sudo tail -f /var/log/zeek/current/conn.log

Zeek Logs and Outputs

Understand the comprehensive logging that Zeek produces.

Zeek generates specialized logs for different protocol types:

Common log files:

ls -la /var/log/zeek/current/

Key logs generated:

  • conn.log: TCP/UDP connections
  • dns.log: DNS queries and responses
  • http.log: HTTP requests and responses
  • ssl.log: SSL/TLS certificates and handshakes
  • files.log: File activity and metadata
  • ssh.log: SSH activity
  • smtp.log: Email traffic
  • ftp.log: FTP commands

View connection logs:

zeek-cut -d ts id.orig_h id.orig_p id.resp_h id.resp_p < /var/log/zeek/current/conn.log | head -20

View HTTP activity:

zeek-cut -d ts host uri user_agent < /var/log/zeek/current/http.log | head -20

Analyze DNS queries:

zeek-cut query < /var/log/zeek/current/dns.log | sort | uniq -c | sort -rn | head -20

View SSL certificates:

zeek-cut -d ts server_name subject < /var/log/zeek/current/ssl.log | head -20

Switch log output from TSV to JSON when the logs are consumed by tools rather than by zeek-cut (zeek-cut reads only the TSV format). Add the following to /opt/zeek/share/zeek/site/local.zeek and redeploy:

redef LogAscii::use_json = T;
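The TSV layout that zeek-cut relies on is self-describing: the header lines name the separator, the unset and empty markers, the field names and their Zeek types. The reader below is an added example (not Zeek's own code) that honours those headers and converts each cell to a Python value, so a script can do the same kind of summary as the zeek-cut pipelines above without re-parsing types by hand. The conn.log excerpt and the function names parse_zeek_tsv and resp_bytes_by_source are constructed for the example.

```python
"""Reader for Zeek's default TSV log format (added example, not Zeek's own code)."""
import ipaddress
from collections import defaultdict

# Constructed conn.log excerpt in Zeek's TSV layout. Fields are tab-separated,
# "-" marks an unset field and "(empty)" an empty string or set.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\thistory",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tstring",
    "1700000000.123456\tCAbc1\t10.0.0.5\t51234\t192.0.2.1\t443\ttcp\tssl\t1.5\t1200\t8400\tSF\tShADadFf",
    "1700000001.000000\tCAbc2\t10.0.0.5\t51235\t192.0.2.1\t443\ttcp\t-\t-\t-\t-\tS0\tS",
    "1700000002.000000\tCAbc3\t10.0.0.7\t40000\t198.51.100.9\t53\tudp\tdns\t0.01\t60\t120\tSF\tDd",
    "1700000003.000000\tCAbc4\t10.0.0.5\t51236\t192.0.2.1\t443\ttcp\t-\t0.2\t100\t0\tREJ\t(empty)",
    "#close\t2023-11-14-22-13-23",
])


def _convert(raw, typ, unset, empty, set_sep):
    """Map one TSV cell to a Python value according to its entry in the #types line."""
    if raw == unset:
        return None
    if typ.startswith(("set[", "vector[")):
        return [] if raw == empty else raw.split(set_sep)
    if raw == empty:
        return ""
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    if typ == "addr":
        return ipaddress.ip_address(raw)
    if typ == "subnet":
        return ipaddress.ip_network(raw, strict=False)
    return raw  # string, enum and unknown types stay as text


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into a list of dicts keyed by field name."""
    separator, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields = types = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        if line.startswith("#"):
            # "#separator \x09" is the one header that is space-separated and escaped
            if line.startswith("#separator "):
                separator = line[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(separator)
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(separator)
            elif key == "types":
                types = value.split(separator)
            continue  # #path, #open and #close carry no row data
        if fields is None:
            raise ValueError(f"line {lineno}: data before the #fields header")
        cells = line.split(separator)
        if len(cells) != len(fields):
            raise ValueError(f"line {lineno}: {len(cells)} cells for {len(fields)} fields")
        row_types = types or ["string"] * len(fields)
        records.append({name: _convert(cell, typ, unset, empty, set_sep)
                        for name, typ, cell in zip(fields, row_types, cells)})
    return records


def resp_bytes_by_source(records):
    """Bytes served to each client address; unset byte counts (None) count as zero."""
    totals = defaultdict(int)
    for rec in records:
        totals[str(rec["id.orig_h"])] += rec["resp_bytes"] or 0
    return dict(totals)


if __name__ == "__main__":
    rows = parse_zeek_tsv(SAMPLE_CONN_LOG)
    for src, total in sorted(resp_bytes_by_source(rows).items(), key=lambda kv: -kv[1]):
        print(f"{src:>15}  {total} bytes")
```

Feeding a real file is `parse_zeek_tsv(open("/var/log/zeek/current/conn.log").read())`; archived logs under LogDir are gzip-compressed, so open those with gzip.open in text mode.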

Configure log rotation:

Zeek rotates and archives its own logs through zeekctl, so do not point logrotate at /var/log/zeek: it would rename files Zeek is still writing. Set the rotation interval and the retention in /opt/zeek/etc/zeekctl.cfg:

LogRotationInterval = 3600
LogExpireInterval = 30

and let zeekctl do the housekeeping (rotation, archiving, crash detection and restarts) from cron:

sudo crontab -e

Content:

*/5 * * * * /opt/zeek/bin/zeekctl cron

Cluster Mode Deployment

Deploy Zeek in cluster mode for high-traffic networks requiring load balancing across multiple workers.

Configure cluster in node.cfg:

sudo nano /opt/zeek/etc/node.cfg

Multi-node cluster configuration (all hosts need the same Zeek install path, and the manager host must reach the others over passwordless SSH, because zeekctl deploy copies the configuration and starts the nodes over SSH; a logger node takes log writing off the manager):

[logger]
type=logger
host=192.168.1.50

[manager]
type=manager
host=192.168.1.50

[proxy-1]
type=proxy
host=192.168.1.54

[worker-1]
type=worker
host=192.168.1.51
interface=eth0
lb_method=pf_ring
lb_procs=2
pin_cpus=1,2

[worker-2]
type=worker
host=192.168.1.52
interface=eth0
lb_method=pf_ring
lb_procs=2
pin_cpus=1,2

[worker-3]
type=worker
host=192.168.1.53
interface=eth0
lb_method=pf_ring
lb_procs=2
pin_cpus=1,2

Configure zeekctl for cluster:

sudo nano /opt/zeek/etc/zeekctl.cfg

Cluster-wide settings (the same zeekctl.cfg is pushed to every node; per-node settings such as lb_method and pin_cpus stay in node.cfg):

LogDir = /var/log/zeek
SpoolDir = /opt/zeek/spool
LogRotationInterval = 3600
MailTo = root@localhost

# Port the nodes use to talk to each other; allow it between the cluster hosts
ZeekPort = 27760

Deploy the cluster:

sudo /opt/zeek/bin/zeekctl deploy

Check cluster status:

sudo /opt/zeek/bin/zeekctl status

Collect crash diagnostics from the nodes:

sudo /opt/zeek/bin/zeekctl diag

Monitor cluster health (CPU and memory per node, then packets received and dropped per worker):

sudo /opt/zeek/bin/zeekctl top
sudo /opt/zeek/bin/zeekctl netstats

Custom Scripts

Write Zeek scripts to detect custom threats and analyze network behavior.

Create a custom detection script:

sudo nano /opt/zeek/share/zeek/site/custom-detection.zeek

Example script for SSH brute force detection (Zeek ships policy/protocols/ssh/detect-bruteforcing for production use; this version shows the mechanics):

# SSH Brute Force Detection

module SSH_BRUTEFORCE;

export {
    redef enum Notice::Type += {
        ## Raised once when a client reaches the failed-login threshold
        Brute_Force_Detected
    };

    ## Failed logins per client address. &create_expire removes an entry
    ## 15 minutes after it was created, so the count covers a 15-minute window.
    global ssh_attempts: table[addr] of count &create_expire=15 mins &default=0;

    ## Number of failed logins that triggers the notice.
    const ssh_threshold: count = 10 &redef;
}

# ssh_auth_failed is raised by the base SSH analyzer for each failed login.
event ssh_auth_failed(c: connection) {
    local src = c$id$orig_h;
    ssh_attempts[src] = ssh_attempts[src] + 1;

    # Alert once, when the threshold is reached, not on every later attempt.
    if ( ssh_attempts[src] == ssh_threshold ) {
        NOTICE([$note=Brute_Force_Detected,
                $conn=c,
                $msg=fmt("SSH brute force: %d failed logins from %s", ssh_attempts[src], src),
                $identifier=cat(src)]);
    }
}

Example script for detecting suspicious file downloads (the file type comes from Zeek's content sniffing, which is more reliable than matching ".exe" in the URL or body):

# Suspicious File Download Detection

module EXE_DOWNLOAD;

export {
    redef enum Notice::Type += {
        Executable_Download
    };
}

# file_sniff fires once the file analysis framework has identified a file's type.
event file_sniff(f: fa_file, meta: fa_metadata) {
    if ( f$source != "HTTP" )
        return;

    if ( ! meta?$mime_type || meta$mime_type != "application/x-dosexec" )
        return;

    # is_orig=T would be an upload by the client; we want server-sent files
    if ( f?$is_orig && f$is_orig )
        return;

    if ( ! f?$conns )
        return;

    # A file can span several connections; attach the notice to each of them
    for ( cid in f$conns ) {
        local c = f$conns[cid];
        NOTICE([$note=Executable_Download,
                $conn=c,
                $f=f,
                $msg=fmt("Windows executable downloaded over HTTP from %s", c$id$resp_h)]);
    }
}
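The brute-force script above depends on two details that are easy to get wrong: &create_expire drops an entry a fixed time after it was created (not after its last update), and the notice should fire once at the threshold rather than on every later attempt. The following is an added example, not Zeek code, that replays ssh.log-style records through the same logic offline, which is handy for checking a threshold against historical logs before deploying the script. The records and the names SSHBruteForceTracker and scan are constructed for the example.

```python
"""Offline counterpart of the SSH brute-force Zeek script (added example, not Zeek code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class _Entry:
    created: float        # time the table entry was created, as &create_expire tracks it
    count: int = 0
    alerted: bool = False


class SSHBruteForceTracker:
    def __init__(self, threshold: int = 10, expire_secs: float = 15 * 60):
        self.threshold = threshold
        self.expire_secs = expire_secs
        self._attempts: Dict[str, _Entry] = {}

    def _expire(self, now: float) -> None:
        # &create_expire removes an entry expire_secs after creation whether or
        # not it was updated since; emulate that before every lookup.
        stale = [s for s, e in self._attempts.items() if now - e.created >= self.expire_secs]
        for src in stale:
            del self._attempts[src]

    def observe(self, ts: float, orig_h: str, auth_success: Optional[bool]) -> Optional[str]:
        """Feed one ssh.log record; return the notice message when the threshold is hit."""
        self._expire(ts)
        if auth_success is not False:
            # True is a successful login, None means Zeek could not tell; only failures count
            return None
        entry = self._attempts.setdefault(orig_h, _Entry(created=ts))
        entry.count += 1
        if entry.count == self.threshold and not entry.alerted:
            entry.alerted = True
            return f"SSH brute force: {entry.count} failed logins from {orig_h}"
        return None


def scan(records: List[dict], threshold: int = 10, expire_secs: float = 15 * 60) -> List[str]:
    """Run the tracker over records in time order; return the notices raised."""
    tracker = SSHBruteForceTracker(threshold, expire_secs)
    notices = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        msg = tracker.observe(rec["ts"], rec["id.orig_h"], rec["auth_success"])
        if msg:
            notices.append(msg)
    return notices


# Constructed ssh.log-style records: ts, client address, auth_success as Zeek logs it
SAMPLE_SSH_RECORDS = (
    # 12 failures from one client, 20 seconds apart: the 10th must raise the notice,
    # the 11th and 12th must not repeat it
    [{"ts": 1000.0 + 20 * i, "id.orig_h": "203.0.113.7", "auth_success": False} for i in range(12)]
    # a successful and an undetermined login from another client: ignored
    + [{"ts": 1100.0, "id.orig_h": "198.51.100.4", "auth_success": True},
       {"ts": 1101.0, "id.orig_h": "198.51.100.4", "auth_success": None}]
    # 905 s after the entry was created it has expired, so the count restarts
    # and three more failures stay under the threshold
    + [{"ts": 1905.0 + 5 * i, "id.orig_h": "203.0.113.7", "auth_success": False} for i in range(3)]
)

if __name__ == "__main__":
    for notice in scan(SAMPLE_SSH_RECORDS):
        print(notice)
```

Running it on a real ssh.log means parsing the TSV (ts, id.orig_h and auth_success columns) into the same dicts; the auth_success column is "-" when Zeek could not determine the outcome, which maps to None here and is deliberately not counted.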

Enable the custom script:

echo "@load custom-detection" | sudo tee -a /opt/zeek/share/zeek/site/local.zeek

Reload Zeek:

sudo /opt/zeek/bin/zeekctl deploy

Check the script for syntax errors before deploying (--parse-only loads and parses the scripts without capturing; zeekctl check validates the whole site configuration):

/opt/zeek/bin/zeek --parse-only /opt/zeek/share/zeek/site/custom-detection.zeek
sudo /opt/zeek/bin/zeekctl check

Intel Framework

Integrate threat intelligence feeds for automatic threat detection.

Create an Intel file:

sudo nano /opt/zeek/share/zeek/site/intel-feed.txt

Format (columns are separated by a single tab character, the first line is a #fields header, indicator_type uses the Intel:: enum names, and meta.do_notice=T makes the do_notice script raise a notice on a match; indicators match exactly, so a bare "curl" only hits a User-Agent header that is exactly "curl"):

#fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
192.0.2.1	Intel::ADDR	CUSTOM	Malware C&C Server	T
10.0.0.5	Intel::ADDR	CUSTOM	Known botnet node	T
malware.example.com	Intel::DOMAIN	CUSTOM	Phishing domain	T
curl	Intel::USER_AGENT	CUSTOM	Suspicious user agent	T
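A feed with a space instead of a tab, a type name that is not an Intel:: enum, a CIDR range filed under Intel::ADDR, or trailing whitespace in the last column fails to load (the input framework reports it in reporter.log) or silently never matches. The validator below is an added example, not part of Zeek, to run over a feed before handing it to Intel::read_files; the sample feed and the name validate_intel_feed are constructed, and the feed deliberately contains those mistakes.

```python
"""Validator for a Zeek Intel framework feed file (added example, not part of Zeek)."""
import ipaddress
from typing import List, Tuple

# Indicator types defined by Zeek's Intel framework (base/frameworks/intel)
VALID_TYPES = {
    "Intel::ADDR", "Intel::SUBNET", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_AGENT", "Intel::USER_NAME", "Intel::CERT_HASH",
    "Intel::PUBKEY_HASH", "Intel::FILE_HASH", "Intel::FILE_NAME",
}
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")

# Constructed feed; lines 3, 5, 6, 7 and 8 each carry one mistake
SAMPLE_FEED = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice",
    "192.0.2.1\tIntel::ADDR\tCUSTOM\tMalware C&C server\tT",
    "10.0.0.5\tIP\tCUSTOM\tKnown botnet node\tT",                       # not an Intel:: name
    "malware.example.com\tIntel::DOMAIN\tCUSTOM\tPhishing domain\tT",
    "192.0.2.0/24\tIntel::ADDR\tCUSTOM\tCIDR needs Intel::SUBNET\tT",   # wrong type for a range
    "198.51.100.7 Intel::ADDR CUSTOM spaces instead of tabs T",         # not tab-separated
    "203.0.113.9\tIntel::ADDR\tCUSTOM\tbad do_notice value\tmaybe",     # do_notice must be T or F
    "curl\tIntel::USER_AGENT\tCUSTOM\tSuspicious user agent\tT ",       # trailing space
])


def validate_intel_feed(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs; an empty list means the feed is well-formed."""
    problems: List[Tuple[int, str]] = []
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line != line.rstrip():
            problems.append((lineno, "trailing whitespace becomes part of the last field"))
            line = line.rstrip()
        if fields is None:
            cols = line.split("\t")
            if cols[0] != "#fields":
                problems.append((lineno, "first line must be a tab-separated #fields header"))
                return problems
            fields = cols[1:]
            for name in REQUIRED_FIELDS:
                if name not in fields:
                    problems.append((lineno, f"header lacks required column {name}"))
            continue
        if line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append((lineno, f"{len(cols)} columns but the header has {len(fields)} (tabs, not spaces)"))
            continue
        row = dict(zip(fields, cols))
        itype, value = row["indicator_type"], row["indicator"]
        if itype not in VALID_TYPES:
            problems.append((lineno, f"unknown indicator_type {itype!r}; use an Intel:: enum name"))
        elif itype == "Intel::ADDR":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append((lineno, f"{value!r} is not a single address; ranges need Intel::SUBNET"))
        elif itype == "Intel::SUBNET":
            try:
                ipaddress.ip_network(value)
            except ValueError:
                problems.append((lineno, f"{value!r} is not a valid CIDR range"))
        do_notice = row.get("meta.do_notice")
        if do_notice is not None and do_notice not in ("T", "F"):
            problems.append((lineno, f"meta.do_notice must be T or F, got {do_notice!r}"))
    if fields is None:
        problems.append((0, "empty feed"))
    return problems


if __name__ == "__main__":
    for lineno, problem in validate_intel_feed(SAMPLE_FEED):
        print(f"line {lineno}: {problem}")
```

Run it against the real file with `validate_intel_feed(open("/opt/zeek/share/zeek/site/intel-feed.txt").read())` before redeploying; Zeek re-reads the feed whenever the file changes, so a broken edit takes effect immediately.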

Load the Intel framework in local.zeek:

sudo nano /opt/zeek/share/zeek/site/local.zeek

Add:

@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += { "/opt/zeek/share/zeek/site/intel-feed.txt" };

Reload Zeek:

sudo /opt/zeek/bin/zeekctl deploy

Check that the feed loaded (a malformed feed is reported in reporter.log; matches are written to intel.log):

sudo /opt/zeek/bin/zeekctl check
grep -i intel /var/log/zeek/current/reporter.log
tail /var/log/zeek/current/intel.log

To exercise the feed offline against a capture instead of live traffic (replace the pcap path; the logs are written to the current directory):

cd /tmp && /opt/zeek/bin/zeek -C -r /path/to/sample.pcap local

View Intel notices:

grep "Intel::" /var/log/zeek/current/notice.log

Protocol Analysis

Analyze specific protocols to understand network behavior.

Enable detailed HTTP logging (the base HTTP analyzer is loaded by default; the header-names policy adds the request and response header names to http.log):

sudo nano /opt/zeek/share/zeek/site/local.zeek

Add:

@load policy/protocols/http/header-names
redef HTTP::log_client_header_names = T;
redef HTTP::log_server_header_names = T;

Zeek does not log HTTP bodies. Transferred content goes through the file framework (files.log); if payloads are needed, @load policy/frameworks/files/extract-all-files writes them to disk.

Analyze HTTP user agents:

zeek-cut user_agent < /var/log/zeek/http.log | sort | uniq -c | sort -rn

Detect DNS anomalies:

module DNS_ANOMALY;

export {
    redef enum Notice::Type += {
        Anomalous_Query
    };
}

# Recent Zeek releases pass the query as seen on the wire as a sixth parameter
# (original_query); on releases that lack it, remove that parameter.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count, original_query: string) {
    if ( query == "" || /\.\./ in query ) {
        NOTICE([$note=Anomalous_Query,
                $conn=c,
                $msg=fmt("Anomalous DNS query: %s", query),
                $identifier=cat(c$id$orig_h, query)]);
    }
}

Monitor SSL/TLS sessions and certificates (the handshake details are in ssl.log; certificate validity dates are in x509.log):

zeek-cut -d ts server_name subject issuer validation_status < /var/log/zeek/current/ssl.log
zeek-cut -d ts certificate.subject certificate.not_valid_before certificate.not_valid_after < /var/log/zeek/current/x509.log

Integration with SIEM

Forward Zeek logs to SIEM systems for centralized analysis.

Zeek has no syslog writer of its own; its logs are files, and the usual pattern is to write them as JSON and ship them with a log forwarder. First switch to JSON with ISO 8601 timestamps so the SIEM can parse the time field:

sudo nano /opt/zeek/share/zeek/site/local.zeek

Add:

@load policy/tuning/json-logs
redef LogAscii::json_timestamps = JSON::TS_ISO8601;

Then forward the live log files with rsyslog's imfile module. Create /etc/rsyslog.d/zeek.conf:

sudo nano /etc/rsyslog.d/zeek.conf

Content (@@ sends over TCP, a single @ over UDP):

module(load="imfile")
input(type="imfile" File="/var/log/zeek/current/conn.log" Tag="zeek_conn" Facility="local0" Severity="info")
input(type="imfile" File="/var/log/zeek/current/notice.log" Tag="zeek_notice" Facility="local0" Severity="warning")
local0.* @@192.168.1.100:514

Restart rsyslog:

sudo systemctl restart rsyslog

Forward a single log by hand to test the collector:

sudo cat /var/log/zeek/current/notice.log | nc 192.168.1.100 514

Performance Tuning

Optimize Zeek for high-traffic networks.

Use a faster capture method. Recent Zeek releases bundle the AF_PACKET plugin, which needs no extra kernel module, and zeekctl accepts lb_method=af_packet (older releases use lb_method=custom with interface=af_packet::eth0). Select it per worker in node.cfg; lb_procs spreads one interface over several worker processes and pin_cpus binds each of them to a core:

sudo nano /opt/zeek/etc/node.cfg

Add:

[worker-1]
type=worker
host=192.168.1.51
interface=eth0
lb_method=af_packet
lb_procs=4
pin_cpus=1,2,3,4

PF_RING is the alternative: install ntop's packages and rebuild Zeek against PF_RING's libpcap (./configure --with-pcap=/path/to/pfring, with the path of your PF_RING install), then use lb_method=pf_ring in node.cfg:

sudo apt-get install -y pfring-dkms libpfring

Adjust the receive ring buffer size:

sudo ethtool -G eth0 rx 4096

Disable NIC offloading on the capture interface so Zeek sees packets as they were on the wire rather than reassembled super-frames:

sudo ethtool -K eth0 gro off lro off tso off gso off

Tune the kernel's receive buffers and backlog for capture:

sudo sysctl -w net.core.rmem_max=134217728
sudo sysctl -w net.core.rmem_default=134217728
sudo sysctl -w net.core.netdev_max_backlog=250000

Monitor Zeek performance (top needs a comma-separated PID list, which pgrep -d, produces):

top -p "$(pgrep -d, zeek)"

Check disk usage:

du -sh /var/log/zeek

Check CPU and memory per worker, and packets received and dropped per worker (drops mean the workers cannot keep up):

/opt/zeek/bin/zeekctl top
/opt/zeek/bin/zeekctl netstats

Conclusion

Zeek provides comprehensive network security monitoring through deep protocol analysis and behavioral detection. By following this guide, you've installed Zeek, configured it to monitor network traffic, understood the diverse logs it generates, deployed cluster mode for high-traffic networks, written custom detection scripts, integrated threat intelligence feeds, analyzed protocol-specific behavior, integrated with SIEM systems, and optimized performance. Whether protecting small networks or large enterprises, Zeek scales with flexible clustering and powerful scripting capabilities to detect sophisticated threats beyond signature-based detection.