Performing Network Traffic Analysis with Zeek Overview Zeek (formerly Bro) is an open-source network analysis framework that operates as a passive network security monitor. Unlike traditional signature-based IDS tools, Zeek generates high-fidelity structured logs from observed network traffic, capturing detailed metadata for protocols including HTTP, DNS, TLS, SSH, SMTP, FTP, and dozens more. Zeek's extensible scripting language enables custom detection logic, behavioral analysis, and automated response. This skill covers deploying Zeek, understanding its log architecture, writing custom dete…

\\t' -k2 -rn | head -20\n\n# Find long-duration connections (potential C2)\ncat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p duration | awk '$4 > 3600' | sort -t

Performing Network Traffic Analysis with Zeek Overview Zeek (formerly Bro) is an open-source network analysis framework that operates as a passive network security monitor. Unlike traditional signature-based IDS tools, Zeek generates high-fidelity structured logs from observed network traffic, capturing detailed metadata for protocols including HTTP, DNS, TLS, SSH, SMTP, FTP, and dozens more. Zeek's extensible scripting language enables custom detection logic, behavioral analysis, and automated response. This skill covers deploying Zeek, understanding its log architecture, writing custom dete…

\\t' -k4 -rn\n\n# Find connections with unusual ports\ncat conn.log | zeek-cut id.resp_p proto | sort | uniq -c | sort -rn | head -30\n```\n\n### TLS Analysis\n\n```bash\n# Find self-signed certificates\ncat ssl.log | zeek-cut server_name validation_status | grep \"self signed\"\n\n# Extract JA3 fingerprints for known malware\ncat ssl.log | zeek-cut ja3 server_name | sort | uniq -c | sort -rn\n\n# Find expired certificates\ncat ssl.log | zeek-cut server_name not_valid_after | awk -F'\\t' '$2 \u003c systime()'\n```\n\n## Best Practices\n\n- **TAP Over SPAN** - Use network TAPs instead of SPAN ports to avoid packet loss under load\n- **Worker Scaling** - Assign 1 Zeek worker per 1 Gbps of monitored traffic\n- **AF_PACKET Clusters** - Use AF_PACKET with load balancing for multi-core processing\n- **Log Rotation** - Configure automatic log rotation and archival (default: hourly)\n- **Intel Updates** - Automate threat intelligence feed updates at least daily\n- **Packet Loss Monitoring** - Monitor `capture_loss.log` for dropped packets\n- **Custom Scripts** - Develop organization-specific detections based on threat landscape\n\n## References\n\n- [Zeek Documentation](https://docs.zeek.org/en/master/)\n- [Zeek Scripting Reference](https://docs.zeek.org/en/master/script-reference/index.html)\n- [Zeek Intel Framework](https://docs.zeek.org/en/master/frameworks/intel.html)\n- [CISA Zeek Resources](https://www.cisa.gov/resources-tools/services/kismet)\n- [Zeek GitHub Repository](https://github.com/zeek/zeek)\n---","attachment_filenames":["references/api-reference.md","scripts/agent.py"],"attachments":[{"filename":"references/api-reference.md","content":"# API Reference — Performing Network Traffic Analysis with Zeek\n\n## Libraries Used\n- **pathlib**: Read Zeek TSV log files\n- **subprocess**: Execute Zeek on PCAP files\n- **collections.Counter**: Traffic pattern aggregation\n\n## CLI Interface\n```\npython agent.py conn --log conn.log\npython agent.py dns --log dns.log\npython agent.py http --log http.log\npython agent.py notice --log notice.log\npython agent.py run --pcap capture.pcap [--output-dir /tmp/zeek_output]\n```\n\n## Core Functions\n\n### `parse_zeek_log(log_file)` — Generic Zeek TSV parser\nParses `#fields` header and data rows. Returns headers and record list.\n\n### `analyze_conn_log(conn_log)` — Connection analysis\nStatistics: protocols, services, top IPs/ports, total bytes, long connections (>1hr).\n\n### `analyze_dns_log(dns_log)` — DNS query analysis\nDetects: long queries (>50 chars), TXT queries, NXDOMAIN responses.\nFlags potential DNS tunneling indicators.\n\n### `analyze_http_log(http_log)` — Web traffic analysis\nTracks: methods, status codes, top hosts, user agents.\nFlags suspicious UAs: curl, wget, python, powershell, certutil, bitsadmin.\n\n### `analyze_notice_log(notice_log)` — Security alert review\nParses Zeek notice.log for detected security events.\n\n### `run_zeek_on_pcap(pcap_file, output_dir)` — Generate Zeek logs from PCAP\nExecutes Zeek against PCAP to produce conn.log, dns.log, http.log, etc.\n\n## Zeek Log Fields\n| Log | Key Fields |\n|-----|-----------|\n| conn.log | id.orig_h, id.resp_h, id.resp_p, proto, service, duration, orig_bytes |\n| dns.log | query, qtype_name, rcode_name |\n| http.log | method, host, uri, status_code, user_agent |\n| notice.log | note, msg, src, dst |\n\n## Dependencies\nSystem: zeek (for PCAP processing)\nNo Python packages required.\n","content_type":"text/markdown; charset=utf-8","language":"markdown","size":1752,"content_sha256":"7587af317fc4272680c246ac8d3c33c08a17d74296b6cba900983fe277cf3f0c"},{"filename":"scripts/agent.py","content":"#!/usr/bin/env python3\n\"\"\"Agent for performing network traffic analysis with Zeek (Bro) log files.\"\"\"\n\nimport json\nimport argparse\nimport subprocess\nfrom pathlib import Path\nfrom collections import Counter\n\n\ndef parse_zeek_log(log_file, delimiter=\"\\t\"):\n \"\"\"Parse a Zeek TSV log file into structured records.\"\"\"\n lines = Path(log_file).read_text(encoding=\"utf-8\", errors=\"replace\").splitlines()\n headers = []\n records = []\n for line in lines:\n if line.startswith(\"#fields\"):\n headers = line.split(delimiter)[1:]\n elif line.startswith(\"#\"):\n continue\n elif headers:\n values = line.split(delimiter)\n record = dict(zip(headers, values))\n records.append(record)\n return headers, records\n\n\ndef analyze_conn_log(conn_log):\n \"\"\"Analyze Zeek conn.log for network connection patterns.\"\"\"\n headers, records = parse_zeek_log(conn_log)\n total = len(records)\n protocols = Counter(r.get(\"proto\", \"\") for r in records)\n services = Counter(r.get(\"service\", \"-\") for r in records)\n src_ips = Counter(r.get(\"id.orig_h\", \"\") for r in records)\n dst_ips = Counter(r.get(\"id.resp_h\", \"\") for r in records)\n dst_ports = Counter(r.get(\"id.resp_p\", \"\") for r in records)\n total_bytes = sum(int(r.get(\"orig_bytes\", 0) or 0) + int(r.get(\"resp_bytes\", 0) or 0) for r in records)\n long_connections = [r for r in records if float(r.get(\"duration\", 0) or 0) > 3600]\n return {\n \"log_file\": conn_log, \"total_connections\": total,\n \"protocols\": dict(protocols), \"services\": dict(services.most_common(10)),\n \"top_src_ips\": dict(src_ips.most_common(10)),\n \"top_dst_ips\": dict(dst_ips.most_common(10)),\n \"top_dst_ports\": dict(dst_ports.most_common(15)),\n \"total_bytes\": total_bytes,\n \"long_connections\": len(long_connections),\n }\n\n\ndef analyze_dns_log(dns_log):\n \"\"\"Analyze Zeek dns.log for DNS query patterns and anomalies.\"\"\"\n headers, records = parse_zeek_log(dns_log)\n queries = Counter(r.get(\"query\", \"\") for r in records)\n qtypes = Counter(r.get(\"qtype_name\", r.get(\"qtype\", \"\")) for r in records)\n rcodes = Counter(r.get(\"rcode_name\", r.get(\"rcode\", \"\")) for r in records)\n long_queries = [r for r in records if len(r.get(\"query\", \"\")) > 50]\n txt_queries = [r for r in records if r.get(\"qtype_name\", \"\") == \"TXT\"]\n nxdomain = [r for r in records if r.get(\"rcode_name\", \"\") == \"NXDOMAIN\"]\n top_domains = Counter()\n for r in records:\n query = r.get(\"query\", \"\")\n parts = query.rsplit(\".\", 2)\n if len(parts) >= 2:\n top_domains[\".\".join(parts[-2:])] += 1\n return {\n \"log_file\": dns_log, \"total_queries\": len(records),\n \"query_types\": dict(qtypes),\n \"response_codes\": dict(rcodes),\n \"top_queried_domains\": dict(top_domains.most_common(15)),\n \"long_queries\": len(long_queries),\n \"txt_queries\": len(txt_queries),\n \"nxdomain_count\": len(nxdomain),\n \"potential_tunneling\": len(long_queries) + len(txt_queries),\n }\n\n\ndef analyze_http_log(http_log):\n \"\"\"Analyze Zeek http.log for web traffic patterns.\"\"\"\n headers, records = parse_zeek_log(http_log)\n methods = Counter(r.get(\"method\", \"\") for r in records)\n status_codes = Counter(r.get(\"status_code\", \"\") for r in records)\n hosts = Counter(r.get(\"host\", \"\") for r in records)\n user_agents = Counter(r.get(\"user_agent\", \"\")[:100] for r in records)\n suspicious_ua = [r for r in records if any(kw in r.get(\"user_agent\", \"\").lower()\n for kw in [\"curl\", \"wget\", \"python\", \"powershell\", \"certutil\", \"bitsadmin\"])]\n return {\n \"log_file\": http_log, \"total_requests\": len(records),\n \"methods\": dict(methods), \"status_codes\": dict(status_codes),\n \"top_hosts\": dict(hosts.most_common(15)),\n \"top_user_agents\": dict(user_agents.most_common(10)),\n \"suspicious_user_agents\": len(suspicious_ua),\n \"suspicious_requests\": [{\"host\": r.get(\"host\"), \"uri\": r.get(\"uri\", \"\")[:100],\n \"ua\": r.get(\"user_agent\", \"\")[:100]} for r in suspicious_ua[:10]],\n }\n\n\ndef analyze_notice_log(notice_log):\n \"\"\"Analyze Zeek notice.log for security alerts.\"\"\"\n headers, records = parse_zeek_log(notice_log)\n notice_types = Counter(r.get(\"note\", r.get(\"msg\", \"\")) for r in records)\n return {\n \"log_file\": notice_log, \"total_notices\": len(records),\n \"notice_types\": dict(notice_types),\n \"notices\": [{\"note\": r.get(\"note\"), \"msg\": r.get(\"msg\", \"\")[:200],\n \"src\": r.get(\"src\", r.get(\"id.orig_h\", \"\")),\n \"dst\": r.get(\"dst\", r.get(\"id.resp_h\", \"\"))} for r in records[:20]],\n }\n\n\ndef run_zeek_on_pcap(pcap_file, output_dir=\"/tmp/zeek_output\"):\n \"\"\"Run Zeek on a PCAP file to generate logs.\"\"\"\n Path(output_dir).mkdir(parents=True, exist_ok=True)\n cmd = [\"zeek\", \"-r\", pcap_file, f\"Log::default_logdir={output_dir}\"]\n try:\n result = subprocess.run(cmd, capture_output=True, text=True, timeout=300, cwd=output_dir)\n logs = list(Path(output_dir).glob(\"*.log\"))\n return {\n \"pcap_file\": pcap_file, \"output_dir\": output_dir,\n \"logs_generated\": [l.name for l in logs],\n \"success\": result.returncode == 0,\n \"stderr\": result.stderr[:300] if result.stderr else \"\",\n }\n except FileNotFoundError:\n return {\"error\": \"zeek not found in PATH\"}\n except Exception as e:\n return {\"error\": str(e)}\n\n\ndef main():\n parser = argparse.ArgumentParser(description=\"Zeek Network Traffic Analysis Agent\")\n sub = parser.add_subparsers(dest=\"command\")\n c = sub.add_parser(\"conn\", help=\"Analyze conn.log\")\n c.add_argument(\"--log\", required=True)\n d = sub.add_parser(\"dns\", help=\"Analyze dns.log\")\n d.add_argument(\"--log\", required=True)\n h = sub.add_parser(\"http\", help=\"Analyze http.log\")\n h.add_argument(\"--log\", required=True)\n n = sub.add_parser(\"notice\", help=\"Analyze notice.log\")\n n.add_argument(\"--log\", required=True)\n r = sub.add_parser(\"run\", help=\"Run Zeek on PCAP\")\n r.add_argument(\"--pcap\", required=True)\n r.add_argument(\"--output-dir\", default=\"/tmp/zeek_output\")\n args = parser.parse_args()\n if args.command == \"conn\":\n result = analyze_conn_log(args.log)\n elif args.command == \"dns\":\n result = analyze_dns_log(args.log)\n elif args.command == \"http\":\n result = analyze_http_log(args.log)\n elif args.command == \"notice\":\n result = analyze_notice_log(args.log)\n elif args.command == \"run\":\n result = run_zeek_on_pcap(args.pcap, args.output_dir)\n else:\n parser.print_help()\n return\n print(json.dumps(result, indent=2, default=str))\n\n\nif __name__ == \"__main__\":\n main()\n","content_type":"text/x-python; charset=utf-8","language":"python","size":6839,"content_sha256":"41a1cbcb9f782d0e7599f256904c62783997fccc02770363811e0fac7d2502f4"}],"content_json":{"type":"doc","content":[{"type":"heading","attrs":{"level":1},"content":[{"text":"Performing Network Traffic Analysis with Zeek","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"Zeek (formerly Bro) is an open-source network analysis framework that operates as a passive network security monitor. Unlike traditional signature-based IDS tools, Zeek generates high-fidelity structured logs from observed network traffic, capturing detailed metadata for protocols including HTTP, DNS, TLS, SSH, SMTP, FTP, and dozens more. Zeek's extensible scripting language enables custom detection logic, behavioral analysis, and automated response. This skill covers deploying Zeek, understanding its log architecture, writing custom detection scripts, and integrating outputs with SIEM platforms.","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"When to Use","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When conducting security assessments that involve performing network traffic analysis with zeek","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When following incident response procedures for related security events","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When performing scheduled security testing or auditing activities","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"When validating security controls through hands-on testing","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Prerequisites","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Linux server (Ubuntu 22.04+ or CentOS 8+) with 4+ CPU cores and 8GB+ RAM","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Network TAP or SPAN port mirroring configured for traffic capture","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Zeek 6.0+ installed (via package manager or source compilation)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Root or capture group privileges for packet capture","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"SIEM platform (Splunk, ELK Stack, or QRadar) for log ingestion","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Core Concepts","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Zeek Architecture","type":"text"}]},{"type":"paragraph","content":[{"text":"Zeek operates in two main modes:","type":"text"}]},{"type":"ordered_list","attrs":{"order":1,"listStyle":"number"},"content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Live Capture","type":"text","marks":[{"type":"strong"}]},{"text":" - Monitors traffic in real-time on one or more network interfaces","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Offline Analysis","type":"text","marks":[{"type":"strong"}]},{"text":" - Processes saved PCAP files for retrospective analysis","type":"text"}]}]}]},{"type":"paragraph","content":[{"text":"The processing pipeline consists of:","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Packet Capture Layer","type":"text","marks":[{"type":"strong"}]},{"text":" - Reads raw packets from interfaces or PCAP files","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Event Engine","type":"text","marks":[{"type":"strong"}]},{"text":" - Reassembles TCP streams and generates protocol events","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Script Interpreter","type":"text","marks":[{"type":"strong"}]},{"text":" - Executes Zeek scripts that process events and generate logs","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Log Framework","type":"text","marks":[{"type":"strong"}]},{"text":" - Writes structured logs in TSV, JSON, or custom formats","type":"text"}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Log Architecture","type":"text"}]},{"type":"paragraph","content":[{"text":"Zeek generates protocol-specific log files:","type":"text"}]},{"type":"table","attrs":{"layout":null},"content":[{"type":"tr","content":[{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Log File","type":"text"}]}]},{"type":"th","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"conn.log","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"TCP/UDP/ICMP connection summaries with duration, bytes, state","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"dns.log","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"DNS queries and responses with query type, answers, TTL","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"http.log","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"HTTP requests/responses with URIs, user agents, MIME types","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ssl.log","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"TLS handshake details including certificate chain, JA3/JA3S","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"files.log","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"File transfers with MIME types, hashes (MD5, SHA1, SHA256)","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"notice.log","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Alerts generated by Zeek detection scripts","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"weird.log","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Protocol anomalies and unexpected behaviors","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"x509.log","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Certificate details from TLS connections","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"smtp.log","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Email metadata including sender, recipient, subject","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"ssh.log","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"SSH connection details and authentication results","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"pe.log","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Portable Executable file metadata","type":"text"}]}]}]},{"type":"tr","content":[{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"dpd.log","type":"text","marks":[{"type":"code_inline"}]}]}]},{"type":"td","attrs":{"colspan":1,"rowspan":1,"colwidth":null,"alignment":""},"content":[{"type":"paragraph","content":[{"text":"Dynamic Protocol Detection failures","type":"text"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Workflow","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 1: Install and Configure Zeek","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Install Zeek on Ubuntu\nsudo apt-get install -y zeek\n\n# Or install from Zeek repository\necho 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | \\\n sudo tee /etc/apt/sources.list.d/zeek.list\nsudo apt-get update && sudo apt-get install -y zeek-lts\n\n# Verify installation\nzeek --version","type":"text"}]},{"type":"paragraph","content":[{"text":"Configure the node layout in ","type":"text"},{"text":"/opt/zeek/etc/node.cfg","type":"text","marks":[{"type":"code_inline"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"ini"},"content":[{"text":"[manager]\ntype=manager\nhost=localhost\n\n[proxy-1]\ntype=proxy\nhost=localhost\n\n[worker-1]\ntype=worker\nhost=localhost\ninterface=eth0\nlb_method=pf_ring\nlb_procs=4\n\n[worker-2]\ntype=worker\nhost=localhost\ninterface=eth1\nlb_method=pf_ring\nlb_procs=4","type":"text"}]},{"type":"paragraph","content":[{"text":"Configure network definitions in ","type":"text"},{"text":"/opt/zeek/etc/networks.cfg","type":"text","marks":[{"type":"code_inline"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"# Internal network ranges\n10.0.0.0/8 Private RFC1918\n172.16.0.0/12 Private RFC1918\n192.168.0.0/16 Private RFC1918","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 2: Configure Logging and Output","type":"text"}]},{"type":"paragraph","content":[{"text":"Edit ","type":"text"},{"text":"/opt/zeek/share/zeek/site/local.zeek","type":"text","marks":[{"type":"code_inline"}]},{"text":":","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"zeek"},"content":[{"text":"# Load standard detection scripts\n@load base/protocols/conn\n@load base/protocols/dns\n@load base/protocols/http\n@load base/protocols/ssl\n@load base/protocols/ssh\n@load base/protocols/smtp\n@load base/protocols/ftp\n\n# Load file analysis\n@load base/files/hash-all-files\n@load base/files/extract-all-files\n\n# Load detection frameworks\n@load base/frameworks/notice\n@load base/frameworks/intel\n@load base/frameworks/files\n@load base/frameworks/software\n\n# Load additional protocol analyzers\n@load policy/protocols/ssl/validate-certs\n@load policy/protocols/ssl/log-hostcerts-only\n@load policy/protocols/ssh/detect-bruteforcing\n@load policy/protocols/dns/detect-external-names\n@load policy/protocols/http/detect-sqli\n\n# Enable JA3 fingerprinting\n@load policy/protocols/ssl/ja3\n\n# Enable JSON output for SIEM ingestion\n@load policy/tuning/json-logs\n\nredef LogAscii::use_json = T;\n\n# Configure file extraction directory\nredef FileExtract::prefix = \"/opt/zeek/extracted/\";\n\n# Set notice email\nredef Notice::mail_dest = \"[email protected]\";","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 3: Write Custom Detection Scripts","type":"text"}]},{"type":"paragraph","content":[{"text":"Create detection scripts for common threats:","type":"text"}]},{"type":"paragraph","content":[{"text":"Detect DNS Tunneling","type":"text","marks":[{"type":"strong"}]},{"text":" (","type":"text"},{"text":"/opt/zeek/share/zeek/site/detect-dns-tunnel.zeek","type":"text","marks":[{"type":"code_inline"}]},{"text":"):","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"zeek"},"content":[{"text":"@load base/protocols/dns\n\nmodule DNSTunnel;\n\nexport {\n redef enum Notice::Type += {\n DNS_Tunnel_Suspected\n };\n\n # Threshold for suspicious DNS query length\n const query_len_threshold = 50 &redef;\n\n # Track query counts per host per domain\n global dns_query_counts: table[addr, string] of count &default=0 &create_expire=5min;\n\n # High query volume threshold\n const query_volume_threshold = 100 &redef;\n}\n\nevent dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)\n{\n if ( |query| > query_len_threshold )\n {\n local parts = split_string(query, /\\./);\n if ( |parts| > 3 )\n {\n local base_domain = cat(parts[|parts|-2], \".\", parts[|parts|-1]);\n dns_query_counts[c$id$orig_h, base_domain] += 1;\n\n if ( dns_query_counts[c$id$orig_h, base_domain] > query_volume_threshold )\n {\n NOTICE([$note=DNS_Tunnel_Suspected,\n $msg=fmt(\"Possible DNS tunneling: %s queries to %s with long query names\",\n c$id$orig_h, base_domain),\n $conn=c,\n $identifier=cat(c$id$orig_h, base_domain),\n $suppress_for=30min]);\n }\n }\n }\n}","type":"text"}]},{"type":"paragraph","content":[{"text":"Detect Beaconing Behavior","type":"text","marks":[{"type":"strong"}]},{"text":" (","type":"text"},{"text":"/opt/zeek/share/zeek/site/detect-beaconing.zeek","type":"text","marks":[{"type":"code_inline"}]},{"text":"):","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"zeek"},"content":[{"text":"@load base/protocols/conn\n\nmodule Beaconing;\n\nexport {\n redef enum Notice::Type += {\n C2_Beacon_Detected\n };\n\n # Track connection intervals\n global conn_intervals: table[addr, addr, port] of vector of time &create_expire=1hr;\n\n const min_connections = 20 &redef;\n const jitter_threshold = 0.15 &redef;\n}\n\nevent connection_state_remove(c: connection)\n{\n if ( c$id$resp_p == 80/tcp || c$id$resp_p == 443/tcp )\n {\n local key = [c$id$orig_h, c$id$resp_h, c$id$resp_p];\n\n if ( key !in conn_intervals )\n conn_intervals[key] = vector();\n\n conn_intervals[key] += network_time();\n\n if ( |conn_intervals[key]| >= min_connections )\n {\n local intervals: vector of interval = vector();\n local i = 1;\n while ( i \u003c |conn_intervals[key]| )\n {\n intervals += conn_intervals[key][i] - conn_intervals[key][i-1];\n i += 1;\n }\n\n # Calculate mean and standard deviation\n local sum_val = 0.0;\n for ( idx in intervals )\n sum_val += interval_to_double(intervals[idx]);\n\n local mean_val = sum_val / |intervals|;\n\n local variance = 0.0;\n for ( idx in intervals )\n {\n local diff = interval_to_double(intervals[idx]) - mean_val;\n variance += diff * diff;\n }\n variance = variance / |intervals|;\n local stddev = sqrt(variance);\n\n if ( mean_val > 0 && (stddev / mean_val) \u003c jitter_threshold )\n {\n NOTICE([$note=C2_Beacon_Detected,\n $msg=fmt(\"Possible C2 beaconing: %s -> %s:%s (interval=%.1fs, jitter=%.2f)\",\n c$id$orig_h, c$id$resp_h, c$id$resp_p,\n mean_val, stddev/mean_val),\n $conn=c,\n $identifier=cat(c$id$orig_h, c$id$resp_h),\n $suppress_for=1hr]);\n }\n }\n }\n}","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 4: Configure Intel Framework","type":"text"}]},{"type":"paragraph","content":[{"text":"Load threat intelligence feeds into Zeek:","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"zeek"},"content":[{"text":"# In local.zeek\n@load frameworks/intel/seen\n@load frameworks/intel/do_notice\n\nredef Intel::read_files += {\n \"/opt/zeek/intel/malicious-ips.intel\",\n \"/opt/zeek/intel/malicious-domains.intel\",\n \"/opt/zeek/intel/malicious-hashes.intel\",\n};","type":"text"}]},{"type":"paragraph","content":[{"text":"Intel file format (","type":"text"},{"text":"/opt/zeek/intel/malicious-ips.intel","type":"text","marks":[{"type":"code_inline"}]},{"text":"):","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":""},"content":[{"text":"#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice\n198.51.100.50\tIntel::ADDR\tabuse.ch\tKnown C2 server\tT\n203.0.113.100\tIntel::ADDR\tthreatfeed\tRansomware infrastructure\tT","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 5: Deploy and Operate","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Deploy Zeek cluster\nsudo /opt/zeek/bin/zeekctl deploy\n\n# Check cluster status\nsudo /opt/zeek/bin/zeekctl status\n\n# Process offline PCAP\nzeek -r capture.pcap local.zeek\n\n# View logs\ncat /opt/zeek/logs/current/conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service duration orig_bytes resp_bytes\n\n# Search for specific connections\ncat /opt/zeek/logs/current/dns.log | zeek-cut query answers | grep -i \"suspicious\"\n\n# Rotate logs\nsudo /opt/zeek/bin/zeekctl cron","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Step 6: SIEM Integration","type":"text"}]},{"type":"paragraph","content":[{"text":"Filebeat configuration for ELK Stack:","type":"text","marks":[{"type":"strong"}]}]},{"type":"code_block","attrs":{"wrap":false,"language":"yaml"},"content":[{"text":"filebeat.inputs:\n - type: log\n enabled: true\n paths:\n - /opt/zeek/logs/current/*.log\n json.keys_under_root: true\n json.add_error_key: true\n fields:\n source: zeek\n fields_under_root: true\n\noutput.elasticsearch:\n hosts: [\"https://elasticsearch:9200\"]\n index: \"zeek-%{+yyyy.MM.dd}\"\n\nsetup.template.name: \"zeek\"\nsetup.template.pattern: \"zeek-*\"","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Analysis Techniques","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Connection Analysis","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Find top talkers by bytes\ncat conn.log | zeek-cut id.orig_h orig_bytes | sort -t

Performing Network Traffic Analysis with Zeek Overview Zeek (formerly Bro) is an open-source network analysis framework that operates as a passive network security monitor. Unlike traditional signature-based IDS tools, Zeek generates high-fidelity structured logs from observed network traffic, capturing detailed metadata for protocols including HTTP, DNS, TLS, SSH, SMTP, FTP, and dozens more. Zeek's extensible scripting language enables custom detection logic, behavioral analysis, and automated response. This skill covers deploying Zeek, understanding its log architecture, writing custom dete…

\\t' -k2 -rn | head -20\n\n# Find long-duration connections (potential C2)\ncat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p duration | awk '$4 > 3600' | sort -t

Performing Network Traffic Analysis with Zeek Overview Zeek (formerly Bro) is an open-source network analysis framework that operates as a passive network security monitor. Unlike traditional signature-based IDS tools, Zeek generates high-fidelity structured logs from observed network traffic, capturing detailed metadata for protocols including HTTP, DNS, TLS, SSH, SMTP, FTP, and dozens more. Zeek's extensible scripting language enables custom detection logic, behavioral analysis, and automated response. This skill covers deploying Zeek, understanding its log architecture, writing custom dete…

\\t' -k4 -rn\n\n# Find connections with unusual ports\ncat conn.log | zeek-cut id.resp_p proto | sort | uniq -c | sort -rn | head -30","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"TLS Analysis","type":"text"}]},{"type":"code_block","attrs":{"wrap":false,"language":"bash"},"content":[{"text":"# Find self-signed certificates\ncat ssl.log | zeek-cut server_name validation_status | grep \"self signed\"\n\n# Extract JA3 fingerprints for known malware\ncat ssl.log | zeek-cut ja3 server_name | sort | uniq -c | sort -rn\n\n# Find expired certificates\ncat ssl.log | zeek-cut server_name not_valid_after | awk -F'\\t' '$2 \u003c systime()'","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Best Practices","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"TAP Over SPAN","type":"text","marks":[{"type":"strong"}]},{"text":" - Use network TAPs instead of SPAN ports to avoid packet loss under load","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Worker Scaling","type":"text","marks":[{"type":"strong"}]},{"text":" - Assign 1 Zeek worker per 1 Gbps of monitored traffic","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"AF_PACKET Clusters","type":"text","marks":[{"type":"strong"}]},{"text":" - Use AF_PACKET with load balancing for multi-core processing","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Log Rotation","type":"text","marks":[{"type":"strong"}]},{"text":" - Configure automatic log rotation and archival (default: hourly)","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Intel Updates","type":"text","marks":[{"type":"strong"}]},{"text":" - Automate threat intelligence feed updates at least daily","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Packet Loss Monitoring","type":"text","marks":[{"type":"strong"}]},{"text":" - Monitor ","type":"text"},{"text":"capture_loss.log","type":"text","marks":[{"type":"code_inline"}]},{"text":" for dropped packets","type":"text"}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Custom Scripts","type":"text","marks":[{"type":"strong"}]},{"text":" - Develop organization-specific detections based on threat landscape","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"References","type":"text"}]},{"type":"bullet_list","content":[{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Zeek Documentation","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.zeek.org/en/master/","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Zeek Scripting Reference","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.zeek.org/en/master/script-reference/index.html","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Zeek Intel Framework","type":"text","marks":[{"type":"link","attrs":{"href":"https://docs.zeek.org/en/master/frameworks/intel.html","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"CISA Zeek Resources","type":"text","marks":[{"type":"link","attrs":{"href":"https://www.cisa.gov/resources-tools/services/kismet","title":null}}]}]}]},{"type":"list_item","content":[{"type":"paragraph","content":[{"text":"Zeek GitHub Repository","type":"text","marks":[{"type":"link","attrs":{"href":"https://github.com/zeek/zeek","title":null}}]}]}]}]},{"type":"hr","attrs":{"markup":"---"}}]},"metadata":{"date":"2026-06-05","name":"performing-network-traffic-analysis-with-zeek","tags":["zeek","network-monitoring","traffic-analysis","ids","nids","pcap","threat-detection","forensics","siem-integration"],"author":"@skillopedia","domain":"cybersecurity","source":{"stars":13207,"repo_name":"anthropic-cybersecurity-skills","origin_url":"https://github.com/mukul975/anthropic-cybersecurity-skills/blob/HEAD/skills/performing-network-traffic-analysis-with-zeek/SKILL.md","repo_owner":"mukul975","body_sha256":"f47abb7544242b61321e7af3a49b8e84903ff06fdbaa218241b667731f9a30f1","cluster_key":"94f0d5afb113b5d3e262e8cf2095c2f98459ad80e3f3a611100ad8dd9937e5a4","clean_bundle":{"format":"clean-skill-bundle-v1","source":"mukul975/anthropic-cybersecurity-skills/skills/performing-network-traffic-analysis-with-zeek/SKILL.md","attachments":[{"id":"d624b223-7814-5e22-a207-05c4455006a5","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/d624b223-7814-5e22-a207-05c4455006a5/attachment.md","path":"references/api-reference.md","size":1752,"sha256":"7587af317fc4272680c246ac8d3c33c08a17d74296b6cba900983fe277cf3f0c","contentType":"text/markdown; charset=utf-8"},{"id":"afc8b852-7cd4-5353-8d1b-31f147ef1552","key":"uploads/10433ee7-ad12-4ae0-b34e-97553e46c6c8/afc8b852-7cd4-5353-8d1b-31f147ef1552/attachment.py","path":"scripts/agent.py","size":6839,"sha256":"41a1cbcb9f782d0e7599f256904c62783997fccc02770363811e0fac7d2502f4","contentType":"text/x-python; charset=utf-8"}],"bundle_sha256":"60be73e4ffb6048a6218f7891c313701d3ba17b68d564686e5af7f7dcb636e88","attachment_count":2,"text_attachments":2,"attachment_storage":"skillopedia-attachments-v1","binary_attachments":0,"excluded_attachments":[]},"cluster_size":1,"skill_md_path":"skills/performing-network-traffic-analysis-with-zeek/SKILL.md","import_metadata":{"date":"2026-06-05","author":"@skillopedia","version":"v1","category":"security","category_label":"Security"},"exact_dupes_collapsed_into_this":0},"license":"Apache-2.0","version":"v1","category":"security","nist_csf":["PR.IR-01","DE.CM-01","ID.AM-03","PR.DS-02"],"subdomain":"network-security","import_tag":"clean-skills-v1","description":"Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation."}},"renderedAt":1782981695410}

Performing Network Traffic Analysis with Zeek Overview Zeek (formerly Bro) is an open-source network analysis framework that operates as a passive network security monitor. Unlike traditional signature-based IDS tools, Zeek generates high-fidelity structured logs from observed network traffic, capturing detailed metadata for protocols including HTTP, DNS, TLS, SSH, SMTP, FTP, and dozens more. Zeek's extensible scripting language enables custom detection logic, behavioral analysis, and automated response. This skill covers deploying Zeek, understanding its log architecture, writing custom dete…