Zeek
Zeek is a free and open-source software network analysis framework. Vern Paxson began development work on Zeek in 1995 at Lawrence Berkeley National Lab. Zeek is a network security monitor (NSM) but can also be used as a network intrusion detection system (NIDS). The Zeek project releases the software under the BSD license.


Output

Zeek's purpose is to inspect network traffic and generate a variety of logs describing the activity it sees. A complete list of log files is available at the project documentation site.


Log example

The following is an example of one entry in JSON format from the conn.log:
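As an added illustration (example code written for this page, not the Zeek project's own code or the article's original entry), the block below embeds a few constructed conn.log lines in the shape of Zeek's JSON output (one object per line, with the connection id flattened into "id.orig_h", "id.resp_h", "id.resp_p" and so on) and runs two simple hunting checks over them: origins whose half-open S0 connections (SYN seen, no reply) reach many distinct responders, and connections whose duration exceeds a threshold. The field names are the standard conn.log fields; the sample addresses, UIDs, thresholds and function names are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample: six records in the shape of Zeek's JSON conn.log output
# plus one deliberately malformed line. Made-up values, not captured traffic.
SAMPLE_CONN_LOG = """\
{"ts":1700000000.10,"uid":"CAAAAA1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"10.0.0.20","id.resp_p":22,"proto":"tcp","conn_state":"S0","history":"S"}
{"ts":1700000000.12,"uid":"CAAAAA2","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"10.0.0.21","id.resp_p":22,"proto":"tcp","conn_state":"S0","history":"S"}
{"ts":1700000000.15,"uid":"CAAAAA3","id.orig_h":"10.0.0.5","id.orig_p":51002,"id.resp_h":"10.0.0.22","id.resp_p":445,"proto":"tcp","conn_state":"S0","history":"S"}
{"ts":1700000000.20,"uid":"CAAAAA4","id.orig_h":"10.0.0.5","id.orig_p":51003,"id.resp_h":"10.0.0.23","id.resp_p":445,"proto":"tcp","conn_state":"REJ","history":"Sr"}
{"ts":1700000001.00,"uid":"CAAAAA5","id.orig_h":"10.0.0.7","id.orig_p":40000,"id.resp_h":"192.0.2.10","id.resp_p":443,"proto":"tcp","service":"ssl","duration":3605.2,"orig_bytes":1200,"resp_bytes":48000,"conn_state":"SF","history":"ShADadFf"}
{"ts":1700000002.00,"uid":"CAAAAA6","id.orig_h":"10.0.0.7","id.orig_p":40001,"id.resp_h":"192.0.2.10","id.resp_p":80,"proto":"tcp","service":"http","duration":0.8,"orig_bytes":300,"resp_bytes":5100,"conn_state":"SF","history":"ShADadFf"}
this line is not JSON and stands in for a partially written record
"""


def parse_conn_log(text):
    """Parse JSON-lines conn.log text into dicts.

    Returns (records, skipped): malformed lines are counted and skipped rather
    than aborting the run, since the last line of a live log is often partial.
    """
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(rec, dict) or "uid" not in rec:
            skipped += 1
            continue
        records.append(rec)
    return records, skipped


def conn_state_counts(records):
    """Histogram of Zeek conn_state values (S0, SF, REJ, ...)."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec.get("conn_state", "?")] += 1
    return dict(counts)


def s0_fanout(records, threshold=3):
    """Origins whose S0 connections reach at least `threshold` distinct
    responder host:port pairs. Many S0 records from one origin is a common
    hunting lead for scanning or a misconfigured client (assumed threshold)."""
    targets = defaultdict(set)
    for rec in records:
        if rec.get("conn_state") == "S0":
            targets[rec["id.orig_h"]].add((rec["id.resp_h"], rec["id.resp_p"]))
    return {orig: len(t) for orig, t in targets.items() if len(t) >= threshold}


def long_connections(records, min_seconds=3600.0):
    """UIDs of connections lasting at least `min_seconds` (records without a
    duration, such as S0 attempts, are ignored)."""
    return [rec["uid"] for rec in records if rec.get("duration", 0.0) >= min_seconds]


if __name__ == "__main__":
    recs, bad = parse_conn_log(SAMPLE_CONN_LOG)
    print(f"parsed {len(recs)} records, skipped {bad}")
    print("conn_state histogram:", conn_state_counts(recs))
    print("S0 fan-out hits:", s0_fanout(recs))
    print("long-lived connections:", long_connections(recs))
```

The uid in each record is the key for pivoting into Zeek's other logs (the same uid appears in, for example, the ssl.log or http.log entry for that connection), which is why the hunting functions return uids rather than only counts.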


Threat hunting

One of Zeek's primary use cases involves cyber threat hunting.


Name

The principal author, Paxson, originally named the software "Bro" as a warning regarding George Orwell's Big Brother from the novel Nineteen Eighty-Four. In 2018 the project leadership team decided to rename the software. At LBNL in the 1990s, the developers ran their sensors as a pseudo-user named "zeek", thereby inspiring the name change in 2018.


Zeek deployment

Security teams identify locations on their network where they desire visibility. They deploy one or more network taps or enable switch SPAN ports for port mirroring to gain access to traffic. They deploy Zeek on servers with access to those visibility points. The Zeek software on the server decodes the network traffic into logs, writing them to local disk or remote storage.


Zeek application architecture and analyzers

Zeek's event engine analyzes live or recorded network traffic to generate neutral event logs. Zeek uses common ports and dynamic protocol detection (involving signatures as well as behavioral analysis) to identify network protocols. Developers write Zeek policy scripts in the Turing-complete Zeek scripting language. By default Zeek logs information about events to files, but analysts can also configure Zeek to take other actions, such as sending an email, raising an alert, executing a system command, updating an internal metric, or calling another Zeek script. Zeek analyzers perform application layer decoding, anomaly detection, signature matching and connection analysis. Zeek's developers designed the software to incorporate additional analyzers. The latest method for creating new protocol analyzers relies on the Spicy framework.


External links

* The Zeek Network Security Monitor (official website)
* Bro: A System for Detecting Network Intruders in Real-Time – Vern Paxson
* Zeek Nedir? Nasıl Kurulur? – KernelBlog, Emre Yılmaz (in Turkish)