Zeek
Unix-based network security monitoring framework
title: "Zeek" type: doc version: 1 created: 2026-02-28 author: "Wikipedia contributors" status: active scope: public tags: ["free-security-software", "computer-security-software", "unix-security-software", "intrusion-detection-systems", "software-using-the-bsd-license"] description: "Unix-based network security monitoring framework" topic_path: "technology/computing" source: "https://en.wikipedia.org/wiki/Zeek" license: "CC BY-SA 4.0" wikipedia_page_id: 0 wikipedia_revision_id: 0
::summary Unix-based network security monitoring framework ::
::data[format=table title="Infobox software"]
| Field | Value |
|---|---|
| name | Zeek |
| logo | |
| screenshot | |
| author | Vern Paxson |
| released | |
| latest release version | |
| latest release date | |
| programming language | C++ |
| operating system | Linux, FreeBSD, macOS |
| genre | Network intrusion detection system |
| license | BSD license |
| website | |
| :: |
| name = Zeek | logo = | screenshot = | caption = | collapsible = | author = Vern Paxson | developer = | released = | discontinued = | latest release version = | latest release date = | latest preview version = | latest preview date = | programming language = C++ | operating system = Linux, FreeBSD, macOS | platform = | size = | language = | genre = Network intrusion detection system | license = BSD license | website = Zeek is a free and open-source software network analysis framework. Vern Paxson began development work on Zeek in 1995 at Lawrence Berkeley National Lab. Zeek is a network security monitor (NSM) but can also be used as a network intrusion detection system (NIDS). The Zeek project releases the software under the BSD license.
Output
Zeek's purpose is to inspect network traffic and generate a variety of logs describing the activity it sees. A complete list of log files is available at the project documentation site.
Log example
The following is an example of one entry in JSON format from the conn.log: { "ts": 1554410064.698965, "uid": "CMreaf3tGGK2whbqhh", "id.orig_h": "192.168.144.130", "id.orig_p": 64277, "id.resp_h": "192.168.144.2", "id.resp_p": 53, "proto": "udp", "service": "dns", "duration": 0.320463, "orig_bytes": 94, "resp_bytes": 316, "conn_state": "SF", "missed_bytes": 0, "history": "Dd", "orig_pkts": 2, "orig_ip_bytes": 150, "resp_pkts": 2, "resp_ip_bytes": 372, "tunnel_parents": [] } |zeek}}
Threat hunting
One of Zeek's primary use cases involves cyber threat hunting.
Name
The principal author, Paxson, originally named the software "Bro" as a warning regarding George Orwell's Big Brother from the novel Nineteen Eighty-Four. In 2018 the project leadership team decided to rename the software. At LBNL in the 1990s, the developers ran their sensors as a pseudo-user named "zeek", thereby inspiring the name change in 2018.
Zeek deployment
Security teams identify locations on their network where they desire visibility. They deploy one or more network taps or enable switch SPAN ports for port mirroring to gain access to traffic. They deploy Zeek on servers with access to those visibility points. The Zeek software on the server deciphers network traffic as logs, writing them to local disk or remote storage.
Zeek application architecture and analyzers
Zeek's event engine analyzes live or recorded network traffic to generate neutral event logs. Zeek uses common ports and dynamic protocol detection (involving signatures as well as behavioral analysis) to identify network protocols.
Developers write Zeek policy scripts in the Turing complete Zeek scripting language. By default Zeek logs information about events to files, but analysts can also configure Zeek to take other actions, such as sending an email, raising an alert, executing a system command, updating an internal metric, or calling another Zeek script.
Zeek analyzers perform application layer decoding, anomaly detection, signature matching and connection analysis. Zeek's developers designed the software to incorporate additional analyzers. The latest method for creating new protocol analyzers relies on the Spicy framework.
References
References
- "Bro 0.3-alpha".
- Paxson, Vern. (1998-01-26). "Bro: A System for Detecting Network Intruders in Real-Time".
- McCarty, Ronald. (2014). "Network analysis with the Bro Network Security Monitor".
- (22 December 2021). "Zeek Network Security Monitor".
- "Zeek Script Reference Log Files".
- Wright, Joshua. (2019-12-09). "Parsing Zeek JSON Logs with JQ".
- Ooi, Eric. (22 November 2023). "Zeekurity Zen - Part IV: Threat Hunting with Zeek".
- Paxson, Vern. (2018-10-11). "Renaming the Bro Project".
- (2020-04-07). "Enabling SOHO Network Monitoring".
- Ooi, Eric. (3 January 2019). "Zeekurity Zen Part III: How to Send Zeek Logs to Splunk".
- (2019). "Attacks on Dynamic Protocol Detection of Open Source Network Security Monitoring Tools".
- Sommer, Robin. (2003). "Bro: An Open Source Network Intrusion Detection System".
- (11 June 2022). "Spicy".
::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::