Using Zeek for Network Analysis and Detections

What is Zeek?

Zeek (formerly known as Bro) is a free, open-source network traffic analyzer. The tool sits on a sensor, observes network traffic and extracts hundreds of fields from that data in real time. It has pre-built parsers for numerous protocols (HTTP, SSL, DNS, FTP, etc.) and allows for the creation of custom parsers for protocols not yet supported. Zeek can detect anomalies, but not in the same fashion as a traditional IDS (like Suricata).

The sensor receives a copy of the traffic from a mirror (SPAN) port on a router within your network. Zeek then processes, parses and structures that traffic by protocol, and writes the results to various log files (dns.log, http.log, conn.log, etc.). We will explore a few of these in the sections below to learn how they can be used. A common use of these files is to ingest them into a SIEM platform to craft detections.
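To make the "processed data stored into log files" concrete, here is an added example (not code from the original article or from the Zeek project) that parses the default tab-separated Zeek log format and runs two simple detection-style queries over it. The sample conn.log content is constructed for this example; the header lines (`#separator`, `#fields`, `#types`, `#unset_field`, etc.) and the conn.log field names follow Zeek's standard ASCII log layout, while the function names and the 30-minute threshold are choices made here, not Zeek conventions.

```python
from typing import Any, Dict, List

# Constructed sample of a Zeek conn.log. Rows are built with "\t".join so the
# tab separators survive copy and paste; values are illustrative only.
_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "proto", "service", "duration", "orig_bytes", "resp_bytes",
           "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
           "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
           "tunnel_parents"]
_TYPES = ["time", "string", "addr", "port", "addr", "port", "enum", "string",
          "interval", "count", "count", "string", "bool", "bool", "count",
          "string", "count", "count", "count", "count", "set[string]"]
_ROWS = [
    ["1704067200.123456", "CAbc123", "10.0.0.5", "51234", "203.0.113.10", "443",
     "tcp", "ssl", "3600.5", "120000", "4500", "SF", "T", "F", "0", "ShADadFf",
     "300", "150000", "200", "12000", "-"],
    ["1704067201.000000", "CDef456", "10.0.0.7", "41000", "10.0.0.1", "53",
     "udp", "dns", "0.002", "60", "120", "SF", "T", "T", "0", "Dd",
     "1", "88", "1", "148", "(empty)"],
    ["1704067202.000000", "CGhi789", "10.0.0.5", "51300", "198.51.100.20",
     "8443", "tcp", "-", "-", "-", "-", "S0", "T", "F", "0", "S",
     "1", "60", "0", "0", "-"],
]
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tconn", "#open\t2024-01-01-00-00-00",
     "#fields\t" + "\t".join(_FIELDS), "#types\t" + "\t".join(_TYPES)]
    + ["\t".join(r) for r in _ROWS]
    + ["#close\t2024-01-01-01-00-00"]
)


def _convert(raw: str, ztype: str, set_sep: str, empty: str, unset: str) -> Any:
    """Turn one raw column into a Python value according to the Zeek type."""
    if raw == unset:
        return None  # "-" means the field was never set for this record
    if ztype.startswith(("set[", "vector[")):
        if raw == empty:
            return []
        inner = ztype[ztype.index("[") + 1:-1]
        return [_convert(v, inner, set_sep, empty, unset) for v in raw.split(set_sep)]
    if raw == empty:
        return ""
    if ztype in ("time", "double", "interval"):
        return float(raw)
    if ztype in ("count", "int", "port"):
        return int(raw)
    if ztype == "bool":
        return raw == "T"
    return raw  # string, addr, enum, subnet, etc. stay as text


def parse_zeek_tsv(text: str) -> List[Dict[str, Any]]:
    """Parse Zeek's ASCII (TSV) log format, honouring its #-prefixed header."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields: List[str] = []
    types: List[str] = []
    records: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator is written as an escape such as \x09 (tab).
                sep = line[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close carry no record data
        values = line.split(sep)
        records.append({n: _convert(v, t, set_sep, empty, unset)
                        for n, t, v in zip(fields, types, values)})
    return records


def long_connections(records: List[Dict[str, Any]], min_duration: float = 1800.0) -> List[str]:
    """Detection query: uids of connections lasting at least min_duration seconds.
    Records with an unset duration (e.g. conn_state S0, no reply) are skipped."""
    return [r["uid"] for r in records
            if r.get("duration") is not None and r["duration"] >= min_duration]


def bytes_out_by_host(records: List[Dict[str, Any]]) -> Dict[str, int]:
    """Detection query: total bytes sent by each originating host."""
    totals: Dict[str, int] = {}
    for r in records:
        totals[r["id.orig_h"]] = totals.get(r["id.orig_h"], 0) + (r["orig_bytes"] or 0)
    return totals


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_CONN_LOG)
    print("long-lived connections:", long_connections(recs))
    print("bytes out per host:", bytes_out_by_host(recs))
```

The same two queries are what a SIEM rule over ingested conn.log data would express; doing it in a script first lets you check the field types (ports as integers, durations as floats, unset fields as `None`) before building a detection on them. If your deployment writes JSON logs instead of TSV, each line is already a complete record and only the type handling above is needed.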

Network data. Who cares?

Good network data is key when investigating security events and crafting good detections. To create a complete picture of what’s occurring in your network, you must first understand what systems

