Skills · May 3, 2026 · 1 minute read

Zeek — Powerful Network Analysis Framework for Security Monitoring

A passive network traffic analyzer that turns raw packets into structured logs, enabling security monitoring, forensics, and protocol analysis at scale.


  • Native · 98/100 · Policy: allowed
  • Agent entry point: any MCP/CLI agent
  • Type: Skill
  • Install: Single
  • Trust level: Established
  • Entry: Zeek Overview
  • Generic CLI install command: npx tokrepo install aba19366-4686-11f1-9bc6-00163e2b0d79

Introduction

Zeek (formerly Bro) is a passive network traffic analyzer that produces detailed, structured logs of network activity. Unlike signature-based IDS tools, Zeek focuses on understanding what is happening on a network by parsing protocols and generating rich event data for security analysts.

What Zeek Does

  • Parses 30+ network protocols (HTTP, DNS, TLS, SMB, SSH, etc.) into structured logs
  • Generates connection summaries, file extraction, and certificate inventories
  • Provides a domain-specific scripting language for custom analysis logic
  • Produces JSON or TSV logs consumable by SIEMs and log platforms
  • Detects anomalies through protocol analysis rather than signature matching

Architecture Overview

Zeek runs as a cluster of worker processes supervised by a manager node. Each worker receives raw packets from a network tap or mirror port through a packet capture library (libpcap or AF_PACKET). Workers run the protocol parsers (state machines) and emit events, which Zeek scripts consume to write log entries and raise notices.

Self-Hosting & Configuration

  • Install from binary packages for major Linux distributions or build from source
  • Configure monitored interfaces and cluster topology in node.cfg
  • Customize analysis by writing or loading Zeek scripts (.zeek files)
  • Use zeekctl to deploy, start, stop, and manage cluster nodes
  • Forward logs to Elasticsearch, Splunk, or any SIEM via JSON output or Kafka
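The TSV and JSON logs described above are what every downstream consumer (a SIEM, a forwarder, an analyst's script) has to read. The following Python is an added example, not code from Zeek, from TokRepo, or from this page: it parses a constructed conn.log in Zeek's default TSV layout (the `#fields`/`#types` header, `-` for unset values, `(empty)` for empty sets), types each column from the `#types` line, emits newline-delimited JSON as a forwarder would, and runs one simple detection over the records: several unanswered SYNs (conn_state `S0`) from one source to distinct destinations. Column names follow Zeek's conn.log; the sample addresses, the threshold and the detection rule itself are assumptions for illustration.

```python
"""Read a Zeek TSV log and flag sources with many unanswered connections.

Added example (not Zeek's own code). The log below is constructed to
mimic Zeek's conn.log layout; it was not captured from a real network.
"""
import json
from collections import Counter, defaultdict

# Constructed sample conn.log. Zeek writes '#separator \x09' literally,
# then tab-separated header lines, data rows, and a '#close' line.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#open\t2024-01-01-00-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tstring
1704067200.000000\tCabc1\t10.0.0.5\t51000\t10.0.0.20\t22\ttcp\tssh\t12.5\t3000\t4000\tSF\tShAdDaFf
1704067201.000000\tCabc2\t10.0.0.5\t51001\t10.0.0.21\t445\ttcp\t-\t-\t-\t-\tS0\tS
1704067202.000000\tCabc3\t10.0.0.5\t51002\t10.0.0.22\t445\ttcp\t-\t-\t-\t-\tS0\tS
1704067203.000000\tCabc4\t10.0.0.5\t51003\t10.0.0.23\t445\ttcp\t-\t-\t-\t-\tS0\tS
1704067204.000000\tCabc5\t10.0.0.9\t40000\t10.0.0.53\t53\tudp\tdns\t0.02\t60\t120\tSF\tDd
#close\t2024-01-01-00-01-00
"""


def _convert(value, ztype, unset, empty):
    """Map one TSV cell to a Python value using the Zeek type name."""
    if value == unset:
        return None
    if value == empty:
        return []
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    if ztype.startswith(("set[", "vector[")):
        return value.split(",")
    return value  # string, addr, enum, subnet stay as text


def parse_zeek_tsv(text):
    """Yield one dict per data row; header lines set field names and types."""
    fields, types = None, None
    unset, empty = "-", "(empty)"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "types":
                types = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            elif key == "empty_field":
                empty = rest
            continue  # #separator, #path, #open, #close carry no row data
        if fields is None or types is None:
            raise ValueError("data row before #fields/#types header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        yield {f: _convert(v, t, unset, empty)
               for f, v, t in zip(fields, values, types)}


def to_json_lines(records):
    """Serialize records as newline-delimited JSON, the shape SIEMs ingest."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def find_sweeping_sources(records, min_unanswered=3):
    """Return {orig_h: S0 count} for sources whose unanswered SYNs (conn_state
    S0: request seen, no reply) reach min_unanswered distinct destinations.
    The threshold is an assumption chosen for this sample."""
    counts = Counter()
    targets = defaultdict(set)
    for r in records:
        if r["conn_state"] == "S0":
            counts[r["id.orig_h"]] += 1
            targets[r["id.orig_h"]].add(r["id.resp_h"])
    return {h: n for h, n in counts.items()
            if n >= min_unanswered and len(targets[h]) >= min_unanswered}


def analyze(text):
    """Parse a conn.log body and return (records, flagged sources)."""
    records = list(parse_zeek_tsv(text))
    return records, find_sweeping_sources(records)


if __name__ == "__main__":
    recs, flagged = analyze(SAMPLE_CONN_LOG)
    print(to_json_lines(recs))
    print("flagged sources:", flagged)
```

The parser relies only on the header Zeek itself emits, so the same reader works for any Zeek TSV log (dns.log, ssl.log, files.log), and switching Zeek to JSON output replaces only `parse_zeek_tsv`, not the detection logic.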

Key Features

  • Protocol-level visibility into HTTP headers, DNS queries, TLS certificates, and more
  • Automatic file extraction from network traffic (binaries, documents, images)
  • Extensible scripting language for writing custom detectors and log enrichment
  • Cluster mode for monitoring multi-gigabit network links
  • Community-maintained package ecosystem via the Zeek Package Manager

Comparison with Similar Tools

  • Suricata — Signature-based IDS/IPS; Zeek focuses on protocol analysis and logging
  • Wireshark — Interactive packet inspector; Zeek is designed for continuous automated monitoring
  • Snort — Classic signature-based IDS; less protocol parsing depth than Zeek
  • Arkime (Moloch) — Full packet capture and search; complements Zeek logs with raw pcap storage
  • NetworkMiner — Forensic analysis tool; GUI-based, not designed for continuous operation

FAQ

Q: Is Zeek an IDS? A: Zeek is a network analysis framework, not a traditional signature-based IDS. It excels at protocol parsing and log generation, which analysts use for detection and investigation.

Q: Can Zeek handle high-speed links? A: Yes. In cluster mode, Zeek distributes traffic across workers and can monitor 10 Gbps+ links with appropriate hardware.

Q: What happened to Bro? A: Zeek was renamed from Bro in 2018. The software and community are the same; only the name changed.

Q: Can I write custom detections? A: Yes. Zeek includes a full scripting language for writing custom protocol analyzers, detectors, and log generators.
