Zeek Instrument
Zeek (formerly Bro) is an open source network security monitoring tool. It performs stateful inspection of network traffic across a wide variety of protocols. Zeek is configured with the Zeek scripting language and uses the IDS Rule Manager Instrument for scripts and blacklists.
Compared with the similar, but different, Suricata IDS Instrument, the main difference is that Zeek supports a more complex scripting language. For example, the packet analyzer can perform complex database lookups and complex conditional logic. Suricata is designed to analyze a higher volume of traffic, but not at as deep a level as Zeek.
Two types of customizable rules are supported by the Zeek Instrument:
- Zeek Scripts. For details, see Zeek Scripting. Scripts can be configured with the IDS Rule Manager Instrument.
- Blacklists, which use the Zeek Intel Framework. Blacklists can be configured with the IDS Rule Manager Instrument.
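To show what a Zeek Intel Framework blacklist involves at the Zeek level, here is an added example; it is not code from the Zeek Instrument or from SensorFleet, and the file path and the indicator values in it are constructed assumptions. The script loads a tab-separated indicator file and reports every match.

```zeek
# Added example: feeding a blacklist to the Zeek Intel Framework.
# Assumptions: the indicator file lives at the path below (constructed);
# the indicators it contains are constructed sample values.

@load base/frameworks/intel
# Policy scripts that report observed addresses, domains, URLs etc. to
# Intel::seen() and raise an Intel::Notice for items flagged do_notice.
@load frameworks/intel/seen
@load frameworks/intel/do_notice

# Constructed sample of the indicator file. Columns MUST be tab-separated:
#
#   #fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.desc<TAB>meta.do_notice
#   198.51.100.7<TAB>Intel::ADDR<TAB>sample_blacklist<TAB>constructed test entry<TAB>T
#   bad.example<TAB>Intel::DOMAIN<TAB>sample_blacklist<TAB>constructed test entry<TAB>T
#
# The file is re-read automatically when it changes on disk.
redef Intel::read_files += { "/opt/zeek/share/zeek/site/blacklist.dat" };

# Fired once per observation that matches one or more intel items.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    # Seen carries either a string indicator or an address, depending on type.
    local what = s?$indicator ? s$indicator : fmt("%s", s$host);
    for ( item in items )
        print fmt("intel hit: %s seen in %s (source: %s)", what, s$where, item$meta$source);
    }
```

Matches also land in intel.log, and with do_notice set to T they additionally produce an Intel::Notice entry in notice.log, which is usually the more convenient place to alert from.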
Loadable module and log suppression
The Zeek Instrument can selectively load modules and suppress their log output. For example, you can load the base/protocols/dns module so that other scripts can use its analysis, while suppressing all of its log output.
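The following added example (not code from the Zeek Instrument; it shows the plain Zeek mechanism behind the feature) loads the DNS module, disables its log stream, and then still consumes DNS events from the analyzer in a script of its own. The detection logic in the handler is an illustration chosen here, not part of the Instrument.

```zeek
# Added example: load the DNS analyzer but suppress dns.log.

@load base/protocols/dns

event zeek_init()
    {
    # Disable the DNS::LOG stream: the analyzer keeps running and its
    # events keep firing, but no dns.log is written.
    Log::disable_stream(DNS::LOG);
    }

# Because the module is still loaded, its events remain available to
# other scripts. Here: flag names that resolve to private address space,
# which is a common sign of DNS rebinding against internal services.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
    {
    if ( Site::is_private_addr(a) )
        print fmt("%s resolved %s to private address %s", c$id$orig_h, ans$query, a);
    }
```

Disabling a stream is the right tool when the volume of a log is the problem but its analysis is still needed; if the analyzer itself is not wanted, leave the module unloaded instead, which also saves the CPU spent on parsing.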
Properties
Developer | SensorFleet Oy (Open Source integration) |
Categories | Attack Detection, Traffic Analysis, IDS |
Network access type | Passive |
Required interfaces | |
Dependencies | None |
Related Instruments | Rule Manager, Rule Importer |
Data retention | The latest scripts and blacklists are stored in the instrument’s persistent data. |
Management UI | No |