Zeek Instrument

Zeek (formerly Bro) is an open source network security monitoring tool. It performs stateful inspection of network traffic across a wide variety of protocols. Zeek is configured with the Zeek scripting language, and the Instrument uses the IDS Rule Manager Instrument to receive scripts and blacklists.

Compared with the similar, but different, Suricata IDS Instrument, the main difference is that Zeek supports a more expressive scripting language: a Zeek script can, for example, perform database lookups and apply complex conditional logic to what a packet analyzer sees. Suricata is designed to handle a higher volume of traffic, but it does not inspect traffic at the same depth as Zeek.

Two types of customizable rules are supported by the Zeek Instrument:

  1. Zeek scripts. For details, see Zeek Scripting. Scripts are configured through the IDS Rule Manager Instrument.

  2. Blacklists, which use the Zeek Intel Framework. Blacklists are configured through the IDS Rule Manager Instrument.

Loadable module and log suppression

The Zeek Instrument can selectively load modules and suppress their log output. For example, you can load the base/protocols/dns module so that other scripts can use its analysis while suppressing all of its log output.
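The following site policy is an added example, not configuration shipped with the SensorFleet Instrument. It shows both rule types from the list above and the module-loading behaviour just described: the DNS analyzer is loaded so its observations still feed the Intel Framework, dns.log is suppressed with Log::disable_stream, and a blacklist file in Intel Framework format raises a notice when one of its indicators is seen. The blacklist path, the Blacklist module name and the sample indicators are assumptions; in the Instrument the blacklist would arrive via the IDS Rule Manager rather than a hand-placed file.

```zeek
# Added example (not the SensorFleet Instrument's own configuration): a site
# policy that loads the DNS analyzer, silences dns.log, and raises a notice
# when an indicator from an Intel Framework blacklist file is observed.
@load base/protocols/dns
@load base/frameworks/intel
@load base/frameworks/notice
@load frameworks/intel/seen   # feeds observed domains/addresses/hashes into Intel::seen()

module Blacklist;

export {
    redef enum Notice::Type += {
        ## Raised when traffic matches an entry in the blacklist file.
        Hit
    };
}

# Assumed path; the real Instrument receives blacklists from the IDS Rule Manager.
# The file is tab-separated in the Intel Framework format, for example
# (constructed sample entries; <TAB> marks a tab character):
#   #fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.desc
#   evil.example<TAB>Intel::DOMAIN<TAB>constructed-sample<TAB>sample domain entry
#   203.0.113.7<TAB>Intel::ADDR<TAB>constructed-sample<TAB>sample TEST-NET-3 address
redef Intel::read_files += { "/opt/zeek/share/zeek/site/blacklist.dat" };

# Run after base/protocols/dns has created its log stream (default priority 0),
# so the analyzer keeps running for Intel matching but writes no dns.log.
event zeek_init() &priority=-10
    {
    Log::disable_stream(DNS::LOG);
    }

# Intel::match fires once per observation, carrying every item that matched.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    for ( item in items )
        {
        local n: Notice::Info = [$note=Hit,
                                 $msg=fmt("blacklisted %s observed: %s",
                                          item$indicator_type, s$indicator),
                                 $sub=item$meta$source,
                                 $identifier=cat(s$indicator)];
        # When the match came from a connection, attach it so notice.log
        # carries the connection 5-tuple; Intel::Seen$conn is optional.
        if ( s?$conn )
            n$conn = s$conn;
        NOTICE(n);
        }
    }
```

Because the DNS stream is only disabled, not the analyzer, DNS queries are still passed to Intel::seen by the frameworks/intel/seen scripts, so a lookup of a blacklisted domain produces an entry in notice.log even though dns.log is never written. The &priority=-10 on zeek_init matters: the stream must exist before Log::disable_stream is called, and the base scripts create it in their own zeek_init handler at the default priority.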

Properties

Developer: SensorFleet Oy (Open Source integration)
Categories: Attack Detection, Traffic Analysis, IDS
Network access type: Passive
Required interfaces:
  • Monitored network
Dependencies: None
Related Instruments: Rule Manager, Rule Importer
Data retention: The latest scripts and blacklists are stored in the instrument's persistent data.
Management UI: No