Zeek Network Security Monitor:
Zeek (formerly Bro) is a popular and powerful network traffic analysis framework, which is used by a wide variety of security professionals. Like Virustotal, Bro is offered free as an open-source, UNIX-based network monitoring framework that can be used for detecting network intrusion, collecting network measurements, and generating an extensive set of log files that records a network’s activity in high-level terms.
These logs include not only a comprehensive record of every connection seen on the network, but also application layer transcripts such as all HTTP sessions and their requested URIs (Uniform Resource Identifier), key headers, MIME (Multipurpose Internet Mail Extensions) types, and server responses. Bro also provides analysts with a scripting language similar to Python’s functionality, that allows users to customize network analysis.
Key Features of Zeek:
● In-depth Analysis – Zeek ships with analyzers for many protocols, enabling high-level semantic analysis at the application layer.
● Adaptable and Flexible – Zeek’s domain-specific scripting language enables site-specific monitoring policies and means that it is not restricted to any particular detection approach.
● Efficient – Zeek targets high-performance networks and is used operationally at a variety of large sites.
● Highly Stateful – Zeek keeps an extensive application-layer state about the network it monitors and provides a high-level archive of a network’s activity.
Installation:
To work with the most recent code from the development branch of Zeek, clone the master git repository:
| git clone –recursive https://github.com/zeek/zeek |
With all dependencies in place, build and install:
| ./configure && make && sudo make install |
Write your first Zeek script:
| #File “hello.zeek” event zeek_init() { print “Hello World!”; } |
And run it:
| zeek hello.zeek |
For learning more about the Zeek scripting language, try.zeek.org is a great resource.
Log Files Details:
Listed below are the log files generated by Zeek, including a brief description of the log file and links to descriptions of the fields for each log type.
Network Protocols:
| Log File | Description | Field Descriptions |
|---|---|---|
| conn.log | TCP/UDP/ICMP connections | Conn::Info |
| dce_rpc.log | Distributed Computing Environment/RPC | DCE_RPC::Info |
| dhcp.log | DHCP leases | DHCP::Info |
| dnp3.log | DNP3 requests and replies | DNP3::Info |
| dns.log | DNS activity | DNS::Info |
| ftp.log | FTP activity | FTP::Info |
| http.log | HTTP requests and replies | HTTP::Info |
| irc.log | IRC commands and responses | IRC::Info |
| kerberos.log | Kerberos | KRB::Info |
| modbus.log | Modbus commands and responses | Modbus::Info |
| modbus_register_change.log | Tracks changes to Modbus holding registers | Modbus::MemmapInfo |
| mysql.log | MySQL | MySQL::Info |
| ntlm.log | NT LAN Manager (NTLM) | NTLM::Info |
| ntp.log | Network Time Protocol | NTP::Info |
| radius.log | RADIUS authentication attempts | RADIUS::Info |
| rdp.log | RDP | RDP::Info |
| rfb.log | Remote Framebuffer (RFB) | RFB::Info |
| sip.log | SIP | SIP::Info |
| smb_cmd.log | SMB commands | SMB::CmdInfo |
| smb_files.log | SMB files | SMB::FileInfo |
| smb_mapping.log | SMB trees | SMB::TreeInfo |
| smtp.log | SMTP transactions | SMTP::Info |
| snmp.log | SNMP messages | SNMP::Info |
| socks.log | SOCKS proxy requests | SOCKS::Info |
| ssh.log | SSH connections | SSH::Info |
| ssl.log | SSL/TLS handshake info | SSL::Info |
| syslog.log | Syslog messages | Syslog::Info |
| tunnel.log | Tunneling protocol events | Tunnel::Info |
Files:
| Log File | Description | Field Descriptions |
|---|---|---|
| files.log | File analysis results | Files::Info |
| ocsp.log | Online Certificate Status Protocol (OCSP). Only created if policy script is loaded. | OCSP::Info |
| pe.log | Portable Executable (PE) | PE::Info |
| x509.log | X.509 certificate info | X509::Info |
NetControl:
| Log File | Description | Field Descriptions |
|---|---|---|
| netcontrol.log | NetControl actions | NetControl::Info |
| netcontrol_drop.log | NetControl actions | NetControl::DropInfo |
| netcontrol_shunt.log | NetControl shunt actions | NetControl::ShuntInfo |
| netcontrol_catch_release.log | NetControl catch and release actions | NetControl::CatchReleaseInfo |
| openflow.log | OpenFlow debug log | OpenFlow::Info |
Detections:
| Log File | Description | Field Descriptions |
|---|---|---|
| intel.log | Intelligence data matches | Intel::Info |
| notice.log | Zeek notices | Notice::Info |
| notice_alarm.log | The alarm stream | Notice::Info |
| signatures.log | Signature matches | Signatures::Info |
| traceroute.log | Traceroute detection | Traceroute::Info |
Network Observations:
| Log File | Description | Field Descriptions |
|---|---|---|
| known_certs.log | SSL certificates | Known::CertsInfo |
| known_hosts.log | Hosts that have completed TCP handshakes | Known::HostsInfo |
| known_modbus.log | Modbus masters and slaves | Known::ModbusInfo |
| known_services.log | Services running on hosts | Known::ServicesInfo |
| software.log | Software being used on the network | Software::Info |
Miscellaneous:
| Log File | Description | Field Descriptions |
|---|---|---|
| barnyard2.log | Alerts received from Barnyard2 | Barnyard2::Info |
| dpd.log | Dynamic protocol detection failures | DPD::Info |
| unified2.log | Interprets Snort’s unified output | Unified2::Info |
| weird.log | Unexpected network-level activity | Weird::Info |
| weird_stats.log | Statistics about unexpected activity | WeirdStats::Info |
Zeek Diagnostics:
| Log File | Description | Field Descriptions |
|---|---|---|
| broker.log | Peering status events between Zeek or Broker-enabled processes | Broker::Info |
| capture_loss.log | Packet loss rate | CaptureLoss::Info |
| cluster.log | Zeek cluster messages | Cluster::Info |
| config.log | Configuration option changes | Config::Info |
| loaded_scripts.log | Shows all scripts loaded by Zeek | LoadedScripts::Info |
| packet_filter.log | List packet filters that were applied | PacketFilter::Info |
| print.log | Print statements that were redirected to a log stream. | Log::PrintLogInfo |
| prof.log | Profiling statistics (to create this log, load policy/misc/profiling.zeek | N/A |
| reporter.log | Internal error/warning/info messages | Reporter::Info |
| stats.log | Memory/event/packet/lag statistics | Stats::Info |
| stderr.log | Captures standard error when Zeek is started from ZeekControl | N/A |
| stdout.log | Captures standard output when Zeek is started from ZeekControl | N/A |
Conclusion:
Zeek is an Open-source network security monitoring tool, which provides you a clear vision of Network monitoring such as Traffic logging, File extraction, Analysis Automation. Also, it provides a free platform to create your own scripting in try.zeek.org for a better hands-on experience.