Zeek is an open-source network analysis framework. Unlike an active security device such as a firewall, Zeek operates on a versatile ‘sensor’ that can be a hardware, software, virtual, or cloud platform.
This flexibility allows Zeek to quietly monitor network traffic, interpret it, and generate transaction logs, file content, and customized output. These outputs are suitable for manual review on disk or in an analyst-friendly tool such as SIEM, providing a comprehensive view of network activity.
Key features
- Zeek includes analyzers for many protocols, allowing for high-level semantic analysis at the application layer.
- Zeek’s domain-specific scripting language supports site-specific monitoring policies and is not limited to any particular detection method.
- Zeek is designed for high-performance networks and is used at various large sites.
- Zeek maintains an extensive application-layer state about the monitored network and offers a high-level archive of network activity.
Download
Zeek is available for free on GitHub. Zeek is part of many package repositories, including various Linux distributions, FreshPorts on FreeBSD, and MacPorts / Homebrew on macOS. For Linux, binaries are available through the openSUSE Build Service.
The developers aim to publish a new Zeek release about every four months.
Must read: