Zeek – Network Traffic Analysis and Security Monitoring Tool

0

Zeek Network Security Monitor:

Zeek (formerly Bro) is a popular and powerful network traffic analysis framework, which is used by a wide variety of security professionals. Like Virustotal, Bro is offered free as an open-source, UNIX-based network monitoring framework that can be used for detecting network intrusion, collecting network measurements, and generating an extensive set of log files that records a network’s activity in high-level terms.

These logs include not only a comprehensive record of every connection seen on the network, but also application layer transcripts such as all HTTP sessions and their requested URIs (Uniform Resource Identifier), key headers, MIME (Multipurpose Internet Mail Extensions) types, and server responses. Bro also provides analysts with a scripting language similar to Python’s functionality, that allows users to customize network analysis.


Key Features of Zeek:

In-depth Analysis – Zeek ships with analyzers for many protocols, enabling high-level semantic analysis at the application layer.

Adaptable and Flexible – Zeek’s domain-specific scripting language enables site-specific monitoring policies and means that it is not restricted to any particular detection approach.

Efficient – Zeek targets high-performance networks and is used operationally at a variety of large sites.

Highly Stateful – Zeek keeps an extensive application-layer state about the network it monitors and provides a high-level archive of a network’s activity.

Installation:

To work with the most recent code from the development branch of Zeek, clone the master git repository:

git clone –recursive https://github.com/zeek/zeek

With all dependencies in place, build and install:

./configure && make && sudo make install

Write your first Zeek script:

#File “hello.zeek”
event zeek_init()
{
print “Hello World!”;
}

And run it:

zeek hello.zeek

For learning more about the Zeek scripting language, try.zeek.org is a great resource.

Log Files Details:

Listed below are the log files generated by Zeek, including a brief description of the log file and links to descriptions of the fields for each log type.

Network Protocols:

Log FileDescriptionField Descriptions
conn.logTCP/UDP/ICMP connectionsConn::Info
dce_rpc.logDistributed Computing Environment/RPCDCE_RPC::Info
dhcp.logDHCP leasesDHCP::Info
dnp3.logDNP3 requests and repliesDNP3::Info
dns.logDNS activityDNS::Info
ftp.logFTP activityFTP::Info
http.logHTTP requests and repliesHTTP::Info
irc.logIRC commands and responsesIRC::Info
kerberos.logKerberosKRB::Info
modbus.logModbus commands and responsesModbus::Info
modbus_register_change.logTracks changes to Modbus holding registersModbus::MemmapInfo
mysql.logMySQLMySQL::Info
ntlm.logNT LAN Manager (NTLM)NTLM::Info
ntp.logNetwork Time ProtocolNTP::Info
radius.logRADIUS authentication attemptsRADIUS::Info
rdp.logRDPRDP::Info
rfb.logRemote Framebuffer (RFB)RFB::Info
sip.logSIPSIP::Info
smb_cmd.logSMB commandsSMB::CmdInfo
smb_files.logSMB filesSMB::FileInfo
smb_mapping.logSMB treesSMB::TreeInfo
smtp.logSMTP transactionsSMTP::Info
snmp.logSNMP messagesSNMP::Info
socks.logSOCKS proxy requestsSOCKS::Info
ssh.logSSH connectionsSSH::Info
ssl.logSSL/TLS handshake infoSSL::Info
syslog.logSyslog messagesSyslog::Info
tunnel.logTunneling protocol eventsTunnel::Info

Files:

Log FileDescriptionField Descriptions
files.logFile analysis resultsFiles::Info
ocsp.logOnline Certificate Status Protocol (OCSP). Only created if policy script is loaded.OCSP::Info
pe.logPortable Executable (PE)PE::Info
x509.logX.509 certificate infoX509::Info

NetControl:

Log FileDescriptionField Descriptions
netcontrol.logNetControl actionsNetControl::Info
netcontrol_drop.logNetControl actionsNetControl::DropInfo
netcontrol_shunt.logNetControl shunt actionsNetControl::ShuntInfo
netcontrol_catch_release.logNetControl catch and release actionsNetControl::CatchReleaseInfo
openflow.logOpenFlow debug logOpenFlow::Info

Detections:

Log FileDescriptionField Descriptions
intel.logIntelligence data matchesIntel::Info
notice.logZeek noticesNotice::Info
notice_alarm.logThe alarm streamNotice::Info
signatures.logSignature matchesSignatures::Info
traceroute.logTraceroute detectionTraceroute::Info

Network Observations:

Log FileDescriptionField Descriptions
known_certs.logSSL certificatesKnown::CertsInfo
known_hosts.logHosts that have completed TCP handshakesKnown::HostsInfo
known_modbus.logModbus masters and slavesKnown::ModbusInfo
known_services.logServices running on hostsKnown::ServicesInfo
software.logSoftware being used on the networkSoftware::Info

Miscellaneous:

Log FileDescriptionField Descriptions
barnyard2.logAlerts received from Barnyard2Barnyard2::Info
dpd.logDynamic protocol detection failuresDPD::Info
unified2.logInterprets Snort’s unified outputUnified2::Info
weird.logUnexpected network-level activityWeird::Info
weird_stats.logStatistics about unexpected activityWeirdStats::Info

Zeek Diagnostics:

Log FileDescriptionField Descriptions
broker.logPeering status events between Zeek or Broker-enabled processesBroker::Info
capture_loss.logPacket loss rateCaptureLoss::Info
cluster.logZeek cluster messagesCluster::Info
config.logConfiguration option changesConfig::Info
loaded_scripts.logShows all scripts loaded by ZeekLoadedScripts::Info
packet_filter.logList packet filters that were appliedPacketFilter::Info
print.logPrint statements that were redirected to a log stream.Log::PrintLogInfo
prof.logProfiling statistics (to create this log, load policy/misc/profiling.zeekN/A
reporter.logInternal error/warning/info messagesReporter::Info
stats.logMemory/event/packet/lag statisticsStats::Info
stderr.logCaptures standard error when Zeek is started from ZeekControlN/A
stdout.logCaptures standard output when Zeek is started from ZeekControlN/A

Conclusion:

Zeek is an Open-source network security monitoring tool, which provides you a clear vision of Network monitoring such as Traffic logging, File extraction, Analysis Automation. Also, it provides a free platform to create your own scripting in try.zeek.org for a better hands-on experience.


Previous articleHybrid Analysis – Free Automated Malware Analysis Sandbox
Next articleNikto – Web Server Vulnerability Scanner for Security Enthusiast
A passionate security researcher in Malware and Penetration Testing.

LEAVE A REPLY

Please enter your comment!
Please enter your name here