Questions tagged [zeek]

Appropriate Zeek related questions could include things such as:

  • Installation issues
  • Operational issues
  • Script writing difficulties
  • "How would I detect...?" questions related to event correlation

From the Zeek website:

Adaptable

Zeek's domain-specific scripting language enables site-specific monitoring policies.

Efficient

Zeek targets high-performance networks and is used operationally at a variety of large sites.

Flexible

Zeek is not restricted to any particular detection approach and does not rely on traditional signatures.

Forensics

Zeek comprehensively logs what it sees and provides a high-level archive of a network's activity.

In-depth Analysis

Zeek comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer.

Highly Stateful

Zeek keeps extensive application-layer state about the network it monitors.

Open Interfaces

Zeek interfaces with other applications for real-time exchange of information.

Open Source

Zeek comes with a BSD license, allowing for free use with virtually no restrictions.

37 questions
2
votes
1 answer

Error while installing Zeek-aux : Unknown CMake command "FindRequiredPackage"

I've downloaded the zeek-aux zipped source-code from 'https://github.com/zeek/zeek-aux'. While compiling I'm getting the following error. 'Unknown CMake command "FindRequiredPackage"' Any help is appreciated.
Phani B
  • 21
  • 1
2
votes
0 answers

Missing logs in current folder

I am using security onion image 16.04.5.6. I am new to Bro and according to this in current folder I should be able to find http.logs file. However I only see : loaded_scripts.log reporter.log stderr.log packet_filter.log stats.log …
roffensive
  • 564
  • 4
  • 22
2
votes
0 answers

Opening a file that has colons in the filename with Java (displayed as slashes in MacOs Finder)

This issue is for Linux/Mac; I don't even think the files could exist with slashes if they were unzipped onto a Windows box. Hi, I have a requirement to open log files which were output by the popular BRO IDS system. The files are read only and I…
PHY6
  • 391
  • 3
  • 12
1
vote
1 answer

In Zeek (e.g. main.zeek), how can I use the variable from another script (e.g .sh file) with packet_source() or any function?

My command in the .sh file is running. The command is: ($ZEEK -C -r $i dir) i: pcap (file) name to be processed dir: directory to be extracted When the command is running, there are the extract files in desired location. It works pretty well. But I…
SFD
  • 11
  • 3
1
vote
0 answers

Kafka Connect to Cassandra Mapping Problem

While trying to push Zeek logs to Kafka (3.1.0) topics, which works fine and works as intended. Then I was trying writing them from Kafka to Cassandra (4.0.1) via the DataStax Apache Kafka® Connector (kafka-connect-cassandra-sink-1.4.0) where I am…
1
vote
1 answer

Does Zeek allow to inspect RTP headers?

Does Zeek allow to inspect RTP headers? As far as I see here no RTP analyzer has been added yet. So I have another question regarding this topic. Is there any existing guide or tutorial explaining how I can develop an analyzer for a protocol…
roffensive
  • 564
  • 4
  • 22
1
vote
1 answer

Is it possible to inspect TCP reserved bits with Zeek?

I'm testing Zeek/Bro capabilities in terms of detecting different types of steganography. After working with the ICMP protocol now I am trying to inspect the TCP protocol. I want to detect if the reserved bits in TCP are changed with help of TCP…
roffensive
  • 564
  • 4
  • 22
1
vote
1 answer

Steps for running a custom script in Zeek(bro) NSM and generating notice in log files?

I am a beginner with Zeek NSM. I have written a script that simply generates notice logs. I don't know where I should place this script or which steps I should follow to generate notice logs or my custom logs. I have already gone through the…
404-Err
  • 59
  • 7
1
vote
1 answer

about BRO: how to intercept AMQP messages(RabbitMQ) in OpenStack

I've been doing some experiments with BRO in OpenStack, and first of all, I need to intercept all the RabbitMQ messages with BRO, but I'm not really familiar with this tool and I've followed the steps of the following git…
Sherry Li
  • 11
  • 3
1
vote
0 answers

Bro IDS Signature file error

I am trying to run bro in my bash terminal. I have got a duplicate local.bro file which I renamed as localv2.bro, and put it in my working directory /home/bibin, so it's not in the default path. I am just trying to do a simple signature match, therefore…
BiBiN
  • 11
  • 3
1
vote
0 answers

rsync multiple files from multiple directories in linux

I have multiple directories named by date (ex: 2017-09-05) and inside those directories multiple log.gz files from BRO IDS. I am trying to enter each directory, and get only specific log.gz files by name, and send those to a remote system using…
Blitzkrieg
  • 11
  • 2
0
votes
0 answers

Is the detect-MHR script by Team Cymru still working for Zeek version 6.0.0?

New to Zeek here, tried to follow this walkthrough to enable malware detection https://www.ericooi.com/zeekurity-zen-part-vi-zeek-file-analysis-framework/ Zeek is not detecting the malwares I have downloaded over HTTP (live capture and in pcap…
45tera
  • 11
  • 2
0
votes
1 answer

Zeek Upgrade from 3.1.4 to latest

We have Zeek running in our environment. It's pretty outdated with 3.1.4 version. What is the best way to upgrade ZEEK? Should I start it from scratch? Or, is it possible somehow to upgrade it from the current version? TIA Tried to search about it,…
0
votes
0 answers

Check if a request has a response in Zeek language

Good Morning, I have a Zeek machine generating logs on a Modbus traffic. Currently, my script generates logs looking like this : ts tid id.orig_h id.orig_p id.resp_h id.resp_p unit_id func …
Leviath
  • 3
  • 3
0
votes
0 answers

Grok configuration pattern

I'm trying to parse the Zeek IDS log using telegraf and influxdb. In the logs that zeek uses, they are separated by tabs, but when telegraf reads these logs, it adds \t. I am not able to create a pattern to perform the separation of fields Log…