SAINTCON 2023 - Dustin Lee - A Beginner's Guide to Zeek
Discover the power of Zeek, a network traffic analysis system with 70+ protocol parsers, extensible scripting framework, and distributed architecture for real-time monitoring, threat hunting, and event reconstruction.
- Zeek (formerly Bro) is a network traffic analysis system with a distributed event-based system.
- It has over 70 protocol parsers and can detect over 500 types of events.
- Zeek is equipped with a procedural, strongly typed DSL and can be easily extended using its scripting framework.
- The system logs various network data, including PCAP, IDs, timestamps, and other information.
- Zeek can be used for real-time network monitoring, threat hunting, and event reconstruction.
- It has a strong focus on extensibility and has been widely adopted in the industry.
- Zeek’s architecture is designed to be distributed, modular, and scalable.
- The system provides various output formats, including ASCII, TSV, JSON, Kafka, and S3.
- Zeek is open source and has a community-driven development process.
- It has been used in various use cases, including network intrusion detection, threat hunting, and security operations.
- Zeek’s policy piece is its most extensible part, allowing users to create custom policies.
- Zeek’s event engine is event-driven and can handle high volumes of events.
- The system can be used for surface-based and deep packet inspection.
- Zeek can be used with various operating systems and has support for customizable engines.
- Zeek provides real-time visibility into network traffic and can be used for incident response.
- The system has been used to detect various types of attacks and has a strong focus on threat hunting.
- Zeek’s data enrichment capabilities allow users to gain more insight into network data.
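The bullets above mention Zeek's TSV/ASCII log output and its use for threat hunting. The following is an added example, not code from the talk or from the Zeek project: a small parser for Zeek's TSV log format (the `#separator`, `#set_separator`, `#empty_field`, `#unset_field`, `#fields` and `#types` header directives that every ASCII log carries) applied to a constructed `conn.log` excerpt, followed by one hunting check that flags long-lived sessions for which Zeek could not identify an application-layer service. The sample rows, UIDs and addresses are constructed; the column names and type names are the standard `conn.log` ones, trimmed to a subset to keep the excerpt short.

```python
"""Parse a Zeek TSV conn.log and run a simple hunting check.

Added example for illustration; it is not code from the SAINTCON talk
or from the Zeek project. The log excerpt below is constructed.
"""
from __future__ import annotations

# Constructed conn.log excerpt using a subset of the standard fields.
# Zeek writes the separator directive as a literal escape ("\x09"),
# then uses the real separator (a tab) in all following header lines.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1698141600.123456\tCabc1\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t12.5\t2048\t98304\tSF
1698141601.000000\tCabc2\t10.0.0.7\t40001\t198.51.100.9\t4444\ttcp\t-\t86399.2\t1200\t31000\tS1
1698141602.500000\tCabc3\t10.0.0.9\t53021\t10.0.0.1\t53\tudp\tdns\t0.02\t60\t120\tSF
#close\t2023-10-24-11-00-00
"""


def _convert(raw: str, typ: str, unset: str, empty: str, set_sep: str) -> object:
    """Turn one raw TSV cell into a Python value according to its Zeek type."""
    if raw == unset:
        return None  # "-" means the field was never set for this record
    if typ.startswith(("set[", "vector[")):
        return [] if raw == empty else raw.split(set_sep)
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    return raw  # string, addr, enum and anything else stay as text


def parse_zeek_tsv(text: str) -> list[dict[str, object]]:
    """Parse Zeek ASCII/TSV log text into a list of typed row dictionaries."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields: list[str] = []
    types: list[str] = []
    rows: list[dict[str, object]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The directive carries an escaped separator, e.g. "\x09" for tab.
                sep = line[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close and unknown directives are ignored
        values = line.split(sep)
        if not fields or len(values) != len(fields):
            raise ValueError(f"column count mismatch on line: {line!r}")
        rows.append({name: _convert(raw, typ, unset, empty, set_sep)
                     for name, typ, raw in zip(fields, types, values)})
    return rows


def hunt_unidentified_long_sessions(rows: list[dict[str, object]],
                                    min_duration: float = 3600.0) -> list[str]:
    """Return UIDs of sessions lasting at least min_duration seconds where
    Zeek's protocol parsers assigned no service (a common hunting pivot)."""
    return [str(r["uid"]) for r in rows
            if r.get("service") is None
            and r.get("duration") is not None
            and float(r["duration"]) >= min_duration]


if __name__ == "__main__":
    parsed = parse_zeek_tsv(SAMPLE_CONN_LOG)
    for uid in hunt_unidentified_long_sessions(parsed):
        print(f"review session {uid}")
```

The parser reads the column names and types from the log itself rather than hard-coding them, so it keeps working when a site adds fields to `conn.log` or points it at a different log such as `dns.log`; the same approach is unnecessary for Zeek's JSON output, where each line is already a self-describing record.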