Zeek Network Security Monitor: Complete Deployment and Usage Guide 2026

Introduction

Zeek (formerly known as Bro) is a powerful open-source network security monitor that provides comprehensive network traffic analysis and logging capabilities. Unlike traditional intrusion detection systems that focus on signature matching, Zeek generates rich, high-fidelity logs about network activity, enabling both real-time alerting and forensic analysis.

This comprehensive guide covers Zeek deployment, configuration, log analysis, threat detection, custom scripting, and integration with security operations workflows. Whether you’re building a new security monitoring capability or enhancing existing infrastructure, Zeek provides the foundation for effective network defense.

Understanding Zeek Architecture

How Zeek Works

Zeek operates as a passive network sensor that:

  1. Captures network traffic (from a live interface or a PCAP file)
  2. Processes the traffic through its event engine
  3. Applies policy scripts to the resulting events
  4. Generates structured log files

The architecture separates traffic analysis from detection logic, making Zeek highly customizable.

Key Components

Component        Function
libpcap          Packet capture interface
Core Engine      Event generation from packets
Policy Scripts   Analysis and detection logic
Logging          Structured output to files
Manager          Distributed deployment coordination

Zeek vs Traditional IDS

Zeek differs from signature-based IDS in several key ways:

  • Behavioral Analysis: Detects anomalies rather than just signatures
  • Rich Logging: Generates multiple log types with detailed context
  • Extensible: Fully programmable scripting language
  • Protocol Awareness: Understands application-layer protocols

Installation

Ubuntu/Debian Installation

# Add Zeek repository (openSUSE Build Service) and its signing key
echo 'deb http://download.opensuse.org/repositories/network:/zeek/xUbuntu_24.04/ /' | sudo tee /etc/apt/sources.list.d/zeek.list
curl -fsSL https://download.opensuse.org/repositories/network:/zeek/xUbuntu_24.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/zeek.gpg > /dev/null

# Install Zeek
sudo apt-get update
sudo apt-get install zeek

# The packages install under /opt/zeek; put the binaries on PATH
export PATH=/opt/zeek/bin:$PATH

# Verify installation
zeek --version

CentOS/RHEL Installation

# Add EPEL and the Zeek repository (package signatures are verified against the repository key)
sudo yum install epel-release
cat << EOF | sudo tee /etc/yum.repos.d/zeek.repo
[zeek]
name=Zeek Repository
baseurl=https://download.opensuse.org/repositories/network:/zeek/RedHat_RHEL-8/
enabled=1
gpgcheck=1
gpgkey=https://download.opensuse.org/repositories/network:/zeek/RedHat_RHEL-8/repodata/repomd.xml.key
EOF

# Install Zeek
sudo yum install zeek

# The packages install under /opt/zeek; put the binaries on PATH
export PATH=/opt/zeek/bin:$PATH

# Verify
zeek --version

From Source

# Install build dependencies (python3-dev and swig are required for zeekctl and the Broker bindings)
sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev zlib1g-dev python3-dev swig

# Download source
wget https://github.com/zeek/zeek/releases/download/v6.0.0/zeek-6.0.0.tar.gz
tar -xzf zeek-6.0.0.tar.gz
cd zeek-6.0.0

# Configure and build
./configure --prefix=/opt/zeek
make -j$(nproc)
sudo make install

# Add to PATH
export PATH=$PATH:/opt/zeek/bin

Configuration

Basic Configuration

Edit the Zeek configuration (the paths below assume /etc/zeek; the packaged installs above keep these files under /opt/zeek/etc):

# Main configuration
sudo vi /etc/zeek/zeekctl.cfg

# Set network interfaces
sudo vi /etc/zeek/node.cfg

Example node configuration:

# Standalone deployment (single process; use this layout OR the cluster layout below, not both)
[zeek]
type=standalone
host=localhost
interface=eth0

# Cluster deployment (one manager, at least one proxy, one or more workers; section names are free-form)
[manager]
type=manager
host=manager.local

[proxy]
type=proxy
host=proxy.local

[sensor]
type=worker
host=worker1.local
interface=eth0

Network Configuration

Define local networks:

# /etc/zeek/networks.cfg
# Format: IP/CIDR   Name
10.0.0.0/8          Corporate
192.168.0.0/16      Internal
172.16.0.0/12       Guest

Starting Zeek

# Validate the configuration, then install it and (re)start all nodes
sudo zeekctl check
sudo zeekctl deploy

# Check status
sudo zeekctl status

# Start/Stop
sudo zeekctl start
sudo zeekctl stop

# Check capture statistics per node, including dropped packets
sudo zeekctl netstats

Log Analysis

Understanding Zeek Logs

Zeek generates multiple log types:

Log File     Description
conn.log     Connection summaries (TCP/UDP/ICMP)
http.log     HTTP requests and responses
dns.log      DNS queries and responses
ssl.log      TLS/SSL handshake information
files.log    File transfer metadata
notice.log   Security alerts
weird.log    Unexpected network behavior
dpd.log      Protocol detection failures

Analyzing Connection Logs

The conn.log provides comprehensive connection data:

# View recent connections (logs are tab-separated text by default)
tail -f /var/log/zeek/current/conn.log

# Select columns with zeek-cut (-d renders the epoch timestamp as a readable date)
zeek-cut -d ts id.orig_h id.resp_h id.resp_p proto service duration orig_bytes resp_bytes < conn.log

# Query specific connections: those lasting longer than 1000 seconds
zeek-cut id.orig_h id.resp_h id.resp_p duration < conn.log | awk '$4 > 1000' | head

Log field explanations:

  • ts: Timestamp of the first packet (epoch seconds)
  • id.orig_h: Originator (client) IP address
  • id.resp_h: Responder (server) IP address
  • id.resp_p: Responder port
  • proto: Transport protocol (tcp/udp/icmp)
  • service: Detected application protocol (http, dns, ssl, ...), or - if none was identified
  • duration: Connection duration in seconds
  • orig_bytes: Payload bytes sent by the originator
  • resp_bytes: Payload bytes sent by the responder
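The field list above maps onto Zeek's default ASCII log layout: a #fields header names the columns, #types gives their types, and #unset_field marks missing values. The following Python reader is an added example, not code from Zeek or this guide; it parses that layout (the same header format is used by http.log, dns.log and ssl.log, so it reads those too) and answers two of the questions the zeek-cut pipelines ask. The conn.log lines it reads are a constructed sample.

```python
from collections import defaultdict
from typing import Iterator

# Constructed sample conn.log fragment with the header lines Zeek writes by default.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes",
    "#types\ttime\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount",
    "1700000000.123456\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t12.5\t1500\t98000",
    "1700000001.000000\t10.0.0.7\t40000\t185.1.1.1\t4444\ttcp\t-\t3600.2\t120000\t8000",
    "1700000002.500000\t10.0.0.5\t53000\t10.0.0.1\t53\tudp\tdns\t0.01\t60\t120",
])

# Conversion per Zeek column type; types not listed (addr, string, enum, ...) stay strings.
CONVERTERS = {"time": float, "interval": float, "count": int, "int": int,
              "double": float, "port": int, "bool": lambda v: v == "T"}


def parse_zeek_log(text: str) -> Iterator[dict]:
    """Yield one dict per record, typed from the #types line; unset values become None."""
    sep, unset, fields, types = "\t", "-", [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Zeek writes the separator as an escape sequence, e.g. \x09 for TAB
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#types"):
            types = line.split(sep)[1:]
        elif line.startswith("#") or not line.strip():
            continue  # remaining header/footer lines (#path, #open, #close, ...)
        else:
            yield {name: None if raw == unset else CONVERTERS.get(typ, str)(raw)
                   for name, typ, raw in zip(fields, types, line.split(sep))}


def long_connections(records: list, min_seconds: float) -> list:
    """Connections lasting longer than min_seconds (what the awk '$4 > 1000' filter does)."""
    return [r for r in records if r["duration"] is not None and r["duration"] > min_seconds]


def bytes_per_originator(records: list) -> dict:
    """Total orig_bytes sent by each id.orig_h, a quick outbound-volume view per host."""
    totals = defaultdict(int)
    for r in records:
        totals[r["id.orig_h"]] += r["orig_bytes"] or 0
    return dict(totals)


CONNS = list(parse_zeek_log(SAMPLE_CONN_LOG))
```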

HTTP Log Analysis

Analyze web traffic:

# Most requested hosts and paths (query strings stripped)
zeek-cut host uri < http.log | cut -d'?' -f1 | sort | uniq -c | sort -rn | head

# Largest downloads, by response body size
zeek-cut ts host uri response_body_len < http.log | sort -k4 -rn | head

# HTTP methods
zeek-cut method < http.log | sort | uniq -c | sort -rn

DNS Log Analysis

Monitor DNS queries:

# Most frequently queried names
zeek-cut query < dns.log | sort | uniq -c | sort -rn | head

# Queries for a specific domain and its subdomains
zeek-cut query < dns.log | grep -i 'evil\.com$'

# Queries together with their answers
zeek-cut query answers < dns.log | head

SSL/TLS Analysis

Examine encrypted traffic:

# Certificate issuers and subjects
zeek-cut issuer subject < ssl.log | sort | uniq -c | sort -rn | head

# TLS versions (shows whether legacy TLS 1.0/1.1 is still in use)
zeek-cut version < ssl.log | sort | uniq -c

# Cipher suites
zeek-cut cipher < ssl.log | sort | uniq -c | sort -rn

Threat Detection

Built-in Detection Scripts

Zeek includes numerous detection capabilities:

# Enable specific scripts in the site policy
sudo vi /etc/zeek/local.zeek

# Add signature-based detection rules (path relative to local.zeek)
@load-sigs ./detections.sig

# Scan detection (address and port scans, reported as Scan::Address_Scan / Scan::Port_Scan notices)
@load policy/misc/scan

# Asset inventory: hosts and services seen on local networks
@load policy/protocols/conn/known-hosts
@load policy/protocols/conn/known-services

Signature Detection

Create custom signatures:

# /etc/zeek/detections.sig
signature malware-c2 {
    ip-proto == tcp
    payload /.*evil\.com\/c2\/.*/
    event "Malware C2 detected"
}

Enable signature matching:

# In local.zeek
@load-sigs ./detections.sig

Behavioral Detection

Detect anomalous behavior:

# Detect address and port scanning (notices Scan::Address_Scan and Scan::Port_Scan)
@load policy/misc/scan

# Detect SSH brute forcing
@load policy/protocols/ssh/detect-bruteforcing

# Detect FTP password guessing
@load policy/protocols/ftp/detect-bruteforcing

Threat Intelligence Integration

Integrate with threat feeds:

# In local.zeek: load the Intel framework's matchers, raise notices on hits, and read the feed
@load policy/frameworks/intel/seen
@load policy/frameworks/intel/do_notice
redef Intel::read_files += { "/etc/zeek/intel/malicious-domains.txt" };

# Intel file format: a #fields header line, then one indicator per line.
# Columns are separated by a single TAB (comma-separated files are not accepted);
# indicator_type uses the Intel::* enum names; meta.do_notice=T makes do_notice raise a notice on a hit.
#fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
evil.com	Intel::DOMAIN	ThreatFeed	Known malware domain	T
185.1.1.1	Intel::ADDR	ThreatFeed	C2 IP address	T
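Feeds rarely arrive in this layout, so the step that usually needs code is turning a plain indicator list (an OTX or MISP export, or a hand-maintained file, as the Threat Intelligence Platforms section later also needs) into the tab-separated Intel file. The following Python helper is an added example, not Zeek's or this guide's code: it classifies each indicator into an Intel::* type, strips the scheme from URLs (Zeek stores URL indicators without it) and renders the rows; the feed entries are constructed.

```python
import ipaddress
import re

# Column order the Intel framework expects; meta.do_notice only matters when
# policy/frameworks/intel/do_notice is loaded (T = raise a notice on a hit).
INTEL_FIELDS = ("indicator", "indicator_type", "meta.source", "meta.desc", "meta.do_notice")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # md5 / sha1 / sha256


def classify(indicator: str):
    """Map a raw indicator to the Intel::* type name Zeek expects, or None if unrecognised."""
    value = indicator.strip().lower()
    for parse, itype in ((ipaddress.ip_address, "Intel::ADDR"),
                         (lambda v: ipaddress.ip_network(v, strict=False), "Intel::SUBNET")):
        try:
            parse(value)
            return itype
        except ValueError:
            pass
    if HASH_RE.match(value):
        return "Intel::FILE_HASH"
    if "/" in value:  # host/path form: a URL, with or without a scheme
        host = re.sub(r"^[a-z]+://", "", value).split("/", 1)[0]
        return "Intel::URL" if DOMAIN_RE.match(host) else None
    return "Intel::DOMAIN" if DOMAIN_RE.match(value) else None


def build_intel_file(indicators, source: str, do_notice: bool = True) -> str:
    """Render (indicator, description) pairs as a tab-separated Zeek Intel input file.
    Zeek stores URL indicators without the scheme, so it is stripped; a tab inside a
    description would shift the columns, so it is replaced by a space."""
    rows = ["#fields\t" + "\t".join(INTEL_FIELDS)]
    for raw, desc in indicators:
        itype = classify(raw)
        if itype is None:
            raise ValueError(f"unrecognised indicator: {raw!r}")
        value = raw.strip()
        if itype == "Intel::URL":
            value = re.sub(r"^[A-Za-z]+://", "", value)
        desc = (desc or "-").replace("\t", " ")
        rows.append("\t".join((value, itype, source, desc, "T" if do_notice else "F")))
    return "\n".join(rows) + "\n"


# Constructed sample feed (the two entries from the text plus a URL).
SAMPLE_FEED = [("evil.com", "Known malware domain"),
               ("185.1.1.1", "C2 IP address"),
               ("https://evil.com/c2/beacon", "C2 beacon URL")]
```

Write the returned string to the path named in Intel::read_files; Zeek's input framework re-reads the file when it changes, so the feed can be refreshed without restarting the cluster.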

Custom Scripting

Zeek Scripting Basics

Zeek uses its own scripting language:

# Example: report SSH sessions on a non-standard port
# (ssh_client_version fires once the client's version banner has been seen)
event ssh_client_version(c: connection, version: string)
{
    # resp_p is a port value, so compare against a port literal, not a bare number
    if ( c$id$resp_p != 22/tcp )
        print fmt("SSH on non-standard port: %s", c$id);
}

Creating Custom Scripts

# /etc/zeek/myscripts/custom-detect.zeek
module CustomDetect;

export {
    # Declare the notice type raised below (it appears as CustomDetect::Suspicious)
    redef enum Notice::Type += { Suspicious };

    # Write logs as JSON instead of tab-separated text
    redef LogAscii::use_json = T;
}

# Event handler for every completed TCP handshake
event connection_established(c: connection)
{
    # Check for specific conditions: a connection to port 4444/tcp on one host
    if ( c$id$resp_p == 4444/tcp && c$id$resp_h == 10.0.0.50 )
    {
        # Record the suspicious activity as a notice (written to notice.log);
        # $identifier lets the Notice framework suppress repeats of the same pair
        NOTICE([$note=Suspicious,
                $conn=c,
                $msg="Suspicious connection detected",
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
}

Enable custom scripts:

# In local.zeek
@load /etc/zeek/myscripts/custom-detect

Extracting Files

# Enable file extraction for every file Zeek sees (watch disk usage)
@load policy/frameworks/files/extract-all-files

# Configure extraction: output directory and per-file size cap in bytes
redef FileExtract::prefix = "/var/zeek/extracted/";
redef FileExtract::default_limit = 50 * 1024 * 1024;

# Selective alternative: instead of extract-all-files, attach the extract analyzer
# only to files of interest (here Windows executables) from a file_sniff handler
event file_sniff(f: fa_file, meta: fa_metadata)
{
    if ( meta?$mime_type && meta$mime_type == "application/x-dosexec" )
        Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                            [$extract_filename=fmt("%s-%s", f$source, f$id)]);
}

HTTP Analysis Scripts

Analyze HTTP traffic programmatically:

# Declare the notice type this handler raises
redef enum Notice::Type += { SuspiciousURI };

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    # Print every request (http.log already records them; this is for interactive debugging)
    print fmt("%s - %s %s", c$id$orig_h, method, unescaped_URI);

    # Flag request URIs that contain "shell" or end in .php
    if ( /shell|\.php$/ in unescaped_URI )
    {
        NOTICE([$note=SuspiciousURI,
                $conn=c,
                $msg=fmt("Suspicious URI: %s", unescaped_URI)]);
    }
}

Deployment Scenarios

Standalone Deployment

For small environments:

# Single sensor configuration
# /etc/zeek/node.cfg
[zeek]
type=standalone
host=localhost
interface=eth0

# Deploy
sudo zeekctl deploy

Cluster Deployment

For high-throughput environments:

# Manager node
[manager]
type=manager
host=zeek-manager.local

# Logger node
[logger]
type=logger
host=zeek-logger.local

# Proxy nodes
[proxy-1]
type=proxy
host=zeek-proxy-1.local

[proxy-2]
type=proxy
host=zeek-proxy-2.local

# Worker nodes (capture on multiple interfaces)
[worker-1]
type=worker
host=zeek-worker-1.local
interface=eth0
lb_method=pf_ring
lb_procs=4

[worker-2]
type=worker
host=zeek-worker-2.local
interface=eth1
lb_method=pf_ring
lb_procs=4

Cloud Deployment

Deploy in cloud environments:

# AWS EC2 deployment
# Enable VPC Traffic Mirroring to copy traffic from the network interfaces of interest
# Install Zeek on the monitoring instance that receives the mirrored traffic

# Azure deployment
# Use Network Watcher packet capture to collect PCAP files
# Analyze them with Zeek offline (zeek -r capture.pcap)

# GCP deployment
# Use Packet Mirroring to forward copies to a collector behind an internal load balancer
# Process the mirrored traffic with a Zeek cluster behind that load balancer

Integration

SIEM Integration

Send Zeek logs to SIEM platforms:

# JSON logging (one JSON object per line; the easiest format for SIEM ingestion)
redef LogAscii::use_json = T;
# or, equivalently, load the tuning script that does the same:
@load policy/tuning/json-logs

# Syslog integration: Zeek has no built-in syslog log writer. Ship the log files
# with a forwarder instead (rsyslog imfile, Filebeat, or a Splunk universal forwarder).

Elastic Stack Integration

# Configure JSON logging on the sensor
redef LogAscii::use_json = T;

# Filebeat configuration: live logs are in current/; rotated logs move to dated, gzipped directories
# (alternatively run "filebeat modules enable zeek", whose module ships parsers for each log type)
filebeat.inputs:
- type: log
  paths:
    - /var/log/zeek/current/*.log
  json.keys_under_root: true
  json.overwrite_keys: true
  processors:
    - add_host_metadata:
        when.not.contains.tags: forwarded

Splunk Integration

# Use the Splunk Add-on for Zeek (formerly the Corelight add-on); it ingests Zeek's JSON logs,
# so enable redef LogAscii::use_json = T; on the sensor first
# Configure inputs.conf on the forwarder (the sourcetype value below is a placeholder;
# use the sourcetype name the add-on documents)
[monitor:///var/log/zeek/current/*.log]
sourcetype = ZEEK_SOURCETYPE_PLACEHOLDER

Threat Intelligence Platforms

# MISP integration: export indicators from MISP in its Zeek/Bro intel format
# (tab-separated with a #fields header) and point the Intel framework at the file
@load policy/frameworks/intel/seen
redef Intel::read_files += { "/misp/feeds/misp.intel" };

# OTX AlienVault
# Export IoCs from OTX
# Convert them to the tab-separated Intel format shown earlier (the Intel reader does not parse JSON)

Performance Optimization

Tuning for High Throughput

# /etc/zeek/zeekctl.cfg (flat key = value file, no section headers)
# Rotate logs hourly (seconds) and keep archived logs for 30 days
LogRotationInterval = 3600
LogExpireInterval = 30

# /etc/zeek/node.cfg
# Spread one interface across several worker processes with PF_RING
# (requires the PF_RING plugin) and pin each process to its own CPU core
[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=4
pin_cpus=0,1,2,3

Memory Optimization

# Drop idle connection state sooner (defaults: tcp 5 min, udp 1 min, icmp 1 min)
redef tcp_inactivity_timeout = 2 min;
redef udp_inactivity_timeout = 30 sec;

# Rotate logs hourly so current/ does not grow without bound
redef Log::default_rotation_interval = 1hr;

# Disable analyzers for protocols you do not need
event zeek_init()
{
    Analyzer::disable_analyzer(Analyzer::ANALYZER_FTP);
    Analyzer::disable_analyzer(Analyzer::ANALYZER_SMTP);
}

Packet Loss Prevention

# Increase the NIC receive ring buffer (check the maximum with ethtool -g eth0)
sudo ethtool -G eth0 rx 4096

# Disable NIC offloading so Zeek sees real packets rather than coalesced super-frames
sudo ethtool -K eth0 gro off gso off tso off lro off

# Put the capture interface in promiscuous mode
sudo ip link set eth0 promisc on

# Snapshot length: keep whole packets (the default of 9216 bytes covers jumbo frames);
# a small value such as 128 truncates payloads and breaks protocol analysis
redef snaplen = 9216;

Best Practices

Deployment Checklist

Follow these deployment best practices:

  1. Network Planning: Identify monitoring points (tap, span, mirror)
  2. Sizing: Calculate bandwidth and storage requirements
  3. Retention: Define log retention policies
  4. Tuning: Adjust for environment-specific traffic
  5. Alerting: Configure critical alerts
  6. Integration: Connect to SIEM and threat intelligence
  7. Testing: Validate detection capabilities

Operational Procedures

# Regular maintenance
# Check disk space
df -h /var/log/zeek

# Monitor performance: packet drops per worker, then CPU and memory per node
zeekctl netstats
zeekctl top

# Collect diagnostics (crash reports and node output)
zeekctl diag

# View status
zeekctl status

# Check for errors
grep -i error /var/log/zeek/current/stderr.log
cat /var/log/zeek/current/reporter.log

Security Considerations

Secure your Zeek deployment:

# Restrict access to logs (assuming Zeek runs as the zeek user)
sudo chown -R zeek:zeek /var/log/zeek
sudo chmod 700 /var/log/zeek

# Encrypt and authenticate Broker communication between cluster nodes
redef Broker::ssl_cafile = "/path/to/ca.crt";
redef Broker::ssl_certificate = "/path/to/node.crt";
redef Broker::ssl_keyfile = "/path/to/node.key";

# Audit the configuration regularly: review which scripts are loaded
zeekctl scripts

Troubleshooting

Common Issues

Diagnosis and resolution:

# No logs being generated
# Check: zeekctl status, that node.cfg names the right interface, and that the
# interface actually receives traffic (tcpdump -i eth0 -c 10)

# High packet loss (zeekctl netstats shows drops)
# Fix: increase NIC ring buffers, use PF_RING load balancing with more workers, reduce load

# Memory exhaustion
# Fix: shorten inactivity timeouts, disable unused analyzers

# Errors in logs
# Check: /var/log/zeek/current/stderr.log and reporter.log

Debugging

# Test a script offline against a PCAP (does not touch the running cluster;
# logs are written to the current directory). -C ignores bad checksums,
# which are common in mirrored traffic captured with NIC offloading enabled
zeek -C -r <pcap> <script>

# Check loaded scripts
zeekctl scripts

# View configuration
zeekctl config

Conclusion

Zeek provides powerful network security monitoring capabilities that extend far beyond traditional IDS solutions. Its comprehensive logging, extensible scripting framework, and behavioral analysis capabilities make it essential for security operations. Master these deployment and usage techniques to build effective network defense and forensic analysis capabilities.
