Zeek
What is Zeek?
An open-source network security monitor (formerly Bro) that turns network traffic into structured, protocol-aware logs and scripts for threat detection.
Zeek, originally written by Vern Paxson at LBNL in 1995 as Bro, is an open-source network security monitor that parses high-volume traffic into structured logs (conn, http, dns, ssl, kerberos, files, etc.) and exposes a powerful event-driven scripting language. Unlike pure signature-based IDS, Zeek emphasizes behavior, baselining, and protocol semantics, which makes it ideal for SOC analytics, incident response, threat hunting, and research. It is deployed at network taps in enterprises, ISPs, and academic networks, and integrates with Suricata, SIEMs, and platforms like Corelight. Operators use Zeek scripts to enrich data, raise notices, and feed downstream detection pipelines.
● Examples
- 01: Using Zeek conn.log and ssl.log to detect unusual TLS server names indicative of C2 domain fronting.
- 02: Writing a Zeek script that flags large outbound DNS responses indicative of DNS tunneling.
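The second example, a Zeek script that raises a notice when a DNS server's response exceeds a size threshold, written out as an added illustration. This is not code from the glossary page or from the Zeek project; the module name `DNSTunnel`, the notice name `Large_Response`, the 1024-byte threshold and the 10-minute suppression window are assumptions chosen for the example, while `dns_message`, `NOTICE` and the `Notice::Info` fields it sets are Zeek's own.

```zeek
##! Added example (not from the glossary page or the Zeek project): raise a
##! notice when a DNS server's response exceeds a size threshold, one
##! heuristic for spotting DNS tunnelling. The module name, notice name and
##! threshold values are assumptions chosen for this example.

@load base/frameworks/notice
@load base/protocols/dns

module DNSTunnel;

export {
    redef enum Notice::Type += {
        ## A DNS response exceeded DNSTunnel::large_response_bytes.
        Large_Response,
    };

    ## Response size in bytes above which a notice is raised. Plain UDP DNS
    ## without EDNS caps responses at 512 bytes, so responses well beyond
    ## that from the same server are worth a look. Assumed value; tune it
    ## to the resolvers and record types seen on your network.
    const large_response_bytes: count = 1024 &redef;

    ## Raise at most one notice per client/server pair in this interval.
    const suppression: interval = 10 min &redef;
}

# dns_message fires for every DNS message Zeek parses; len is the message
# size in bytes and is_orig tells whether the client (T) or server (F) sent it.
event dns_message(c: connection, is_orig: bool, msg: dns_msg, len: count)
    {
    # Only the server's reply is of interest.
    if ( is_orig )
        return;

    if ( len < large_response_bytes )
        return;

    # The query name lives in the per-connection DNS state once Zeek has
    # seen the matching request; guard against it being absent.
    local qname = ( c?$dns && c$dns?$query ) ? c$dns$query : "<unknown>";

    NOTICE([$note=Large_Response,
            $conn=c,
            $msg=fmt("DNS response of %d bytes from %s to %s", len,
                     c$id$resp_h, c$id$orig_h),
            $sub=qname,
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=suppression]);
    }
```

Run it against a capture with `zeek -r capture.pcap dns_tunnel.zeek` (the file names are placeholders) and the notices land in notice.log alongside the usual dns.log entries. Expect benign hits from DNSSEC-signed zones and large TXT/SPF records; the `$identifier` plus `$suppress_for` keep a chatty resolver from flooding the log, and the threshold is `&redef` so it can be raised without editing the script. To restrict the check to internal clients, populate `Site::local_nets` and test `c$id$orig_h` with `Site::is_local_addr` before the threshold comparison.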
● Frequently asked questions
What is Zeek?
An open-source network security monitor (formerly Bro) that turns network traffic into structured, protocol-aware logs and scripts for threat detection. It belongs to the Defense & Operations category of cybersecurity.
What does Zeek mean?
An open-source network security monitor (formerly Bro) that turns network traffic into structured, protocol-aware logs and scripts for threat detection.
How does Zeek work?
Zeek, originally written by Vern Paxson at LBNL in 1995 as Bro, is an open-source network security monitor that parses high-volume traffic into structured logs (conn, http, dns, ssl, kerberos, files, etc.) and exposes a powerful event-driven scripting language. Unlike pure signature-based IDS, Zeek emphasizes behavior, baselining, and protocol semantics, which makes it ideal for SOC analytics, incident response, threat hunting, and research. It is deployed at network taps in enterprises, ISPs, and academic networks, and integrates with Suricata, SIEMs, and platforms like Corelight. Operators use Zeek scripts to enrich data, raise notices, and feed downstream detection pipelines.
How do you defend against Zeek?
Zeek is a defensive monitoring tool rather than a threat to defend against; deploying it effectively combines technical controls (placement at network taps, tuned detection scripts) with operational practices (SIEM integration and analyst review of the resulting logs and notices), as described in the definition above.
What are other names for Zeek?
Common alternative names include: Bro, Zeek NSM, Corelight.
● Related terms
- Network Forensics (forensics-ir, № 722): The capture, recording, and analysis of network traffic and metadata to investigate security events and reconstruct adversary activity.
- Intrusion Detection System (IDS) (network-security, № 547): A passive security control that monitors network or host activity for malicious behaviour and raises alerts without blocking traffic.
- Suricata (defense-ops, № 1117): An open-source, high-performance network IDS, IPS, and security-monitoring engine maintained by the Open Information Security Foundation (OISF).
- Threat Hunting (defense-ops, № 1147): Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
- Deep Packet Inspection (DPI) (network-security, № 295): An inspection technique that examines the full payload of network packets, not just headers, to identify applications, content, and threats.
- Anomaly-Based Detection (network-security, № 048): A detection approach that builds a baseline of normal activity and flags deviations from it as potentially malicious.
● See also
- Wireshark (№ 1245)