Professional Documents
Culture Documents
Zeek
Zeek
Introduction
Zeek is the world’s leading platform for network security monitoring. Flexible,
open-source, and powered by defenders. Zeek is a passive, open-source network
traffic analyser. Many operators use Zeek as a network security monitor to support
suspicious or malicious activity investigations. It also supports a wide range of
traffic analysis tasks beyond the security domain, including performance
measurement and troubleshooting.
Advantages of Zeek
As a network security tool based on the use of metadata, Zeek provide several
advantages.
• Powerful Security Language: Zeek logs provides a powerful set of flow-
based information that can be leveraged by network security tools.
• Open-Source Tool: You can easily create integrate 3rd party tools for
analyzing network data.
• Threat Hunting: Zeek enables detection of active threats through
behavioral-based analysis. Zeek logs provide a more effective foundation for
proactive threat hunting versus traditional methods.
• Encrypted Traffic Analysis: Privacy concerns have led to a sharp rise
in encrypted traffic volume. Zeek provides a mechanism to analyze encrypted traffic
using specific raw indicators like JA3 fingerprints and TLS ciphers.
Conclusion
Cyber attacks are rising at rates never before seen, therefore security measures
must be adjusted accordingly. Thanks to the Zeek programming language, businesses
can easily customize the metadata interpretation accordingly. With the help of Zeek
and other forms of enriched metadata, you can easily monitor any and all network
activity to the finest of detail.
Zeek vs Snort
While both are called IDS/NIDS, it is good to know the cons and pros of each tool
and use them in a specific manner. While there are some overlapping
functionalities, they have different purposes for usage.
Tool Zeek Snort
Capabilities IDS framework. It is heavily focused on network analysis. It is
more focused on specific threats to trigger alerts. The detection mechanism is
focused on events An IDS/IPS system. It is heavily focused on signatures to detect
vulnerabilities. The detection mechanism is focused on signature patterns and
packets
Cons The analysis is done out of the Zeek manually or by automation which makes it
hard to use Hard to detect complex threats
Pros It provides in-depth traffic visibility
Useful for threat hunting
Ability to detect complex threats Easy to write rules
Cisco supported rules
Community support
Common Use Case Network monitoring
In depth traffic investigation
Intrusion detecting in chained events Intrusion detection and prevention
Stop known attacks/threats