Zeek Network Security Monitor

Formerly Bro

The Zeek Network Security Monitor is an open-source tool designed for comprehensive network security monitoring. According to the vendor, it enables organizations of various sizes, from small businesses to large enterprises, to analyze network traffic and detect potential security threats. Zeek is utilized by a wide range of professionals and industries, including security analysts, network administrators, incident responders, threat hunters, and security operations center (SOC) teams.

Key Features

Real-time Network Traffic Monitoring: According to the vendor, Zeek passively observes network traffic in real-time, providing continuous monitoring to detect and analyze potential security threats. It captures and interprets network traffic to generate detailed logs and transaction records.

Flexible and Customizable Framework: Zeek offers a flexible framework that, according to the vendor, allows users to customize and extend its functionality. Users can create their own scripts and plugins to enhance Zeek's capabilities and tailor it to their specific needs. The framework supports the development of custom analyzers and protocols for in-depth network analysis.

Comprehensive Network Protocol Analysis: Zeek supports the analysis of various network protocols, including TCP, UDP, DNS, HTTP, FTP, and more. According to the vendor, it can decode and analyze network protocols to extract valuable information from network traffic. Zeek provides protocol-specific analyzers for deep inspection and analysis of network communication.

Threat Detection and Intrusion Detection: Zeek includes a set of built-in analyzers and detection scripts for identifying potential security threats. According to the vendor, it can detect and alert on various types of network-based attacks, such as port scans, malware infections, and suspicious behavior. Zeek's detection capabilities aim to help organizations identify and respond to security incidents in a timely manner.

Traffic Analysis and Forensics: Zeek generates detailed logs and transaction records that provide a source of information for traffic analysis and forensics. It captures network traffic data, including packet payloads, connection metadata, and file transfers, for further analysis. According to the vendor, Zeek's log files enable analysts to investigate network incidents, perform post-incident forensics, and gain insights into network activity.

Integration with SIEM and Security Tools: Zeek's output can be easily integrated with security information and event management (SIEM) systems. It can generate logs in various formats, such as JSON or CSV, which can be ingested by SIEM solutions for centralized analysis and correlation. According to the vendor, Zeek's compatibility with other security tools and platforms allows for seamless integration into existing security infrastructures.

Network Performance Monitoring: Zeek provides insights into network performance by monitoring network traffic patterns and statistics. It tracks network events, such as bandwidth usage, packet loss, latency, and throughput, to identify performance issues. According to the vendor, Zeek's performance monitoring capabilities aim to help organizations optimize their network infrastructure and ensure efficient network operations.