Performing Network Traffic Analysis with Zeek

Overview

Zeek (formerly Bro) is an open-source network analysis framework that operates as a passive network security monitor. Unlike traditional signature-based IDS tools, Zeek generates high-fidelity structured logs from observed network traffic, capturing detailed metadata for protocols including HTTP, DNS, TLS, SSH, SMTP, FTP, and dozens more. Zeek's extensible scripting language enables custom detection logic, behavioral analysis, and automated response. This skill covers deploying Zeek, understanding its log architecture, writing custom detection scripts, and integrating outputs with SIEM platforms.

Prerequisites

• Linux server (Ubuntu 22.04+ or CentOS 8+) with 4+ CPU cores and 8GB+ RAM
• Network TAP or SPAN port mirroring configured for traffic capture
• Zeek 6.0+ installed (via package manager or source compilation)
• Root or capture group privileges for packet capture
• SIEM platform (Splunk, ELK Stack, or QRadar) for log ingestion

Core Concepts

Zeek Architecture

Zeek operates in two main modes:

1. Live Capture - Monitors traffic in real-time on one or more network interfaces
2. Offline Analysis - Processes saved PCAP files for retrospective analysis

The processing pipeline consists of:

• Packet Capture Layer - Reads raw packets from interfaces or PCAP files
• Event Engine - Reassembles TCP streams and generates protocol events
• Script Interpreter - Executes Zeek scripts that process events and generate logs
• Log Framework - Writes structured logs in TSV, JSON, or custom formats

Log Architecture

Zeek generates protocol-specific log files:

Implementation Steps

Step 1: Install and Configure Zeek

# Install Zeek on Ubuntu
sudo apt-get install -y zeek

# Or install from Zeek repository
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | \
    sudo tee /etc/apt/sources.list.d/zeek.list
sudo apt-get update && sudo apt-get install -y zeek-lts

# Verify installation
zeek --version

Configure the node layout in /opt/zeek/etc/node.cfg:

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=4

[worker-2]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=4

Configure network definitions in /opt/zeek/etc/networks.cfg:

# Internal network ranges
10.0.0.0/8         Private RFC1918
172.16.0.0/12      Private RFC1918
192.168.0.0/16     Private RFC1918

Step 2: Configure Logging and Output

Edit /opt/zeek/share/zeek/site/local.zeek:

# Load standard detection scripts
@load base/protocols/conn
@load base/protocols/dns
@load base/protocols/http
@load base/protocols/ssl
@load base/protocols/ssh
@load base/protocols/smtp
@load base/protocols/ftp

# Load file analysis
@load base/files/hash-all-files
@load base/files/extract-all-files

# Load detection frameworks
@load base/frameworks/notice
@load base/frameworks/intel
@load base/frameworks/files
@load base/frameworks/software

# Load additional protocol analyzers
@load policy/protocols/ssl/validate-certs
@load policy/protocols/ssl/log-hostcerts-only
@load policy/protocols/ssh/detect-bruteforcing
@load policy/protocols/dns/detect-external-names
@load policy/protocols/http/detect-sqli

# Enable JA3 fingerprinting
@load policy/protocols/ssl/ja3

# Enable JSON output for SIEM ingestion
@load policy/tuning/json-logs

redef LogAscii::use_json = T;

# Configure file extraction directory
redef FileExtract::prefix = "/opt/zeek/extracted/";

# Set notice email
redef Notice::mail_dest = "soc@example.com";

Step 3: Write Custom Detection Scripts

Create detection scripts for common threats:

Detect DNS Tunneling (/opt/zeek/share/zeek/site/detect-dns-tunnel.zeek):

@load base/protocols/dns

module DNSTunnel;

export {
    redef enum Notice::Type += {
        DNS_Tunnel_Suspected
    };

    # Threshold for suspicious DNS query length
    const query_len_threshold = 50 &redef;

    # Track query counts per host per domain
    global dns_query_counts: table[addr, string] of count &default=0 &create_expire=5min;

    # High query volume threshold
    const query_volume_threshold = 100 &redef;
}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
    if ( |query| > query_len_threshold )
    {
        local parts = split_string(query, /\./);
        if ( |parts| > 3 )
        {
            local base_domain = cat(parts[|parts|-2], ".", parts[|parts|-1]);
            dns_query_counts[c$id$orig_h, base_domain] += 1;

            if ( dns_query_counts[c$id$orig_h, base_domain] > query_volume_threshold )
            {
                NOTICE([$note=DNS_Tunnel_Suspected,
                        $msg=fmt("Possible DNS tunneling: %s queries to %s with long query names",
                                 c$id$orig_h, base_domain),
                        $conn=c,
                        $identifier=cat(c$id$orig_h, base_domain),
                        $suppress_for=30min]);
            }
        }
    }
}

Detect Beaconing Behavior (/opt/zeek/share/zeek/site/detect-beaconing.zeek):

@load base/protocols/conn

module Beaconing;

export {
    redef enum Notice::Type += {
        C2_Beacon_Detected
    };

    # Track connection intervals
    global conn_intervals: table[addr, addr, port] of vector of time &create_expire=1hr;

    const min_connections = 20 &redef;
    const jitter_threshold = 0.15 &redef;
}

event connection_state_remove(c: connection)
{
    if ( c$id$resp_p == 80/tcp || c$id$resp_p == 443/tcp )
    {
        local key = [c$id$orig_h, c$id$resp_h, c$id$resp_p];

        if ( key !in conn_intervals )
            conn_intervals[key] = vector();

        conn_intervals[key] += network_time();

        if ( |conn_intervals[key]| >= min_connections )
        {
            local intervals: vector of interval = vector();
            local i = 1;
            while ( i < |conn_intervals[key]| )
            {
                intervals += conn_intervals[key][i] - conn_intervals[key][i-1];
                i += 1;
            }

            # Calculate mean and standard deviation
            local sum_val = 0.0;
            for ( idx in intervals )
                sum_val += interval_to_double(intervals[idx]);

            local mean_val = sum_val / |intervals|;

            local variance = 0.0;
            for ( idx in intervals )
            {
                local diff = interval_to_double(intervals[idx]) - mean_val;
                variance += diff * diff;
            }
            variance = variance / |intervals|;
            local stddev = sqrt(variance);

            if ( mean_val > 0 && (stddev / mean_val) < jitter_threshold )
            {
                NOTICE([$note=C2_Beacon_Detected,
                        $msg=fmt("Possible C2 beaconing: %s -> %s:%s (interval=%.1fs, jitter=%.2f)",
                                 c$id$orig_h, c$id$resp_h, c$id$resp_p,
                                 mean_val, stddev/mean_val),
                        $conn=c,
                        $identifier=cat(c$id$orig_h, c$id$resp_h),
                        $suppress_for=1hr]);
            }
        }
    }
}

Step 4: Configure Intel Framework

Load threat intelligence feeds into Zeek:

# In local.zeek
@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
    "/opt/zeek/intel/malicious-ips.intel",
    "/opt/zeek/intel/malicious-domains.intel",
    "/opt/zeek/intel/malicious-hashes.intel",
};

Intel file format (/opt/zeek/intel/malicious-ips.intel):

#fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
198.51.100.50	Intel::ADDR	abuse.ch	Known C2 server	T
203.0.113.100	Intel::ADDR	threatfeed	Ransomware infrastructure	T

Step 5: Deploy and Operate

# Deploy Zeek cluster
sudo /opt/zeek/bin/zeekctl deploy

# Check cluster status
sudo /opt/zeek/bin/zeekctl status

# Process offline PCAP
zeek -r capture.pcap local.zeek

# View logs
cat /opt/zeek/logs/current/conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service duration orig_bytes resp_bytes

# Search for specific connections
cat /opt/zeek/logs/current/dns.log | zeek-cut query answers | grep -i "suspicious"

# Rotate logs
sudo /opt/zeek/bin/zeekctl cron

Step 6: SIEM Integration

Filebeat configuration for ELK Stack:

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /opt/zeek/logs/current/*.log
    json.keys_under_root: true
    json.add_error_key: true
    fields:
      source: zeek
    fields_under_root: true

output.elasticsearch:
  hosts: ["https://elasticsearch:9200"]
  index: "zeek-%{+yyyy.MM.dd}"

setup.template.name: "zeek"
setup.template.pattern: "zeek-*"

Analysis Techniques

Connection Analysis

# Find top talkers by bytes
cat conn.log | zeek-cut id.orig_h orig_bytes | sort -t$'\t' -k2 -rn | head -20

# Find long-duration connections (potential C2)
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p duration | awk '$4 > 3600' | sort -t$'\t' -k4 -rn

# Find connections with unusual ports
cat conn.log | zeek-cut id.resp_p proto | sort | uniq -c | sort -rn | head -30

TLS Analysis

# Find self-signed certificates
cat ssl.log | zeek-cut server_name validation_status | grep "self signed"

# Extract JA3 fingerprints for known malware
cat ssl.log | zeek-cut ja3 server_name | sort | uniq -c | sort -rn

# Find expired certificates
cat ssl.log | zeek-cut server_name not_valid_after | awk -F'\t' '$2 < systime()'

Best Practices

• TAP Over SPAN - Use network TAPs instead of SPAN ports to avoid packet loss under load
• Worker Scaling - Assign 1 Zeek worker per 1 Gbps of monitored traffic
• AF_PACKET Clusters - Use AF_PACKET with load balancing for multi-core processing
• Log Rotation - Configure automatic log rotation and archival (default: hourly)
• Intel Updates - Automate threat intelligence feed updates at least daily
• Packet Loss Monitoring - Monitor capture_loss.log for dropped packets
• Custom Scripts - Develop organization-specific detections based on threat landscape

References

• Zeek Documentation
• Zeek Scripting Reference
• Zeek Intel Framework
• CISA Zeek Resources
• Zeek GitHub Repository