This chapter covers Zeek (formerly Bro), a powerful open-source network security monitoring tool that captures and analyzes network traffic to produce high-fidelity logs. For the CS0-003 exam, Zeek is a key topic under Security Operations (Objective 1.3), specifically for traffic analysis and threat detection. Expect approximately 5-8% of exam questions to involve Zeek's architecture, log types, and use cases. Mastering Zeek will help you understand how to detect network-based threats, perform incident response, and integrate with other security tools.
Jump to a section
Imagine a courtroom where every spoken word is recorded by a stenographer. The stenographer does not judge whether a statement is true or false, nor do they intervene in the proceedings. Their job is to transcribe everything verbatim, capturing who said what, when, and in what order. Later, if a lawyer asks, 'Did the witness mention a blue car on Tuesday?' the stenographer can replay the exact words from the transcript. Zeek works like that stenographer for network traffic. It passively listens to packets on the wire, reassembles them into sessions, and logs metadata—such as IP addresses, ports, protocols, and application-layer details—without inspecting packet payloads for malicious content. Just as the stenographer's transcript is a neutral record, Zeek's logs are a high-fidelity, structured record of network activity. Security analysts then query these logs to detect anomalies, like a lawyer scanning the transcript for contradictions. Zeek does not block or alert on threats itself; it provides the raw material for analysis, making it an essential sensor for security monitoring and incident response.
What is Zeek and Why Does It Exist?
Zeek (originally called Bro) is a passive, open-source network security monitoring (NSM) framework. Unlike signature-based intrusion detection systems (IDS) like Snort or Suricata, Zeek does not primarily inspect packet payloads for known attack patterns. Instead, it focuses on creating high-fidelity, structured logs of network activity. These logs capture metadata about connections, DNS queries, HTTP requests, SSL/TLS certificates, file transfers, and more. The core philosophy is that by faithfully recording what happened on the network, security analysts can later query, correlate, and analyze the data to detect both known and unknown threats.
Zeek was developed at Lawrence Berkeley National Laboratory and is now maintained by the Zeek community. It is widely used in enterprise security operations centers (SOCs), research institutions, and incident response teams. On the CS0-003 exam, you need to understand Zeek's role in the security monitoring ecosystem, its log types, and how it complements other tools like firewalls, IDS/IPS, and SIEMs.
How Zeek Works Internally
Zeek operates in two primary layers: the event engine and the policy script interpreter.
Packet Capture and Event Generation: Zeek captures packets from the network interface (using libpcap or AF_PACKET). It reassembles IP fragments, tracks TCP streams, and normalizes protocol traffic. As it processes packets, it generates events—structured messages that describe network activity. For example, when a TCP connection is established, Zeek generates a tcp_packet event; when a DNS query is seen, it generates a dns_request event.
Policy Scripts: The event engine passes events to the policy script interpreter, which runs custom scripts written in Zeek's scripting language. These scripts define what to do with each event: log it, alert, or perform further analysis. Zeek ships with a comprehensive set of default scripts that produce the standard logs (conn.log, http.log, dns.log, ssl.log, etc.). Analysts can write custom scripts to extract specific data, generate alerts, or integrate with external systems.
Log Output: The default scripts write logs in tab-separated value (TSV) format by default, but JSON output is also supported. Each log file contains a series of fields relevant to that protocol. For example, conn.log includes fields like ts (timestamp), uid (unique connection ID), id.orig_h (source IP), id.orig_p (source port), id.resp_h (destination IP), id.resp_p (destination port), proto (protocol), service (detected application protocol), duration, orig_bytes, resp_bytes, and conn_state (connection state).
Key Components, Values, Defaults, and Timers
Zeek Control Scripts: Located in /usr/share/zeek/ or /opt/zeek/share/zeek/. The main configuration file is zeekctl.cfg for managing Zeek as a service.
Zeek Process: The main binary is zeek (formerly bro). Running zeek -i eth0 starts Zeek on interface eth0.
Zeekctl: A management tool to start, stop, and monitor Zeek processes. Common commands: zeekctl deploy, zeekctl status, zeekctl stop.
Log Directory: Default location is /var/log/zeek/ or /var/log/zeek/current/.
Memory Usage: Zeek is memory-intensive, especially with large traffic volumes. A rule of thumb is 1 GB of RAM per 100 Mbps of traffic.
Timers: Zeek uses timers for connection timeouts. Default tcp_inactivity_timeout is 5 minutes; udp_inactivity_timeout is 1 minute; icmp_inactivity_timeout is 30 seconds. These can be adjusted in scripts.
Bifrost: Zeek's inter-process communication system, used for clustering.
Configuration and Verification Commands
To start Zeek on an interface:
zeek -i eth0To run Zeek with a specific script:
zeek -i eth0 /path/to/script.zeekTo list available scripts:
zeek --print-scriptsTo check Zeek status using zeekctl:
zeekctl statusExample output:
Name Type Host Status Pid Started
zeek standalone localhost running 12345 01 Jan 00:00:00To view live logs:
tail -f /var/log/zeek/current/conn.logTo check for errors:
grep -i error /var/log/zeek/current/notice.logHow Zeek Interacts with Related Technologies
SIEM Integration: Zeek logs are commonly forwarded to SIEMs like Splunk, ELK Stack, or ArcSight via syslog or filebeat. The structured TSV/JSON format makes parsing easy.
IDS/IPS: Zeek can complement Snort/Suricata by providing context. While Snort alerts on signatures, Zeek logs all traffic, allowing analysts to investigate alerts with full session details.
Threat Intelligence: Zeek scripts can incorporate threat intelligence feeds to tag connections to known malicious IPs or domains.
Network Forensics: Zeek logs provide a timeline of network events, essential for reconstructing incidents.
File Extraction: Zeek can extract files from HTTP, SMTP, FTP, and other protocols for malware analysis.
Zeek Log Types and Their Fields
- conn.log: Connection records. Key fields: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state. - conn_state values: S0 (connection attempt seen, no reply), S1 (connection established, not closed), S2 (connection established and close attempt by originator), S3 (connection established and close attempt by responder), SF (normal establishment and termination), REJ (connection rejected), etc. - http.log: HTTP requests. Fields: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, method, host, uri, referrer, user_agent, status_code, etc. - dns.log: DNS queries. Fields: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, query, qtype, qclass, rcode, answers, TTLs. - ssl.log: SSL/TLS handshakes. Fields: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, version, cipher, server_name, certificate_chain, subject, issuer. - notice.log: Alerts generated by Zeek scripts. Fields: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, note, msg, sub, src, dst, p, n. - files.log: Files extracted from the network. Fields: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, fuid, tx_hosts, rx_hosts, conn_uids, mime_type, filename, duration, local_orig, is_orig.
Zeek Scripting Basics
Zeek's scripting language is event-driven. A simple script to log all HTTP requests with a specific user-agent:
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) {
if (c$http?$user_agent && c$http$user_agent == "BadAgent") {
print fmt("Suspicious user-agent from %s", c$id$orig_h);
}
}To load custom scripts, place them in $PREFIX/share/zeek/site/ and add @load directives in local.zeek.
Performance Considerations
Zeek is CPU and memory intensive. For high-speed networks (10 Gbps+), use cluster mode where multiple Zeek workers process traffic in parallel. Use zeekctl to manage clusters. Key tuning parameters: redef for buffer sizes and timeouts. Avoid loading unnecessary scripts to reduce overhead.
Troubleshooting Common Issues
Missing logs: Check interface is in promiscuous mode, verify Zeek is running (zeekctl status), check permissions on log directory.
High memory usage: Reduce max_filesize in zeekctl.cfg, increase tcp_inactivity_timeout.
Packet drops: Use zeek -i eth0 -v to see packet drop stats. Consider using PF_RING or AF_PACKET for better performance.
Zeek vs. Other Tools
Snort/Suricata: Signature-based IDS/IPS; Zeek is not an IDS—it does not block traffic or generate alerts by default. It provides logs for analysis.
Wireshark: Packet-level analysis; Zeek provides session-level logs, not raw packets.
tcpdump: Captures packets; Zeek processes them into structured logs.
Exam Relevance for CS0-003
On the CS0-003 exam, you may be asked to:
Identify which Zeek log contains specific information (e.g., SSL certificate details are in ssl.log).
Interpret a conn.log field like conn_state to determine if a connection was successful (SF) or rejected (REJ).
Understand that Zeek is a passive monitoring tool that does not block traffic.
Recognize that Zeek logs are often used for network forensics and incident response.
Differentiate Zeek from Snort/Suricata.
Conclusion
Zeek is a cornerstone of network security monitoring, providing rich metadata for threat detection and investigation. Its log-based approach allows for flexible analysis and integration. For the CS0-003 exam, focus on its architecture, log types, and how it fits into the security operations workflow.
Capture Packets from Network Interface
Zeek begins by capturing raw packets from a network interface using libpcap or AF_PACKET. The interface must be in promiscuous mode to see all traffic. Zeek reads packets in real-time and performs initial processing: it reassembles IP fragments, tracks TCP sequence numbers, and normalizes protocol headers. At this stage, no analysis occurs; it simply collects raw network data. The capture process is passive—Zeek never injects packets or alters traffic. Performance at this step depends on the capture method; for high-speed links, Zeek may use PF_RING or zero-copy mechanisms to avoid packet drops.
Reassemble Sessions and Generate Events
After capturing packets, Zeek reassembles them into sessions (e.g., TCP connections, UDP flows, ICMP exchanges). For TCP, it tracks the three-way handshake and sequence numbers to ensure complete stream reassembly. As sessions progress, Zeek generates events—structured messages that describe network activity. For example, when a TCP SYN packet is seen, Zeek fires a `tcp_syn_packet` event; when a DNS query is detected, it fires a `dns_request` event. These events are passed to the policy script interpreter for further processing. The event engine is protocol-aware and can handle application-layer protocols like HTTP, SMTP, FTP, and SSL/TLS.
Process Events with Policy Scripts
The event engine passes events to Zeek's policy script interpreter, which executes custom scripts written in Zeek's scripting language. These scripts define what actions to take for each event. Default scripts, located in the Zeek installation directory, generate logs (e.g., `conn.log`, `http.log`). Analysts can write custom scripts to extract specific data, generate alerts, or integrate with external systems. Scripts can also filter out noise, enrich logs with threat intelligence, or trigger notifications. The interpreter is event-driven and can handle complex logic, such as correlating multiple events over time.
Write Structured Logs to Disk
Based on the policy scripts, Zeek writes logs to disk in tab-separated value (TSV) or JSON format. Each log file corresponds to a specific protocol or activity: `conn.log` for connection summaries, `http.log` for HTTP requests, `dns.log` for DNS queries, `ssl.log` for TLS handshakes, and `notice.log` for alerts. Logs are rotated automatically based on file size or time interval (configurable in `zeekctl.cfg`). The logs are structured with consistent field names, making them easy to parse with tools like Splunk or ELK. Zeek also supports real-time log streaming via syslog or custom outputs.
Analyze Logs for Threat Detection
Security analysts use Zeek logs for threat detection and incident response. By querying logs, they can identify suspicious activities such as connections to known malicious IPs, unusual DNS queries, SSL certificates from untrusted issuers, or large data transfers. Zeek's `notice.log` contains alerts generated by built-in or custom scripts. For example, the `SSL::Invalid_Server_Cert` notice triggers when a server's certificate is invalid. Analysts can correlate Zeek logs with other data sources (e.g., firewall logs, endpoint logs) to investigate incidents. Zeek logs also provide a timeline of network events, essential for forensics.
Enterprise Deployment Scenarios
Scenario 1: Monitoring a Corporate Network for Malware C2 Communications
A large enterprise deploys Zeek on a span port at the internet gateway to monitor all inbound and outbound traffic. The security team uses Zeek's conn.log and dns.log to detect beaconing behavior. They write custom scripts that flag connections to IP addresses with low TTL values or domains that are algorithmically generated (DGA). For example, a script checks dns.log for queries to domains with high entropy names. When a match is found, Zeek generates a notice in notice.log. The team then correlates that notice with ssl.log to see if the connection used TLS and what certificate was presented. This helps identify malware that uses HTTPS for C2. In production, Zeek handles 2 Gbps of traffic using a cluster of four workers. The team tunes tcp_inactivity_timeout to 10 minutes to avoid missing long-lived C2 sessions.
Scenario 2: Incident Response after a Phishing Attack
After a user clicks a malicious link in a phishing email, the incident response team uses Zeek logs to determine the extent of the compromise. They query http.log for the user's IP address around the time of the click to see what URLs were accessed. They find a request to a malicious domain and a subsequent download of a .exe file. Zeek's files.log shows the extracted file with a MIME type of application/x-dosexec. The team retrieves the file hash from files.log and scans it against a sandbox. They also check conn.log for any outbound connections from the infected host to external IPs, finding a long-lived connection to a C2 server. Zeek's ssl.log reveals the TLS certificate used, which was self-signed. The team uses this information to block the IP and certificate on the firewall.
Scenario 3: Compliance Monitoring for Data Exfiltration
A financial institution uses Zeek to monitor for potential data exfiltration. They focus on conn.log for large data transfers (e.g., orig_bytes or resp_bytes exceeding 100 MB). They also monitor ftp.log and http.log for uploads to external sites. Custom scripts tag connections to cloud storage providers and generate alerts if the amount of data sent exceeds a threshold. In production, Zeek is deployed in a cluster with load balancing across multiple interfaces. The team uses zeekctl to manage the cluster and regularly reviews notice.log for policy violations. They also integrate Zeek logs with their SIEM to automate alerting and reporting for compliance audits.
Common Misconfigurations and Pitfalls
Insufficient Resources: Under-provisioning CPU/RAM leads to packet drops. Always monitor zeekctl status for drop stats.
Overly Verbose Logging: Loading all default scripts can generate massive logs. Tune scripts to only log relevant protocols.
Ignoring Notice Log: Many analysts focus only on conn.log and miss critical alerts in notice.log.
Not Updating Zeek: Older versions lack support for newer protocols like QUIC. Keep Zeek updated.
CS0-003 Exam Focus on Zeek
Objective 1.3: Given a scenario, analyze network traffic for malicious activity. Zeek is a primary tool for this objective. You must know:
The purpose of Zeek (passive monitoring, not blocking).
Common log types and their fields.
How to interpret conn_state values (SF = normal, REJ = rejected, S0 = no reply).
That Zeek logs are used for network forensics and incident response.
Common Wrong Answers Candidates Choose
Confusing Zeek with Snort/Suricata: Many candidates think Zeek is an IDS/IPS that blocks traffic. Wrong—Zeek is passive and does not block.
Thinking Zeek inspects packet payloads for signatures: Zeek focuses on metadata, not deep packet inspection for signatures.
Misidentifying which log contains specific data: For example, thinking SSL certificate info is in conn.log instead of ssl.log.
Assuming Zeek is real-time alerting: Zeek logs are usually analyzed after the fact; it does not generate real-time alerts unless scripts are written.
Specific Numbers and Terms on the Exam
conn_state values: SF, S0, REJ, S1, S2, S3.
Default ports: Zeek does not have a default port; it listens on a network interface.
Log formats: TSV (default) or JSON.
Key files: conn.log, http.log, dns.log, ssl.log, notice.log.
Commands: zeek -i eth0, zeekctl status.
Edge Cases and Exceptions
If a connection is encrypted, Zeek logs the TLS handshake in ssl.log but cannot see the payload.
Zeek may not detect all protocols; unknown protocols are logged as generic connections in conn.log.
When using cluster mode, logs are aggregated by the manager node.
How to Eliminate Wrong Answers
If the question mentions blocking or preventing, Zeek is not the answer.
If the question asks for detailed HTTP request data, answer http.log, not conn.log.
If the question is about passive monitoring, Zeek is the correct tool.
If the question involves extracting files, think of files.log.
Exam Tips
Memorize the main log files and their typical fields.
Understand that Zeek is a sensor, not a control.
Practice interpreting conn.log entries to determine connection status.
Know that Zeek can be integrated with SIEM for centralized analysis.
Zeek is a passive network monitoring tool that generates structured logs (conn.log, http.log, dns.log, ssl.log, notice.log).
Zeek does not block traffic; it only logs and analyzes network activity.
The conn_state field in conn.log indicates the status of a connection (SF = normal, REJ = rejected, S0 = no reply).
Zeek logs are in TSV format by default, but JSON is also supported.
Zeek is commonly used for network forensics, incident response, and threat hunting.
Zeek can be integrated with SIEMs for centralized log analysis.
Zeek uses a scripting language for custom event-driven analysis.
Memory and CPU requirements are high; cluster mode is used for high-speed networks.
These come up on the exam all the time. Here's how to tell them apart.
Zeek
Passive monitoring – does not block traffic.
Produces structured logs (conn.log, http.log, etc.).
Focuses on metadata and protocol analysis.
Scripting language for custom analysis.
Best for network forensics and incident response.
Snort
Can act as an IPS – can block traffic using inline mode.
Generates alerts based on signatures.
Focuses on packet payload inspection for known attacks.
Rule-based detection (Snort rules).
Best for real-time intrusion detection and prevention.
Mistake
Zeek is an intrusion prevention system (IPS) that can block malicious traffic.
Correct
Zeek is a passive network monitoring tool. It does not block traffic or inject packets. It only logs and analyzes network activity. Blocking is done by firewalls or IPS devices.
Mistake
Zeek inspects packet payloads for attack signatures like Snort.
Correct
Zeek focuses on metadata and protocol-level analysis. It does not use signature-based detection by default. It can be extended with scripts to detect specific patterns, but its core strength is logging, not intrusion detection.
Mistake
Zeek logs are only useful for real-time alerting.
Correct
Zeek logs are primarily used for post-event analysis and forensics. While scripts can generate notices, Zeek is not designed for real-time alerting. It excels at providing a historical record of network activity.
Mistake
The ssl.log contains the decrypted content of encrypted sessions.
Correct
ssl.log contains metadata about the TLS handshake, such as certificate details, cipher suites, and server name. It does not contain decrypted payload data. Zeek cannot decrypt encrypted traffic unless the private key is provided (rarely done).
Mistake
Zeek can only run on Linux.
Correct
Zeek is primarily developed for Linux/Unix, but it can be compiled on macOS and Windows (via WSL or Cygwin). However, production deployments are almost always on Linux.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Zeek is a passive network monitoring framework that generates structured logs of network activity, focusing on metadata and protocol analysis. Snort is an intrusion detection/prevention system that uses signatures to detect known threats in real-time and can block traffic. Zeek does not block traffic; it provides logs for analysis. Snort is rule-based, while Zeek uses event-driven scripts. Both can be used together for comprehensive monitoring.
Use the command `zeek -i eth0` to start Zeek on interface eth0. Replace eth0 with the appropriate interface name. For persistent operation, use `zeekctl deploy` after configuring zeekctl. Ensure the interface is in promiscuous mode and you have proper permissions (root or CAP_NET_RAW).
conn.log contains connection-level metadata: timestamp, unique connection ID, source IP/port, destination IP/port, protocol, service, duration, bytes transferred (orig_bytes, resp_bytes), connection state (conn_state), and more. It summarizes each network session, whether TCP, UDP, or ICMP.
Zeek itself does not detect malware; it provides logs that analysts can use to identify suspicious behavior. For example, connections to known malicious IPs, unusual DNS queries, or SSL certificates from untrusted issuers can be flagged by custom scripts. Zeek can also extract files for malware analysis.
Use `tail -f /var/log/zeek/current/conn.log` to watch new entries as they are written. For other logs, replace conn.log with http.log, dns.log, etc. You can also use `zeekctl` to check status and view logs.
The default log format is tab-separated values (TSV). Zeek also supports JSON output by setting the `LogAscii::use_json` variable to T in the configuration or in a script. JSON is easier to parse with modern tools.
Zeek cannot decrypt encrypted traffic unless the private key is provided. However, it logs metadata from the TLS handshake in ssl.log, such as certificate details, cipher suites, and server name. This metadata can be used to detect anomalies, like self-signed certificates or connections to untrusted servers.
You've just covered Zeek for Network Traffic Analysis — now see how well it sticks with free CS0-003 practice questions. Full explanations included, no account needed.
Done with this chapter?