EN
ENNA

Zeek

๐ŸŒ Network Recon ยท C++

Zeek (formerly Bro) is a powerful network analysis framework that sits on a network tap, link, or live interface and generates detailed logs describing network activity. Unlike traditional IDS systems that match signatures, Zeek performs deep protocol analysis to produce structured logs for every connection, DNS query, HTTP request, SSL certificate, file transfer, and dozens of other protocol events. These logs are the foundation for network security monitoring - they tell you not just that something happened, but exactly what happened at the application layer. Zeek's scripting language allows custom analysis, from detecting specific attack patterns to extracting files from network traffic. It's widely deployed in academic networks, enterprises, and government agencies, and its logs are commonly fed into SIEM platforms for correlation and alerting. Zeek also includes a signature framework for traditional pattern matching and a file analysis framework for extracting and inspecting transferred files.

7.5kstars
1.3kforks
229issues
Updated 4d ago
View on GitHubOfficial WebsiteDocumentation

Installation

brew (macOS)

$ brew install zeek

apt (Debian/Ubuntu)

$ echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/zeek.list && sudo apt install zeek

from source

$ git clone --recursive https://github.com/zeek/zeek && cd zeek && ./configure && make && sudo make install

Use Cases

  • Generating structured logs of all network connections, DNS, and HTTP activity
  • Deep protocol analysis for security monitoring and threat detection
  • Extracting files transferred over the network for malware analysis
  • Building custom network detection logic with the Zeek scripting language
  • Feeding network telemetry into SIEM platforms for correlation and alerting
  • Forensic analysis of packet captures with detailed protocol-level output

Tags

network-monitoringprotocol-analysisidsloggingpcapdeep-inspectionbrodfirndrnsmsecurityzeek

Details

Category
๐ŸŒ Network Recon
Language
C++
Repository
zeek/zeek
Platforms
๐Ÿงlinux๐ŸŽmacos

Links

GitHub Repository

github.com/zeek/zeek

Official Website

zeek.org

Documentation

docs.zeek.org

Releases

github.com/zeek/zeek/releases

Issues

github.com/zeek/zeek/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Alternatives & Comparisons

Nmap

C/C++

The gold standard network scanner. Host discovery, port scanning, service/version detection, OS fingerprinting.

Compare Zeek vs Nmap

Wireshark

C/C++

The world's foremost network protocol analyzer. Deep packet inspection for hundreds of protocols.

Compare Zeek vs Wireshark

Arkime

JavaScript/C

Full packet capture and search system (formerly Moloch). Indexed network traffic with a web UI for hunting and forensics.

Compare Zeek vs Arkime

Suricata

C/Rust

High-performance IDS/IPS and network monitoring engine. Multi-threaded with Snort-compatible rules and protocol logging.

Compare Zeek vs Suricata

More in Network Recon

Nmap

C/C++

The gold standard network scanner. Host discovery, port scanning, service/version detection, OS fingerprinting.

port-scanservice-detectionos-fingerprint

Masscan

C

Internet-scale port scanner. Transmits 10 million packets per second. Asynchronous, stateless scanning.

port-scanhigh-speedinternet-scale

RustScan

Rust

Blazing fast port scanner that pipes into Nmap. Scans all 65k ports in 3 seconds flat.

port-scanfastnmap-integration

Shodan CLI

Python

Command-line interface for Shodan, the search engine for internet-connected devices.

iotsearch-engineinternet-scan

Wireshark

C/C++

The world's foremost network protocol analyzer. Deep packet inspection for hundreds of protocols.

packet-captureprotocol-analysisgui

Responder

Python

LLMNR/NBT-NS/mDNS poisoner and rogue authentication server. Captures NTLMv1/v2 hashes on the network.

ntlmpoisoncredential-capture