What is Zeek (Bro IDS)? Zeek, formerly known as Bro, is an open-source software framework for analyzing network traffic that is most commonly used to detect behavioral anomalies on a network for cybersecurity purposes.
Zeek provides capabilities that are similar to network intrusion detection systems (IDS), however, thinking about Zeek exclusively as an IDS doesn’t effectively describe the breadth of its capabilities. This is because Zeek enables security operations centers (SOC) to do much more – including performing incident response, forensics, file extraction, and hashing among other capabilities.
1) Converts data about network traffic into higher-level events; and
2) Provides a script interpreter – a robust programming language – which is used to interact with events and understand what those events mean in terms of network security.
In other words, Zeek captures metadata about activity on a network and then provides a programming language to understand when that activity presents malicious or suspicious indications.
Zeek Compared to Conventional IDS
As Zeek monitors a traffic stream it produces logs that record everything it understands about the network activity. This understanding includes connection records, the volume of packets sent and received, attributes about TCP sessions, and other metadata that is useful for analyzing network behavior and understanding the context of that behavior.
What is deemed suspicious network behavior in one organization, maybe be routine in another? This is why the Zeek programming language is so advantageous; it can be used to customize the interpretation of metadata to the specific needs of an organization.
A good way to understand why this is so unique is to compare it to a conventional rules-based IDS such as Suricata or Snort. A classic use case for those tools is to monitor traffic on a targeted port for a specific attribute – a certain protocol or byte pattern that exists in the packet payloads. When those conditions match the rule, the IDS triggers an alert.
Zeek provides a way to perform the same types of checks for traffic attributes, but with the added value of a programmatic interface. This means Zeek can be used to calculate numerical statistics and regular expression pattern matching. It can also build out complex logical conditions using AND, OR and NOT operators, which allow the users to customize the analysis to their environment.
>>> Also see: IDS/IPS: The Most Useful Threat Detection Tool You Have
The Zeek Forensic Capabilities
While Zeek provides network traffic visibility and capability to perform threat detection, it also provides the means to conduct incident response and forensics all in one place. If for example, federal law enforcement notifies an enterprise of evidence a system is beaconing out to a malicious domain they are monitoring, Zeek can determine which machine is responsible.
Since Zeek maintains a record of network transactions, a user can go back retroactively and look at how a series of events played out leading up to that notification. This forensic examination helps determine the behavior a machine was exhibiting before beaconing and understanding if other machines were touched or infected in the process.
There’s really nothing quite like Zeek available today. It’s providing both real-time traffic inspection for a wide range of protocols and also functions like a network recorder and collection tool, with the capacity to perform offline analysis.
Use Cases for Zeek in Practice
A common use case for Zeek is the identification of network behavioral deviations. A few examples include an internal host that suddenly begins communicating with a machine for the first time ever, communicating with more hosts than normal, or using a protocol that is different or unusual.
While this broad use case is fairly common, one of the big advantages of Zeek is its ability to be customized to unique environments. To help illustrate this, we’ve pulled together specific examples from three different vertical markets:
1) Zeek use case for retail.
The point-of-sale (POS) system is high-risk for retailers striving to protect credit card data to avoid both financial damages and adverse regulatory effects. Zeek can be configured to monitor those systems used for credit card transactions and understand what protocols are used and what systems should be communicating with each other under routine circumstances. In other words, it characterizes what the typical pattern of traffic to and from POS terminals looks like – which allows it to identify when those patterns are deviating. This can be used to flag potential problems sooner, and in the event of a compromise, understand the effects on data and scope of impact.
2) Zeek use case for energy.
Institutions that create or transmit energy typically use a closed IP-based control system called supervisory control and data acquisition (SCADA). Because these systems are closed, the network communications and behavior fall into a consistent pattern. In the energy vertical, Zeek is frequently deployed to establish a baseline of what a normal pattern looks like – what number of connections or hosts an endpoint communicates with, the protocols it uses, and the amount of data it typically sends or receives. If these systems begin communicating with nodes they never have before, Zeek provides the means to write scripts to identify this anomaly. While this is a similar adaptation as the POS use case, the implications are different because they are physical and can include damage to supply and control systems, reductions in output, and potentially power outages with the many possible side effects that come with an outage.
3) Zeek use case for healthcare.
A key concern for network security in healthcare is data leakage – and specifically personal health information (PHI) being leaked from the network. Zeek will capture the metadata about the network communications, and the programming language can be used to write scripts to interpret when metadata contains information suggesting PHI is potentially leaving the network.
Additional Resources for Understanding Zeek
Bro is extremely powerful because it captures network metadata and provides a programming language that can be used to interpret behavioral networks signs of interest. This allows organizations to examine threats from different perspectives and it’s why Bricata has included Zeek on its sensors as one of three important detection engines.
For those interested in learning more about Zeek, we recommend the following resources:
- How Zeek IDS can Help Security Capture Institutional Knowledge for Cyber Alert Enrichment and Better Network Traffic Analysis
- A brief study and comparison of Snort and Bro [Zeek] Open Source Network Intrusion Detection Systems
>>> Note: Zeek IDS is one of three detection technologies Bricata has integrated on its sensors. If you’d like to see Bricata in action for yourself, please contact us for a live demonstration.
If you enjoyed this post, you might also like:
Here is How Open Source DIY Fatigue Saps Cybersecurity Resources