Zeek

zeek.org

Zeek (formerly Bro) passively monitors network traffic and looks for suspicious activity.

Open Source

Zeek Source Code

Author

zeek

Description

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

#bro#dfir#network-monitoring#nsm#pcap#security#zeek

Homepage

https://www.zeek.org

License

NOASSERTION

Created

06 Jul 12

Last Updated

22 Jun 24

Latest version

v7.0.0-dev

Primary Language

C++

Size

164,668 KB

Stars

6,041

Forks

1,183

Watchers

6,041

Language Usage

Star History

Recent Commits

  • Christian Kreibich (21 Jun 24)

    Merge branch 'topic/awelzel/topic/awelzel/ssh-invalid-version-2' * topic/awelzel/topic/awelzel/ssh-invalid-version-2: zeek-testing-private: Update baseline ssh: Revert half-duplex robustness

  • Christian Kreibich (21 Jun 24)

    Merge branch 'topic/dopheide/runtime-includes' of github.com:/dopheide-esnet/zeek * 'topic/dopheide/runtime-includes' of github.com:/dopheide-esnet/zeek: Fixes build error of OpenVPN spicy plugin

  • Michael Dopheide (20 Jun 24)

    Fixes build error of OpenVPN spicy plugin

  • Robin Sommer (20 Jun 24)

    Merge remote-tracking branch 'origin/topic/robin/gh-3521-zeek-val' * origin/topic/robin/gh-3521-zeek-val: Bump Spicy and documentation submodules. Spicy: Provide runtime API to access Zeek-side globals. Spicy: Reformat `zeek.spicy` with `spicy-format`. Spicy: Extend exception hierarchy.

  • Robin Sommer (19 Jun 24)

    Bump Spicy and documentation submodules.

  • Robin Sommer (17 Jun 24)

    Spicy: Provide runtime API to access Zeek-side globals.

    This allows reading Zeek global variables from inside Spicy code. The main challenge here is supporting all of Zeek's data types in a type-safe manner.

    The most straight-forward API is a set of functions `get_<type>(<id>)`, where `<type>` is the Zeek-side type name (e.g., `count`, `string`, `bool`) and `<id>` is the fully scoped name of the Zeek-side global (e.g., `MyModule::Boolean`). These functions then return the corresponding Zeek value, converted to an appropriate Spicy type. Example:

    Zeek:

        module Foo;
        const x: count = 42;
        const y: string = "xxx";

    Spicy:

        import zeek;
        assert zeek::get_count("Foo::x") == 42;
        assert zeek::get_string("Foo::y") == b"xxx"; # returns bytes(!)

    For container types, the `get_*` function returns an opaque type that can be used to access the containers' values. An additional set of functions `as_<type>` allows converting opaque values of atomic types to Spicy equivalents. Example:

    Zeek:

        module Foo;
        const s: set[count] = { 1, 2 };
        const t: table[count] of string = { [1] = "One", [2] = "Two" };

    Spicy:

        # Check set membership.
        local set_ = zeek::get_set("Foo::s");
        assert zeek::set_contains(set_, 1) == True;

        # Look up table element.
        local table_ = zeek::get_table("Foo::t");
        local value = zeek::table_lookup(table_, 1);
        assert zeek::as_string(value) == b"One";

    There are also functions for accessing elements of Zeek-side vectors and records. If any of these `zeek::*` conversion functions fails (e.g., due to a global of that name not existing), it will throw an exception.

    Design considerations:

    - We support only reading Zeek variables, not writing. This is both to simplify the API, and also conceptually to avoid offering backdoors into Zeek state that could end up with a very tight coupling of Spicy and Zeek code.
    - We accept that a single access might be relatively slow due to name lookup and data conversion. This is primarily meant for configuration-style data, not for transferring lots of dynamic state over.
    - In that spirit, we don't support deep-copying complex data types from Zeek over to Spicy. This is (1) to avoid performance problems when accidentally copying large containers over, potentially even at every access; and (2) to avoid the two sides getting out of sync if one ends up modifying a container without the other being able to see it.

  • Arne Welzel (19 Jun 24)

    zeek-testing-private: Update baseline

  • Arne Welzel (12 Jun 24)

    ssh: Revert half-duplex robustness

    This reverts part of commit a0888b7e36308d241f4c62b42715a94d499aab23 due to inhibiting analyzer violations when parsing non-SSH traffic when the &restofdata path is entered. @J-Gras reported the analyzer not being disabled when sending HTTP traffic on port 22.

    This adds the verbose analyzer.log baselines such that future improvements of these scenarios become visible.

  • Robin Sommer (18 Jun 24)

    Spicy: Reformat `zeek.spicy` with `spicy-format`.

  • Robin Sommer (18 Jun 24)

    Spicy: Extend exception hierarchy. We move the current `TypeMismatch` into a new `ParameterMismatch` exception that's derived from a more general `TypeMismatch` now that can also be used for other, non-parameter mismatches.

  • Arne Welzel (18 Jun 24)

    Merge remote-tracking branch 'origin/topic/christian/ci-updates' * origin/topic/christian/ci-updates: CMakeLists: Disable -Werror for 3rdparty/sqlite3.c Bump zeek-3rdparty to pull in sqlite move to 3.46 CI: drop Fedora 38, add 40

  • Arne Welzel (18 Jun 24)

    CMakeLists: Disable -Werror for 3rdparty/sqlite3.c

    We package vanilla sqlite from upstream and on Fedora 40 with sqlite 3.46 there's the following compiler warning:

        In function 'sqlite3Strlen30',
            inlined from 'sqlite3ColumnSetColl' at ../../src/3rdparty/sqlite3.c:122105:10:
        ../../src/3rdparty/sqlite3.c:35003:28: error: 'strlen' reading 1 or more bytes from a region of size 0 [-Werror=stringop-overread]
        35003 |   return 0x3fffffff & (int)strlen(z);
              |                            ^~~~~~~~~
        In function 'sqlite3ColumnSetColl':

    Disabling -Werror on sqlite3.c seems sensible given we have little control over that code.

  • Christian Kreibich (29 May 24)

    Bump zeek-3rdparty to pull in sqlite move to 3.46 This avoids a compiler warning/error on Fedora 40.

  • Christian Kreibich (24 May 24)

    CI: drop Fedora 38, add 40

  • Robin Sommer (14 Jun 24)

    Merge remote-tracking branch 'origin/topic/robin/gh-3783-replaces-two' * origin/topic/robin/gh-3783-replaces-two: Spicy: Disallow repeating replacements of the same analyzer. Bump Spicy.

  • Robin Sommer (14 Jun 24)

    Spicy: Disallow repeating replacements of the same analyzer. We now reject EVT files that attempt to replace the same built-in analyzer multiple times as doing so would be ill-defined and not very intuitive in what exactly it means. Closes #3783.

  • Robin Sommer (14 Jun 24)

    Bump Spicy.

  • Benjamin Bannier (11 Jun 24)

    Merge remote-tracking branch 'origin/topic/bbannier/ci-centos8-stream-eol'

  • Benjamin Bannier (11 Jun 24)

    Drop EOL centos8-stream in CI

  • Arne Welzel (11 Jun 24)

    Merge remote-tracking branch 'origin/topic/timw/civetweb-shutdown-data-race' * origin/topic/timw/civetweb-shutdown-data-race: Suppress a known data race during civetweb shutdown

  • Arne Welzel (11 Jun 24)

    Merge remote-tracking branch 'origin/topic/awelzel/asan-coverage-fixes' * origin/topic/awelzel/asan-coverage-fixes: Bump cmake for -fprofile-update=atomic usage cirrus: Unset CCACHE_BASEDIR for asan/coverage build

  • Arne Welzel (10 Jun 24)

    Bump cmake for -fprofile-update=atomic usage

  • Arne Welzel (10 Jun 24)

    cirrus: Unset CCACHE_BASEDIR for asan/coverage build When CCACHE_BASEDIR is set, ccache will rewrite absolute paths to relative paths in order to allow compilation in different source directories. We do not need this feature on Cirrus (the checkout is always in /zeek) and using absolute paths avoids confusion/normalization needs for the gcov -p results. We could consider removing the global CCACHE_BASEDIR, but it'd bust the ccache of every other task, too.

  • zeek-bot (08 Jun 24)

    Update doc submodule [nomail] [skip ci]

  • Tim Wojtulewicz (07 Jun 24)

    Suppress a known data race during civetweb shutdown

  • Tim Wojtulewicz (07 Jun 24)

    Merge remote-tracking branch 'origin/topic/timw/telemetry-bind-address' * origin/topic/timw/telemetry-bind-address: Add Telemetry::metrics_address option

  • Tim Wojtulewicz (07 Jun 24)

    Add Telemetry::metrics_address option

  • Tim Wojtulewicz (07 Jun 24)

    Merge remote-tracking branch 'origin/topic/timw/pic-prometheus-cpp' * origin/topic/timw/pic-prometheus-cpp: Update cmake submodule [nomail]

  • Tim Wojtulewicz (05 Jun 24)

    Update cmake submodule [nomail]

  • Tim Wojtulewicz (07 Jun 24)

    Merge remote-tracking branch 'origin/topic/timw/dont-require-jq' * origin/topic/timw/dont-require-jq: Change prometheus test to check for require jq

Zeek Website

Website

The Zeek Network Security Monitor

Zeek (formerly Bro) is the world’s leading platform for network security monitoring. Flexible, open source, and powered by defenders.

Redirects

Does not redirect

Security Checks

All 66 security checks passed

Server Details

  • IP Address 192.0.78.212
  • Location San Francisco, California, United States of America, NA
  • ISP Automattic Inc
  • ASN AS2635

Associated Countries

  • US

Safety Score

Website marked as safe

100%

Blacklist Check

zeek.org was found on 0 blacklists

  • ThreatLog
  • OpenPhish
  • PhishTank
  • Phishing.Database
  • PhishStats
  • URLhaus
  • RPiList Not Serious
  • AntiSocial Blacklist
  • PhishFeed
  • NABP Not Recommended Sites
  • Spam404
  • CRDF
  • Artists Against 419
  • CERT Polska
  • PetScams
  • Suspicious Hosting IP
  • Phishunt
  • CoinBlockerLists
  • MetaMask EthPhishing
  • EtherScamDB
  • EtherAddressLookup
  • ViriBack C2 Tracker
  • Bambenek Consulting
  • Badbitcoin
  • SecureReload Phishing List
  • Fake Website Buster
  • TweetFeed
  • CryptoScamDB
  • StopGunScams
  • ThreatFox
  • PhishFort


About the Data: Zeek

API

You can access Zeek's data programmatically via our API. Simply make a GET request to:

https://api.awesome-privacy.xyz/networking/intrusion-detection/zeek

The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.

About the Data

Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of the data included in this page comes from, and how it is computed, see the About the Data section of our About page.
