We covered an introduction to Zeek, a packet and log analyzer that can be used for network security monitoring, incident analysis and log investigation. Zeek has two primary layers, the "Event Engine" and the "Policy Script Interpreter", which process traffic and extract key data and insights into the logs, such as source and destination IP addresses and ports.

We also covered the second part of working with Zeek, the packet and network security analyzer, where we explained how to detect certain events using Zeek signatures and how to correlate those events to trigger certain actions using the Zeek scripting language.

We also demonstrated the third part of packet analysis using Zeek, explaining the frameworks and packages that extend Zeek's functionality to allow more event correlation and data extraction. Frameworks and packages can be invoked when running Zeek from the command line, or loaded inside scripts with the @load directive.

This was part of the TryHackMe Zeek room in the SOC Analyst Level 1 pathway.

What Is Zeek?

Zeek is a passive, open-source network traffic analyzer widely used for security monitoring, forensic investigations, and protocol analysis. While traditional IDS tools like Snort generate real-time alerts, Zeek takes a log-based forensic approach, providing context-rich data about network activity.

Zeek enables analysts to:

  • Generate and correlate logs for analysis.
  • Detect malware and unauthorized access.
  • Investigate encrypted and unencrypted traffic.
  • Monitor usage patterns and device health.

How Zeek Operates: Two Primary Modes

1. Live Network Monitoring

  • Zeek runs as a system service.
  • Continuously analyzes live traffic.
  • Typically deployed on a network tap or SPAN port.
  • Logs are stored by default in /opt/zeek/logs/current.

2. Offline Packet Capture Analysis (PCAP)

  • Run from the command line, not as a service.
  • Analyze .pcap files with:

zeek -C -r sample.pcap

  • -C: Ignore checksum validation.
  • -r: Read mode: read packets from the given pcap file instead of a live interface.

Network vs. Security Monitoring

Network Monitoring

  • Focus on device uptime, performance, latency, and health.
  • Ensures IT assets meet business SLA and policy.

Network Security Monitoring (NSM)

  • Detects anomalies, threats, and rogue elements.
  • Tracks suspicious domains, IPs, and malicious patterns.
  • Analyzes port usage, encryption levels, and traffic behaviors.

Zeek excels in NSM by generating actionable, detailed logs.

Zeek Log Architecture

Zeek generates over 50 log types categorized into three main classes:

1. Protocol-Based Logs

Captured based on observed traffic protocols:

  • conn.log: General connection summary.
  • http.log: HTTP request/response info.
  • dns.log: DNS queries/responses.
  • ssl.log: TLS/SSL metadata.
  • dhcp.log, ssh.log, ftp.log, etc.

2. Detection-Based Logs

Focused on alert-like activities:

  • signatures.log: Signature hits.
  • notice.log: Notices like potential scanning, weird traffic.
  • weird.log: Unusual protocol violations.

3. Observation Logs

Support behavioral baselining:

  • known_hosts.log: Hosts known in the network.
  • known_services.log: Services discovered during analysis.

Understanding Zeek Signatures

What Are Signatures?

Zeek signatures define specific patterns to match in network traffic. They work similarly to Snort rules but are more customizable and versatile.

Signature Structure

Each signature consists of:

  1. Signature ID – Unique name for the rule.
  2. Header – Filters like source/destination IPs and ports.
  3. Content – What to look for in payload (e.g. regex match).
  4. Action – What happens when the signature matches (e.g., log, script trigger).

Example Signature

signature ftp-admin {
    ip-proto == tcp
    payload /USER admin/
    event "FTP admin login attempt"
}

This rule matches TCP traffic whose payload contains "USER admin" and, on a match, raises a signature_match event and writes an entry with the given message to signatures.log.

Combining Signatures to Detect Brute Force

To detect brute-force attempts:

  • The first signature looks for USER admin login attempts.
  • The second signature matches the FTP 530 response code (login failure).
  • When both occur together, Zeek correlates them as a brute-force detection.

Global Signature Logic

A global rule links both partial signatures to define a compound attack scenario.

Zeek Scripting Language (ZeekScript)

What Is ZeekScript?

A domain-specific scripting language built into Zeek that allows users to:

  • Correlate events.
  • Extract data.
  • Trigger custom responses.

Use Cases

  • Extract hostnames from DHCP traffic.
  • Count connection attempts.
  • Trigger custom notifications or write specific logs.

Script Placement

  • Default scripts: /opt/zeek/share/zeek/base/
  • User scripts: /opt/zeek/share/zeek/site/

Signatures + Scripts = Full Power

By combining a signature and a script, you can:

  • Detect an event (e.g., brute force).
  • Execute a response (e.g., extract hostname or log specific details).

Workflow Example:

  1. Signature detects FTP brute force.
  2. Script runs on match to extract attacker hostname.
  3. Output is displayed or written to logs.

Loading Scripts Locally

When running:

zeek -C -r file.pcap local

Zeek loads the site's local.zeek policy together with every script it pulls in; each loaded script is recorded in loaded_scripts.log.

To count the loaded scripts:

cat loaded_scripts.log | grep zeek | wc -l

Practical Use: Analyzing Logs via CLI

Tools Needed:

  • cat, head, cut, sort, uniq, grep, zcat, zeek-cut (Zeek's log-friendly field extractor, which selects columns by the names in the log's #fields header)

Field Extraction

  1. Identify the available fields with head -n 10 filename.log (the #fields header line lists them).
  2. Extract a field by name:

cat dns.log | zeek-cut query

  3. Remove duplicates:

... | sort | uniq

Log Correlation Using UID

Each connection gets a unique UID which appears across related logs.

  • Use this as a join key to correlate logs like conn.log ↔ http.log ↔ dns.log.
  • Essential for tracing a session or attack path.
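The following POSIX shell script is an added example and is not code from the TryHackMe room or from Zeek's own tooling. It works through the CLI workflow above (field extraction by name, deduplication, longest duration, UID correlation across conn.log and http.log) and also shows the log-side view of the USER admin / 530 correlation from the "Combining Signatures to Detect Brute Force" section. All four logs are constructed stand-ins with a subset of Zeek's real columns; the zcut function is my own awk re-implementation of what zeek-cut does with the #fields header, and the brute-force threshold of 3 failures is an assumed value, not Zeek's.

```shell
#!/bin/sh
# Added example, not from the room: analysing Zeek TSV logs with POSIX tools.
# All four logs below are CONSTRUCTED stand-ins with a subset of the real
# columns; real logs carry more fields and extra '#' header lines, which the
# parser skips in the same way.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Rows are typed with '|' for readability and converted to Zeek's real tabs.
tsv() { tr '|' '\t'; }

cat <<'EOF' | tsv > conn.log
#separator \x09
#fields|ts|uid|id.orig_h|id.orig_p|id.resp_h|id.resp_p|proto|duration|orig_pkts|resp_pkts
1700000000.1|CAb1x1|10.0.0.5|38706|192.0.2.10|80|tcp|0.413|6|5
1700000001.2|CBc2y2|10.0.0.5|38707|192.0.2.10|80|tcp|12.802|40|58
1700000002.3|CDd3z3|10.0.0.6|51000|192.0.2.53|53|udp|0.021|1|1
1700000003.4|CEe4w4|203.0.113.9|40001|10.0.0.7|21|tcp|3.500|30|29
EOF

cat <<'EOF' | tsv > dns.log
#fields|ts|uid|id.orig_h|query|answers
1700000002.3|CDd3z3|10.0.0.6|example.test|192.0.2.10
1700000004.0|CFf5v5|10.0.0.6|example.test|192.0.2.10
1700000005.0|CGg6u6|10.0.0.6|updates.example.test|192.0.2.11
EOF

cat <<'EOF' | tsv > http.log
#fields|ts|uid|id.orig_h|method|host|uri|status_code
1700000000.2|CAb1x1|10.0.0.5|GET|example.test|/index.html|200
1700000001.3|CBc2y2|10.0.0.5|GET|example.test|/update.exe|200
EOF

cat <<'EOF' | tsv > ftp.log
#fields|ts|uid|id.orig_h|id.resp_h|user|command|reply_code
1700000003.5|CEe4w4|203.0.113.9|10.0.0.7|admin|PASS|530
1700000003.6|CEe4w4|203.0.113.9|10.0.0.7|admin|PASS|530
1700000003.7|CEe4w4|203.0.113.9|10.0.0.7|admin|PASS|530
1700000003.8|CEe4w4|203.0.113.9|10.0.0.7|admin|PASS|230
1700000006.0|CHh7t7|10.0.0.5|10.0.0.7|admin|PASS|530
1700000006.1|CHh7t7|10.0.0.5|10.0.0.7|admin|PASS|230
EOF

# zcut: print the named columns of a Zeek log, resolved from its '#fields'
# header (a stand-in for zeek-cut so the script runs without Zeek installed).
zcut() {
  awk -F '\t' -v want="$*" '
    BEGIN { n = split(want, names, " ") }
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
    /^#/ { next }
    { out = ""
      for (i = 1; i <= n; i++) out = out (i > 1 ? "\t" : "") $(col[names[i]])
      print out }'
}

# Number of distinct DNS query names (the sort | uniq step from the page).
unique_dns_queries() { zcut query < dns.log | sort | uniq | wc -l | tr -d ' '; }

# Longest connection: duration first so the numeric sort orders by it.
longest_conn() { zcut duration uid < conn.log | sort -k1,1n | tail -n 1; }

# Packets sent plus received for one source port.
packets_for_port() {
  zcut id.orig_p orig_pkts resp_pkts < conn.log \
    | awk -F '\t' -v p="$1" '$1 == p { s += $2 + $3 } END { print s + 0 }'
}

# Follow one UID across logs: the join key the page describes.
uid_trace() {
  zcut uid id.orig_h id.orig_p id.resp_h id.resp_p duration < conn.log \
    | awk -F '\t' -v u="$1" '$1 == u { print "conn\t" $0 }'
  zcut uid method host uri status_code < http.log \
    | awk -F '\t' -v u="$1" '$1 == u { print "http\t" $0 }'
}

# Log-side view of the page's USER admin + 530 correlation: count failed
# admin logins per client and report those at or above an ASSUMED threshold.
ftp_bruteforce_sources() {
  zcut id.orig_h user reply_code < ftp.log \
    | awk -F '\t' -v t="${1:-3}" '
        $2 == "admin" && $3 == "530" { fail[$1]++ }
        END { for (h in fail) if (fail[h] >= t) print fail[h] "\t" h }' \
    | sort -rn
}

# Run it: each function is a one-line answer of the kind the room asks for.
echo "unique DNS queries: $(unique_dns_queries)"
echo "longest conn (duration uid): $(longest_conn)"
echo "packets via src port 38706: $(packets_for_port 38706)"
uid_trace CBc2y2
echo "FTP brute-force sources (>=3 failures):"
ftp_bruteforce_sources 3
```

On a real Zeek host, replace the zcut function with zeek-cut and point the functions at /opt/zeek/logs/current; the rest of the pipeline is unchanged, because every step keys off the #fields header rather than fixed column positions, which is what keeps these one-liners working when a log format gains or loses columns.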

Advanced: Visualization via ELK and Splunk

While command-line analysis works, visualization tools make correlation and searching easier:

  • ELK Stack (Elasticsearch, Logstash, Kibana) offers interactive dashboards and searchability.
  • Splunk can ingest Zeek logs for advanced queries, for example:

sourcetype="zeek:http" status_code=200

These tools simplify correlation, time series analysis, and anomaly detection.

TryHackMe Zeek Room Answers

What is the installed Zeek instance version number?

What is the version of the ZeekControl module?

Investigate the “sample.pcap” file. What is the number of generated alert files?

Investigate the sample.pcap file. Investigate the dhcp.log file. What is the available hostname?

Investigate the dns.log file. What is the number of unique DNS queries?

Investigate the conn.log file. What is the longest connection duration?

Investigate the http.pcap file. Create the HTTP signature shown in the task and investigate the pcap. What is the source IP of the first event?

What is the source port of the second event?

Investigate the conn.log.
What is the total number of the sent and received packets from source port 38706?

Create the global rule shown in the task and investigate the ftp.pcap file.

Investigate the notice.log. What is the number of unique events?

What is the number of ftp-brute signature matches?

Investigate the smallFlows.pcap file. Investigate the dhcp.log file. What is the domain value of the “vinlap01” host?

Investigate the bigFlows.pcap file. Investigate the dhcp.log file. What is the number of identified unique hostnames?

Investigate the dhcp.log file. What is the identified domain value?

Go to folder TASK-7/101.
Investigate the sample.pcap file with 103.zeek script. Investigate the terminal output. What is the number of the detected new connections?

Go to folder TASK-7/201.
Investigate the ftp.pcap file with ftp-admin.sig signature and 201.zeek script. Investigate the signatures.log file. What is the number of signature hits?

Investigate the signatures.log file. What is the total number of “administrator” username detections?

Investigate the ftp.pcap file with all local scripts, and investigate the loaded_scripts.log file. What is the total number of loaded scripts?

Go to folder TASK-7/202.
Investigate the ftp-brute.pcap file with the /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek script. Investigate the notice.log file. What is the total number of brute-force detections?

Investigate the case1.pcap file with intelligence-demo.zeek script. Investigate the intel.log file. Look at the second finding, where was the intel info found?

Investigate the http.log file. What is the name of the downloaded .exe file?

Investigate the case1.pcap file with hash-demo.zeek script. Investigate the files.log file. What is the MD5 hash of the downloaded .exe file?

Investigate the case1.pcap file with file-extract-demo.zeek script. Investigate the “extract_files” folder. Review the contents of the text file. What is written in the file?

Investigate the http.pcap file with the zeek-sniffpass module. Investigate the notice.log file. Which username has more module hits?

Investigate the case2.pcap file with geoip-conn module. Investigate the conn.log file. What is the name of the identified City?

Which IP address is associated with the identified City?

Investigate the case2.pcap file with sumstats-counttable.zeek script. How many types of status codes are there in the given traffic capture?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
