Seven years after the last major branch was created, Zeek 3.0.0 has been released: a new version of the traffic analysis and network intrusion detection system previously distributed under the name Bro.
Zeek is a traffic analysis platform primarily focused on tracking security events, but it is not limited to that use. It provides modules for analyzing various application-level network protocols that take connection state into account and allow a detailed log of network activity to be built.
A domain-specific language is provided for writing monitoring scripts and detecting anomalies, taking into account the particular characteristics of a given infrastructure. The system is optimized for use on high-bandwidth networks.
An API is provided for integration with third-party information systems and real-time data exchange.
IP packets captured with pcap are passed to an event engine that accepts or rejects them. Accepted packets are forwarded to the policy script interpreter.
The event engine analyzes live or recorded network traffic, or trace files, to generate policy-neutral events. It generates an event when "something" happens.
That something can be caused by the Zeek process itself, such as just after initialization or just before the Zeek process terminates, or by something taking place on the network (or in the trace file) being parsed, such as Zeek witnessing an HTTP request or a new TCP connection.
Zeek uses well-known ports and dynamic protocol detection (including signatures and behavior analysis) to better determine how to interpret network protocols. Events are policy-neutral in that they are neither good nor bad; they simply signal to the script that something happened.
Main changes in Zeek 3.0
The announcement of this release highlights that the parser for the NTP protocol has been completely rewritten and a new parser has been added for MQTT.
In addition, the analyzers for DNS, RDP, SMB and TLS have been improved. For DNS, SPF record parsing is provided, and for DNSSEC the RRSIG, DNSKEY, DS, NSEC and NSEC3 records are parsed and mapped to corresponding events.
All references to the name "bro" in file paths, configuration, packages, scripts, namespaces and functions have been replaced by "zeek" (backward compatibility with the old names is preserved). The bro-pkg package manager has been renamed to zkg.
Other changes featured in the announcement of this new version:
- Implemented support for de-encapsulating streams transmitted within VXLAN tunnels.
- Added support for links of type NFLOG.
- Added the ability to save extracted data records in UTF-8 encoding.
- Support for closures in anonymous functions has been added to the scripting language, along with a table enumeration operator in key-value form ("for (key, value in t)").
- Added Python-style vector slicing operations ("v[2:4]").
- A new paraglob structure has been introduced to quickly match string patterns in large binary data sets.
- Added support for the SMB 3.x protocol in the SMB parser, and support for TLS 1.3.
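The following script is an added example, not code from the article or from the Zeek project: it shows how the event engine and policy script fit together by counting DNS queries per client through the DNS analyzer's dns_request event and reporting the busiest clients at shutdown, using the Zeek 3.0 scripting features listed above (key/value table enumeration, closures in anonymous functions and vector slicing). The module name, the queries table, top_n and the file name used to run it are assumptions made for this example.

```zeek
# Added example (not from the article or the Zeek project): count DNS
# queries per originating host and report the busiest ones at shutdown.
# Module name, table name and top_n are assumptions for this example.

module DNSQueryCount;

export {
    ## Queries seen per originating address.
    global queries: table[addr] of count &default=0;
    ## How many of the busiest clients to report.
    const top_n = 3 &redef;
}

# The DNS analyzer raises dns_request for every query it parses.
event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
    {
    ++queries[c$id$orig_h];
    }

# Return the n addresses with the most queries, busiest first.
function top_talkers(t: table[addr] of count, n: count): vector of addr
    {
    local hosts: vector of addr = vector();

    # Key/value enumeration added in Zeek 3.0.
    for ( h, cnt in t )
        hosts[|hosts|] = h;

    # The comparator is an anonymous function that closes over t
    # (closures are new in 3.0); sort() orders in place, and a
    # negative result means a should come before b.
    sort(hosts, function(a: addr, b: addr): int
        {
        if ( t[a] > t[b] ) return -1;
        if ( t[a] < t[b] ) return 1;
        return 0;
        });

    # Python-style slicing added in 3.0; clamp so n may exceed |hosts|.
    local last = n < |hosts| ? n : |hosts|;
    return hosts[0:last];
    }

# Raised once the live capture or trace file has been fully processed.
event zeek_done()
    {
    local top = top_talkers(queries, top_n);
    for ( i in top )
        print fmt("%s issued %d DNS queries", top[i], queries[top[i]]);
    }
```

Run it against a capture with "zeek -r capture.pcap dns_query_count.zeek" (both file names assumed); with many clients, a sudden rise in per-host query volume is a useful starting point for spotting DNS tunnelling or misbehaving resolvers.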
How to install Zeek on Linux?
At the time of writing, the zeek package is not yet in the repositories of Linux distributions, which currently still ship the latest version of "Bro".
So if you want to install this new version of Zeek 3.0, you will need to download its source code and compile it on your computer.
To do so, open a terminal and run the following commands (the clone creates a zeek directory, which you must enter before configuring the build):
git clone --recursive https://github.com/zeek/zeek
cd zeek
./configure && make && sudo make install
Once that finishes, the traffic analyzer will be installed.