performing-network-traffic-analysis-with-zeek
Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation.
Best use case
performing-network-traffic-analysis-with-zeek is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation.
Teams using performing-network-traffic-analysis-with-zeek should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/performing-network-traffic-analysis-with-zeek/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How performing-network-traffic-analysis-with-zeek Compares
| Feature / Agent | performing-network-traffic-analysis-with-zeek | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for ChatGPT
Find the best AI skills to adapt into ChatGPT workflows for research, writing, summarization, planning, and repeatable assistant tasks.
AI Agent for Product Research
Browse AI agent skills for product research, competitive analysis, customer discovery, and structured product decision support.
AI Agent for SaaS Idea Validation
Use AI agent skills for SaaS idea validation, market research, customer discovery, competitor analysis, and documenting startup hypotheses.
SKILL.md Source
# Performing Network Traffic Analysis with Zeek
## Overview
Zeek (formerly Bro) is an open-source network analysis framework that operates as a passive network security monitor. Unlike traditional signature-based IDS tools, Zeek generates high-fidelity structured logs from observed network traffic, capturing detailed metadata for protocols including HTTP, DNS, TLS, SSH, SMTP, FTP, and dozens more. Zeek's extensible scripting language enables custom detection logic, behavioral analysis, and automated response. This skill covers deploying Zeek, understanding its log architecture, writing custom detection scripts, and integrating outputs with SIEM platforms.
## When to Use
- When conducting security assessments that involve performing network traffic analysis with zeek
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Linux server (Ubuntu 22.04+ or CentOS 8+) with 4+ CPU cores and 8GB+ RAM
- Network TAP or SPAN port mirroring configured for traffic capture
- Zeek 6.0+ installed (via package manager or source compilation)
- Root or capture group privileges for packet capture
- SIEM platform (Splunk, ELK Stack, or QRadar) for log ingestion
## Core Concepts
### Zeek Architecture
Zeek operates in two main modes:
1. **Live Capture** - Monitors traffic in real-time on one or more network interfaces
2. **Offline Analysis** - Processes saved PCAP files for retrospective analysis
The processing pipeline consists of:
- **Packet Capture Layer** - Reads raw packets from interfaces or PCAP files
- **Event Engine** - Reassembles TCP streams and generates protocol events
- **Script Interpreter** - Executes Zeek scripts that process events and generate logs
- **Log Framework** - Writes structured logs in TSV, JSON, or custom formats
### Log Architecture
Zeek generates protocol-specific log files:
| Log File | Description |
|----------|-------------|
| `conn.log` | TCP/UDP/ICMP connection summaries with duration, bytes, state |
| `dns.log` | DNS queries and responses with query type, answers, TTL |
| `http.log` | HTTP requests/responses with URIs, user agents, MIME types |
| `ssl.log` | TLS handshake details including certificate chain, JA3/JA3S |
| `files.log` | File transfers with MIME types, hashes (MD5, SHA1, SHA256) |
| `notice.log` | Alerts generated by Zeek detection scripts |
| `weird.log` | Protocol anomalies and unexpected behaviors |
| `x509.log` | Certificate details from TLS connections |
| `smtp.log` | Email metadata including sender, recipient, subject |
| `ssh.log` | SSH connection details and authentication results |
| `pe.log` | Portable Executable file metadata |
| `dpd.log` | Dynamic Protocol Detection failures |
## Workflow
### Step 1: Install and Configure Zeek
```bash
# Install Zeek on Ubuntu
sudo apt-get install -y zeek
# Or install from Zeek repository
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | \
sudo tee /etc/apt/sources.list.d/zeek.list
sudo apt-get update && sudo apt-get install -y zeek-lts
# Verify installation
zeek --version
```
Configure the node layout in `/opt/zeek/etc/node.cfg`:
```ini
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=4
[worker-2]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=4
```
Configure network definitions in `/opt/zeek/etc/networks.cfg`:
```
# Internal network ranges
10.0.0.0/8 Private RFC1918
172.16.0.0/12 Private RFC1918
192.168.0.0/16 Private RFC1918
```
### Step 2: Configure Logging and Output
Edit `/opt/zeek/share/zeek/site/local.zeek`:
```zeek
# Load standard detection scripts
@load base/protocols/conn
@load base/protocols/dns
@load base/protocols/http
@load base/protocols/ssl
@load base/protocols/ssh
@load base/protocols/smtp
@load base/protocols/ftp
# Load file analysis
@load base/files/hash-all-files
@load base/files/extract-all-files
# Load detection frameworks
@load base/frameworks/notice
@load base/frameworks/intel
@load base/frameworks/files
@load base/frameworks/software
# Load additional protocol analyzers
@load policy/protocols/ssl/validate-certs
@load policy/protocols/ssl/log-hostcerts-only
@load policy/protocols/ssh/detect-bruteforcing
@load policy/protocols/dns/detect-external-names
@load policy/protocols/http/detect-sqli
# Enable JA3 fingerprinting
@load policy/protocols/ssl/ja3
# Enable JSON output for SIEM ingestion
@load policy/tuning/json-logs
redef LogAscii::use_json = T;
# Configure file extraction directory
redef FileExtract::prefix = "/opt/zeek/extracted/";
# Set notice email
redef Notice::mail_dest = "soc@example.com";
```
### Step 3: Write Custom Detection Scripts
Create detection scripts for common threats:
**Detect DNS Tunneling** (`/opt/zeek/share/zeek/site/detect-dns-tunnel.zeek`):
```zeek
@load base/protocols/dns
module DNSTunnel;
export {
redef enum Notice::Type += {
DNS_Tunnel_Suspected
};
# Threshold for suspicious DNS query length
const query_len_threshold = 50 &redef;
# Track query counts per host per domain
global dns_query_counts: table[addr, string] of count &default=0 &create_expire=5min;
# High query volume threshold
const query_volume_threshold = 100 &redef;
}
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
if ( |query| > query_len_threshold )
{
local parts = split_string(query, /\./);
if ( |parts| > 3 )
{
local base_domain = cat(parts[|parts|-2], ".", parts[|parts|-1]);
dns_query_counts[c$id$orig_h, base_domain] += 1;
if ( dns_query_counts[c$id$orig_h, base_domain] > query_volume_threshold )
{
NOTICE([$note=DNS_Tunnel_Suspected,
$msg=fmt("Possible DNS tunneling: %s queries to %s with long query names",
c$id$orig_h, base_domain),
$conn=c,
$identifier=cat(c$id$orig_h, base_domain),
$suppress_for=30min]);
}
}
}
}
```
**Detect Beaconing Behavior** (`/opt/zeek/share/zeek/site/detect-beaconing.zeek`):
```zeek
@load base/protocols/conn
module Beaconing;
export {
redef enum Notice::Type += {
C2_Beacon_Detected
};
# Track connection intervals
global conn_intervals: table[addr, addr, port] of vector of time &create_expire=1hr;
const min_connections = 20 &redef;
const jitter_threshold = 0.15 &redef;
}
event connection_state_remove(c: connection)
{
if ( c$id$resp_p == 80/tcp || c$id$resp_p == 443/tcp )
{
local key = [c$id$orig_h, c$id$resp_h, c$id$resp_p];
if ( key !in conn_intervals )
conn_intervals[key] = vector();
conn_intervals[key] += network_time();
if ( |conn_intervals[key]| >= min_connections )
{
local intervals: vector of interval = vector();
local i = 1;
while ( i < |conn_intervals[key]| )
{
intervals += conn_intervals[key][i] - conn_intervals[key][i-1];
i += 1;
}
# Calculate mean and standard deviation
local sum_val = 0.0;
for ( idx in intervals )
sum_val += interval_to_double(intervals[idx]);
local mean_val = sum_val / |intervals|;
local variance = 0.0;
for ( idx in intervals )
{
local diff = interval_to_double(intervals[idx]) - mean_val;
variance += diff * diff;
}
variance = variance / |intervals|;
local stddev = sqrt(variance);
if ( mean_val > 0 && (stddev / mean_val) < jitter_threshold )
{
NOTICE([$note=C2_Beacon_Detected,
$msg=fmt("Possible C2 beaconing: %s -> %s:%s (interval=%.1fs, jitter=%.2f)",
c$id$orig_h, c$id$resp_h, c$id$resp_p,
mean_val, stddev/mean_val),
$conn=c,
$identifier=cat(c$id$orig_h, c$id$resp_h),
$suppress_for=1hr]);
}
}
}
}
```
### Step 4: Configure Intel Framework
Load threat intelligence feeds into Zeek:
```zeek
# In local.zeek
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
"/opt/zeek/intel/malicious-ips.intel",
"/opt/zeek/intel/malicious-domains.intel",
"/opt/zeek/intel/malicious-hashes.intel",
};
```
Intel file format (`/opt/zeek/intel/malicious-ips.intel`):
```
#fields indicator indicator_type meta.source meta.desc meta.do_notice
198.51.100.50 Intel::ADDR abuse.ch Known C2 server T
203.0.113.100 Intel::ADDR threatfeed Ransomware infrastructure T
```
### Step 5: Deploy and Operate
```bash
# Deploy Zeek cluster
sudo /opt/zeek/bin/zeekctl deploy
# Check cluster status
sudo /opt/zeek/bin/zeekctl status
# Process offline PCAP
zeek -r capture.pcap local.zeek
# View logs
cat /opt/zeek/logs/current/conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service duration orig_bytes resp_bytes
# Search for specific connections
cat /opt/zeek/logs/current/dns.log | zeek-cut query answers | grep -i "suspicious"
# Rotate logs
sudo /opt/zeek/bin/zeekctl cron
```
### Step 6: SIEM Integration
**Filebeat configuration for ELK Stack:**
```yaml
filebeat.inputs:
- type: log
enabled: true
paths:
- /opt/zeek/logs/current/*.log
json.keys_under_root: true
json.add_error_key: true
fields:
source: zeek
fields_under_root: true
output.elasticsearch:
hosts: ["https://elasticsearch:9200"]
index: "zeek-%{+yyyy.MM.dd}"
setup.template.name: "zeek"
setup.template.pattern: "zeek-*"
```
## Analysis Techniques
### Connection Analysis
```bash
# Find top talkers by bytes
cat conn.log | zeek-cut id.orig_h orig_bytes | sort -t$'\t' -k2 -rn | head -20
# Find long-duration connections (potential C2)
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p duration | awk '$4 > 3600' | sort -t$'\t' -k4 -rn
# Find connections with unusual ports
cat conn.log | zeek-cut id.resp_p proto | sort | uniq -c | sort -rn | head -30
```
### TLS Analysis
```bash
# Find self-signed certificates
cat ssl.log | zeek-cut server_name validation_status | grep "self signed"
# Extract JA3 fingerprints for known malware
cat ssl.log | zeek-cut ja3 server_name | sort | uniq -c | sort -rn
# Find expired certificates
cat ssl.log | zeek-cut server_name not_valid_after | awk -F'\t' '$2 < systime()'
```
## Best Practices
- **TAP Over SPAN** - Use network TAPs instead of SPAN ports to avoid packet loss under load
- **Worker Scaling** - Assign 1 Zeek worker per 1 Gbps of monitored traffic
- **AF_PACKET Clusters** - Use AF_PACKET with load balancing for multi-core processing
- **Log Rotation** - Configure automatic log rotation and archival (default: hourly)
- **Intel Updates** - Automate threat intelligence feed updates at least daily
- **Packet Loss Monitoring** - Monitor `capture_loss.log` for dropped packets
- **Custom Scripts** - Develop organization-specific detections based on threat landscape
## References
- [Zeek Documentation](https://docs.zeek.org/en/master/)
- [Zeek Scripting Reference](https://docs.zeek.org/en/master/script-reference/index.html)
- [Zeek Intel Framework](https://docs.zeek.org/en/master/frameworks/intel.html)
- [CISA Zeek Resources](https://www.cisa.gov/resources-tools/services/kismet)
- [Zeek GitHub Repository](https://github.com/zeek/zeek)Related Skills
scanning-network-with-nmap-advanced
Performs advanced network reconnaissance using Nmap's scripting engine, timing controls, evasion techniques, and output parsing to discover hosts, enumerate services, detect vulnerabilities, and fingerprint operating systems across authorized target networks.
performing-yara-rule-development-for-detection
Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral indicators in executable files while minimizing false positives.
performing-wireless-security-assessment-with-kismet
Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak encryption, and unauthorized clients through passive RF monitoring.
performing-wireless-network-penetration-test
Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3 keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools.
performing-windows-artifact-analysis-with-eric-zimmerman-tools
Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline Explorer for parsing registry hives, prefetch files, event logs, and file system metadata.
performing-wifi-password-cracking-with-aircrack
Captures WPA/WPA2 handshakes and performs offline password cracking using aircrack-ng, hashcat, and dictionary attacks during authorized wireless security assessments to evaluate passphrase strength and wireless network security posture.
performing-web-cache-poisoning-attack
Exploiting web cache mechanisms to serve malicious content to other users by poisoning cached responses through unkeyed headers and parameters during authorized security tests.
performing-web-cache-deception-attack
Execute web cache deception attacks by exploiting path normalization discrepancies between CDN caching layers and origin servers to cache and retrieve sensitive authenticated content.
performing-web-application-vulnerability-triage
Triage web application vulnerability findings from DAST/SAST scanners using OWASP risk rating methodology to separate true positives from false positives and prioritize remediation.
performing-web-application-scanning-with-nikto
Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers, and identifies ve
performing-web-application-penetration-test
Performs systematic security testing of web applications following the OWASP Web Security Testing Guide (WSTG) methodology to identify vulnerabilities in authentication, authorization, input validation, session management, and business logic. The tester uses Burp Suite as the primary interception proxy alongside manual testing techniques to find flaws that automated scanners miss. Activates for requests involving web app pentest, OWASP testing, application security assessment, or web vulnerability testing.
performing-web-application-firewall-bypass
Bypass Web Application Firewall protections using encoding techniques, HTTP method manipulation, parameter pollution, and payload obfuscation to deliver SQL injection, XSS, and other attack payloads past WAF detection rules.