Zeek

Zeek (formerly Bro) is an open-source and commercial passive Network Monitoring tool (traffic analysis framework) developed by Lawrence Berkeley Labs. Today, Zeek is supported by several developers, and Corelight provides an Enterprise-ready fork of Zeek. Therefore this tool is called both open source and commercial. The differences between the open-source version and the commercial version are detailed here. Source: def3

usage

# read from stored pcap
zeek -r <pcap_file_location>

# output to json
zeek -r <pcap_file_location> LogAscii::use_json=T

# read output
cat <filename>
cat <filename> | zeek-cut
zeek-cut < <filename>

# show only specific fields
zeek-cut id.orig_h < conn.log
zeek-cut id.orig_h id.orig_p < conn.log

# count the results
zeek-cut id.orig_h < conn.log | sort | uniq -c | sort -n

# Search for IP with most traffic
zeek-cut orig_bytes id.resp_h < conn.log | sort -n 

Scripting

In example it is possible to detect bruteforce attempt

# usage 
zeek -C -r <pcap_file_location> <script_file_location>

source

• zeek.org
• cheatsheet: zeek
• zeek interactive scripting tutorial
• tryhackme Zeek