Questions tagged [zeek]

Appropriate Zeek related questions could include things such as:

  • Installation issues
  • Operational issues
  • Script writing difficulties
  • "How would I detect...?" questions related to event correlation

From the Zeek website:

Adaptable

Zeek's domain-specific scripting language enables site-specific monitoring policies.

Efficient

Zeek targets high-performance networks and is used operationally at a variety of large sites.

Flexible

Zeek is not restricted to any particular detection approach and does not rely on traditional signatures.

Forensics

Zeek comprehensively logs what it sees and provides a high-level archive of a network's activity.

In-depth Analysis

Zeek comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer.

Highly Stateful

Zeek keeps extensive application-layer state about the network it monitors.

Open Interfaces

Zeek interfaces with other applications for real-time exchange of information.

Open Source

Zeek comes with a BSD license, allowing for free use with virtually no restrictions.

37 questions
0 votes, 1 answer

How to get community id from lua script in suricata

I am using suricata with community id to correlate zeek and suricata logs. I need to get the value of community id for each tuple in lua script. Is there any method to get community id for suricata using lua?
Vignesh
0 votes, 0 answers

"netlink error: Operation not permitted" running Zeek on Docker

I'm running Zeek in a Docker container (from the Zeekurity image) in standalone mode and I'm trying to disable checksum offloading for my network interface, but then this happens: root@0787148fac96:/usr/local/zeek# ethtool --offload eth0 rx off tx…
0 votes, 1 answer

Trying to reproduce awk in jq

Preamble: Enterprise Network Engineer/Architect (Non-Programmer). Synopsis: Logs moving from txt output to json Issue: Not successfully trying to migrate from a functioning awk data extraction to using jq against json using one-liner. Active…
net_solv
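The question above is about moving a working awk extraction over to jq once the logs switch from Zeek's text format to JSON. The following is an added example, not code from the question or from the Zeek project: a small parser for Zeek's default TSV log format (the `#separator`, `#set_separator`, `#unset_field`, `#fields` and `#types` header directives) that types each column from the `#types` line, emits the same records as JSON lines, and does an awk-style "print columns 3 and 5" by field name. The conn.log below is constructed for the example; the uid and first timestamp reuse values quoted elsewhere on this page, the rest is invented.

```python
import json

# Constructed sample in Zeek's default TSV log format (not from the question).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring\tset[string]",
    "1584544201.798601\tCSgDnESdxqqAN88H3\t10.0.0.5\t52814\t93.184.216.34\t443\ttcp"
    "\tssl\t0.431200\t1284\t5931\tSF\t(empty)",
    "1584544202.104400\tCf3k9a2Qb8X1Lm0Pz\t10.0.0.5\t51327\t10.0.0.1\t53\tudp"
    "\tdns\t-\t-\t-\tS0\t(empty)",
    "#close\t2020-03-18-14-30-05",
])


def _convert(value, ztype, unset, empty, set_sep):
    """Convert one TSV cell to a Python value using its #types entry."""
    if value == unset:                       # e.g. "-" : field never set
        return None
    if ztype.startswith(("set[", "vector[")):
        inner = ztype[ztype.index("[") + 1:-1]
        if value == empty:                   # "(empty)" : empty collection
            return []
        return [_convert(v, inner, unset, empty, set_sep) for v in value.split(set_sep)]
    if value == empty:
        return ""
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    return value                             # string, addr, subnet, enum stay as text


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log, header directives included, into a list of dicts."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The directive carries an escaped byte ("\x09"), always space-separated.
                sep = line[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, val = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = val
            elif key == "empty_field":
                empty = val
            elif key == "unset_field":
                unset = val
            elif key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            continue                         # #path, #open, #close are not needed
        cols = line.split(sep)
        if len(cols) != len(fields) or len(fields) != len(types):
            raise ValueError("column count does not match the #fields/#types header")
        records.append({f: _convert(v, t, unset, empty, set_sep)
                        for f, v, t in zip(fields, cols, types)})
    return records


def to_json_lines(records):
    """One JSON object per line, the shape jq (and Zeek's JSON writer) work on."""
    return "\n".join(json.dumps(r) for r in records)


def select_fields(records, names):
    """The awk '{print $3, $5}' idiom, but by field name so column order cannot bite."""
    return [[r[n] for n in names] for r in records]


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_CONN_LOG)
    print(to_json_lines(recs))
    print(select_fields(recs, ["id.orig_h", "id.resp_h", "proto"]))
```

Typing the columns from `#types` is what makes the later jq step safe: a port becomes a number rather than a string, an unset `-` becomes JSON `null` instead of a literal dash, and a `set[string]` becomes an array, which is exactly how Zeek's own JSON writer emits them.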
0 votes, 0 answers

Process relaunched automatically after SIGTERM or SIGKILL

I am trying to write a Python script that will start a process and, whenever an event occurs, terminate the process and relaunch it again after a delay. In order to stop the process I use kill -15 (SIGTERM) followed by the pid of the process…
4bdl
0 votes, 0 answers

Zeek logs to elk

I've installed ELK on a server and Zeek with Filebeat on another server. I followed the documentation to install each one, but Filebeat is not shipping the Zeek logs to Kibana. By the way, Filebeat's basic logs are shipped to Kibana, but without the Zeek logs for…
0 votes, 1 answer

loading zeek connection data to pyflink

Trying to load data like this (Zeek connection data) into PyFlink. My problem is the id fields that have a name with a dot because they were originally a tuple in Zeek. { "ts": 1584544201.798601, "uid": "CSgDnESdxqqAN88H3", "id.orig_h":…
Ben
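Two of the questions above, the Suricata/Zeek Community ID one and this PyFlink one, run into the same piece of Zeek's JSON output: the `id.orig_h` / `id.resp_p` keys that were a nested `conn_id` record before the JSON writer flattened them. The following is an added example and not code from either question, from the Zeek project or from Suricata's Lua API. It nests the dotted keys back into a record, computes the Community ID v1 flow hash for a Zeek conn.log line as the published spec describes it (`"1:"` plus base64 of SHA-1 over a 2-byte seed, the ordered address pair, the protocol number, a zero pad byte and the ordered port pair), and joins the result against Suricata eve.json events on their `community_id` field. Assumptions: seed 0 (assumed to be the default on both sides), TCP/UDP/SCTP only (the spec's ICMP type/code mapping is deliberately left out, so ICMP flows raise rather than silently mismatching), and both sample lines are constructed. The spec repository publishes test vectors to check an implementation against.

```python
import base64
import hashlib
import ipaddress
import json
import struct

# IANA protocol numbers for the conn.log "proto" values handled here (assumption:
# ICMP is excluded because the spec maps type/code into the port slots differently).
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(seed, proto, saddr, daddr, sport, dport):
    """Community ID v1 for a TCP/UDP/SCTP flow, direction-independent."""
    if proto not in PROTO_NUMBERS.values():
        raise ValueError("only TCP/UDP/SCTP are handled; ICMP needs the spec's type/code mapping")
    src, dst = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    if src.version != dst.version:
        raise ValueError("mixed IPv4/IPv6 endpoints")
    # Order the tuple so the numerically smaller (address, port) endpoint comes first;
    # this is what makes the hash identical for both directions of the flow.
    if (src.packed, sport) > (dst.packed, dport):
        src, dst, sport, dport = dst, src, dport, sport
    h = hashlib.sha1(struct.pack("!H", seed))              # 2-byte big-endian seed
    h.update(src.packed + dst.packed)                      # ordered address pair
    h.update(struct.pack("!BBHH", proto, 0, sport, dport)) # proto, pad byte, ordered ports
    return "1:" + base64.b64encode(h.digest()).decode("ascii")


def unflatten(record):
    """Turn {"id.orig_h": ...} back into {"id": {"orig_h": ...}} (the PyFlink problem)."""
    out = {}
    for key, value in record.items():
        *path, leaf = key.split(".")
        node = out
        for part in path:
            node = node.setdefault(part, {})
        node[leaf] = value
    return out


def conn_community_id(conn_json_line, seed=0):
    """Community ID for one Zeek conn.log JSON line."""
    conn = unflatten(json.loads(conn_json_line))
    cid = conn["id"]
    return community_id_v1(seed, PROTO_NUMBERS[conn["proto"]],
                           cid["orig_h"], cid["resp_h"], cid["orig_p"], cid["resp_p"])


def correlate(conn_lines, eve_lines, seed=0):
    """Join Zeek conn records to Suricata eve.json events on Community ID -> [(uid, event_type)]."""
    by_cid = {}
    for line in conn_lines:
        by_cid.setdefault(conn_community_id(line, seed), []).append(json.loads(line)["uid"])
    matches = []
    for line in eve_lines:
        ev = json.loads(line)
        for uid in by_cid.get(ev.get("community_id"), []):
            matches.append((uid, ev["event_type"]))
    return matches


# Constructed sample records (not from either question); the uid and ts reuse
# values quoted on this page, everything else is invented.
SAMPLE_CONN_JSON = json.dumps({
    "ts": 1584544201.798601, "uid": "CSgDnESdxqqAN88H3",
    "id.orig_h": "10.0.0.5", "id.orig_p": 52814,
    "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp",
})
SAMPLE_EVE_JSON = json.dumps({
    "timestamp": "2020-03-18T14:30:01.798601+0000", "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 52814,
    "dest_ip": "93.184.216.34", "dest_port": 443, "proto": "TCP",
    "community_id": conn_community_id(SAMPLE_CONN_JSON),
})

if __name__ == "__main__":
    print(conn_community_id(SAMPLE_CONN_JSON))
    print(correlate([SAMPLE_CONN_JSON], [SAMPLE_EVE_JSON]))
```

The seed is the one thing that silently breaks correlation: if Zeek and Suricata are configured with different seeds the hashes differ for every flow, so compare a handful of values from both logs before relying on the join.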
0 votes, 1 answer

How to solve rule defined twice error in Zeek signature?

I'm trying to learn zeek signature Signature file name: dns.sig signature dns-intel{ ip-proto == udp dst-port == 53 payload /.*life|.*bar/ event "[Suspicious DNS Query]" } Zeek file name: myfirst.zeek event signature_match (state:…
0 votes, 1 answer

Zeek is not storing files, even after script was loaded. What am I missing?

I'm trying to configure Zeek in order to store files (every file) on disk, but without any success. OS I'm using: Debian 10. What I did so far: I've installed this module: https://github.com/hosom/file-extraction (even after following this site…
Paulo
0 votes, 1 answer

Zeek/Bro IDS - Sumstats - qty similarly sized TCP segments?

I'm trying to write my first script in Zeek, which would allow me to make statistics out of TLS packet segments sent and received by a client in the local network (quantity of packets with the same size, list of destination IPs by packets sent). Unfortunately, I'm unable…
Vitalijus
0 votes, 1 answer

Zeek Workers cannot communicate with Zeek Proxy/manager

I set up a small zeek cluster and had it working fine. Here's my rough setup: Proxy/Manager/Logger - 192.168.1.10 Worker-1 - 192.168.1.10 (em1) Worker-2 - 192.168.1.15 (em1) Worker-3 - 192.168.1.15 (p1p1) Worker-4 - 192.168.1.15 (p1p2) Worker-5 -…
briansyph
0 votes, 1 answer

How to set mmdb_dir in Zeek/Bro

I am trying to use the GeoIP functionality in Bro/Zeek. From the official Zeek documentation: If you see an error message similar to "Failed to open GeoIP location database", then you may need to either rename or move your GeoIP location database file. If…
smilee89
0 votes, 2 answers

Zeek cluster fails with pcap_error: socket: Operation not permitted (pcap_activate)

I'm trying to set up a Zeek IDS cluster (v.3.2.0-dev.271) on 3 Ubuntu 18.04 LTS hosts to no avail - running the zeek deploy command fails with the following output: fatal error: problem with interface ens3 (pcap_error: socket: Operation not…
piscesgeek
0 votes, 1 answer

How to configure bro to ignore traffic from certain subnets?

Situation: I have set up a Zeek/Bro IDS and have it listen on one interface (with iptables forwarding traffic): client1 === iptables === client2 || zeek_ids Problem: Zeek is getting triggered by 127.0.0.1/8 traffic and I…
Timothy Wong
0 votes, 1 answer

Zeek Scripting "Error field missing value"

I'm trying to write a Zeek script to divide the DNS traffic into two log files (query and reply). The error is "Field missing value" for the code $TTL=c$dns$TTLs in the dns_query_reply event. I don't understand the reason for this error since the dns.log…
Flank
0 votes, 0 answers

Zeek missing loaded_scripts.log file

I am using Zeek standalone for learning purposes and I am facing the following issue with the log files: I am missing the "loaded_scripts.log" file from the current folder. I have followed the installation guide from Rapid7 and the Zeek manual, so I…
Rut