Advanced Zeek Usage: Scripting and Framework

  • Webcast Aired Tuesday, 10 Sep 2019 10:30AM EDT (10 Sep 2019 14:30 UTC)
  • Speaker: David Szili

The open-source Network Security Monitor (NSM) and analytics platform Zeek (formerly known as Bro) became well-known in the information security industry among professionals. At its core, Zeek inspects traffic and creates an extensive set of detailed, well-structured log files that record a network's activity. As it is very scalable and can run on commodity hardware, Zeek provides an alternative to commercial solutions. Most deployments run with little or no configuration customization, thus only generating the default set of log files.

However, Zeek is so much more than just log files. It has a domain-specific, event-driven, Turing-complete scripting language that allows you to perform arbitrary analysis tasks such as extracting files from sessions, detecting brute-force attacks, or generating statistics. It also enables security analysts to modify, extend, and optimize logs, or to create new log files. Zeek comes with a broad set of libraries, called frameworks to facilitate script development.

This webcast gives an introduction to Zeek Scripting, starting with the basics and demonstrating the potential within this powerful platform through real-life examples. The second half of the webcast is going to show how to use Zeek frameworks such as the Intelligence Framework to consume and detect indicators from threat intelligence feeds.