
Advanced Zeek Usage: Scripting and Framework

  • Tuesday, September 10, 2019 at 10:30 AM EDT (2019-09-10 14:30:00 UTC)
  • David Szili


The open-source Network Security Monitor (NSM) and analytics platform Zeek (formerly known as Bro) is well known among information security professionals. At its core, Zeek inspects traffic and creates an extensive set of detailed, well-structured log files that record a network's activity. Because it scales well and runs on commodity hardware, Zeek is a practical alternative to commercial solutions. Most deployments run with little or no configuration customization and therefore generate only the default set of log files.

However, Zeek is much more than log files. It has a domain-specific, event-driven, Turing-complete scripting language that lets you perform arbitrary analysis tasks such as extracting files from sessions, detecting brute-force attacks, or generating statistics. It also lets security analysts modify, extend, and optimize existing logs, or create entirely new log files. Zeek comes with a broad set of libraries, called frameworks, to facilitate script development.
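The following script is an added example, not code from the webcast or from the Zeek project, of the event-driven style described above: it handles the `ssh_auth_failed` event that Zeek's SSH analyzer raises, keeps a per-source counter that expires on its own, writes a new `bruteforce.log`, and raises a notice once a threshold is crossed. The module name, threshold, expiry interval and log path are assumptions chosen for the example.

```zeek
##! Added example (not from the webcast): detect SSH password guessing and
##! record it in a custom log stream. Module name, threshold, expiry and
##! log path are assumptions for illustration.

@load base/frameworks/notice
@load base/protocols/ssh

module BruteForce;

export {
    # Register a new log stream; Zeek writes it to bruteforce.log.
    redef enum Log::ID += { LOG };

    # A new notice type so notice.log can carry the detection.
    redef enum Notice::Type += { SSH_Bruteforce };

    # Columns of the new log; &log marks fields that are written out.
    type Info: record {
        ts:       time  &log;
        src:      addr  &log;
        failures: count &log;
    };

    # Tunables; &redef lets a site override them from local.zeek.
    const failure_threshold = 5 &redef;
    const expire_interval = 5 min &redef;
}

# Failed-login counter per originating host. &default=0 makes "++" work
# on a missing key; &create_expire drops stale entries automatically.
global failures: table[addr] of count &default=0 &create_expire=expire_interval;

event zeek_init()
    {
    Log::create_stream(BruteForce::LOG, [$columns=Info, $path="bruteforce"]);
    }

# Raised by the SSH analyzer for each authentication attempt it classifies as failed.
event ssh_auth_failed(c: connection)
    {
    local src = c$id$orig_h;
    ++failures[src];

    # Fire exactly once when the threshold is reached, not on every later failure.
    if ( failures[src] == failure_threshold )
        {
        Log::write(BruteForce::LOG, [$ts=network_time(),
                                     $src=src,
                                     $failures=failures[src]]);

        NOTICE([$note=SSH_Bruteforce,
                $msg=fmt("%s reached %d failed SSH logins within %s",
                         src, failures[src], expire_interval),
                $src=src,
                # $identifier lets the notice framework suppress repeats for the same host.
                $identifier=cat(src)]);
        }
    }
```

Run it against a capture with `zeek -r capture.pcap bruteforce.zeek` and inspect `bruteforce.log` and `notice.log`. Note that `ssh_auth_failed` depends on the analyzer's heuristic classification of encrypted SSH sessions, so on traffic where that heuristic is inconclusive the counter simply does not advance; in production you would typically build this on the SumStats framework instead of a plain table so the count is consistent across worker processes in a cluster.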

This webcast gives an introduction to Zeek scripting, starting with the basics and demonstrating the potential of this powerful platform through real-life examples. The second half shows how to use Zeek frameworks such as the Intelligence Framework to consume indicators from threat intelligence feeds and detect them in traffic.
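As an added example of the Intelligence Framework usage the second half covers (this is not the webcast's own material), the script below loads a tab-separated indicator file, lets the stock `seen` scripts feed observed addresses and domains into the framework, and handles `Intel::match` so that only hits caused by an internal host reaching out are escalated to a dedicated notice. The feed path, the local network range and the indicator rows shown in the header comment are constructed assumptions.

```zeek
##! Added example (not from the webcast): load a threat-intel feed and act on matches.
##! Assumed feed file /opt/zeek/share/zeek/site/indicators.txt (hypothetical path)
##! in Zeek's tab-separated intel format. Constructed sample rows (TAB-separated):
##!
##! #fields	indicator	indicator_type	meta.source	meta.desc	meta.do_notice
##! 198.51.100.7	Intel::ADDR	constructed-feed	known scanner	T
##! bad.example	Intel::DOMAIN	constructed-feed	phishing domain	T

@load base/frameworks/intel
@load base/frameworks/notice
# Feeds hosts, domains, URLs, hashes etc. observed by the protocol analyzers into Intel::seen().
@load policy/frameworks/intel/seen
# Raises Intel::Notice for matched items whose meta.do_notice is T.
@load policy/frameworks/intel/do_notice

module IntelDemo;

export {
    # Our own notice type for matches that matter most: an internal host contacting an indicator.
    redef enum Notice::Type += { Intel_Hit_Outbound };
}

# Assumed internal address space; Site::is_local_addr() below depends on it.
redef Site::local_nets += { 10.0.0.0/8 };

# The framework re-reads the file when it changes; no restart needed to add indicators.
redef Intel::read_files += { "/opt/zeek/share/zeek/site/indicators.txt" };

# Called for every observation that matched at least one loaded indicator.
# s describes what was seen and where; items are the indicator records that matched.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    # Matches from non-connection contexts (e.g. file hashes) carry no $conn; skip those,
    # and skip matches where the originator is not one of our hosts (inbound scans are noisier).
    if ( ! s?$conn || ! Site::is_local_addr(s$conn$id$orig_h) )
        return;

    for ( item in items )
        {
        NOTICE([$note=Intel_Hit_Outbound,
                $msg=fmt("%s contacted %s indicator %s seen in %s (feed: %s, %s)",
                         s$conn$id$orig_h, s$indicator_type, s$indicator,
                         s$where, item$meta$source, item$meta$desc),
                $conn=s$conn,
                # Suppress repeated notices for the same host/indicator pair.
                $identifier=cat(s$conn$id$orig_h, s$indicator)]);
        }
    }
```

Because `policy/frameworks/intel/do_notice` is loaded too, every match with `meta.do_notice` set to `T` still produces the standard `Intel::Notice`, and all matches, escalated or not, are written to `intel.log`; the custom notice only adds a higher-signal entry for outbound contact with an indicator. When testing with a pcap, remember that the `seen` scripts only observe what the relevant analyzers parse, so a domain indicator is matched in DNS queries and HTTP Host headers, not in raw TLS SNI unless the SSL analyzer ran.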

Speaker Bio

David Szili

David Szili is a SANS instructor for SANS FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. A managing partner and CTO at a Luxembourg-based consulting company, he has more than eight years of professional experience in penetration testing, red teaming, vulnerability assessment, vulnerability management, security monitoring, security architecture design, incident response, digital forensics, and software development. David holds several IT security certifications, including the GSEC, GCED, GCIA, GCIH, GMON, GNFA, GPYC, GMOB, OSCP, OSWP, and CEH. He is also a member of the BSides Luxembourg conference organizing team.
