One Day Left! Get an iPad, Tab A, or $250 Off with your OnDemand registration


To attend this webcast, login to your SANS Account or create your Account.

Tech Tuesday Workshop: Advanced Zeek Brim, Zeek agent, Spicy, and new Zeek packages

  • Tuesday, December 08, 2020 at 10:00 AM EST (2020-12-08 15:00:00 UTC)
  • David Szili, Eva Szilagyi

You can now attend the webcast using your mobile device!



In 2020, the popular network security monitoring and analytics platform Zeek (formerly known as Bro) got a few great additions. Not only could we benefit from the outcomes of the Zeek Package Contests, but we also now have Zeek Agent for monitoring Linux and macOS endpoints. A new domain-specific scripting language, called Spicy, is now available to write parsers for Zeek. On top of all that, a start-up called Brim Security also released several tools like zq and Brim, allowing security analysts to search large packet captures and Zeek logs more efficiently.

In this workshop, we will start with a few of the new Zeek scripts and packages contributed by the community. Then, we will take a look at zq and Brim and see how we can analyze PCAPs and Zeek logs with them. Finally, we will see how the Zeek Agent works and briefly look at the Spicy parser generator. Join us and explore these exciting new options to see how you can use them to supercharge your Zeek environment!

Download the VM prior to the workshop here:

System Requirements:

  • A host system with at least 8 GB of RAM and 20-30 GB of free disk space.
  • VMware Workstation Pro, VMware Workstation Player, or VMware Fusion installed.


  • Intermediate Zeek skills (experienced user/admin level)
  • Familiarity with Zeek scriping (ability to read Zeek scripts)
  • Familiarity with network protocols (TCP/IP and application layer)

Speaker Bios

David Szili

David Szili is a SANS instructor for SANS FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. A managing partner and CTO at a Luxembourg-based consulting company, he has more than eight years of professional experience in penetration testing, red teaming, vulnerability assessment, vulnerability management, security monitoring, security architecture design, incident response, digital forensics and software development. David holds several IT security certifications, including the GSEC, GCED, GCIA, GCIH, GMON, GNFA, GYPC, GMOB, OSCP, OSWP and CEH. He is also a member of the BSides Luxembourg conference organizing team.

Eva Szilagyi

Eva Szilagyi is managing partner and CEO of Alzette Information Security, a consulting company based in Luxembourg. She has more than nine years of professional experience in penetration testing, security source code review, vulnerability management, digital forensics, IT auditing, telecommunication networks, and security research. Eva has master's degrees in electrical engineering and in networks and telecommunication. She holds several IT security certifications such as GSEC, GICSP, GMON, GSSP-JAVA, GWAPT, GMOB, CCSK, eWPT, and eJPT. Eva speaks on a regular basis at international conferences like BruCON,, Nuit du Hack, Hacktivity, Black Alps, BSides Munich, BSidesBUD, Pass the SALT, Security Session and she is a member of the organizer team of BSides Luxembourg.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.