• In-depth Analysis

  Zeek comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer.

• Highly Stateful

  Zeek keeps extensive application-layer state about the network it monitors.

• Open Interfaces

  Zeek interfaces with other applications for real-time exchange of information.

• Open Source

  Zeek comes with a BSD license, allowing for free use with virtually no restrictions.

While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well-grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally by both major companies and numerous many educational and scientific institutions for securing their cyberinfrastructure.

Zeek was originally developed by Vern Paxson. Robin Sommer now leads the project, jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL.

Changelog v5.2.2

This release fixes the following security issues:

• A specially-crafted series of FTP packets with a CMD command with a large path
  followed by a very large number of replies could cause Zeek to spend a long
  time processing the data. Due to the possibility of receiving these packets
  from remote hosts, this is a DoS risk. The fix included prevents Zeek from
  reusing the CMD command if it was already consumed by path-traversal logic.
• A specially-crafted with a truncated header can cause Zeek to overflow memory
  and potentially crash. Due to the possibility of receiving these packets from
  remote hosts, this is a DoS risk. This overflow requires implementing the
  raw_packet event handler which isn’t implemented by default, which makes the
  risk of this issue low. The fix included adds additional length checking
  during handling of raw_packet events.
• A specially-crafted series of SMTP packets can cause Zeek to generate a very
  large number of events and take a long time to process them. Zeek correctly
  disables the SMTP analyzer while processing these packets but continues to
  feed packets to it, generating more events. Due to the possibility of
  receiving these packets from remote hosts, this is a DoS risk. The fix
  included prevents an analyzer from calling another analyzer that has already
  been disabled for a connection.
• A specially-crafted series of POP3 packets containing MIME data can cause Zeek
  to spend a long time dealing with each individual file ID. Due to the
  possibility of receiving these packets from remote hosts, this is a DoS
  risk. The fix included attempts to reuse an existing file ID for a connection
  instead of recreating it each pass through the MIME analyzer.

This release fixes the following bugs:

• The config parser implements handling of commas at the end of input files in a
  safer way now, avoiding some crashes on Linux systems during parsing.
• The AF_Packet plugin wasn’t properly masking the tp_vlan_tci values received
  from the kernel, and so could return invalid values for the VLAN ID reported
  to Zeek. The value is now correctly masked.
• The AF_Packet plugin now checks whether the interface is up during setup,
  ensuring that a more useful error message is reported.

Download & Install & Tutorial