Zeek Network Security Monitor v3.2 releases: powerful network analysis framework
Zeek Network Security Monitor
Zeek is a powerful framework for network analysis and security monitoring. It is a powerful system that on top of the functionality it provides out of the box, also offers the flexibility to customize analysis pretty much arbitrarily
Zeek’s domain-specific scripting language enables site-specific monitoring policies.
Zeek targets high-performance networks and is used operationally at a variety of large sites.
Zeek is not restricted to any particular detection approach and does not rely on traditional signatures.
Zeek comprehensively logs what it sees and provides a high-level archive of a network’s activity.
Zeek comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer.
Zeek keeps extensive application-layer state about the network it monitors.
Zeek interfaces with other applications for real-time exchange of information.
Zeek comes with a BSD license, allowing for free use with virtually no restrictions.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally by both major companies and numerous many educational and scientific institutions for securing their cyberinfrastructure.
Zeek was originally developed by Vern Paxson. Robin Sommer now leads the project, jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL.
Zeek v3.2 releases.
- X509 Certificate caching:
Zeek now caches certificates if they have (by default) been encountered
more than 10 times in 62 seconds. Information for cached certificates is
retained; if the certificate is encountered again it does not have to
be re-parsed and already existing information is used to raise the events.
This should especially help with performance in environments where the
same certificates are seen very often.
Certificate caching is very configureable; it is possible to disable the
feature, change the time intervals or even suppress X509 events.
For details see
- Add parsing support for Remote Desktop Protocol UDP Transport Extension
(RDPEUDP versions 1 and 2). This primarily only adds “rdpeudp” to
connection record service fields when an RDPEUDP session handhake is
detected, but also provides a few other events related to the RDPEUDP
- Add the
udp_content_portsconfiguration option. Any port added to
this set will cause the
udp_contentsevent to be raised.
- Add the
udp_content_delivery_ports_use_respoption which can be used
to specify how the destination port for the
udp_content_delivery_ports_origoptions is determined. The current value
keeps behavior as it was in previous versions of Zeek.
- Add a file signature to identify ISO9660 disk images (application/x-iso9660-image)
- Add file signature to identify Python bytecode (application/x-python-bytecode)
- Events and hooks are now allowed to have multiple, alternate prototype
declarations. This allows for extending event/hook parameters in a way that
won’t break an existing user’s handlers and also allows users to define their
own custom event/hook prototypes that consume a subset of the parameters
(convenience of typing/memory/etc). This feature is documented in detail
Reporter::conn_weirdnow correctly handles weirds for expired connections,
for which no connection state information is available in the core anymore. These
cases will raise the new
- Broker Store table synchronization (experimental).
Zeek now supports synchronizing tables/sets across clusters using a backing Broker
store. The same feature also allows persistent storage of data in tables/sets
over Zeek restarts. This feature is implemented using the new
To synchronize a table over a cluster, you can, e.g., use:
global t: table[string] of count &backend=Broker::MEMORY;
Copyright (c) 1995-2016, The Regents of the University of California through the Lawrence Berkeley National Laboratory and the International Computer Science Institute. All rights reserved.