Zeek

www.zeek.org

About this website

Zeek (formerly known as Bro) is an open-source network security monitoring (NSM) framework. Vern Paxson began developing it in 1995 at Lawrence Berkeley National Laboratory to analyze traffic in university and national-laboratory networks, and in 2018 the project was renamed from Bro to Zeek to reflect its broader role in cybersecurity.

Unlike a firewall or an intrusion prevention system (IPS), Zeek is not an inline enforcement point. It runs passively on a sensor node (a hardware appliance, a software install, a virtual machine or a cloud instance, typically fed by a network tap or a SPAN/mirror port), analyzes traffic in real time, and writes structured per-transaction logs, extracted file content and custom outputs. Those logs are suited both to manual review by analysts and to ingestion by a SIEM for automated correlation.

By the project's own figures, Zeek ships more than 70 log types by default, exposes more than 3,000 event types to scripts, runs on more than 10,000 deployments worldwide, has more than 7,700 GitHub stars, draws on over 20 years of federally funded research and development, and has more than 270 community-contributed packages.

Detection and analysis logic is written in Zeek's own domain-specific scripting language, which reacts to events the core engine raises as it parses protocols. The standard scripts cover DNS analysis, HTTP analysis and the handshake side of HTTPS, SSL/TLS certificate analysis, file extraction and analysis, and signature matching of the kind found in traditional intrusion detection systems. Development is led and largely funded by Corelight, and the code is released under a BSD license.
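The logs are the usual starting point for an analyst, so the added example below (not code from the Zeek project or from this page) parses Zeek's default tab-separated log format, honoring the `#separator`, `#set_separator`, `#empty_field`, `#unset_field`, `#fields` and `#types` header lines the ASCII writer emits, converts each column to a Python value by its declared Zeek type, and then runs a small detection pass over the rows: overly long query names (a common sign of DNS tunneling) and bursts of NXDOMAIN answers from one host. The sample dns.log content is constructed for this example, the thresholds are arbitrary, and the `parse_zeek_log` and `suspicious_dns` names are this example's own.

```python
"""Parse Zeek's default TSV log format and run a simple DNS detection over it.

Added example, not Zeek project code. SAMPLE_DNS_LOG is constructed to mimic the
layout of a dns.log written by Zeek's ASCII writer; the rows are invented.
"""
from collections import Counter

SAMPLE_DNS_LOG = (
    "#separator \\x09\n"          # Zeek writes the separator escaped, here a tab
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#open\t2023-11-14-22-13-20\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery"
    "\tqtype_name\trcode_name\tanswers\tTTLs\trejected\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tstring\tstring\tvector[string]\tvector[interval]\tbool\n"
    "1700000000.123456\tCq3Zx1abc\t10.0.0.5\t51234\t10.0.0.53\t53\tudp\twww.example.com"
    "\tA\tNOERROR\t93.184.216.34,93.184.216.35\t300.0,300.0\tF\n"
    "1700000001.000000\tCq3Zx2def\t10.0.0.9\t40021\t10.0.0.53\t53\tudp"
    "\ta3f9c2b7e1d4a3f9c2b7e1d4a3f9c2b7e1d4a3f9c2b7e1d4.tunnel.example.net"
    "\tTXT\tNOERROR\t-\t-\tF\n"
    "1700000002.000000\tCq3Zx3ghi\t10.0.0.7\t40100\t10.0.0.53\t53\tudp\tupdate.corp.local"
    "\tA\tNXDOMAIN\t-\t-\tF\n"
    "1700000003.000000\tCq3Zx4jkl\t10.0.0.7\t40101\t10.0.0.53\t53\tudp\tmail.corp.local"
    "\tA\tNXDOMAIN\t-\t-\tF\n"
    "1700000004.000000\tCq3Zx5mno\t10.0.0.7\t40102\t10.0.0.53\t53\tudp\tfiles.corp.local"
    "\tA\tNXDOMAIN\t-\t-\tF\n"
    "#close\t2023-11-14-22-13-20\n"
)


def _convert(value, ztype, meta):
    """Convert one cell by its Zeek type: None for unset, []/"" for empty."""
    if value == meta["unset_field"]:
        return None
    if ztype.startswith(("set[", "vector[")):
        if value == meta["empty_field"]:
            return []
        inner = ztype[ztype.index("[") + 1:-1]
        return [_convert(v, inner, meta) for v in value.split(meta["set_separator"])]
    if value == meta["empty_field"]:
        return ""
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    return value  # string, addr, subnet, enum stay as text


def parse_zeek_log(text):
    """Return (header metadata, list of row dicts keyed by #fields names)."""
    meta = {"separator": "\t", "set_separator": ",",
            "empty_field": "(empty)", "unset_field": "-"}
    fields, types, rows = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # e.g. "\x09": undo the escaping to get the real separator
                meta["separator"] = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
                continue
            key, _, val = line[1:].partition(meta["separator"])
            if key == "fields":
                fields = val.split(meta["separator"])
            elif key == "types":
                types = val.split(meta["separator"])
            elif key in meta:
                meta[key] = val
            continue  # #path, #open, #close are informational
        values = line.split(meta["separator"])
        if len(values) != len(fields):
            raise ValueError(f"row has {len(values)} columns, header declares {len(fields)}")
        rows.append({f: _convert(v, t, meta) for f, v, t in zip(fields, values, types)})
    return meta, rows


def suspicious_dns(rows, max_query_len=50, nxdomain_threshold=3):
    """Flag long query names and hosts with repeated NXDOMAIN responses (thresholds are arbitrary)."""
    findings = []
    nxdomain_by_host = Counter()
    for r in rows:
        query = r.get("query")
        if query and len(query) > max_query_len:
            findings.append(("long_query", r["id.orig_h"], query))
        if r.get("rcode_name") == "NXDOMAIN":
            nxdomain_by_host[r["id.orig_h"]] += 1
    for host, n in nxdomain_by_host.items():
        if n >= nxdomain_threshold:
            findings.append(("nxdomain_burst", host, n))
    return findings


if __name__ == "__main__":
    _, dns_rows = parse_zeek_log(SAMPLE_DNS_LOG)
    for finding in suspicious_dns(dns_rows):
        print(*finding)
```

Zeek can also write JSON logs, in which case the header handling above is unnecessary; the TSV path is shown because it is the default and because the `#types` line is what lets a consumer convert `time`, `port` and `vector[...]` columns correctly instead of treating everything as text.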
