
zeek Cheatsheet



zeek (formerly Bro) is a network security monitor and analysis framework.


Basic Usage

  • zeek -r <pcap> - Analyze a pcap file
  • zeek -i <interface> - Monitor live traffic on interface
  • zeek -i <interface> -C - Monitor live traffic (ignore checksum errors)
  • zeek -r <pcap> <script.zeek> - Analyze a pcap with an extra script loaded (scripts are positional arguments, as are inline redefs such as LogAscii::use_json=T)

zeekctl Commands

  • zeekctl start - Start all nodes
  • zeekctl stop - Stop all nodes
  • zeekctl restart - Restart all nodes
  • zeekctl status - View node status
  • zeekctl deploy - Check, install, and restart zeek
  • zeekctl check - Syntax-check configs without restarting
  • zeekctl top - Monitor resource usage across nodes
  • zeekctl netstats - Show network statistics
  • zeekctl diag - Run diagnostics
  • zeekctl cron - Housekeeping task meant to be run from crontab (log rotation, crash restarts); zeekctl cron enable|disable toggles it

Command Line Options

  • -r <file> - Read from pcap file
  • -i <interface> - Capture from interface
  • -C - Ignore checksum errors (useful for NIC offloading)
  • -f <filter> - Apply BPF filter
  • -w <file> - Write the captured packets to a pcap file (this is not log output; logs go to the working directory)
  • -b - Run in bare mode (minimal scripts)
  • -s <file> - Load a signature (rules) file; Zeek scripts are passed as positional arguments, not via -s
  • -p <prefix> - Add a prefix to script file resolution
  • -N - List available plugins and exit (-NN for details)
  • -e <code> - Evaluate inline Zeek script code after the loaded scripts

Configuration

Config File Locations

  • /usr/local/zeek/etc/node.cfg - Node configuration
  • /usr/local/zeek/etc/networks.cfg - Network configuration
  • /usr/local/zeek/etc/zeekctl.cfg - zeekctl configuration
  • /usr/local/zeek/share/zeek/site/local.zeek - Local scripts
  • /opt/zeek/etc/ - Alternative install location

Example node.cfg

[zeek]
type=standalone
host=localhost
interface=eth0

Example networks.cfg

10.0.0.0/8          Private IP Space
172.16.0.0/12       Private IP Space
192.168.0.0/16      Private IP Space

Log Files

  • conn.log - Connection logs
  • http.log - HTTP logs
  • dns.log - DNS logs
  • ssl.log - SSL/TLS logs
  • files.log - File analysis logs (joined to connections via the conn_uids field)
  • notice.log - Notices raised by scripts
  • weird.log - Protocol anomalies and unexpected activity
  • Logs stored in: /usr/local/zeek/logs/current/ when run under zeekctl; a direct zeek -r run writes them to the current working directory

Tips

  • Use zeek -C when listening on interfaces where checksum offloading causes invalid checksums
  • Always test configs with zeekctl check before deploying
  • Use the uid field from conn.log to join records across logs (http.log, dns.log, ssl.log); files.log carries the set in conn_uids instead
  • After changing config files or scripts, use zeekctl deploy to apply changes
  • Use zeekctl status, top, netstats for monitoring runtime status
  • Enable JSON logs with redef LogAscii::use_json = T; in local.zeek (or LogAscii::use_json=T on the command line) for integration with logging pipelines
  • Active logs live under logs/current/; on rotation (hourly by default under zeekctl) they are gzipped into logs/YYYY-MM-DD/
  • Make use of zeek's plugin/package manager zkg for easy extension
  • Use BPF filters to reduce processing load on high-traffic networks
  • Custom scripts can extend zeek's analysis capabilities
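Added example, not part of the original cheatsheet and not Zeek's own tooling (Zeek ships zeek-cut for pulling columns out of TSV logs; this is a stand-alone script): a parser that reads both Zeek ASCII layouts, the default TSV with #separator/#fields/#types headers and the JSON lines written with LogAscii::use_json=T, and joins conn.log, dns.log and http.log on uid. The sample logs are constructed inline (uids shortened for readability; real ones look like CHhAvVGS1DHFjwGM9), with one http.log record whose uid has no conn.log entry to show how orphans are kept rather than dropped.

```python
"""Join Zeek logs on the connection uid, accepting both ASCII layouts:
the default TSV (#separator/#fields/#types headers) and the JSON lines
produced when LogAscii::use_json=T is set."""
import json

# Converters for the type names Zeek writes in the #types header; anything
# not listed (addr, enum, set[...], vector[...]) is kept as the raw string.
_CONVERT = {
    "count": int, "int": int, "port": int,
    "time": float, "interval": float, "double": float,
    "bool": lambda v: v == "T",
}

# Constructed sample logs, not real captures (uids shortened for readability).
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring",
    "1704067200.000000\tCuidB2\t10.0.0.5\t40123\t10.0.0.53\t53\tudp\tdns\tSF",
    "1704067200.100000\tCuidA1\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\thttp\tSF",
    "1704067202.300000\tCuidC3\t10.0.0.7\t44444\t198.51.100.9\t443\ttcp\t-\tS0",
    "#close\t2024-01-01-00-00-05",
])
DNS_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tdns",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery\tqtype_name\tanswers",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tvector[string]",
    "1704067200.010000\tCuidB2\t10.0.0.5\t40123\t10.0.0.53\t53\texample.com\tA\t93.184.216.34",
])
HTTP_LOG = "\n".join([
    '{"ts":1704067200.15,"uid":"CuidA1","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"93.184.216.34","id.resp_p":80,"method":"GET","host":"example.com",'
    '"uri":"/","status_code":200}',
    # Constructed orphan: its conn.log line is missing (e.g. already rotated away).
    '{"ts":1704067300.0,"uid":"CuidZ9","id.orig_h":"10.0.0.9","id.orig_p":50000,'
    '"id.resp_h":"203.0.113.4","id.resp_p":8080,"method":"POST","host":"203.0.113.4",'
    '"uri":"/upload","status_code":201}',
])


def parse_zeek_log(text):
    """Yield one dict per record from a Zeek log in either ASCII layout."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields, types = None, None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("{"):
            yield json.loads(line)            # JSON records are already typed
            continue
        if line.startswith("#separator "):
            # Space-delimited and escaped (e.g. \x09) because the separator is not known yet.
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "fields":
                fields = vals
            elif key == "types":
                types = vals
            elif key == "unset_field":
                unset = vals[0]
            elif key == "empty_field":
                empty = vals[0]
            continue                          # #path, #open, #close etc. are not needed
        if fields is None:
            raise ValueError("data line before #fields header")
        record = {}
        for i, raw in enumerate(line.split(sep)):
            if raw == unset:
                record[fields[i]] = None      # Zeek's '-' means the field was never set
            elif raw == empty:
                record[fields[i]] = ""
            else:
                conv = _CONVERT.get(types[i]) if types else None
                record[fields[i]] = conv(raw) if conv else raw
        yield record


def correlate(conn_log, other_logs):
    """Index conn.log by uid, then attach records from other_logs ({name: text})
    to their session. Records without a conn entry are returned as orphans."""
    sessions = {rec["uid"]: {"conn": rec} for rec in parse_zeek_log(conn_log)}
    orphans = []
    for name, text in other_logs.items():
        for rec in parse_zeek_log(text):
            sess = sessions.get(rec.get("uid"))
            if sess is None:
                orphans.append((name, rec))
            else:
                sess.setdefault(name, []).append(rec)
    return sessions, orphans


def summarize(sessions):
    """One line per connection, oldest first: endpoints, service, app-layer detail."""
    out = []
    for uid, s in sorted(sessions.items(), key=lambda kv: kv[1]["conn"]["ts"]):
        c = s["conn"]
        detail = [f"HTTP {h['method']} {h['host']}{h['uri']} -> {h['status_code']}" for h in s.get("http", [])]
        detail += [f"DNS {d['query']} -> {d['answers']}" for d in s.get("dns", [])]
        out.append(f"{uid} {c['id.orig_h']}:{c['id.orig_p']} -> {c['id.resp_h']}:{c['id.resp_p']} "
                   f"{c['proto']}/{c['service'] or '?'} {'; '.join(detail) or 'no app-layer log'}")
    return out


if __name__ == "__main__":
    sessions, orphans = correlate(CONN_LOG, {"http": HTTP_LOG, "dns": DNS_LOG})
    print("\n".join(summarize(sessions)))
    for name, rec in orphans:
        print(f"orphan {name} record: uid {rec['uid']} has no conn.log entry")
```

The same functions work on real files: read conn.log and the per-protocol logs from logs/current/ (or the working directory of a zeek -r run) and pass their text in. A session with a conn.log line but no app-layer record (CuidC3 above, an S0 SYN with no service) is exactly the kind of thing worth a second look, and the orphan list catches the opposite case, where an app-layer record refers to a connection whose conn.log line was already rotated out.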
