detecting-network-anomalies-with-zeek

Featured

Deploys and configures Zeek (formerly Bro) network security monitor to passively analyze network traffic, generate structured logs, detect anomalous behavior, and create custom detection scripts for threat hunting and incident response.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Detecting Network Anomalies with Zeek

## When to Use

- Deploying passive network security monitoring at key network choke points for continuous visibility
- Generating structured connection, DNS, HTTP, SSL, and file transfer logs for SIEM ingestion and threat hunting
- Writing custom Zeek scripts to detect organization-specific threats, policy violations, or beaconing behavior
- Performing retrospective analysis on network metadata to investigate security incidents
- Complementing IDS solutions with protocol-level metadata analysis that signature-based tools may miss

**Do not use** as a replacement for inline IDS/IPS that can actively block traffic, for monitoring encrypted payloads without TLS inspection, or on endpoints where host-based agents are more appropriate.

## Prerequisites

- Zeek 6.0+ installed from source or package manager (`zeek --version`)
- Network interface configured on a SPAN port, network tap, or virtual switch mirror for passive capture
- Sufficient disk storage for log files (estimate 1-5 GB/day per 100 Mbps of monitored traffic)
- Familiarity with Zeek's scripting language for writing custom detections
- Log aggregation system (Splunk, Elastic, Graylog) for centralized analysis

## Workflow

### Step 1: Install and Configure Zeek

```bash
# Install Zeek on Ubuntu/Debian
sudo apt install -y zeek

# Or install from source for latest version
git clone --recursive https://github.com/zeek/zeek
cd zeek && ./configure --prefix=/opt/zeek && make -j$(npro...
```

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-network-traffic-analysis-with-zeek

Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-lateral-movement-with-zeek

Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log, smb_files.log, dce_rpc.log, kerberos.log, and ntlm.log to identify SMB file transfers, NTLM account spray activity, remote service execution, and anomalous internal connections.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-exfiltration-over-dns-with-zeek

Detect DNS-based data exfiltration by analyzing Zeek dns.log for high-entropy subdomains and anomalous query patterns

12,642 Updated today
mukul975
AI & Automation Solid

detecting-beaconing-patterns-with-zeek

Performs statistical analysis of Zeek conn.log connection intervals to detect C2 beaconing patterns. Uses the ZAT library to load Zeek logs into Pandas DataFrames, calculates inter-arrival time standard deviation, and flags periodic connections with low jitter. Use when hunting for command-and-control callbacks in network data.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-dns-tunneling-with-zeek

Detect DNS tunneling and data exfiltration by analyzing Zeek dns.log for high-entropy subdomain queries, excessive query volume, long query lengths, and unusual DNS record types indicating covert channel communication.

12,642 Updated today
mukul975