WEBVTT

00:00:01.548 --> 00:00:05.547
So the big question of the day is, what exactly is Zeek?

00:00:05.548 --> 00:00:10.548
Some of you may have an idea and have used it before, some of you may have not.

00:00:10.548 --> 00:00:14.548
We're going to learn all about it right now, so don't worry.

00:00:14.548 --> 00:00:14.833
Remember,

00:00:14.833 --> 00:00:18.147
the short version is that Zeek is a network monitoring

00:00:18.147 --> 00:00:20.547
platform that's used mostly for network security,

00:00:20.548 --> 00:00:25.548
but does really well at traffic analysis as well.

00:00:25.548 --> 00:00:29.448
Zeek was initially developed in the 1990s and was very

00:00:29.448 --> 00:00:31.548
well known under the name of Bro.

00:00:31.548 --> 00:00:36.214
1995 is when Vern Paxson began working on the code and started

00:00:36.214 --> 00:00:38.548
laying out the foundation for this tool.

00:00:38.548 --> 00:00:42.547
Of course, over time it's evolved tremendously,

00:00:42.548 --> 00:00:46.548
adding features and protocols and added functionality to the tool.

00:00:46.548 --> 00:00:51.548
In 2003, after several contributors helped add to the project,

00:00:51.548 --> 00:00:54.548
the National Science Foundation helped by supporting

00:00:54.548 --> 00:00:57.548
more research and development into Bro.

00:00:57.548 --> 00:01:00.147
Academic research projects were the main contributing

00:01:00.147 --> 00:01:02.547
factors to the capabilities that it now has.

00:01:02.548 --> 00:01:06.214
After several more years of additions and many adoptions

00:01:06.214 --> 00:01:10.547
to the product and the environments, Bro was renamed to Zeek.

00:01:10.548 --> 00:01:14.547
We're currently using version 3.0.

00:01:14.548 --> 00:01:17.547
So Zeek uses scripts as its main policy engine.

00:01:17.548 --> 00:01:21.548
We're definitely going to cover these much more later on in the course.

00:01:21.548 --> 00:01:26.548
There are many, many signatures and rules within the Zeek tool that come default,

00:01:26.548 --> 00:01:29.548
and you can build your own as well.

00:01:29.548 --> 00:01:32.547
You can tell Zeek exactly what you want to look for

00:01:32.548 --> 00:01:34.548
and how you want to classify it.

00:01:34.548 --> 00:01:39.548
So Zeek can be installed as a standalone or as a cluster and can

00:01:39.548 --> 00:01:43.548
perform analysis either in real time or offline.

00:01:43.548 --> 00:01:47.848
This is very helpful so that we can perform forensics after the fact and

00:01:47.848 --> 00:01:50.547
see what Bro saw or should have seen historically.

00:01:50.548 --> 00:01:55.548
It's also a completely passive tool, which is very nice.

00:01:55.548 --> 00:01:57.548
I love working with passive tools because we don't have to worry

00:01:57.548 --> 00:02:00.548
about the pressure of disrupting the network.

00:02:00.548 --> 00:02:02.548
During the operation of Zeek,

00:02:02.548 --> 00:02:06.747
it looks for many different aspects of your network for analysis

00:02:06.747 --> 00:02:10.548
including protocol behavior from application layer protocols,

00:02:10.548 --> 00:02:16.548
file content, and it even decapsulates tunnels for analysis.

00:02:16.548 --> 00:02:20.548
The standard output for Zeek is its ASCII logs.

00:02:20.548 --> 00:02:23.848
These logs show all of the signature hits that Zeek has and

00:02:23.848 --> 00:02:26.548
can be exported to a SIEM such as Splunk.

00:02:26.548 --> 00:02:30.833
It also has the capability to export using JSON and other formats,

00:02:30.833 --> 00:02:34.423
which is really useful for ingesting into more sophisticated

00:02:34.423 --> 00:02:37.548
applications in SIEMs that can parse the information better.

00:02:37.548 --> 00:02:40.548
This type of method allows for a much easier time

00:02:40.548 --> 00:02:43.547
reading and understanding the logs.

00:02:43.548 --> 00:02:47.690
Another really cool feature of Zeek is its ability to trigger

00:02:47.690 --> 00:02:50.548
external processes from within the scripting language.

00:02:50.548 --> 00:02:53.548
Configuring this is outside of the scope of this course,

00:02:53.548 --> 00:02:59.548
but it can be done from within the scripting language if you're interested.
