Articles

Faster network and security pcap analysis with Zeek logs

6 min read

Zeek offers a new way to start your packet analysis

Network + security management is hard work. Companies have a number of detection and automation tools at their disposal, but when analysts need to get involved, having acess to the raw packet captures saves analysts valuable time and helps them accomplish the goal of netsec ops: protecting the business.

Zeek (formerly Bro) is a powerful tool trusted by networking and cybersecurity experts for analyzing network traffic through high-level, organized logs. This means Zeek is an excellent place for analysts to start investigations. In this article, you’ll learn what Zeek is, how to best use it when analyzing packet data, and how CloudShark’s Zeek Logs analysis tool makes it simple to drill down to the data you need for your whole team to solve network security problems.

 

Zeek as a part of SIEM

Fundamentally, Zeek turns raw network traffic into comprehensive metadata logs. These logs act as a summary of all of the network activity, broken down into many different categories. By default, it knows about a lot of network behaviors, including connections, network services, applications, protocols, files, hosts, and more.

When used on live traffic, Zeek sits quietly on a sensor and passively analyzes the packets as they go by, creating logs that are sent to a centralized SIEM. Many applications built for monitoring and threat-hunting use Zeek as their core.

 

Zeek for targeted analysis

Zeek doesn’t only operate passively on live network traffic. Zeek can take pre- recorded pcap files and provide a broad, high-level overview of the traffic saved in the capture. When used for specific incident analysis, it’s job is to narrow down the traffic you’re interested in without having to sift through mountains of network data. It’s very good at this, and fast - Zeek doesn’t go to the same depth as a full decoder, so it’s able to build its logs quickly.

With all of the default logs Zeek can create, plus the ability to add your own through its package manager, it automatically does a lot of the heavy lifting of network analysis in milliseconds.

Zeek typically is run as a command-line program in Linux. Experts then turn to different text processing tools (awk, sort, grep, uniq, etc.) to dig through the log files. There is a bit of a learning curve to using Zeek this way. That amount of bash shell kung-fu isn’t for everyone, and It takes some configuration and knowledge to set up correctly.

Even when Zeek is used this way, the pcap itself is often discarded after processing. Analysts rely on the summary data and don’t often return to the PCAP. This means there’s no way to get back to the packets underlying the log data when you need it, and can further complicate retrospective analysis.

 

Using packet captures during incident response

Packet captures are an integral part of the incident response, and Zeek adds yet another tool to get to the data you need more quickly.

Read our companion article to learn the role packet captures play in the incident response lifecycle - before, during, and after an attack happens - and four tips to use them better, greatly improving the success of your security operations.

 

Bringing the raw network pcap data to your Zeek logs

Zeek is a great place to start your PCAP analysis.

CloudShark includes a powerful analysis tool to create Zeek logs from your packet captures. It keeps both the Zeek logs and the packets that generated them together, which lets you pivot between the two as you walk through your analysis - looking at what you need, when you need it. The Zeek Logs analysis tool tells you where to point the microscope, and CloudShark’s capture viewer, filters, profiles, and other analysis tools let you dig deeper and zoom in on what you need to know.

Zeek comes pre-built and pre-configured in CloudShark. The Zeek Logs analysis tool provides a web front end for interacting with logs, letting you sort, filter, and share logs or summary views with your entire team. We’ve also included some useful preset views that are used most often. This makes using Zeek for incident response much easier and useful.

 

Using Zeek and pcaps together

Starting your pcap analysis with Zeek logs can get you a clearer picture of what’s going on with less digging and scrolling. Here are some ways using Zeek can augment your investigation.

1. Find who was on the network

Zeek brings host names and client credentials to the surface without needing to remember complex filter expressions or scroll through thousands of packets.

2. Find out what they were doing

Zeek summarizes the behavior of network actors in different ways that let us refine our analysis. Knowing which network services were running, specific versions of software clients used, and getting a birds-eye view of any file transfer activity, all give the analyst a picture of an incident.

3. View specific packet payloads

Having access to the packets is seamless. Once interesting behavior has been identified from the high level Zeek logs, switch to the packet view of only that stream to continue your analysis with the traffic at the packet level.

Having the Zeek logs and pcaps together makes it easier to look at specific payloads and decide where to look next.

4. Record, annotate, and share

As you understand more and more of the incident, write it down! Save annotations on individual packets needed for your report, or create a saved Zeek view showing exactly the hosts you need to focus on. When you or someone else comes back next week to look further into an issue, all your hard work is saved.

 

Let's see that in action! Tom and Zach go through a real-world example of these steps in our webinar, "Cutting through network forensic data with Zeek". Watch the video of this example, featuring a malware investigation, here.

 

Network analysis is hard. Zeek and pcaps together make it easier.

Our goal is to improve network analysis for everybody. There are so many tools and methods out there, and it can be difficult to deploy, maintain, and learn how to use them. Zeek is a powerful tool, and combined with CloudShark, enables both high-level discovery and low-level packet dissection. We’re here to help make an often hard, thankless job easier in any way we can!

 

Learning more

Zeek is found at Zeek.org and has an amazing collection of documentation and community resources. If you have any questions or want something specific added to CloudShark, let us know! And, if you’re ready to start making your incident response lightning fast and your analysts’ sleep a little easier, request a demo of CS Enterprise or sign up for CS Personal SaaS to try it out yourself. Photo credit Markus Winkler via Unsplash

 

Photo credit Markus Winkler via Unsplash


Want articles like this delivered right to your inbox?

Sign up for our newsletter

No spam, just good networking