From Bro to Zeek
Bro was born in 1995 at Lawrence Berkeley National Lab as a research project by Vern Paxson, its name inspired by Orwell’s Big Brother. The goal was to monitor network traffic passively and programmably, taking a different approach from classic signature-based IDSs.
For more than twenty years the project served both as an academic reference and in operational deployments, but the name “Bro” became an increasing source of ambiguity and unwanted connotations. On 11 October 2018, at BroCon (the conference has since been renamed ZeekWeek), the official rebranding to Zeek was announced.
The code is now maintained by the Zeek Project, with Corelight (founded in 2013 by members of the original team) as its principal corporate sponsor, under the 3-clause BSD licence.
Event-driven architecture
Zeek differs from classic IDSs: rather than matching traffic against malicious patterns, it extracts events from the traffic and lets the analyst describe security logic in a dedicated scripting language.
Typical flow:
- Capture — libpcap, AF_PACKET, PF_RING for high-throughput acquisition
- Event engine — protocol parsers generating semantic events (e.g. http_request, ssl_established, dns_request)
- Script layer — Zeek scripts consuming events and producing logs or notices
- Logging framework — structured output to files (TSV or JSON) or to a downstream broker
Scripting language
The Zeek language is statically typed, event-driven and imperative. It offers:
- expressive domain types (addr, port, subnet, interval, time, pattern)
- tables and sets with composite keys and expiration attributes
- protocol event handlers
- modules with namespaces, loaded on demand via @load
- notice framework for structured emission of security notifications
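The following script, added here as an illustration and not taken from the original page or the Zeek distribution, ties the pieces above together: a module with exported, redef-able constants, a set[subnet] for longest-prefix membership tests, a table with a composite key and a write-expire attribute, a pattern type, a handler for the http_request event, and a Notice::Type raised through the notice framework. The module name, the regular expression, the subnets and the threshold are placeholders chosen for the example.

```zeek
##! Added example: count requests for sensitive paths from monitored
##! networks and raise a notice when a client crosses a threshold.

module SensitivePath;

export {
    redef enum Notice::Type += {
        ## A client from a monitored network requested too many
        ## sensitive paths on one server within the counting window.
        Scan
    };

    ## Paths whose mere request is worth counting (placeholder regex).
    const sensitive_paths: pattern =
        /\/\.git\/|\/\.env|\/wp-login\.php|\/etc\/passwd/ &redef;

    ## Only clients inside these networks are tracked (placeholder ranges).
    const monitored_nets: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16 } &redef;

    ## Hits needed before a notice fires, and the counting window.
    const threshold: count = 5 &redef;
    const window: interval = 10min &redef;
}

## Per (client, server) counter; entries vanish when not written for `window`.
global hits: table[addr, addr] of count &default=0 &write_expire=window;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    local client = c$id$orig_h;
    local server = c$id$resp_h;

    # addr in set[subnet] performs a prefix match, not an exact lookup.
    if ( client !in monitored_nets )
        return;

    # `pattern in string` searches anywhere in the (already unescaped) URI.
    if ( sensitive_paths !in unescaped_URI )
        return;

    ++hits[client, server];

    # Fire exactly once per window when the threshold is reached; the
    # identifier plus suppress_for keeps notice.log from flooding.
    if ( hits[client, server] == threshold )
        NOTICE([$note=Scan,
                $conn=c,
                $msg=fmt("%s requested %d sensitive paths on %s within %s",
                         client, threshold, server, window),
                $sub=unescaped_URI,
                $identifier=cat(client, server),
                $suppress_for=1hr]);
}
```

Load it with `zeek -r capture.pcap sensitive_path.zeek` (or via local.zeek on a sensor); matching clients appear in notice.log with note `SensitivePath::Scan`, and every constant in the export block can be overridden with `redef` from site-specific scripts without editing this file.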
Structured logs
Zeek produces dozens of per-protocol logs ready for SIEM ingestion, including:
- conn.log — TCP/UDP/ICMP sessions
- http.log — HTTP requests with method, host, URI, user-agent
- dns.log — DNS queries and responses
- ssl.log / x509.log — TLS handshakes and certificates
- ssh.log — SSH sessions with client and server version strings
- files.log — transferred objects, hashes, mime-types
- notice.log — security notifications
- software.log — software and versions detected per host
These logs have become a de facto standard in Network Security Monitoring.
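Getting these logs into a SIEM usually means switching the writer from TSV to JSON and trimming the high-volume conn log to the fields the correlation rules actually use. The script below, added here as an example (not part of the original page or of Zeek's own scripts), does both: it enables JSON output with ISO 8601 timestamps and adds a second filter on the Conn::LOG stream that writes only outbound connections, with a reduced field set, to conn_siem.log while the default conn.log is left intact. The internal address ranges are placeholders for the site's own.

```zeek
##! Added example: shape Zeek's log output for SIEM ingestion.

module SiemExport;

export {
    ## Networks considered "inside"; connections that stay inside them are
    ## excluded from the trimmed log (placeholder ranges).
    const internal_nets: set[subnet] = {
        10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    } &redef;
}

# One JSON object per line instead of tab-separated columns with #fields/#types headers.
redef LogAscii::use_json = T;

# ISO 8601 timestamps instead of epoch floats, which most SIEM pipelines parse natively.
redef LogAscii::json_timestamps = JSON::TS_ISO8601;

event zeek_init()
{
    # An additional filter on the conn stream. The default filter keeps
    # writing the full conn.log; this one writes conn_siem.log.
    local f: Log::Filter = [
        $name = "conn-siem",
        $path = "conn_siem",
        # Keep a record only when the responder is outside every internal net.
        $pred(rec: Conn::Info) = { return rec$id$resp_h !in internal_nets; },
        # Nested record fields are referenced by their flattened names.
        $include = set("ts", "uid", "id.orig_h", "id.orig_p",
                       "id.resp_h", "id.resp_p", "proto", "service",
                       "duration", "orig_bytes", "resp_bytes", "conn_state")
    ];
    Log::add_filter(Conn::LOG, f);
}
```

Because the filter is added rather than replacing the one named "default", analysts keep the complete conn.log for forensics while the SIEM receives only the outbound, reduced view; dropping the filter later requires no change to the ingestion side.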
Integrations
- Security Onion — NSM distribution including Zeek + Suricata + Elastic
- Corelight — commercial sensors based on Zeek
- Elastic Common Schema (ECS) — Elastic's Zeek integration maps the logs to ECS for ingestion
- Wazuh, Graylog, OpenSearch — Zeek log ingestion for correlation
- Suricata — often deployed alongside Zeek to combine a signature-based IDS with event-driven NSM
Adoption
Zeek is adopted in:
- Research & education networks (RENs) — European NRENs, Internet2, ESnet
- Universities and research centres — campus traffic monitoring
- Government agencies — retrospective analysis over large traffic volumes
- SOCs and threat hunting teams — investigations based on network metadata
In the Italian context
In Italy Zeek is used by GARR, universities, regional CERTs and advanced SOCs, often as the basis for network forensic investigations and session reconstruction even where full packet capture is unavailable. Integration with Security Onion and the ECS ecosystem simplifies operational deployment.
Reference: Zeek project website, https://zeek.org