
Detecting Network Anomalies with Zeek

When to Use

  • Deploying passive network security monitoring at key network choke points for continuous visibility
  • Generating structured connection, DNS, HTTP, SSL, and file transfer logs for SIEM ingestion and threat hunting
  • Writing custom Zeek scripts to detect organization-specific threats, policy violations, or beaconing behavior
  • Performing retrospective analysis on network metadata to investigate security incidents
  • Complementing IDS solutions with protocol-level metadata analysis that signature-based tools may miss

Do not use Zeek as a replacement for an inline IDS/IPS: it is a passive sensor that observes traffic and cannot block it. Do not expect it to inspect encrypted payloads either; without TLS inspection it records only handshake metadata (server name, certificate details, cipher choice) in ssl.log and x509.log, not the application data. And on endpoints, host-based agents are usually the better choice than a network sensor.
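The beaconing detection and retrospective-analysis use cases above are easiest to see on real log lines. The following is an added example for this page (not code from Zeek or from this skill): a Python script that reads a Zeek conn.log, in either the default tab-separated format with `#fields` headers or the JSON-lines format produced by `policy/tuning/json-logs`, groups connections by source host, destination host and destination port, and flags flows whose inter-connection gaps are nearly constant (low coefficient of variation). It goes slightly beyond the bullet by handling both log formats. The conn.log records, hosts and thresholds are constructed for the example; tune `min_conns` and `max_cv` to your own traffic.

```python
"""Periodicity ("beaconing") detection over a Zeek conn.log.

Added example for this skill page; it is not part of Zeek or of the skill.
Reads either of Zeek's conn.log formats: the default tab-separated log with
'#fields' headers, or the JSON-lines log produced by policy/tuning/json-logs.
The sample records below are constructed for this example, not captured traffic.
"""
import json
import statistics
from collections import defaultdict
from typing import Iterable, Iterator

# Subset of conn.log columns used here; Zeek readers key on the '#fields' line,
# so a log with fewer or reordered columns still parses.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]


def _row(ts: float, uid: str, orig_h: str, orig_p: int, resp_h: str, resp_p: int) -> str:
    return "\t".join([f"{ts:.6f}", uid, orig_h, str(orig_p), resp_h, str(resp_p),
                      "tcp", "ssl", "0.500000", "120", "340", "SF"])


def _sample_tsv() -> str:
    """Constructed conn.log: one periodic flow, one bursty flow, one too-short flow."""
    base = 1700000000.0
    lines = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
             "#unset_field\t-", "#path\tconn", "#fields\t" + "\t".join(FIELDS)]
    t = base  # 10.0.0.5 -> 203.0.113.10:443 roughly every 60 s, with light jitter
    for i, gap in enumerate([0, 60, 61, 59, 60, 62, 60, 59]):
        t += gap
        lines.append(_row(t, f"Cbeac{i}", "10.0.0.5", 51000 + i, "203.0.113.10", 443))
    for i, off in enumerate([0, 5, 300, 302, 900, 2000]):  # irregular, browsing-like
        lines.append(_row(base + off, f"Cnoise{i}", "10.0.0.7", 52000 + i, "198.51.100.20", 80))
    for i, off in enumerate([0, 100]):  # only two connections: not enough evidence
        lines.append(_row(base + off, f"Cshort{i}", "10.0.0.9", 53000 + i, "192.0.2.8", 22))
    lines.append("#close\t2023-11-14-22-40-00")
    return "\n".join(lines) + "\n"


def parse_conn_log(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per connection record from TSV or JSON-lines conn.log text."""
    sep, fields, unset = "\t", None, "-"
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("{"):  # json-logs policy: one JSON object per line
            yield json.loads(line)
            continue
        if line.startswith("#"):  # TSV header/footer lines
            key, _, value = line.partition(" " if line.startswith("#separator") else sep)
            if key == "#separator":
                # Zeek writes the separator as an escape, e.g. "\x09" for tab
                sep = bytes(value, "ascii").decode("unicode_escape")
            elif key == "#fields":
                fields = value.split(sep)
            elif key == "#unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        yield {k: (None if v == unset else v) for k, v in zip(fields, line.split(sep))}


def find_beacons(records: Iterable[dict], min_conns: int = 6, max_cv: float = 0.10) -> list:
    """Return (orig_h, resp_h, resp_p, mean_gap_s, cv) for flows with regular timing.

    cv is the population standard deviation of the inter-connection gaps divided
    by their mean; a true timer-driven beacon sits near 0 even with some jitter.
    """
    times = defaultdict(list)
    for r in records:
        times[(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))].append(float(r["ts"]))
    found = []
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found.append((*key, round(mean, 1), round(cv, 3)))
    return sorted(found)


def beacons_in(log_text: str, **kw) -> list:
    return find_beacons(parse_conn_log(log_text.splitlines()), **kw)


def to_json_lines(tsv_text: str) -> str:
    """Re-emit a TSV log as JSON lines, as the json-logs policy would (numeric ts/ports)."""
    out = []
    for r in parse_conn_log(tsv_text.splitlines()):
        r["ts"] = float(r["ts"])
        for k in ("id.orig_p", "id.resp_p"):
            r[k] = int(r[k])
        out.append(json.dumps(r))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    tsv = _sample_tsv()
    for fmt, text in (("tsv", tsv), ("json", to_json_lines(tsv))):
        for orig, resp, port, mean_gap, cv in beacons_in(text):
            print(f"[{fmt}] {orig} -> {resp}:{port} every ~{mean_gap}s (cv={cv})")
```

On the sample data only the 10.0.0.5 to 203.0.113.10:443 flow is reported, at roughly 60 s with cv about 0.016; the bursty flow fails the cv test and the two-connection flow never reaches `min_conns`. Against a real conn.log, run it over a day or more of logs at a time, exclude known-good periodic traffic (NTP, update checks, your own monitoring) with an allowlist, and treat the output as a hunting lead to pivot into ssl.log, dns.log and http.log for the same hosts, not as a verdict.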

Prerequisites

  • Zeek 6.0 or newer, installed from source or a package manager (check with zeek --version)
  • A network interface fed by a SPAN port, network tap, or virtual switch mirror for passive capture
  • Sufficient disk storage for log files (as a rough estimate, 1-5 GB/day per 100 Mbps of sustained monitored traffic; actual volume depends on the protocol mix and which logs are enabled)
  • Familiarity with Zeek's scripting language for writing custom detections
  • Log aggregation system (Splunk, Elastic, Graylog) for centralized analysis
First Seen: Mar 16, 2026