Zeek Blog
Your First Zeek Script Doesn’t Need to Be Perfect
Your first Zeek script doesn't need to detect malware, stop threats, or solve a critical security problem. In fact, it probably shouldn't. David Fitz learned Zeek through a SANS course and wanted to try his first script in his homelab. Instead of detecting botnets or...
What Should You Actually Customize in Zeek?
You got Zeek running, logs are flowing, and the default configuration is doing its job. And then you hit the wall that almost every Zeek user hits eventually: you know Zeek is extensible, you know you're supposed to customize it, but nobody has given you a clear...
Using Zeek with AWS Traffic Mirroring and Kafka
AWS provides a feature that allows mirroring your infrastructure's network traffic to a separate system for analysis purposes. This is called AWS Traffic Mirroring. If you'd like to use Zeek's network traffic analysis capabilities in such a cloudy environment, this...
How to Find Operational Problems Hiding in Your Zeek Logs
Network security monitoring typically focuses on catching threats. But ask Zeek users what they actually discover in their logs, and a different picture emerges: chatty devices wasting bandwidth, misconfigurations creating millions of unnecessary DNS queries, and...
Why Zeek keeps breaking your test baselines
With zeek-8.1.0 dns.log now includes information on dynamic update messages (RFC 2136) adding new opcode and opcode_name columns. During the RC phase we received feedback that this change to the log schema might break downstream consumers of dns.log, so we also...
How to Use JA4 Network Fingerprints in Zeek
Learn how to use JA4 network fingerprinting in Zeek to identify client and server software, detect malware, and track behavior across encrypted connections without requiring decryption. Network fingerprinting helps identify client and server software without...
Introducing Zeek 8.1
The Zeek team is proud to announce Zeek 8.1! This release achieves a major milestone in our architectural shift away from the Broker messaging backend, includes a bunch of analyzer enhancements, takes first steps to phase out MD5 support, and features a host of other...
3 Ways to Integrate Zeek With Your Security Stack
Zeek rarely works in isolation. The real power comes from pairing it with other tools - SIEMs for log aggregation, IDS/IPS for signature-based detection, threat intel feeds for enrichment, packet capture tools for deeper investigation. We recently asked our community:...
Zeek 8.1 Development Update
The first release candidate for Zeek 8.1 is out! This release includes the last major building block in our multi-release effort to move Zeek's cluster communication off of Broker. Work on this release began in August and includes the switch to ZeroMQ as Zeek's...
Developing Zeek Scripts with Style
Whether you're extending Zeek's functionality or integrating it into a larger NDR stack, your work probably involves some form of source code. While that code is ultimately a means to an end, I like code to be neat: fit for the task, to the point, understandable, and...
Common Mistakes When Deploying Zeek (and How to Avoid Them)
We recently asked the community something we've been curious about for a while: What kind of hardware are you using to run Zeek? What does that setup even look like? What started as a straightforward question about specs and sizing quickly turned into something...
5 Ways the Zeek Community Actually Uses Logs
Plenty of people generate Zeek logs, but not everyone knows what to do with them. We asked the Zeek community to share their real-world approaches, and they delivered. We heard everything from automation scripts to quantum cryptography research and, honestly, we...
Inside Zeek Training at NSF Cybersecurity Summit
On October 20, 2025, the Zeek team hosted a full-day training at the NCAR facility in Boulder as part of the NSF Cybersecurity Summit. With 52 registrations and about 50 people showing up, the room was packed with a diverse crowd: professors, postdocs, students,...
Integrating Zeek With Third-Party Applications (a hack.lu Recap)
Last week, Zeek's Technical Lead Christian Kreibich presented at hack.lu in Luxembourg, a conference that draws around 400 security practitioners spanning both offensive and defensive disciplines. His talk tackled a challenge we hear about constantly from power users:...
5 Ways to Contribute to the Zeek Project for the First Time
This summer we ran the Zeek Project Survey to get a clearer picture of how people use Zeek, what challenges they face, and where our team should focus our efforts next. One area we asked about was contribution: how people are (or aren’t) getting involved in the...
The Storage Framework in Action
I’ve talked in a video and a blog post recently about the new Zeek storage framework. This blog post expands upon those previous posts to explain how to actually use the framework. It will do this by adapting an existing policy script to use the new features to...
Zeek’s Storage Framework Explained
Until Zeek 7.2, storing data across a cluster could be tricky and inefficient. The new Storage Framework changes that. This post explains the old model, the new framework, and what’s coming next. The Old Model: Broker Storage Storage in Zeek traditionally has run...
ZeroMQ Cluster Backend: Try It Out in Zeek 8
With Zeek 8.0, we’re taking the first step toward a major shift in cluster communication. A new ZeroMQ backend is now available, making it simpler to run clusters and opening the door for more flexible backends in the future. Prefer a quick walkthrough? Check out our...
Introducing Zeek 8
We’re proud to announce the release of Zeek 8.0! This release introduces a range of technical innovations and culminates architectural improvements we’ve been working on since the release of Zeek 7 a year ago. Customizable Flow Tuples For the first time ever, it’s now...
Zeek Project Survey Results: What We Heard and What’s Next
This summer we asked Zeek users, contributors, and curious newcomers from around the world to take our 2025 Zeek Project Survey. Your feedback was honest, actionable and sometimes quite direct—which was exactly what we needed. Here are a few key themes that stood out,...
Zeek 8.0 Development Update
Zeek 8.0, our next long-term support (LTS) release, is just a few weeks away! Time for a quick recap of what the development team has been up to lately, and a look at our planned release timeline. The major features we planned for this release have landed at this...
Help Us Build the Best Zeek Yet: Community Survey Launching June 23
On June 23, we’re launching the Zeek Project Survey 2025 to understand how the community is currently using Zeek, what challenges you face, and where you want to see the project grow. This survey is a key part of our mission: to develop Zeek in a way that enables the...
Are Spicy parsers slower than Binpac parsers?
Within Zeek, there are two separate parser generators: Binpac (the old one) and Spicy (the new one). Both allow users to write protocol parsers by declaring what the protocol looks like rather than writing C++ code to parse it. Binpac parsers are difficult to write....
Introducing Zeek 7.2
The Zeek team is proud to announce Zeek 7.2! Work on this release began in December 2024 and includes some 1,200 commits, 330 merged pull requests, and 130 closed issues. The 7.2 release brings important new features, matures Zeek’s ability to run on alternative...
Meet the New Zeek Community Liaison
Hi everyone! I’m excited to introduce myself as the new Community Liaison for Zeek and a non-voting member of the Zeek Leadership Team. I joined the team two weeks ago, and I’ve spent that time diving headfirst into the community: meeting contributors, listening to...
Zeek 7.2 Development Update
We’re three months into the Zeek 7.2 development cycle, so now is a good time to share an update about ongoing development and our planned timeline for the Zeek’s next feature release. We recently merged two of the biggies planned for this release: the new storage...
Building a Redis Analyzer with Spicy, Part II
In our last post, we left off with a functional but incomplete analyzer for Redis. It analyzed RESP (Redis Serialization Protocol) traffic, crudely created “command” objects, then sent that off into Zeek script in events in order to log it. It created something nice,...
Building a Redis Analyzer with Spicy
You can find the source code referenced throughout this post here — though, it is quite different from what is written here. Redis is an in-memory, key-value database. Its primary use is for caching. It does this over the network, but it’s only really meant to be used...
Introducing Zeek 7.1
The Zeek team is proud to announce Zeek 7.1! Work on this release began in July 2024 and includes some 1,400 commits, 340 pull requests, and 130 closed issues. The 7.1 release introduces new user-visible features, contains many bugfixes, and advances a bunch of...
Zeek 7.1 Development Update
We're closing in on Zeek 7.1, the next feature release in Zeek’s current release cycle. Here's a quick look at our planned release timeline. Early next week the last planned 7.1 features will land in our master branch. We're planning to fork the release branch and...
RSS - Posts