Schedule

Workshop Schedule

Talks and trainings will not be recorded.

Day 1 — Wednesday, March 25, 2026

Location: IT Amphitheatre

Breakfast will be available at 8:30 in Room 31/3-009.

Talks and trainings will take place in Room 31/3-004.

08:30 – 09:00 Breakfast
09:00 – 09:10 Welcome and Logistics
09:10 – 09:40 The Road to 9.0: a Zeek Development Update (Christian Kreibich)
09:40 – 10:25 Zeek and the Balance between Academic Freedom, Industrial Operations & Security (Liviu Valsan)
10:25 – 10:40 CERN Networking Mirroring and Distribution Setup for Zeek (Edoardo Martelli)
10:40 – 11:10 Containers, systemd and Kubernetes: Running Zeek in 2026 (Arne Welzel)
11:10 – 11:40 Bringing Situational Awareness into Zeek (Aashish Sharma)
11:40 – 13:00 Lunch
13:00 – 13:30 Plugin Development with Rust (Benjamin Bannier)
13:30 – 14:00 Lightning Talks:
  • The New Zeek Storage Framework (Tim Wojtulewicz)
  • Network Fingerprinting: Theory and Practice (Johanna Amann)
14:00 – 14:30 Addressing the Elephant in the Traffic: Shunting with Zeek (Evan Typanski, Jan Grashöfer)
14:30 – 15:00 Matching IOCs is now fast and easy! (Seth Hall)
15:00 – 15:30 Coffee break
15:30 – 16:00 Post-quantum cryptography: A primer and implications for Zeek monitoring (Vincent Stoffer)
16:00 – 16:30 Q&A
16:30 – 18:00 Tour of CERN Facilities (Group 1)
18:00 – 19:00 Reception

Join us after the talks for drinks and light refreshments. This is an opportunity to connect with speakers and Zeek community members.

Sponsored by Corelight

Day 2 — Thursday, March 26, 2026

Breakfast will be available at 8:30 in Room 31/3-009.

Talks and trainings will take place in Room 31/3-004.

8:30 - 9:00 Breakfast
09:00-12:30 Training: Incident Response with Zeek (Aashish Sharma, LBNL)
Speaker: Aashish Sharma is a member of the cyber security team at the Lawrence Berkeley National Lab. He is also a member of the Zeek Leadership Team.

11:10-12:40 Tour of CERN Facilities (Group 2)
For those not in training, we invite you to come back to CERN for a tour of the facilities.
12:30-13:30 Lunch
13:30-15:00 Training: Introduction to writing Protocol Analyzers with Spicy (Benjamin Bannier, Corelight)
This training is intended to build and enhance your understanding and proficiency in utilizing the Spicy parser generator. The material targets primarily a technical audience, but is open to anyone.

Topics:

  • Basics of programming and parsing with Spicy
  • Working with the Spicy documentation
  • Using Spicy to create Zeek analyzers

Prerequisites:

  • Familiarity with a programming/scripting language
  • Basic familiarity with Zeek and its event model

Speaker: Benjamin Bannier works as a Senior Open Source Developer at Corelight where he spends most of his time maintaining and evolving Spicy and its integration into the Zeek ecosystem. He previously worked on containerization and workload orchestration with Apache Mesos, and distributed columnar data stores. He holds a PhD in Physics from Stony Brook University.

15:00-15:30 Coffee Break
15:30-17:00 Spicy Training (continued)

Speakers

Aashish Sharma
Cyber Security at Lawrence Berkeley National Lab

Aashish Sharma is a member of the Cyber Security team at the Lawrence Berkeley National Lab where he also runs Zeek.

Bringing Situational Awareness into Zeek

Zeek is known for generating a wealth of valuable data, and one of its less commonly explored features, the Input Framework, enables the collection of real-time insights. This talk delves into the Input Framework, highlighting how various types of data can be seamlessly integrated into Zeek to enhance its analytical capabilities. Attendees will explore multiple use cases that demonstrate the effectiveness of enriching data within Zeek, leading to improved heuristics and informed decision-making. This session is ideal for security analysts, network engineers, and anyone interested in maximizing the potential of their Zeek deployments.

Arne Welzel
Zeek Maintainer at Corelight

Open-source at Corelight. Working in various corners of Zeek’s code base and ecosystem. Hacked Zeek to be a JavaScript event emitter. Network programming and packets for some 15+ years. German.

Containers, systemd, Prometheus: Running Zeek in 2026

This is a great talk for Zeek operators and system builders to get insight about modern appliance style Zeek deployments using systemd. No more Zeekctl cronjob to restart crashed Zeek processes or dealing with runaway Zeek processes. Straightforward resource controls and process confinement. Observability into Zeek’s operational behavior via native and scripting level Prometheus support.

Benjamin Bannier
Open Source Developer at Corelight

Benjamin Bannier works as a Senior Open Source Developer at Corelight where he spends most of his time maintaining and evolving Spicy and its integration into the Zeek ecosystem. He previously worked on containerization and workload orchestration with Apache Mesos, and distributed columnar data stores. He holds a PhD in Physics from Stony Brook University.

Plugin Development with Rust

Zeek is designed to be extensible with custom Zeek scripts or with plugins written against Zeek’s C++ API. While the C++ API allows implementing everything from builtin functions to custom replacements for internal components, the need for C++ still provides a barrier to entry.

In recent years Rust has become an obnoxiously popular choice in e.g., the systems programming domain. In this talk I will speak about my journey implementing a custom Zeek serializer component with Rust, touching on everything from how I exposed Zeek’s C++ API to Rust, integration of Rust with Zeek’s plugin build system, to idiomatic mapping of Zeek C++ types to Rust.

This talk will give interesting insights to current Zeek plugin authors, or anyone who is curious about Zeek’s plugin API in general.

Christian Kreibich
Zeek Tech Lead and Leadership Team member; Engineer at Corelight

Christian is the Technical Lead of the Zeek project and an engineer at Corelight. He previously headed the networking group at Lastline, and prior to that was a staff research scientist at the International Computer Science Institute in Berkeley. He has served on the advisory board of the Open Information Security Foundation, and holds a PhD from the University of Cambridge’s Systems Research Group.

The Road to 9.0: a Zeek Development Update

This talk gives an overview of the themes and priorities that have shaped recent Zeek releases, and looks ahead at the roadmap toward Zeek 9, our next long-term support release.

Edoardo Martelli
Network Engineer at CERN

Edoardo Martelli is a network engineer in charge of the external connectivity of CERN. He takes care of the Internet firewall and supports the CERN Security Team in protecting the computing infrastructure. 

CERN Networking Mirroring and Distribution Setup for Zeek

The CERN Zeek-based IDS cluster contains a tier of Zeek servers receiving traffic from sensitive points in the network. Traffic is mirrored at critical points of the network and is then fed via direct links to a Network Distributor Device (NDD). The NDD aggregates the received traffic and distributes it symmetrically over the IDS servers (both directions of a given flow will land on the same IDS server for correct inspection). We will present how this functionality is implemented with Juniper Equipment (QFX10k series).

Evan Typanski
Open Source Developer at Corelight

Before joining Corelight as an open source developer for the Zeek project in 2024, Evan worked in static program analysis for programming languages such as C/C++, Rust, and Swift. Now, Evan primarily works on the compiler parts of Zeek, like Spicy, along with a healthy dose of low-level network plumbing.

Addressing the Elephant in the Traffic: Shunting with Zeek

Have you ever wondered how to scale your Zeek cluster’s performance without throwing more hardware at it? The solution lies in “shunting” — reducing the load on Zeek by dynamically discarding irrelevant traffic, such as encrypted data following a TLS handshake. In this talk, we will explore a new approach to shunting with Zeek using express data path (XDP) and discuss real-world application to get the most out of shunting without any surprises.

Jan Grashöfer
Security Researcher at Corelight

During an internship in the security team of the European Organization for Nuclear Research (CERN) in 2015, Jan became a fan of Zeek and started contributing to the project. Among other things, he authored the AF_Packet plugin and was involved in the development of the packet analyzer framework. In 2022, Jan joined Corelight’s Labs team, where he combines his theoretical background in computer science with his passion for engineering practical solutions and continues to work on Zeek.

Addressing the Elephant in the Traffic: Shunting with Zeek

Johanna Amann
Senior Engineer at Corelight

Johanna Amann is an engineer at Corelight and a member of the Zeek Leadership Team. Her main research interests lie in the areas of network security, Internet measurement and applied cryptography.

Liviu Valsan
Information Technology at CERN

Zeek and the Balance between Academic Freedom, Industrial Operations & Security

The CERN Computer Security Office has been mandated to protect the operations and reputation of CERN against cyber-threats. In this presentation we will go through the different defence mechanisms the CERN Computer Security Office is providing, with a focus on the use of Zeek. The different controls implemented are used to prevent, protect, detect and respond to any kind of abuse, attack or intrusion against CERN’s computing facilities, devices, accounts, services & control systems in an agile, complex and heterogeneous environment, while keeping a good balance between “academia”, “operations” and “computer security.”

Seth Hall
Founder, MatchyLabs

As a core team member of Zeek for many years and a co-founder of Corelight, Seth has been immersed in network security and monitoring for decades. Taking that background and experience, he is now building MatchyLabs to manage data broadly and at high speed.

Matching IOCs is now fast and easy!

Most organizations have access to threat intelligence feeds but struggle to use them effectively. The data sits unused while security teams manually hunt through logs. MatchyLabs builds tools that change that. Anyone using the Intel framework in Zeek will get a lot from this talk and the accompanying software. It makes intelligence matching in Zeek (and outside of Zeek) easier and faster, and makes it use much less memory!

Tim Wojtulewicz
Software Engineer at Corelight

Tim Wojtulewicz is a software engineer with nearly 25 years in the industry. He’s worked on everything from parsing and displaying data from radar systems, to personal media servers, to network protocol parsing. Tim has worked on the Zeek open-source team at Corelight since 2019 as a merge master, release manager, and general code wrangler.

The New Storage Framework

Until Zeek 7.2, storing data across a cluster could be tricky and inefficient. The new Storage Framework changes that, turning this model on its head. This talk will cover the old model, the new framework, and what’s coming next.