Zeekurity Zen Zeries

Zeek (formerly named Bro) is my favorite network security monitoring platform, and I’ve used and promoted it throughout my career. It generates rich network metadata that’s incredibly valuable for incident response, forensics, and general troubleshooting.

For most people, the main challenge with using Zeek is in setting it up. While today there exists Corelight (an enterprise Zeek appliance), not everyone has the budget for this. Plus, it’s fun to do it yourself and learn a thing or two. 😉

This series will walk through Zeek setup and a variety of tips and tricks I’ve learned over the years.



7 thoughts on “Zeekurity Zen Zeries”

  • Thank you so much. I love the series. It’s so valuable to beginners like me and it’s saved me so much time and headaches on getting my Zeek environment up and running.
    Really looking forward to part viii. Any ETA on that? 🙂

      • Awesome!! Can’t wait!
        Btw, it’ll be great if you can share with us your experience on the architecture designs of using Zeek/Suricata, ELK SIEM, ELK alerting, etc. in an enterprise environment. I’m designing and building a solution for a SOC. I’m really interested in how core network traffic should be mirrored and how we can scale the solution (Zeek clustering is easy, but how about Suricata, for instance). Due to our privacy law, we can’t use cloud services like Splunk, so we go for our own ELK SIEM setup. Do you have experience building a complete solution using these tools, or do you happen to know some good reference architectures?

        • I know there are solutions like Security Onion, where everything works out of the box and it’s very easy to scale. It sounds almost too good to be true. But we prefer to build our own solutions similar to that.

          • It has also been a while since I used Security Onion, but for beginners it is a great starting point. If you want to learn more about how things work and be able to tune things specifically to your liking, then building it yourself is certainly the way to go.

        • I have experience with Elastic + Zeek, but not Suricata. Suricata is beyond the scope of what I will cover and to be honest, it has been years since I last used it.

          At a high level, for mirroring core network traffic you’d typically want to start by mirroring internet egress and ingress traffic (“North-South”) before moving to internal traffic (“East-West”). If you have significant volumes of traffic, you can either look into using packet brokers like Gigamon to control what traffic goes where and/or leverage high bandwidth network capture cards on your Zeek sensors.

          • Thank you so much for the tips and suggestions.
            Your website is now my go-to place for learning more about Zeek and ELK. Thank you once again for sharing your knowledge with the world. Have a good day! Stay safe and healthy!
