🛰️ Network detection (NIDS/NDR)
Zeek
Network analysis framework producing rich, structured protocol logs.
Why use it
Where Suricata says "this matched a rule", Zeek says "here is everything that happened on the wire, structured as logs". It's the gold standard for retrospective hunting and forensic timelines — analysts use it to reconstruct what happened, not just detect known patterns.
What you get
- Per-protocol logs (conn, http, dns, ssl, smb, ssh and many more) plus cross-protocol logs such as files and notice
- File hashes out of the box, and extraction of file contents when you enable it
- Scriptable detection in Zeek's own scripting language
- Community packages installed with the zkg package manager (threat-intel feeds, extra protocol analyzers, detections)
- Pairs with Suricata: both can emit Community ID flow hashes, so a signature alert can be joined to its conn.log row for signature plus metadata
System requirements
| Resource | Requirement |
|---|---|
| CPU | 4 cores (more for high-throughput links) |
| RAM | 4 GB minimum, 8 GB recommended |
| Disk | 50 GB+ for logs |
| OS | Linux |
| Docker | Yes |
Installation
On Ubuntu: add the Zeek repository from the openSUSE Build Service (OBS) and run sudo apt install zeek. Edit /opt/zeek/etc/node.cfg so the interface= line points at your SPAN or TAP interface, then start with sudo zeekctl deploy (zeekctl lives in /opt/zeek/bin). Live logs land in /opt/zeek/logs/current/ and rotated logs in dated directories under /opt/zeek/logs/.
Suggested configuration
Switch logging to JSON by adding redef LogAscii::use_json = T; to /opt/zeek/share/zeek/site/local.zeek (or @load policy/tuning/json-logs), then forward the logs to your SIEM. Install the Zeek-Cyber and zeek-EternalSafety packages with zkg for high-signal community detections. Keep log rotation at the default hourly interval (LogRotationInterval in /opt/zeek/etc/zeekctl.cfg) so searches stay snappy.
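To show what the retrospective hunting from "Why use it" looks like against the JSON logs this configuration produces, here is an added example written for this page (it is not Zeek project code). It parses constructed conn.log and dns.log lines in Zeek's JSON format, flags periodic connections (beaconing), long-lived flows and overlong DNS labels, and joins dns.log to conn.log on uid to build a timeline. The log contents, the addresses and the thresholds are assumptions; only the field names follow Zeek's schemas.

```python
"""Retrospective hunting over Zeek JSON logs (conn.log + dns.log).

Added example for this page, not Zeek project code. The log lines below are
constructed to resemble Zeek output with LogAscii::use_json = T: field names
follow Zeek's conn.log/dns.log schemas, all addresses and values are made up.
"""
import json
import statistics
from collections import defaultdict

# Constructed conn.log: a 60-second beacon to 203.0.113.10, a long SSH session,
# ordinary web and DNS flows, and an S0 flow that carries no duration/service.
CONN_LOG = """\
{"ts":1700000000.0,"uid":"C1beac","id.orig_h":"10.0.0.5","id.orig_p":49152,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.9,"orig_bytes":512,"resp_bytes":1024,"conn_state":"SF"}
{"ts":1700000005.0,"uid":"C8dns","id.orig_h":"10.0.0.5","id.orig_p":53001,"id.resp_h":"10.0.0.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.02,"orig_bytes":90,"resp_bytes":210,"conn_state":"SF"}
{"ts":1700000010.0,"uid":"C6web","id.orig_h":"10.0.0.7","id.orig_p":51000,"id.resp_h":"198.51.100.20","id.resp_p":443,"proto":"tcp","service":"ssl","duration":2.3,"orig_bytes":1400,"resp_bytes":52000,"conn_state":"SF"}
{"ts":1700000061.0,"uid":"C2beac","id.orig_h":"10.0.0.5","id.orig_p":49160,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.8,"orig_bytes":512,"resp_bytes":1024,"conn_state":"SF"}
{"ts":1700000100.0,"uid":"C7ssh","id.orig_h":"10.0.0.9","id.orig_p":40000,"id.resp_h":"192.0.2.30","id.resp_p":22,"proto":"tcp","service":"ssh","duration":7200.5,"orig_bytes":80000,"resp_bytes":120000,"conn_state":"S1"}
{"ts":1700000119.0,"uid":"C3beac","id.orig_h":"10.0.0.5","id.orig_p":49171,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","duration":1.1,"orig_bytes":512,"resp_bytes":1024,"conn_state":"SF"}
{"ts":1700000180.0,"uid":"C4beac","id.orig_h":"10.0.0.5","id.orig_p":49180,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.9,"orig_bytes":512,"resp_bytes":1024,"conn_state":"SF"}
{"ts":1700000240.0,"uid":"C5beac","id.orig_h":"10.0.0.5","id.orig_p":49192,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.9,"orig_bytes":512,"resp_bytes":1024,"conn_state":"SF"}
{"ts":1700000300.0,"uid":"C9scan","id.orig_h":"10.0.0.5","id.orig_p":60000,"id.resp_h":"203.0.113.99","id.resp_p":8080,"proto":"tcp","orig_bytes":0,"resp_bytes":0,"conn_state":"S0"}
"""

# Constructed dns.log: both queries ride the same UDP flow as conn uid C8dns.
DNS_LOG = """\
{"ts":1700000005.0,"uid":"C8dns","id.orig_h":"10.0.0.5","id.orig_p":53001,"id.resp_h":"10.0.0.1","id.resp_p":53,"proto":"udp","trans_id":4711,"query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR","answers":["192.0.2.44"]}
{"ts":1700000005.1,"uid":"C8dns","id.orig_h":"10.0.0.5","id.orig_p":53001,"id.resp_h":"10.0.0.1","id.resp_p":53,"proto":"udp","trans_id":4712,"query":"aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgbGFiZWw.t.example.net","qtype_name":"TXT","rcode_name":"NOERROR","answers":["v=ok"]}
"""


def parse_zeek_json(text):
    """Parse newline-delimited JSON as written by Zeek's ASCII writer in JSON mode."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def beacon_candidates(conn, min_count=4, max_cv=0.1):
    """Flag (orig_h, resp_h, resp_p) triples whose flow start times are periodic:
    at least min_count flows and a coefficient of variation of the gaps <= max_cv."""
    by_pair = defaultdict(list)
    for r in conn:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    hits = []
    for (orig_h, resp_h, resp_p), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"orig_h": orig_h, "resp_h": resp_h, "resp_p": resp_p,
                         "count": len(times), "period_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def long_connections(conn, min_duration=3600.0):
    """Flows open longer than min_duration seconds. Zeek omits 'duration' on
    flows it never saw complete (e.g. S0), so default it to zero."""
    return [r for r in conn if r.get("duration", 0.0) >= min_duration]


def suspicious_dns(dns, max_label=30):
    """Queries containing a DNS label longer than max_label characters, a
    cheap indicator for tunnelling or encoded data in subdomains."""
    hits = []
    for r in dns:
        query = r.get("query", "")
        longest = max((len(label) for label in query.split(".")), default=0)
        if longest > max_label:
            hits.append({"uid": r["uid"], "orig_h": r["id.orig_h"],
                         "query": query, "longest_label": longest})
    return hits


def timeline(conn, dns):
    """Merge conn and dns into ts-ordered (ts, uid, summary) rows, joined on uid
    so each DNS query is read next to the flow that carried it."""
    dns_by_uid = defaultdict(list)
    for r in dns:
        dns_by_uid[r["uid"]].append(r["query"])
    rows = []
    for r in sorted(conn, key=lambda rec: rec["ts"]):
        summary = (f"{r['id.orig_h']}:{r['id.orig_p']} -> {r['id.resp_h']}:{r['id.resp_p']} "
                   f"{r['proto']}/{r.get('service', '-')} {r['conn_state']}")
        if r["uid"] in dns_by_uid:
            summary += " dns=" + ",".join(dns_by_uid[r["uid"]])
        rows.append((r["ts"], r["uid"], summary))
    return rows


if __name__ == "__main__":
    conn, dns = parse_zeek_json(CONN_LOG), parse_zeek_json(DNS_LOG)
    for hit in beacon_candidates(conn):
        print("beacon?", hit)
    for r in long_connections(conn):
        print("long flow", r["uid"], r["id.orig_h"], "->", r["id.resp_h"], r["duration"], "s")
    for hit in suspicious_dns(dns):
        print("long dns label", hit)
    for ts, uid, summary in timeline(conn, dns):
        print(f"{ts:.1f} {uid:7} {summary}")
```

Against real logs, point parse_zeek_json at the rotated files under /opt/zeek/logs/ rather than the live files in current/, and tune min_count and max_cv to your environment: update checkers and monitoring agents also beacon, so the result is a hunting lead to enrich from ssl.log and x509.log, not an alert.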
Integration ideas
- Ingest into Wazuh, Elastic, or Graylog as JSON
- Combine with Suricata in Security Onion for one-stop NSM
- Feed connection metadata to TheHive for context on alerts
Alternatives
- Suricata — Signature-based detection; less metadata depth.
- Arkime — Full packet capture + search; heavier disk footprint.
Cyentrix verdict
The single best addition for hunting and post-incident analysis. Pair with Suricata — they're complementary, not competitive.