Zeek (Bro) Connection & Protocol Logs
Location
Zeek log directory (typically /opt/zeek/logs/ or /nsm/zeek/logs/)
Description
Structured network metadata logs generated by Zeek including conn.log (connection summaries), http.log (HTTP transactions), dns.log (DNS queries), ssl.log (TLS handshakes), files.log (file transfers with hashes), and x509.log (certificate details).
Forensic Value
Zeek produces the most comprehensive structured network metadata available from a single sensor. conn.log provides NetFlow-equivalent records enriched with connection state analysis and service identification. ssl.log exposes certificate details for encrypted C2 channels, enabling detection of self-signed or anomalous certificates. files.log extracts hashes of transferred files for immediate threat-intel lookups without needing full PCAP. The UID field links related logs across all Zeek log types for a single connection.
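As an added example (not code from this page or from the Zeek project), the following Python parser reads Zeek's TSV log format and joins ssl.log rows to conn.log rows through the shared uid field, flagging sessions whose certificate subject equals its issuer (a self-signed heuristic) or whose duration exceeds an hour. The log snippets are constructed; field names follow the stock conn.log and ssl.log schemas.

```python
# Added example (not Zeek's own code): parse Zeek TSV logs and link ssl.log
# rows to conn.log rows via uid. Sample records below are constructed.

def parse_zeek_tsv(text):
    """Yield one dict per record, honouring the #separator/#unset_field/#fields header."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if line.startswith("#separator "):   # value is an escape such as \x09
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):           # remaining header lines use sep
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
        elif line and fields:                # data row: map unset marker to None
            values = [None if v == unset else v for v in line.split(sep)]
            yield dict(zip(fields, values))

def suspicious_tls_sessions(conn_text, ssl_text, long_secs=3600):
    """Join ssl.log to conn.log on uid; flag self-signed certs and long sessions."""
    conns = {r["uid"]: r for r in parse_zeek_tsv(conn_text)}
    findings = []
    for s in parse_zeek_tsv(ssl_text):
        c = conns.get(s["uid"])
        if c is None:                        # ssl row without a matching conn row
            continue
        reasons = []
        if s.get("subject") and s["subject"] == s.get("issuer"):  # heuristic only
            reasons.append("self-signed")
        if c.get("duration") and float(c["duration"]) > long_secs:
            reasons.append("long-lived")
        if reasons:
            findings.append((s["uid"], c["id.resp_h"], c["id.resp_p"], reasons))
    return findings

CONN_LOG = "\n".join([                       # constructed conn.log excerpt
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes",
    "1705312800.1\tCabc1\t10.0.0.5\t51234\t203.0.113.7\t443\ttcp\tssl\t7200.5\t1200\t98000",
    "1705312801.2\tCabc2\t10.0.0.6\t51235\t198.51.100.9\t443\ttcp\tssl\t-\t300\t4000",
])
SSL_LOG = "\n".join([                        # constructed ssl.log excerpt
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tsubject\tissuer",
    "1705312800.2\tCabc1\t10.0.0.5\t51234\t203.0.113.7\t443\tTLSv12\t-\tCN=update.example\tCN=update.example",
    "1705312801.3\tCabc2\t10.0.0.6\t51235\t198.51.100.9\t443\tTLSv12\twww.example.org\tCN=www.example.org\tCN=R3,O=Let's Encrypt",
])
```

Calling `suspicious_tls_sessions(CONN_LOG, SSL_LOG)` returns only Cabc1, tagged both self-signed and long-lived; a certificate-validation result from Zeek's own validation_status field is the authoritative check when that script is loaded.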
Tools Required
Collection Commands
zeek-cut
cat /opt/zeek/logs/current/conn.log | zeek-cut ts uid id.orig_h id.resp_h id.resp_p proto orig_bytes resp_bytes duration | sort -t$'\t' -k8 -rn | head -100 > top_connections.txt
Zeek
zeek -r capture.pcap /opt/zeek/share/zeek/site/local.zeek && cat conn.log dns.log http.log ssl.log files.log
RITA
rita import /opt/zeek/logs/2024-01-* --database ir_case && rita show-beacons ir_case --tsv > beacons.tsv && rita show-long-connections ir_case --tsv > long_conns.tsv