Zeek (Bro) Connection & Protocol Logs

Category: Network. Tags: Network Traffic, Network Capture, SIEM / Log Aggregator

Location

Zeek log directory (typically /opt/zeek/logs/ or /nsm/zeek/logs/)

Description

Structured network metadata logs generated by Zeek including conn.log (connection summaries), http.log (HTTP transactions), dns.log (DNS queries), ssl.log (TLS handshakes), files.log (file transfers with hashes), and x509.log (certificate details).

Forensic Value

Zeek produces the most comprehensive structured network metadata available from a single sensor. conn.log provides NetFlow-equivalent records enriched with connection state analysis and service identification. ssl.log exposes certificate details for encrypted C2 channels, enabling detection of self-signed or anomalous certificates. files.log extracts hashes of transferred files for immediate threat-intel lookups without needing full PCAP. The UID field links related logs across all Zeek log types for a single connection.
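As an added example (not part of this reference entry or of the Zeek project), the following Python joins constructed conn.log, ssl.log and files.log records on the UID field described above, flags a self-signed server certificate and collects a transferred file's SHA-256 for threat-intel lookup. Hosts, UIDs and the hash are hypothetical sample values; note that files.log carries a conn_uids set rather than a single uid, which the join handles.

```python
# Constructed sample Zeek ASCII logs (hypothetical hosts, UIDs and hashes); each
# #fields header keeps only the columns the join needs.
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "1700000000.10\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\tSF\n"
    "1700000001.20\tCmES5u32sYpV7JYN\t10.0.0.5\t51235\t198.51.100.7\t80\ttcp\thttp\tSF\n"
)
SSL_LOG = (
    "#fields\tts\tuid\tversion\tserver_name\tvalidation_status\n"
    "1700000000.15\tCHhAvVGS1DHFjwGM9\tTLSv12\t-\tself signed certificate\n"
)
FILES_LOG = (
    "#fields\tts\tfuid\tconn_uids\tsource\tmime_type\tsha256\n"
    "1700000001.30\tFx1abc2DEf3ghI\tCmES5u32sYpV7JYN\tHTTP\tapplication/x-dosexec\t"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n"
)

def parse_zeek_tsv(text):
    """Rows as dicts keyed by the #fields header; other '#' lines are metadata, '-' is unset."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def correlate(conn_text, ssl_text, files_text):
    """Join the three logs into {uid: {"conn": row, "ssl": [rows], "files": [rows]}}."""
    by_uid, blank = {}, lambda: {"conn": None, "ssl": [], "files": []}
    for r in parse_zeek_tsv(conn_text):
        by_uid.setdefault(r["uid"], blank())["conn"] = r
    for r in parse_zeek_tsv(ssl_text):
        by_uid.setdefault(r["uid"], blank())["ssl"].append(r)
    for r in parse_zeek_tsv(files_text):
        # files.log has no single uid: conn_uids is a comma-separated set, since
        # one file transfer can span several connections.
        for uid in r["conn_uids"].split(","):
            by_uid.setdefault(uid, blank())["files"].append(r)
    return by_uid

def findings(by_uid):
    """Self-signed server certs and file hashes (for threat-intel lookup), each tied to its UID."""
    out = []
    for uid, rec in by_uid.items():
        out += [(uid, "self-signed cert", s["server_name"]) for s in rec["ssl"]
                if s.get("validation_status", "").startswith("self signed")]
        out += [(uid, "file hash", f["sha256"]) for f in rec["files"] if f.get("sha256", "-") != "-"]
    return out
```

On a real sensor the same functions apply to the full logs; the UID lookups then replace a manual grep across conn.log, ssl.log and files.log.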

Tools Required

Zeek, zeek-cut, RITA, SIEM (Splunk, Elastic), jq