Zeek Traffic Analyzer 3.0.0 Released

Seven years after the previous major branch was formed, release 3.0.0 of the Zeek traffic analysis and network intrusion detection system, formerly distributed under the name Bro, has been published. This is the first major release since the project was renamed; the rename was made because the name Bro had come to be associated with the marginal subculture of the same name rather than with the allusion to "Big Brother" from George Orwell's novel "1984" that the authors intended. The system is written in C++ and distributed under the BSD license.

Zeek is a traffic analysis platform primarily focused on, but not limited to, monitoring security-related events. Modules are provided for analyzing and parsing various application-level network protocols; they track connection state and allow a detailed log (archive) of network activity to be built. A domain-specific language is provided for writing scripts that monitor traffic and detect anomalies, tailored to the specifics of a particular infrastructure. The system is optimized for use in high-bandwidth networks. An API is provided for integration with third-party information systems and real-time data exchange.

In the new release:

  • The NTP protocol parser has been completely rewritten and a new MQTT parser added. Analyzer capabilities for DNS, RDP, SMB and TLS have been extended: for DNS, SPF records are now parsed, and for DNSSEC the RRSIG, DNSKEY, DS, NSEC and NSEC3 records are parsed and corresponding events raised. The SMB parser gained support for SMB 3.x, and the TLS parser support for TLS 1.3;
  • Implemented decapsulation of traffic carried inside VXLAN tunnels;
  • Added support for NFLOG link types;
  • Added the ability to write extracted data to logs in UTF-8 encoding;
  • The scripting language gained closures for anonymous functions, a key/value table iteration form ("for ( key, value in t )"), Python-style vector slicing ("v[2:4]"), and a new paraglob data structure for fast matching of string masks (glob patterns) against large data sets;
  • All references to the name "bro" in file paths, settings, packages, scripts, namespaces and functions have been changed to "zeek" (old names are still supported for backwards compatibility). The bro-pkg package manager has been renamed zkg.
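As an added illustration that is not part of the announcement or of the Zeek project's own scripts, the following Zeek 3.0 script exercises the three scripting-language additions listed above (a closure capturing a local, key/value table iteration, and vector slicing) on a constructed table of per-host connection counts; the names `conn_counts` and `busy_hosts` are this example's own.

```zeek
# Added example (not from the release announcement).
# Constructed sample data: connection counts per host, not captured traffic.
global conn_counts: table[addr] of count = table(
    [192.0.2.10] = 12,
    [192.0.2.20] = 3,
    [198.51.100.7] = 40
);

# Return the hosts whose connection count exceeds `threshold`.
# The anonymous function is a closure (new in 3.0): it reads `threshold`
# from the enclosing function's scope instead of taking it as a parameter.
function busy_hosts(threshold: count): vector of addr
    {
    local is_busy = function(n: count): bool { return n > threshold; };
    local result: vector of addr = vector();

    # Key/value table iteration (new in 3.0): both the key and the value
    # are bound per step, so no separate conn_counts[host] lookup is needed.
    for ( host, n in conn_counts )
        {
        if ( is_busy(n) )
            result[|result|] = host;
        }

    return result;
    }

event zeek_init()
    {
    local v: vector of count = vector(10, 20, 30, 40, 50);

    # Python-style slicing (new in 3.0): elements at indices 1 and 2,
    # the upper bound being exclusive, as in Python.
    print fmt("v[1:3] = %s", v[1:3]);

    # Plain vector iteration still yields indices, not elements.
    local busy = busy_hosts(5);
    for ( i in busy )
        print fmt("host above threshold: %s", busy[i]);
    }
```

Run it with `zeek example.zeek`; the hosts are printed in table iteration order, which is not guaranteed to be stable between runs.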

Source: opennet.ru
