Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-network-traffic-analysis-with-zeekExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-network-traffic-analysis-with-zeek from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-network-traffic-analysis-with-zeek. Access via /performing-network-traffic-analysis-with-zeek in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Quickly understand datasets, identify patterns, and generate insights
Example
Analyze CSV with 100K rows, identify outliers, visualize correlations, suggest hypotheses
Reduce EDA time from hours to minutes, uncover insights faster
Write scripts to clean messy data, handle missing values, normalize formats
Example
Generate Python/SQL to fix date formats, impute missing values, remove duplicates
Automate 80% of data preprocessing work
Perform hypothesis testing, regression, and statistical modeling
Example
Run A/B test analysis, calculate confidence intervals, interpret p-values
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-network-traffic-analysis-with-zeek |
| description | Deploy Zeek network security monitor to capture, parse, and analyze network traffic metadata for threat detection, anomaly identification, and forensic investigation. |
| domain | cybersecurity |
| subdomain | network-security |
| tags | - zeek - network-monitoring - traffic-analysis - ids - nids - pcap - threat-detection - forensics - siem-integration |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - DE.CM-01 - ID.AM-03 - PR.DS-02 |
Zeek (formerly Bro) is an open-source network analysis framework that operates as a passive network security monitor. Unlike traditional signature-based IDS tools, Zeek generates high-fidelity structured logs from observed network traffic, capturing detailed metadata for protocols including HTTP, DNS, TLS, SSH, SMTP, FTP, and dozens more. Zeek's extensible scripting language enables custom detection logic, behavioral analysis, and automated response. This skill covers deploying Zeek, understanding its log architecture, writing custom detection scripts, and integrating outputs with SIEM platforms.
Zeek operates in two main modes:
The processing pipeline consists of:
Zeek generates protocol-specific log files:
| Log File | Description |
|---|---|
conn.log | TCP/UDP/ICMP connection summaries with duration, bytes, state |
dns.log | DNS queries and responses with query type, answers, TTL |
http.log | HTTP requests/responses with URIs, user agents, MIME types |
ssl.log | TLS handshake details including certificate chain, JA3/JA3S |
files.log | File transfers with MIME types, hashes (MD5, SHA1, SHA256) |
notice.log | Alerts generated by Zeek detection scripts |
weird.log | Protocol anomalies and unexpected behaviors |
x509.log | Certificate details from TLS connections |
smtp.log | Email metadata including sender, recipient, subject |
ssh.log | SSH connection details and authentication results |
pe.log | Portable Executable file metadata |
dpd.log | Dynamic Protocol Detection failures |
# Install Zeek on Ubuntu
sudo apt-get install -y zeek
# Or install from Zeek repository
echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' | \
sudo tee /etc/apt/sources.list.d/zeek.list
sudo apt-get update && sudo apt-get install -y zeek-lts
# Verify installation
zeek --version
Configure the node layout in /opt/zeek/etc/node.cfg:
[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=4
[worker-2]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=4
Configure network definitions in /opt/zeek/etc/networks.cfg:
# Internal network ranges
10.0.0.0/8 Private RFC1918
172.16.0.0/12 Private RFC1918
192.168.0.0/16 Private RFC1918
Edit /opt/zeek/share/zeek/site/local.zeek:
# Load standard detection scripts
@load base/protocols/conn
@load base/protocols/dns
@load base/protocols/http
@load base/protocols/ssl
@load base/protocols/ssh
@load base/protocols/smtp
@load base/protocols/ftp
# Load file analysis
@load base/files/hash-all-files
@load base/files/extract-all-files
# Load detection frameworks
@load base/frameworks/notice
@load base/frameworks/intel
@load base/frameworks/files
@load base/frameworks/software
# Load additional protocol analyzers
@load policy/protocols/ssl/validate-certs
@load policy/protocols/ssl/log-hostcerts-only
@load policy/protocols/ssh/detect-bruteforcing
@load policy/protocols/dns/detect-external-names
@load policy/protocols/http/detect-sqli
# Enable JA3 fingerprinting
@load policy/protocols/ssl/ja3
# Enable JSON output for SIEM ingestion
@load policy/tuning/json-logs
redef LogAscii::use_json = T;
# Configure file extraction directory
redef FileExtract::prefix = "/opt/zeek/extracted/";
# Set notice email
redef Notice::mail_dest = "[email protected]";
Create detection scripts for common threats:
Detect DNS Tunneling (/opt/zeek/share/zeek/site/detect-dns-tunnel.zeek):
@load base/protocols/dns
module DNSTunnel;
export {
redef enum Notice::Type += {
DNS_Tunnel_Suspected
};
# Threshold for suspicious DNS query length
const query_len_threshold = 50 &redef;
# Track query counts per host per domain
global dns_query_counts: table[addr, string] of count &default=0 &create_expire=5min;
# High query volume threshold
const query_volume_threshold = 100 &redef;
}
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
if ( |query| > query_len_threshold )
{
local parts = split_string(query, /\./);
if ( |parts| > 3 )
{
local base_domain = cat(parts[|parts|-2], ".", parts[|parts|-1]);
dns_query_counts[c$id$orig_h, base_domain] += 1;
if ( dns_query_counts[c$id$orig_h, base_domain] > query_volume_threshold )
{
NOTICE([$note=DNS_Tunnel_Suspected,
$msg=fmt("Possible DNS tunneling: %s queries to %s with long query names",
c$id$orig_h, base_domain),
$conn=c,
$identifier=cat(c$id$orig_h, base_domain),
$suppress_for=30min]);
}
}
}
}
Detect Beaconing Behavior (/opt/zeek/share/zeek/site/detect-beaconing.zeek):
@load base/protocols/conn
module Beaconing;
export {
redef enum Notice::Type += {
C2_Beacon_Detected
};
# Track connection intervals
global conn_intervals: table[addr, addr, port] of vector of time &create_expire=1hr;
const min_connections = 20 &redef;
const jitter_threshold = 0.15 &redef;
}
event connection_state_remove(c: connection)
{
if ( c$id$resp_p == 80/tcp || c$id$resp_p == 443/tcp )
{
local key = [c$id$orig_h, c$id$resp_h, c$id$resp_p];
if ( key !in conn_intervals )
conn_intervals[key] = vector();
conn_intervals[key] += network_time();
if ( |conn_intervals[key]| >= min_connections )
{
local intervals: vector of interval = vector();
local i = 1;
while ( i < |conn_intervals[key]| )
{
intervals += conn_intervals[key][i] - conn_intervals[key][i-1];
i += 1;
}
# Calculate mean and standard deviation
local sum_val = 0.0;
for ( idx in intervals )
sum_val += interval_to_double(intervals[idx]);
local mean_val = sum_val / |intervals|;
local variance = 0.0;
for ( idx in intervals )
{
local diff = interval_to_double(intervals[idx]) - mean_val;
variance += diff * diff;
}
variance = variance / |intervals|;
local stddev = sqrt(variance);
if ( mean_val > 0 && (stddev / mean_val) < jitter_threshold )
{
NOTICE([$note=C2_Beacon_Detected,
$msg=fmt("Possible C2 beaconing: %s -> %s:%s (interval=%.1fs, jitter=%.2f)",
c$id$orig_h, c$id$resp_h, c$id$resp_p,
mean_val, stddev/mean_val),
$conn=c,
$identifier=cat(c$id$orig_h, c$id$resp_h),
$suppress_for=1hr]);
}
}
}
}
Load threat intelligence feeds into Zeek:
# In local.zeek
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += {
"/opt/zeek/intel/malicious-ips.intel",
"/opt/zeek/intel/malicious-domains.intel",
"/opt/zeek/intel/malicious-hashes.intel",
};
Intel file format (/opt/zeek/intel/malicious-ips.intel):
#fields indicator indicator_type meta.source meta.desc meta.do_notice
198.51.100.50 Intel::ADDR abuse.ch Known C2 server T
203.0.113.100 Intel::ADDR threatfeed Ransomware infrastructure T
# Deploy Zeek cluster
sudo /opt/zeek/bin/zeekctl deploy
# Check cluster status
sudo /opt/zeek/bin/zeekctl status
# Process offline PCAP
zeek -r capture.pcap local.zeek
# View logs
cat /opt/zeek/logs/current/conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service duration orig_bytes resp_bytes
# Search for specific connections
cat /opt/zeek/logs/current/dns.log | zeek-cut query answers | grep -i "suspicious"
# Rotate logs
sudo /opt/zeek/bin/zeekctl cron
Filebeat configuration for ELK Stack:
filebeat.inputs:
- type: log
enabled: true
paths:
- /opt/zeek/logs/current/*.log
json.keys_under_root: true
json.add_error_key: true
fields:
source: zeek
fields_under_root: true
output.elasticsearch:
hosts: ["https://elasticsearch:9200"]
index: "zeek-%{+yyyy.MM.dd}"
setup.template.name: "zeek"
setup.template.pattern: "zeek-*"
# Find top talkers by bytes
cat conn.log | zeek-cut id.orig_h orig_bytes | sort -t$'\t' -k2 -rn | head -20
# Find long-duration connections (potential C2)
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p duration | awk '$4 > 3600' | sort -t$'\t' -k4 -rn
# Find connections with unusual ports
cat conn.log | zeek-cut id.resp_p proto | sort | uniq -c | sort -rn | head -30
# Find self-signed certificates
cat ssl.log | zeek-cut server_name validation_status | grep "self signed"
# Extract JA3 fingerprints for known malware
cat ssl.log | zeek-cut ja3 server_name | sort | uniq -c | sort -rn
# Find expired certificates
cat ssl.log | zeek-cut server_name not_valid_after | awk -F'\t' '$2 < systime()'
capture_loss.log for dropped packetsGet statistically sound analysis without PhD in statistics
Create charts, dashboards, and visual reports
Example
Generate matplotlib/seaborn code for time series plots, distribution charts, heatmaps
Build presentation-ready visualizations 3x faster
Prerequisites
Time Estimate
20-40 minutes to set up and run first analysis
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use for exploratory data analysis, data cleaning, statistical testing, visualization prototyping, and learning new analysis techniques. Best for initial exploration and rapid insights.
✗ Avoid when
Avoid for mission-critical financial analysis, medical research requiring regulatory compliance, production ML models, or when deep statistical expertise is required for nuanced interpretation.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
I recommend performing-network-traffic-analysis-with-zeek for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
performing-network-traffic-analysis-with-zeek fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Useful defaults in performing-network-traffic-analysis-with-zeek — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
performing-network-traffic-analysis-with-zeek has been reliable in day-to-day use. Documentation quality is above average for community skills.
Registry listing for performing-network-traffic-analysis-with-zeek matched our evaluation — installs cleanly and behaves as described in the markdown.
Keeps context tight: performing-network-traffic-analysis-with-zeek is the kind of skill you can hand to a new teammate without a long onboarding doc.
performing-network-traffic-analysis-with-zeek fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
performing-network-traffic-analysis-with-zeek has been reliable in day-to-day use. Documentation quality is above average for community skills.
Registry listing for performing-network-traffic-analysis-with-zeek matched our evaluation — installs cleanly and behaves as described in the markdown.
Useful defaults in performing-network-traffic-analysis-with-zeek — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
showing 1-10 of 28