Zeek Plugin

The Threat Bus Zeek plugin enables communication with the Zeek network monitor. The plugin handles all communication with Zeek via the "Zeek Messaging Library" Broker.

The plugin makes the following deployment assumptions:

  1. Indicators of compromise (IoCs) are published on the Threat Bus topic threatbus/intel.
  2. The Zeek Intelligence Framework is enabled and can match IoCs.

With the help of this plugin and the accompanying Zeek script, Zeek subscribes to the topic threatbus/intel, where it receives IoC updates and applies them to the Intelligence Framework data.

After an IoC match, Zeek generates a sighting and passes it to Threat Bus. Sightings are published to the topic threatbus/sighting. Plugins that consume sightings, such as the MISP plugin, can subscribe to this topic.

Installation

The plugin uses the Broker Python bindings for native interaction with Zeek. Broker and its Python bindings need to be installed on the Threat Bus host system to use this plugin. Please consult the official Broker documentation for installation instructions.

Once the prerequisites are met, install the Zeek plugin via pip.

pip install threatbus-zeek

Configuration

The plugin starts a listening Broker endpoint. The characteristics of the listening endpoint can be configured as follows.

...
plugins:
  apps:
    zeek:
      host: "127.0.0.1"
      port: 47761
      module_namespace: Tenzir
...

The last parameter module_namespace: Tenzir is required for Zeek's messaging library Broker.

Threat Bus Zeek Script

Threat Bus is a pub/sub broker for threat intelligence data. Applications like Zeek have to register themselves at the bus. Zeek cannot communicate with Threat Bus out of the box, so we provide a Zeek script that enables Zeek to communicate with Threat Bus.

The script can be configured via certain options for setting topic names or requesting an intel snapshot, as follows.

zeek -i <INTERFACE> -C ./apps/zeek/threatbus.zeek -- "Tenzir::snapshot_intel=-30 days"
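As an added example (not the project's threatbus.zeek script, whose real option names, events and argument lists differ), the following Zeek script sketches the flow described in the introduction and in this section: peer with the plugin's listening Broker endpoint, subscribe to threatbus/intel, load received IoCs into the Intelligence Framework, and publish a sighting to threatbus/sighting whenever Intel::match fires on one of them. The event names, the intel type strings ("ip", "domain", "url") and the operation names ("ADD", "REMOVE") are assumptions made for the example.

```zeek
##! Added example, not the project's threatbus.zeek. Wire event names,
##! argument lists, type strings and operation names are assumptions.
module ThreatBusExample;

export {
    ## Topics from the documentation; host and port match the plugin's
    ## listening endpoint from the configuration section.
    option intel_topic = "threatbus/intel";
    option sighting_topic = "threatbus/sighting";
    option bus_host = "127.0.0.1";
    option bus_port = 47761/tcp;

    ## Hypothetical wire events: the bus sends `intel`, Zeek answers with `sighting`.
    global intel: event(id: string, indicator: string, intel_type: string, operation: string);
    global sighting: event(ts: time, intel_id: string, indicator: string, context: string);
}

## Assumed mapping from Threat Bus type strings onto Intel framework types.
const type_map: table[string] of Intel::Type = {
    ["ip"] = Intel::ADDR,
    ["domain"] = Intel::DOMAIN,
    ["url"] = Intel::URL,
} &redef;

## Every item loaded from the bus is tagged with this source so that matches
## on intel from other feeds are not reported back as sightings.
const intel_source = "threatbus";

event zeek_init()
{
    Broker::subscribe(intel_topic);
    # Zeek connects to the endpoint the Threat Bus plugin listens on.
    Broker::peer(bus_host, bus_port);
}

event intel(id: string, indicator: string, intel_type: string, operation: string)
{
    if ( intel_type !in type_map )
    {
        Reporter::warning(fmt("ignoring IoC %s with unsupported type %s", id, intel_type));
        return;
    }

    local item: Intel::Item = [
        $indicator = indicator,
        $indicator_type = type_map[intel_type],
        # desc carries the Threat Bus ID so a later match can reference it.
        $meta = [$source = intel_source, $desc = id]
    ];

    if ( operation == "ADD" )
        Intel::insert(item);
    else if ( operation == "REMOVE" )
        Intel::remove(item, T);
    else
        Reporter::warning(fmt("ignoring IoC %s with unknown operation %s", id, operation));
}

## The Intel framework raises Intel::match for every hit; hits on items that
## came from the bus are turned into sightings and published back.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
{
    for ( item in items )
    {
        if ( item$meta$source != intel_source )
            next;

        local ctx = fmt("seen in %s", s$where);
        if ( s?$conn )
            ctx = fmt("%s, connection %s", ctx, s$conn$uid);

        Broker::publish(sighting_topic, sighting, network_time(),
                        item$meta$desc, item$indicator, ctx);
    }
}
```

Loading the script alongside the Intelligence Framework (for example with `zeek -i <INTERFACE> -C ./threatbus_example.zeek`, a constructed file name) is enough for the round trip: the filter on `item$meta$source` is what keeps sightings scoped to indicators that actually arrived over threatbus/intel, and the Threat Bus ID travels in the item's `desc` field so the consuming side can correlate a sighting with the IoC it reported.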