Augmenting Zeek with additional scripts


I’m a computer science student currently working on his bachelor thesis. My project involves creating a secret channel aimed at communicating covertly over a network. In order to evaluate its stealthiness I’m trying to test whether IDS such as Zeek or Suricata are able to notice something’s wrong upon analyzing the .pcap I recorded while using the channel to transmit.

I successfully installed Zeek on the virtual machine I’m using but I’m confused about what steps I should take in order to expand it with additional scripts/rules/community created augments in order to make its controls more strict. My only former experience with an IDS is with Suricata, where I used suricata-update to automatically download pre-existing rule sets created by online communities, thus expanding Suricata’s base installation. Compared to Suricata, I’m struggling with Zeek mainly because:

  1. I don’t seem to be able to find any pre-existing rule set (or in Zeek’s case, script set) I can simply download and add to the program (not sure if it’s my fault, in that I may have simply needed to use better Google queries)

  2. I’m still having some trouble understanding Zeek’s architecture. I’m assuming what I should be looking for in order to tighten my security scans are new scripts I can add, but then I noticed there’s also whole packages and plug ins Zeek can be augmented with. I’m ultimately not sure about what would work best in my specific case.

  3. I’m getting the feeling (correct me if I’m wrong) that most people prefer to write their own scripts rather than resort to community created sets (which would explain why I wasn’t able to find that many, as explained in point 1) ). If I were to follow this logic, the most natural thing to do would be to implement myself the scripts I need for my network. In my case however the network is purely fictional, as I’m merely trying to imagine what could be the average use case for a company that runs Zeek to guard its network (I do understand that different companies have different sizes, different threats to look out for and different needs, meaning this “average” would also be very approximate).

My channel ultimately transmits information using network steganography based on manipulating the header fields used by TCP and IP protocols. It does not alter a packet’s content at the Application level and as such I don’t believe I should be interested in any script that focuses too much on the packet’s payload/content. I already tried scanning the .pcap using Zeek’s base installation but it produced no weird.log nor notice.log files, so I’m assuming it doesn’t see anything suspicious (at least for now). Since I’m just a beginner and have no experience with real life scenarios and use cases involving Zeek I’m open to any kind of advice from more experienced people in regards to what I should be adding to Zeek’s base installation in order to improve its chances of spotting odd behaviour related to my secret channel.

Thanks in advance for your attention.


Thanks for your detailed description.

I don’t think Zeek “out of the box” is going to do much for you if you are manipulating TCP or IP headers. You might get some NOTICE or WEIRD events, however.

The packages repository is available at

but I find the list here easier to consume

This is a really old idea, e.g. one famous example:

It’s basically not worth the effort to build covert channels into TCP or IP headers, though, for two reasons:

  1. It’s easier to just encrypt the payload, whether via TLS or a nonstandard protocol, if the intruder worries about TLS break and inspect,

and more importantly,

  1. The proliferation of middle-boxes which rewrite TCP and IP headers means that your covert channel is probably not going to survive getting into or out of the target environment.