Looking for Best Practices for Tuning Zeek Scripts in High-Traffic Environments?

Hey everyone,

I have been working with Zeek for a few months now in a mid-sized enterprise environment, and it’s been incredibly useful for network visibility. However, as traffic volume increases, I have noticed some performance issues — mostly higher memory usage and occasional packet loss when capturing data during peak hours.

I have written a few custom Zeek scripts to track specific application behavior, but I suspect some may not be optimized. I have gone through the official docs and GitHub examples, but I would love to hear from others in the community:

What are your go-to strategies for optimizing Zeek scripts?

Are there specific functions or patterns to avoid when dealing with heavy network loads?

How do you handle logging efficiently without overwhelming the system?

Appreciate any tips, real-world examples, or lessons learned. I am also curious whether using Intel feeds or the Notice framework has added any unexpected overhead.

Thanks in advance!

Daniel Jose
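As an added illustration of the three questions above (it is not code from the poster or from the Zeek project), the script below shows the patterns most often recommended for high-traffic sensors: keep per-host state in a table with `&create_expire` so it cannot grow without bound, hook a protocol-level event (`http_request`) instead of `new_packet` or `raw_packet`, and attach a log filter predicate so only records you care about reach disk. The module name `AppTrack`, the stream path `app_track`, the threshold of 500 requests, the 60-second window and the `Request_Flood` notice type are all constructed for this example.

```zeek
##! Added example (not from the original post): bounded per-host HTTP request
##! tracking with filtered logging and a rate-limited notice.

@load base/protocols/http
@load base/frameworks/notice

module AppTrack;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:   time  &log;
        host: addr  &log;
        reqs: count &log;
    };

    ## Requests per host per window before we log and notice (constructed value).
    const req_threshold = 500 &redef;

    ## How long a host's counter lives after it is created.
    const window = 60sec &redef;

    redef enum Notice::Type += { Request_Flood };
}

# Bounded state: each entry is dropped `window` after creation instead of
# accumulating for the lifetime of the process.
global reqs: table[addr] of count &create_expire=window &default=0;

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="app_track"]);

    # Replace the default filter with one that only writes records for
    # RFC 1918 client addresses, cutting log volume at the source.
    Log::remove_default_filter(LOG);
    Log::add_filter(LOG, [$name="internal-only",
                          $pred(rec: Info) = { return Site::is_private_addr(rec$host); }]);
    }

# A protocol-level event fires once per request, not once per packet,
# so the script does far less work per byte of traffic.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    local h = c$id$orig_h;
    ++reqs[h];

    # Act exactly once when the threshold is crossed, not on every request after it.
    if ( reqs[h] == req_threshold )
        {
        Log::write(LOG, [$ts=network_time(), $host=h, $reqs=reqs[h]]);
        NOTICE([$note=Request_Flood,
                $msg=fmt("%s exceeded %d HTTP requests in %s", h, req_threshold, window),
                $src=h,
                $identifier=cat(h),
                $suppress_for=10min]);
        }
    }
```

Load it with `zeek -r sample.pcap app_track.zeek` against a capture from a busy interval and compare the size of `app_track.log` with and without the filter predicate; the `$identifier` plus `$suppress_for` pair is what keeps the Notice framework from generating one notice per request once a host is over the line, which is the usual source of unexpected overhead when notices are added to a hot event handler.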