We already installed Zeek but we are not running it in real time to analyze traffic. So this is a guide to help you deploy Zeek and apply the previous script into real time. In the example below, Zeek installation's root directory defaults to /usr/local/zeek since we install it from the source.

Running Zeek Control

There are basic configurations we need to change before running it. In /usr/local/zeek/etc/node.cfg, set the right interface to monitor.

interface=eth0   # change this according to your listening interface in ifconfig

Now start the ZeekControl shell like:


On the ZeekControl shell, run install then deploy.

[ZeekControl] > install
[ZeekControl] > deploy

Just that and it will load Zeek some default scripts and run automatically. If you want to stop it, run command:

[ZeekControl] > stop

Log Files

Zeek generates important log files based on the network traffic statistics, interesting activity captured in the traffic, and detection focused log files. You can check all these log in /usr/local/zeek/logs.

As you can see, if you do not stop ZeekControl it will save logs each day in each repository. The /current folder contains log real time running.

Applying Custom Scripts

Now is the exciting part. In the previous article, we created scripts to block some specific addresses. But we only run it on a history traffic file. Here is how we apply these scripts to ZeekControl.

First, create a new repository /block-thread in /usr/local/zeek/share/zeek/policy/. Then add 2 files in the /block-thread:

  • __load__.zeek:
@load ./block_vpn.zeek
  • block_vpn.zeek:
event NetControl::init() {
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);

event new_connection(c: connection) {   
    local b = InternetDB::lookup_internetdb_api(c$id$resp_h);
    if ( b?$tags ){
        if ( "vpn" in b$tags ){
            NetControl::drop_connection(c$id, 1min);

The main entry point for the default analysis configuration of a Zeek instance managed by ZeekControl is the /usr/local/zeek/share/zeek/site/local.zeek script. This is where we add our new policy to ZeekControl. Open this script and add this line at the end of the file.

@load policy/block-thread

After we did all this configuration. Just rerun ZeekControl by install and deploy command.

We can check our new deploy script has been add or not by going to /usr/local/zeek/logs/current/loaded_scripts.log.If you look up, you can see our custom policy has been loaded when deploying ZeekControl.


Another thing you can notice is that it generates the /usr/local/zeek/logs/current/netcontrol.log file and it will be automatically saved to history.