Bro/Zeek Network Security Monitor

Project Summary

Vern Paxson developed the initial version of the Bro Network Security Monitor initial version in 1995 while at Lawrence Berkeley National Laboratory. The original software was called “Bro” as an “Orwellian reminder that monitoring comes hand in hand with the potential for privacy violations.” Bro changed its name to Zeek and has also been commercialized in a spinoff called Corelight.

Paxson first deployed Zeek while at the Berkeley Labin 1996, and the USENIX Security Symposium published Paxson’s original paper on Zeek in 1998, and awarded it the Best Paper Award that year. The paper was awarded a “Test of Time Award” in 2022 for its lasting impact on the research community.

The Berkeley Lab’s work with Zeek/Bro has continued over the years including 100G capable network monitoring using Bro in 2015; applications of Zeek/Bro to the Science DMZ and Medical Science DMZ network design patterns; the commercial spinoff of Zeek/Bro into Corelight(previously Broala) by Paxson, Robin Sommer, and LBNL Scientific Division Director / ESnet Director, Greg Bell; and Berkeley Lab and ESnet personnels’ continued roles on the Zeek Leadership Team.

The canonical reference for Zeek/Bro is Paxson’s 1999 ``Bro: A System for Detecting Network Intruders in Real-Time.''

More Information:

Vern Paxson
Zeek (open source)
Corelight (commercial spinoff)
additional history

More information is available on other Berkeley Lab R&D projects focusing on cybersecurity in general, as well as specifically on cybersecurity for research cyberinfrastructure and high-performance computing.