Brussels / 3 & 4 February 2024


ZeekJS: JavaScript support in Zeek

Zeek (formerly Bro) is an extensible and scriptable Network Security Monitor. For decades, it has provided its own custom scripting language as the primary way for users to handle low-level network protocol events. With the release of Zeek 6.0, support for JavaScript as an alternative scripting language has been added by embedding Node.js via the ZeekJS plugin.

$ cat hello.js
zeek.on('zeek_init', () => {
  console.log('Hello, Zeek!');

$ zeek ./hello.js
Hello, Zeek!

This talk will give a short Zeek introduction followed by a technical overview of how JavaScript support in Zeek was realized as an external plugin and demonstrate use-case examples. There will be details about Zeek's plugin architecture, its IO loop concepts and ways to interact with the Zeek script interpreter. Each of these enabled an almost seamless way to load .js script files, adding Node.js's libuv IO loop as another IO source into Zeek's main loop, as well as patching in JavaScript functions as Zeek event and hook handlers. Astonishingly, no modifications to Zeek's core were needed to pull this off.

One area this feature opens up is Zeek interacting with external systems by using Node.js builtin functionality or off-the-shelf libraries through npm - something where the Zeek scripting language ecosystem pales in comparison or quickly requires a C++ implementation. Concrete examples are sending HTTP requests in reaction to certain events, rapid log exporter prototyping (Redis, ZeroMQ), or serving HTTP APIs directly from within Zeek.


Photo of Arne Welzel Arne Welzel