# Install zeek with Homebrew, MacPorts, Nix, apt, scoop

Network security monitor. Version 8.2.0 via Homebrew; verified 2026-06-22.

## Install

```sh
sudo av install brew:zeek
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install zeek
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install zeek
```

  Evidence: MacPorts ports tree: net/zeek/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#zeek
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ze/zeek/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- Debian apt (92%):

```sh
sudo apt install bifcl
```

  Evidence: Debian stable package indexes: bifcl from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

### Windows

- Scoop (92%):

```sh
scoop install extras/btest
```

  Evidence: Scoop official bucket manifest trees: bucket/btest.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:zeek
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/zeek>
- **Version:** 8.2.0
- **Source summary:** Network security monitor
- **Homepage:** <https://zeek.org/>
- **Repository:** <https://github.com/zeek/zeek>
- **Upstream docs:** <https://docs.zeek.org/en/current>
- **License:** BSD-3-Clause
- **Source archive:** <https://github.com/zeek/zeek/releases/download/v8.2.0/zeek-8.2.0.tar.gz>
- **Last updated:** 2026-06-22T14:06:45-07:00
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- bifcl (cli)
- binpac (cli)
- btest (cli)
- btest-ask-update (cli)
- btest-bg-run (cli)
- btest-bg-run-helper (cli)
- btest-bg-wait (cli)
- btest-diff (cli)
- btest-diff-rst (cli)
- btest-progress (cli)
- btest-rst-cmd (cli)
- btest-rst-include (cli)
- btest-rst-pipe (cli)
- btest-setsid (cli)
- capstats (cli)
- hilti-config (cli)
- hiltic (cli)
- paraglob-test (cli)
- spicy-build (cli)
- spicy-config (cli)
- spicy-driver (cli)
- spicy-dump (cli)
- spicy-precompile-headers (cli)
- spicyc (cli)
- spicyz (cli)
- trace-summary (cli)
- zeek (cli)
- zeek-archiver (cli)
- zeek-client (cli)
- zeek-cluster-layout-generator (cli)
- zeek-config (cli)
- zeek-cut (cli)
- zeek-systemd-generator (cli)
- zeekctl (cli)
- zkg (cli)
- bifcl (alias)
- binpac (alias)
- btest (alias)
- btest-ask-update (alias)
- btest-bg-run (alias)
- btest-bg-run-helper (alias)
- btest-bg-wait (alias)
- btest-diff (alias)
- btest-diff-rst (alias)
- btest-progress (alias)
- btest-rst-cmd (alias)
- btest-rst-include (alias)
- btest-rst-pipe (alias)
- btest-setsid (alias)
- capstats (alias)
- hilti-config (alias)
- hiltic (alias)
- paraglob-test (alias)
- spicy-build (alias)
- spicy-config (alias)
- spicy-driver (alias)
- spicy-dump (alias)
- spicy-precompile-headers (alias)
- spicyc (alias)
- spicyz (alias)
- trace-summary (alias)
- zeek (alias)
- zeek-archiver (alias)
- zeek-client (alias)
- zeek-cluster-layout-generator (alias)
- zeek-config (alias)
- zeek-cut (alias)
- zeek-systemd-generator (alias)
- zeekctl (alias)
- zkg (alias)

## Dependencies

- c-ares
- libmaxminddb
- libuv
- node@24
- openssl@3
- python@3.14
- zeromq

## Build dependencies

- bison
- cmake
- flex
- swig

## Uses from macOS

- krb5
- libpcap

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 8.2.0
- Package-manager updated: 2026-06-22
- Local data: ok
- Upstream repository: https://github.com/zeek/zeek
- info: No cached GitHub release or tag data was available.
## Project history and usage

Zeek is the network security monitor formerly known as Bro: an open-source framework for turning network traffic into high-fidelity logs, events, and scriptable security telemetry. It is one of the canonical packages in network security monitoring.

### Project history

Vern Paxson developed the first version of Bro at Lawrence Berkeley National Laboratory in 1995, and Berkeley Lab says it was first deployed there in 1996. Paxson's original research paper on Bro appeared at the 1998 USENIX Security Symposium and later received a Test of Time Award, giving the project unusually strong research roots for an operational security tool.

The project changed its name from Bro to Zeek in 2018. The rename kept the technical lineage while moving away from a name tied to Orwellian surveillance language; the current Zeek site presents the project as a mature open-source network security monitoring tool used across university, national-lab, enterprise, and cloud environments.

Zeek evolved from a research network intrusion detection system into a broad traffic-analysis framework. Its architecture centers on protocol analyzers, an event engine, a domain-specific scripting language, and logs that describe network activity at a semantic level rather than only matching packets against signatures.

### Adoption history

Zeek's adoption grew through security operations centers, research networks, incident response teams, and enterprise monitoring programs that needed richer context than firewalls or classic intrusion prevention systems expose. Berkeley Lab notes continued work around 100G monitoring, Science DMZ environments, and the Corelight commercial spinoff.

The current Zeek site presents large adoption signals: worldwide deployments, thousands of tracked network events, many default log types, federally funded R&D history, and hundreds of community-contributed packages. The GitHub README also notes operational use by major companies plus educational and scientific institutions.

Its ecosystem includes community packages, ZeekControl/zeekctl for managing deployments, zkg for package management, and adjacent tools such as Spicy and BinPAC for protocol parsing. That gives Zeek a package ecosystem of its own inside the larger OS package ecosystem.

### How it is used

Users run Zeek on packet captures or live network interfaces to produce logs such as connection, DNS, HTTP, TLS, file, software, notice, and weird activity logs. Security teams then send those logs into SIEMs, data lakes, detection pipelines, or manual investigation workflows.

Zeek is scriptable: users write policy scripts and event handlers to add site-specific detection, extraction, enrichment, and logging behavior. Larger deployments use ZeekControl and cluster configuration files to split traffic analysis across workers, proxies, managers, and loggers.

### Why package nerds care

Zeek matters to package nerds because it is not just one binary: a Homebrew-style install exposes the analyzer, control tooling, test tooling, package tooling, protocol tooling, and helper commands. It is a full security platform delivered through packages.

It also shows how an academic research system can become durable operational infrastructure. The package carries decades of protocol-analysis practice, a rename, a commercial ecosystem, community packages, and heavy deployment expectations while still remaining installable as an open-source Unix tool.

### Timeline

- 1995: Vern Paxson developed the initial Bro Network Security Monitor at Lawrence Berkeley National Laboratory.
- 1996: Bro was first deployed at Berkeley Lab.
- 1998: Paxson's original Bro paper appeared at the USENIX Security Symposium.
- 2018: The Bro project changed its name to Zeek.
- 2022: The original Bro/Zeek paper received a USENIX Test of Time Award.

### Related projects

- Corelight: commercial company and product lineage built around Zeek/Bro expertise.
- Spicy: Zeek-adjacent parser/tooling stack shipped with modern Zeek packages.
- BinPAC: protocol analyzer compiler historically associated with Bro/Zeek.
- Suricata and Snort: adjacent network IDS tools often compared with Zeek, though Zeek emphasizes semantic logs and scripting over pure signature blocking.

### Sources

- <https://docs.zeek.org/en/current/about/what.html - official docs explain what Zeek is and how it differs from traditional IDS tools.>
- <https://docs.zeek.org/en/current/quickstart.html - official docs cover running Zeek, live traffic, scripting, managing Zeek, and cluster concepts.>
- <https://github.com/zeek/zeek - README describes Zeek's key features, operational use, scripting, development model, and community.>
- <https://secpriv.lbl.gov/project/network-security-monitor/ - Berkeley Lab summary gives origin, first deployment, original paper, rename, Corelight spinoff, and Test of Time Award context.>
- <https://zeek.org/ - project site describes Zeek's current role, rename from Bro, telemetry/logging model, deployment claims, and community package ecosystem.>


## Security Notes

No matching local secret-handling manifest was found for zeek. Nucleus package metadata is still published here so future coverage has a stable package URL.



## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: <prefix>/etc/node.cfg, <prefix>/etc/networks.cfg, <prefix>/etc/zeekctl.cfg
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** zeek
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - zeek: normalized package name match | nixpkgs package indexes: pkgs/by-name/ze/zeek/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- MacPorts - zeek: normalized package name match | MacPorts ports tree: net/zeek/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1
- Debian apt - bifcl - 1.6.2-1: installed executable or alias match | Debian stable package indexes: bifcl from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Bro Built-In-Function Compiler | https://www.zeek.org/
- Debian apt - binpac - 0.59.0-1: installed executable or alias match | Debian stable package indexes: binpac from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | high level protocol parser language | http://www.bro.org/
- Debian apt - btest - 0.72-1.1: installed executable or alias match | Debian stable package indexes: btest from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | simple driver for basic unit tests | http://www.zeek.org/
- Debian apt - capstats - 0.31-1+b1: installed executable or alias match | Debian stable package indexes: capstats from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | command-line tool for collecting network interface statistics | https://www.zeek.org
- Nix - btest: installed executable or alias match | nixpkgs package indexes: pkgs/by-name/bt/btest/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - bifcl - 1.6.2-1: installed executable or alias match | Ubuntu 24.04 LTS package indexes: bifcl from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Bro Built-In-Function Compiler | https://www.zeek.org/
- Ubuntu apt - binpac - 0.59.0-1: installed executable or alias match | Ubuntu 24.04 LTS package indexes: binpac from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | high level protocol parser language | http://www.bro.org/
- Ubuntu apt - btest - 0.72-1: installed executable or alias match | Ubuntu 24.04 LTS package indexes: btest from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | simple driver for basic unit tests | http://www.zeek.org/
- Ubuntu apt - capstats - 0.31-1build2: installed executable or alias match | Ubuntu 24.04 LTS package indexes: capstats from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | command-line tool for collecting network interface statistics | https://www.zeek.org
- Scoop - extras/btest: installed executable or alias match | Scoop official bucket manifest trees: bucket/btest.json from https://api.github.com/repos/ScoopInstaller/Extras/git/trees/master?recursive=1


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Homebrew utility packages](https://www.automicvault.com/pkg/brew-utility-packages/) - Matched Homebrew package provider.
- [c-ares](https://www.automicvault.com/pkg/brew/c-ares/) - Runtime dependency declared by Homebrew.
- [libmaxminddb](https://www.automicvault.com/pkg/brew/libmaxminddb/) - Runtime dependency declared by Homebrew.
- [openssl@3](https://www.automicvault.com/pkg/brew/openssl-3/) - Runtime dependency declared by Homebrew.
- [python@3.14](https://www.automicvault.com/pkg/brew/python-3-14/) - Runtime dependency declared by Homebrew.
- [zeromq](https://www.automicvault.com/pkg/brew/zeromq/) - Runtime dependency declared by Homebrew.
- [bison](https://www.automicvault.com/pkg/brew/bison/) - Build dependency declared by Homebrew.
- [cmake](https://www.automicvault.com/pkg/brew/cmake/) - Build dependency declared by Homebrew.
- [flex](https://www.automicvault.com/pkg/brew/flex/) - Build dependency declared by Homebrew.
- [swig](https://www.automicvault.com/pkg/brew/swig/) - Build dependency declared by Homebrew.
- [silk](https://www.automicvault.com/pkg/brew/silk/) - Shares av.db curated category or tags: cli, network-security, security, traffic-analysis.
- [suricata](https://www.automicvault.com/pkg/brew/suricata/) - Shares av.db curated category or tags: cli, network-security, security, security-monitoring.
- [arpoison](https://www.automicvault.com/pkg/brew/arpoison/) - Shares av.db curated category or tags: cli, network-security, security.
- [bettercap](https://www.automicvault.com/pkg/brew/bettercap/) - Shares av.db curated category or tags: cli, network-security, security.
- [ettercap](https://www.automicvault.com/pkg/brew/ettercap/) - Shares av.db curated category or tags: cli, network-security, security, traffic-analysis.
- [fragroute](https://www.automicvault.com/pkg/brew/fragroute/) - Shares av.db curated category or tags: cli, network-security, security.
- [killswitch](https://www.automicvault.com/pkg/brew/killswitch/) - Shares av.db curated category or tags: cli, network-security, security.
- [openssh](https://www.automicvault.com/pkg/brew/openssh/) - Shares av.db curated category or tags: cli, network-security, security.
- [strongswan](https://www.automicvault.com/pkg/brew/strongswan/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, cmd, network, network-security, openssl.

## Combined YAML source

View the package source record on GitHub. [combined/zeek.yml](https://github.com/automic-vault/db/blob/main/combined/zeek.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
