Zeek Package Manager
 

zeek-flowtriq

https://github.com/Flowtriq/zeek-flowtriq
0
0
0
0
Last Push 6/26/26, 3:25 PM

Flowtriq DDoS Detection for Zeek

A Zeek package that detects volumetric DDoS attacks and sends structured alerts to the Flowtriq platform via webhook.

Detection Capabilities

  • SYN Flood: Detects excessive new TCP connections from a single source
  • UDP Flood: Detects excessive UDP traffic from a single source
  • ICMP Flood: Detects excessive ICMP echo requests from a single source

Each detector uses configurable per-source thresholds with sliding measurement windows and per-source cooldowns to prevent alert fatigue.

Installation

Using the Zeek Package Manager:

zkg install zeek-flowtriq

Or install directly from the repository:

zkg install https://github.com/Flowtriq/zeek-flowtriq

Configuration

Add these settings to your local.zeek or a dedicated configuration file:

@load Flowtriq/DDoS

redef Flowtriq::webhook_url = "https://app.flowtriq.com/api/webhook/zeek";
redef Flowtriq::api_key = "your-api-key-here";

All configuration options live in Flowtriq:: namespace:

Option Default Description
webhook_url (empty) Flowtriq webhook endpoint
api_key (empty) API key for webhook authentication
syn_flood_threshold 1000 SYN packets per source before alerting
udp_flood_threshold 2000 UDP packets per source before alerting
icmp_flood_threshold 1000 ICMP echo requests per source before alerting
measurement_window 30sec Counter reset interval
alert_cooldown 5min Suppress duplicates per source
raise_notices T Also raise Zeek Notice framework alerts
webhook_timeout 30sec HTTP timeout for webhook calls

How It Works

The package monitors network events using Zeek's built-in connection and protocol event handlers. When packet counts from any single source exceed the configured thresholds within a measurement window, the package:

  1. Fires a Flowtriq::ddos_detected event (available for custom handling)
  2. Sends a JSON alert to your Flowtriq webhook via ActiveHTTP
  3. Optionally raises a Zeek Notice (Flowtriq::SYN_Flood, etc.)

Webhook Payload

{
    "event": "ddos_alert",
    "attack_type": "syn_flood",
    "source_ip": "192.0.2.1",
    "packet_count": 1523,
    "window_seconds": 30,
    "detected_at": "1719400000.123456",
    "sensor": "sensor01.example.com"
}

Custom Event Handling

Other Zeek scripts can subscribe to the detection event for custom logic:

event Flowtriq::ddos_detected(attack_type: string, src: addr,
                               packet_count: count, window: interval)
    {
    # Your custom handling here.
    }

Requirements

  • Zeek 5.0 or later
  • Network access from the Zeek sensor to the Flowtriq webhook endpoint

License

BSD 3-Clause. See LICENSE for details.

Package Version :

Description :

DDoS detection scripts for Zeek with Flowtriq webhook alerting.
Detects volumetric attacks including SYN floods, UDP floods, and ICMP floods,
and sends structured alerts to the Flowtriq platform for centralized
traffic analytics and mitigation.

Script Dir :

scripts

Depends :

zeek >=5.0.0

Tags :

flood detection, syn flood, udp flood, icmp flood, volumetric attack, flowtriq, alerting, network security, traffic analytics, webhook, ddos

Package Checks :

License:
Info:
Found license 'LICENSE'
Readme:
Info:
Found readme 'README.rst'
Build Command:
Bad Extension:
Expensive Events:
Unsafe Functions:
Charset: