{"id":40943346,"url":"https://github.com/stratosphereips/zeek_anomaly_detector","last_synced_at":"2026-01-22T04:37:32.743Z","repository":{"id":52957162,"uuid":"200415955","full_name":"stratosphereips/zeek_anomaly_detector","owner":"stratosphereips","description":"A completely automated anomaly detector Zeek network flows files (conn.log).","archived":false,"fork":false,"pushed_at":"2025-08-05T04:12:18.000Z","size":1350,"stargazers_count":81,"open_issues_count":6,"forks_count":33,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-09-04T21:50:02.062Z","etag":null,"topics":["anomaly-detection","ids","intrusion-detection","network-security","python","zeek","zeek-analysis","zeek-ids"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stratosphereips.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-08-03T19:59:04.000Z","updated_at":"2025-08-25T16:48:05.000Z","dependencies_parsed_at":"2025-09-04T21:48:07.694Z","dependency_job_id":"0770bc4a-7243-4788-87ad-81d191aef526","html_url":"https://github.com/stratosphereips/zeek_anomaly_detector","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/stratosphereips/zeek_anomaly_detector","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stratosphereips%2Fzeek_anomaly_detector","tags_url":"https://repos.ecos
yste.ms/api/v1/hosts/GitHub/repositories/stratosphereips%2Fzeek_anomaly_detector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stratosphereips%2Fzeek_anomaly_detector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stratosphereips%2Fzeek_anomaly_detector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stratosphereips","download_url":"https://codeload.github.com/stratosphereips/zeek_anomaly_detector/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stratosphereips%2Fzeek_anomaly_detector/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28654891,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-22T01:17:37.254Z","status":"online","status_checked_at":"2026-01-22T02:00:07.137Z","response_time":144,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anomaly-detection","ids","intrusion-detection","network-security","python","zeek","zeek-analysis","zeek-ids"],"created_at":"2026-01-22T04:37:32.680Z","updated_at":"2026-01-22T04:37:32.734Z","avatar_url":"https://github.com/stratosphereips.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# zeek_anomaly_detector\n[![Docker Image 
CI](https://github.com/stratosphereips/zeek_anomaly_detector/actions/workflows/docker-image.yml/badge.svg)](https://github.com/stratosphereips/zeek_anomaly_detector/actions/workflows/docker-image.yml)\n[![Python Checks](https://github.com/stratosphereips/zeek_anomaly_detector/actions/workflows/python-checks.yml/badge.svg)](https://github.com/stratosphereips/zeek_anomaly_detector/actions/workflows/python-checks.yml)\n![GitHub last commit (branch)](https://img.shields.io/github/last-commit/stratosphereips/zeek_anomaly_detector/main?color=green)\n![Docker Pulls](https://img.shields.io/docker/pulls/stratosphereips/zeek_anomaly_detector?color=green)\n\n\nAn anomaly detector for conn.log files of Zeek/Bro. It uses Zeek Analysis Tools (ZAT) to load the file and PyOD models to score the flows. It is completely automated: give it the file and it will output the anomalous flows. By default it uses the PCA model.\n\n## Performance\n\nUsing the PCA model, `zeek_anomaly_detector.py` is capable of training and testing 6.3 million flow lines in 11 minutes.\n\n\n## Usage\n```bash\n$ time ./zeek_anomaly_detector.py -a 20 -f dataset/001-zeek-scenario-malicious/conn.log\nSimple Anomaly Detector for Zeek conn.log files. 
Version: 0.2\nAuthor: Sebastian Garcia (eldraco@gmail.com), Veronica Valeros (vero.valeros@gmail.com)\n\nFlows of the top anomalies\n           id.orig_h  id.orig_p       id.resp_h  id.resp_p proto service        duration  orig_bytes  resp_bytes  orig_pkts  orig_ip_bytes  resp_pkts  resp_ip_bytes  durationsec         score\n24482  192.168.1.125      53510   87.236.19.168         80   tcp    http 00:05:33.102728         108     2455407        593          23852       1686        2524319   333.102728  3.091147e+07\n109    192.168.1.125      49188  201.232.32.124        443   tcp     ssl 00:02:08.617586       79809        2544         78          84351         55           4828   128.617586  2.377891e+07\n35031  192.168.1.125      62788  192.157.238.15        447   tcp     ssl 00:01:06.384740         522      611151        295          16506        444         655203    66.384740  8.334937e+06\n28096  192.168.1.125      56689    5.172.34.138        447   tcp     ssl 00:02:45.920620         506      608558        336          16309        446         639202   165.920620  8.262826e+06\n28460  192.168.1.125      57002    5.172.34.138        447   tcp     ssl 00:02:23.709549         469      608336        328          16359        436         631468   143.709549  8.180498e+06\n26385  192.168.1.125      55173  217.31.111.153        447   tcp     ssl 00:01:08.363216         783      630568        239          11475        442         648260    68.363216  8.095119e+06\n29848  192.168.1.125      58222    91.219.28.14        447   tcp     ssl 00:01:05.301758         506      611151        152           6598        437         628643    65.301758  7.728219e+06\n33329  192.168.1.125      61298     151.80.84.3        447   tcp     ssl 00:01:05.182020         506      611151        135           5918        428         628283    65.182020  7.658844e+06\n31604  192.168.1.125      59773     151.80.84.3        447   tcp     ssl 00:01:05.181878         506      611151        128       
    5638        428         628283    65.181878  7.652506e+06\n819    192.168.1.125      49417   84.42.159.138        443   tcp     ssl 00:01:57.329889       24618        4215         45          26454         31           5691   117.329889  7.261139e+06\n1307   192.168.1.125      49574  200.116.206.58        443   tcp     ssl 00:02:05.574474       24618        4199         43          26350         42           5891   125.574474  7.252795e+06\n318    192.168.1.125      49258   36.66.107.162        443   tcp     ssl 00:02:09.694961       24602        4199         42          26294         51           6251   129.694961  7.248093e+06\n563    192.168.1.125      49336  200.116.206.58        443   tcp     ssl 00:01:58.684675       24597        4162         40          26209         38           5694   118.684675  7.229915e+06\n1058   192.168.1.125      49496    203.92.62.46        443   tcp     ssl 00:01:58.581551       24565        4162         40          26177         39           5734   118.581551  7.220959e+06\n57     192.168.1.125      49170  190.138.249.45        443   tcp     ssl 00:02:12.193263       23903       73195         62          26391         93          76923   132.193263  7.217059e+06\n24688  192.168.1.125      53673  217.31.111.153        447   tcp     ssl 00:01:08.831043         783      553108        197           9131        389         570140    68.831043  7.058567e+06\n2591   192.168.1.125      50637    203.92.62.46        447   tcp     ssl 00:01:14.004751         751      548447        184           8639        385         563859    74.004751  6.971375e+06\n9436   192.168.1.125      56618    203.92.62.46        447   tcp     ssl 00:01:10.099220         751      553092        151           6803        389         568664    70.099220  6.969540e+06\n7799   192.168.1.125      55150    203.92.62.46        447   tcp     ssl 00:01:12.834688         751      548447        182           8439        385         563859    72.834688  6.963647e+06\n4557   
192.168.1.125      52200    203.92.62.46        447   tcp     ssl 00:01:12.101060         751      548447        167           7875        385         563859    72.101060  6.942839e+06\n\nreal\t0m4.972s\nuser\t0m3.540s\nsys\t0m0.581s\n```\n\n## Installation\n\n### Docker\n\nThe `zeek_anomaly_detector` has a public Docker image with the latest version:\n```bash\ndocker run --rm -it stratosphereips/zeek_anomaly_detector:latest python3 zeek_anomaly_detector.py -f dataset/001-zeek-scenario-malicious/conn.log\n```\nMount the local datasets to the container to run the zeek_anomaly_detector on them:\n\n```bash\ndocker run -v /full/path/to/logs/:/zeek_anomaly_detector/dataset --rm -it stratosphereips/zeek_anomaly_detector:latest python3 zeek_anomaly_detector.py -f dataset/001-zeek-scenario-malicious/conn.log\n```\n\n### Source\n\nClone the repository with the submodules:\n```\ngit clone --recurse-submodules --remote-submodules https://github.com/stratosphereips/zeek_anomaly_detector\n```\n\nPlease install the following dependencies:\n- pyod: PyOD is a comprehensive and scalable Python toolkit for detecting outlying objects in multivariate data. \n\nInstall with pip:\n\n```bash\npip install pyod\n```\n\n## Contribute\n\nCreate an issue or PR and we will process it.\n\n## Authors\n\nThis project was created by Sebastian Garcia and Veronica Valeros at the Stratosphere Research Laboratory, AIC, FEE, Czech Technical University in Prague.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstratosphereips%2Fzeek_anomaly_detector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstratosphereips%2Fzeek_anomaly_detector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstratosphereips%2Fzeek_anomaly_detector/lists"}
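The README describes the pipeline only at a high level: load a Zeek conn.log, turn the per-flow numeric columns into features, score every flow with an outlier model and print the top `-a` flows. The block below is an added example of that pipeline and is not code from the zeek_anomaly_detector project. It replaces the project's two dependencies with stand-ins so it runs offline on the Python standard library: a small parser for Zeek's TSV log format instead of ZAT, and a robust z-score distance (median and MAD per feature) instead of PyOD's PCA detector. The conn.log excerpt, its uids and IP addresses, and the function names are constructed for this example.

```python
"""Rank Zeek conn.log flows with a dependency-free robust outlier score.

Added example; not code from the zeek_anomaly_detector project. The project
loads conn.log through ZAT and scores flows with PyOD's PCA detector. This
stand-in replaces both with a small parser for Zeek's TSV log format and a
robust z-score distance (median / MAD per feature), so it runs offline on the
standard library alone. The conn.log excerpt is constructed for this example.
"""
from statistics import median

# Numeric per-flow columns; the same ones the project prints for each top hit.
NUMERIC_FIELDS = ("duration", "orig_bytes", "resp_bytes", "orig_pkts",
                  "orig_ip_bytes", "resp_pkts", "resp_ip_bytes")

_FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
           "duration orig_bytes resp_bytes conn_state orig_pkts "
           "orig_ip_bytes resp_pkts resp_ip_bytes")
_TYPES = ("time string addr port addr port enum string interval count count "
          "string count count count count")

# Constructed flows (client 192.168.1.125, documentation-range servers):
# eight ordinary DNS/HTTP/TLS flows, one DNS query with no reply (Zeek writes
# "-" for the unset fields), and two flows shaped like the README's top hits.
_ROWS = [
    "1564862344.10 CdnsA1 192.168.1.125 51001 192.168.1.1 53 udp dns 0.0312 45 130 SF 1 73 1 158",
    "1564862345.22 CdnsB2 192.168.1.125 51002 192.168.1.1 53 udp dns 0.0280 42 110 SF 1 70 1 138",
    "1564862346.05 CdnsC3 192.168.1.125 51003 192.168.1.1 53 udp dns 0.0350 48 145 SF 1 76 1 173",
    "1564862347.40 ChttpD4 192.168.1.125 51004 203.0.113.10 80 tcp http 0.4200 310 1850 SF 5 530 5 2070",
    "1564862348.90 ChttpE5 192.168.1.125 51005 203.0.113.11 80 tcp http 0.5100 295 2100 SF 6 555 6 2360",
    "1564862350.10 CsslF6 192.168.1.125 51006 198.51.100.20 443 tcp ssl 1.2000 1460 5200 SF 12 2100 11 5780",
    "1564862351.70 CsslG7 192.168.1.125 51007 198.51.100.21 443 tcp ssl 0.9500 1390 4800 SF 11 1970 10 5330",
    "1564862352.30 CdnsH8 192.168.1.125 51008 192.168.1.1 53 udp dns - - - S0 1 73 0 0",
    "1564862353.00 ChttpBIG 192.168.1.125 53510 203.0.113.50 80 tcp http 333.102728 108 2455407 SF 593 23852 1686 2524319",
    "1564862360.00 Cssl447 192.168.1.125 62788 198.51.100.99 447 tcp ssl 66.384740 522 611151 SF 295 16506 444 655203",
]

# Assemble the excerpt in Zeek's own layout: "#"-prefixed metadata lines,
# tab-separated records, and a trailing #close line.
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
     "#unset_field\t-", "#path\tconn",
     "#fields\t" + "\t".join(_FIELDS.split()),
     "#types\t" + "\t".join(_TYPES.split())]
    + ["\t".join(r.split()) for r in _ROWS]
    + ["#close\t2019-08-03-19-59-04"]) + "\n"


def parse_conn_log(text):
    """Parse Zeek TSV conn.log text into one dict per flow.

    Column names come from the #fields line rather than being hard-coded, and
    the #unset_field marker ("-") in a numeric column becomes 0.0 so flows
    with no reply are scored instead of dropped.
    """
    fields, unset, rows = None, "-", []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line.partition("\t")
            if key == "#fields":
                fields = rest.split("\t")
            elif key == "#unset_field":
                unset = rest
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        row = dict(zip(fields, values))
        for name in NUMERIC_FIELDS:
            raw = row.get(name, unset)
            row[name] = 0.0 if raw == unset else float(raw)
        rows.append(row)
    return rows


def robust_scale(values):
    """Return (center, scale) as median and MAD. Unlike mean/stdev, a few
    multi-MB flows cannot drag these and mask each other."""
    center = median(values)
    mad = median([abs(v - center) for v in values])
    if mad == 0.0:  # constant column or >50% identical values: fall back
        mean_abs = sum(abs(v - center) for v in values) / len(values)
        mad = mean_abs if mean_abs > 0.0 else 1.0
    return center, mad


def score_flows(rows):
    """Attach 'score' to each row: the sum of squared robust z-scores over
    NUMERIC_FIELDS. Larger means further from the bulk of the traffic."""
    scales = {f: robust_scale([r[f] for r in rows]) for f in NUMERIC_FIELDS}
    for r in rows:
        r["score"] = sum(((r[f] - c) / s) ** 2 for f, (c, s) in scales.items())
    return rows


def top_anomalies(text, n=20):
    """The equivalent of '-a n': the n highest-scoring flows, best first."""
    rows = score_flows(parse_conn_log(text))
    return sorted(rows, key=lambda r: r["score"], reverse=True)[:n]


if __name__ == "__main__":
    for r in top_anomalies(SAMPLE_CONN_LOG, n=3):
        print(f"{r['uid']:<9} {r['id.orig_h']}:{r['id.orig_p']:<5} -> "
              f"{r['id.resp_h']}:{r['id.resp_p']:<4} {r['proto']} {r['service']:<4} "
              f"resp_bytes={r['resp_bytes']:>9.0f} score={r['score']:.1f}")
```

Run as a script it prints the two constructed large flows (the multi-MB HTTP fetch and the long ssl session on port 447) far ahead of everything else, in the spirit of the README's output table. The median/MAD scaling is the one deliberate design choice: with plain mean and standard deviation, a single 2.4 MB flow inflates the scale so much that a 600 KB flow looks ordinary. PyOD's PCA detector ranks flows differently (by how poorly the principal components reconstruct them), so the scores here are not comparable with the project's `score` column, only the ranking idea is.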