Paxson, V. (1999). Bro: A system for detecting network intruders in real-time. Computer Networks, 31(23-24), 2435-2463. https://www.usenix.org/legacy/publications/library/proceedings/sec98/full_papers/paxson/paxson.pdf
This is the original paper on Bro (now called Zeek), and it provides a nice overview of how Zeek works.