<div dir="ltr"><div>Yes, exactly. We need to be careful with our messaging on this as a community because the number of threats still seen (and more generally, the amount of metadata from traffic that can be successfully logged to support NSM) is still significant. Richard said "fairly dead" but casual readers and the tech press tend to take that as a sound bite and parrot it out as "it's basically all encrypted, don't worry about it." I have had customers that have refused an option to deploy a network sensor like Zeek or Suricata in their environment in the role of NSM sensors because of this erroneous belief (and a convenient chance to save some capex by not buying more hardware). It's disappointing because we see a lot of success detecting badness in other environments, so these customers willfully put themselves at a disadvantage to attackers who still operate over cleartext protocols.</div><div><br></div><div>- Darren<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 18, 2019 at 8:46 AM Patrick Kelley <<a href="mailto:patrick.kelley@criticalpathsecurity.com">patrick.kelley@criticalpathsecurity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Had me all the way until...<div><br></div><div>"Aside from web application firewalls, I think the IPS market is fairly dead anyway with the ubiquity of encrypted north-south network traffic."</div><div><br></div><div>I still see the same issues we had on networks 10 years ago. It is reduced, due to HTTPS and some SMTP, sure. Dead... not really. 
</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 18, 2019 at 11:19 AM Richard Bejtlich <<a href="mailto:richard@corelight.com" target="_blank">richard@corelight.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">JB's answer was great. I'd only add that I don't think of Zeek as an IDS. Zeek is a network security monitor. It's designed to describe what's happening on your network in a mostly neutral way. It's up to the analyst to use that data for a variety of purposes, one of which could be intrusion detection. Suricata and Snort are more characteristic of an "IDS" because they make judgements about what they see, although Suricata has been integrating ever more NSM functionality by logging DNS, HTTP, etc. as Zeek does.<div><br></div><div>Aside from web application firewalls, I think the IPS market is fairly dead anyway with the ubiquity of encrypted north-south network traffic.<br><div><br></div><div>Sincerely,</div><div><br></div><div>Richard</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 18, 2019 at 6:04 AM Dario Mohaddes <<a href="mailto:m.dariuz@gmail.com" target="_blank">m.dariuz@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="margin:0px">I'm starting a comparison paper about inline Network IPS. I was looking for an open-source anomaly-based detection engine with IPS capabilities. The easiest choice seemed to be Zeek, but from the website user manual it doesn't look like it actually supports packet dropping; instead it can only work as an IDS. Digging a bit online I found a lot of confusion and contradictions, with people asserting either that it is possible or that it is not, but none giving a practical example. 
I have scraped a multitude of academic and research papers but they haven’t helped... I was wondering if anyone can tell me if it is feasible before wasting hours trying to do something that is not. Any help or insight is much appreciated. Thank you.</div></div>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail-m_-2358822255047744425gmail-m_8029089995185430428gmail_signature"><div dir="ltr">Richard Bejtlich<div>Principal Security Strategist, Corelight</div></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail-m_-2358822255047744425gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><br></div><div><b>Patrick Kelley, CISSP, C|EH, ITIL</b></div><div><i>CTO</i></div><div><a href="mailto:patrick.kelley@criticalpathsecurity.com" target="_blank">patrick.kelley@criticalpathsecurity.com</a></div><div>(o) 770-224-6482</div><div><br></div><div><i style="color:rgb(51,51,51);font-family:Helvetica,Arial,sans-serif">The limit to which you have accepted being comfortable is the limit to which you have grown. Accept new challenges as an opportunity to enrich yourself and not as a point of potential failure.</i><br></div><div><br></div><img src="https://drive.google.com/a/criticalpathsecurity.com/uc?id=0B8pLF9KsqY6YVy1zb3FUUkpmTHM&export=download" width="200" height="70"><br></div></div></div></div></div></div></div></div></div></div>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature">Darren Spruell<br><a href="mailto:phatbuckett@gmail.com" target="_blank">phatbuckett@gmail.com</a></div>
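As an added example that is not part of this thread and not Zeek project code, the following Python parses a constructed, trimmed ssl.log in Zeek's TSV layout and triages TLS sessions purely on the handshake metadata Zeek records without decrypting anything, which is the point made above about NSM value surviving encrypted north-south traffic. The sample rows, the `EXPECTED_TLS_PORTS` and `LEGACY_VERSIONS` policy sets and the function names are assumptions for this example; the column names are real ssl.log fields, but the real log carries more of them.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed subset of Zeek ssl.log columns in Zeek's TSV
# layout ('#fields' names the columns, '-' marks an unset field). Made-up values.
_HEADER = ["#separator \\x09", "#unset_field\t-", "#path\tssl",
           "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\t"
           "version\tserver_name\tsubject\tissuer\tvalidation_status"]
_ROWS = [
    ["1552912000.1", "CAb1", "10.0.0.5", "51234", "93.184.216.34", "443",
     "TLSv12", "www.example.com", "CN=www.example.com", "CN=Example CA", "ok"],
    ["1552912001.2", "CAb2", "10.0.0.7", "51300", "198.51.100.9", "4444",
     "TLSv12", "-", "CN=localhost", "CN=localhost", "self signed certificate"],
    ["1552912002.3", "CAb3", "10.0.0.9", "51400", "203.0.113.4", "443",
     "TLSv10", "legacy.example.net", "CN=legacy.example.net", "CN=Example CA", "ok"],
]
SAMPLE_SSL_LOG = "\n".join(_HEADER + ["\t".join(r) for r in _ROWS])

# Assumed site policy for this example: where TLS is expected, which versions are legacy.
EXPECTED_TLS_PORTS = {"443", "8443"}
LEGACY_VERSIONS = {"SSLv3", "TLSv10"}
Record = Dict[str, Optional[str]]

def parse_zeek_tsv(text: str) -> List[Record]:
    """Parse Zeek TSV: column names come from '#fields'; other '#' lines are metadata."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append({k: (None if v == "-" else v) for k, v in zip(fields, line.split("\t"))})
    return records

def triage_tls(records: List[Record]) -> List[Tuple[str, List[str]]]:
    """Flag sessions whose handshake metadata looks off; nothing here needs decryption."""
    findings = []
    for r in records:
        reasons = []
        if r["validation_status"] not in (None, "ok"):   # certificate chain did not validate
            reasons.append(f"cert validation: {r['validation_status']}")
        if r["server_name"] is None:                     # no SNI: unusual for real web clients
            reasons.append("no SNI")
        if r["id.resp_p"] not in EXPECTED_TLS_PORTS:     # TLS where policy does not expect it
            reasons.append(f"TLS on port {r['id.resp_p']}")
        if r["version"] in LEGACY_VERSIONS:              # downgraded or very old stack
            reasons.append(f"legacy {r['version']}")
        if reasons:
            findings.append((r["uid"], reasons))
    return findings
```

Run against a real ssl.log the same parser works unchanged, since it keys on the `#fields` header rather than on column positions.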