[Zeek] Can Zeek be installed as in-line IPS?

Richard Bejtlich richard at corelight.com
Mon Mar 18 08:09:23 PDT 2019


JB's answer was great. I'd only add that I don't think of Zeek as an IDS.
Zeek is a network security monitor. It's designed to describe what's
happening on your network in a mostly neutral way. It's up to the analyst
to use that data for a variety of purposes, one of which could be intrusion
detection. Suricata and Snort are more characteristic of an "IDS" because
they make judgements about what they see, although Suricata has been
integrating ever more NSM functionality by logging DNS, HTTP, etc. as Zeek
does.

Aside from web application firewalls, I think the IPS market is fairly dead
anyway with the ubiquity of encrypted north-south network traffic.

Sincerely,

Richard

On Mon, Mar 18, 2019 at 6:04 AM Dario Mohaddes <m.dariuz at gmail.com> wrote:

> I'm starting a comparison paper about inline Network IPS. I was looking
> for an open-source anomaly-based detection engine with IPS capabilities. The
> easiest choice seemed Zeek, but from the website user manual it doesn't look
> like it actually supports packet dropping; instead it can only work as an IDS.
> Digging a bit online I found a lot of confusion and contradictions, with
> people asserting either that it is possible or not, but none giving a practical
> example. I have scraped a multitude of academic and research papers but
> they haven't helped... I was wondering if anyone can tell me if it is feasible
> before wasting hours trying to do something that is not. Any help or
> insight is much appreciated. Thank you.
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Richard Bejtlich
Principal Security Strategist, Corelight
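An added example, not code from Richard's reply or from the Zeek project, of what "it's up to the analyst to use that data" looks like in practice: a small reader for Zeek's TSV log format (the `#fields`/`#unset_field` header lines) and an analyst-side detection rule run over it. The dns.log sample is constructed and uses a subset of the real dns.log columns; the NXDOMAIN threshold is an assumption chosen for the sample.

```python
from collections import Counter

# Constructed, abbreviated Zeek dns.log sample (not from a real sensor): Zeek's
# TSV format with a "#fields" header and "-" marking unset values.
SAMPLE_DNS_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring
1552919000.1\tCa1\t10.0.0.5\t51000\t10.0.0.1\t53\tudp\twww.example.com\tA\tNOERROR
1552919001.2\tCb2\t10.0.0.7\t51001\t10.0.0.1\t53\tudp\txk3j9.example.net\tA\tNXDOMAIN
1552919001.4\tCc3\t10.0.0.7\t51002\t10.0.0.1\t53\tudp\tq8z2m.example.net\tA\tNXDOMAIN
1552919001.6\tCd4\t10.0.0.7\t51003\t10.0.0.1\t53\tudp\tp0v4r.example.net\tA\tNXDOMAIN
1552919001.8\tCe5\t10.0.0.7\t51004\t10.0.0.1\t53\tudp\tw7t1n.example.net\tA\tNXDOMAIN
1552919002.0\tCf6\t10.0.0.9\t51005\t10.0.0.1\t53\tudp\tmail.example.org\tMX\tNXDOMAIN
1552919002.5\tCg7\t10.0.0.5\t51006\t10.0.0.1\t53\tudp\twww.example.com\tA\t-
#close\t2019-03-18-15-00-00
"""


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):  # header/footer lines: #fields, #unset_field, #close, ...
            parts = line.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#unset_field":
                unset = parts[1]
            continue
        if fields is None:
            raise ValueError("record seen before #fields header")
        yield {k: (None if v == unset else v) for k, v in zip(fields, line.split("\t"))}


def nxdomain_burst(records, threshold=3):
    """Analyst-side rule over Zeek's neutral data: hosts with at least `threshold`
    NXDOMAIN answers. Zeek only described the traffic; the judgement is made here."""
    counts = Counter(r["id.orig_h"] for r in records if r["rcode_name"] == "NXDOMAIN")
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(nxdomain_burst(list(parse_zeek_log(SAMPLE_DNS_LOG))))  # {'10.0.0.7': 4}
```

Nothing in this flow drops a packet: the output is a finding for an analyst, which is the distinction Richard draws between a network security monitor and an IPS.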