[Zeek] Can Zeek be installed as in-line IPS?

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Mon Mar 18 08:30:57 PDT 2019


Had me all the way until...

"Aside from web application firewalls, I think the IPS market is fairly
dead anyway with the ubiquity of encrypted north-south network traffic."

I still see the same issues we had on networks 10 years ago. It is reduced,
due to HTTPS and some SMTP, sure.  Dead... not really.

On Mon, Mar 18, 2019 at 11:19 AM Richard Bejtlich <richard at corelight.com>
wrote:

> JB's answer was great. I'd only add that I don't think of Zeek as an IDS.
> Zeek is a network security monitor. It's designed to describe what's
> happening on your network in a mostly neutral way. It's up to the analyst
> to use that data for a variety of purposes, one of which could be intrusion
> detection. Suricata and Snort are more characteristic of an "IDS" because
> they make judgements about what they see, although Suricata has been
> integrating ever more NSM functionality by logging DNS, HTTP, etc. as Zeek
> does.
>
> Aside from web application firewalls, I think the IPS market is fairly
> dead anyway with the ubiquity of encrypted north-south network traffic.
>
> Sincerely,
>
> Richard
>
> On Mon, Mar 18, 2019 at 6:04 AM Dario Mohaddes <m.dariuz at gmail.com> wrote:
>
>> I'm starting a comparison paper about inline Network IPS. I was looking
>> for an open-source anomaly-based detection engine with IPS capabilities. The
>> easiest choice seemed Zeek, but from the website user manual it doesn't look
>> like it actually supports packet dropping; instead it can only work as an IDS.
>> Digging a bit online I found a lot of confusion and contradictions, with
>> people asserting either that it is possible or not, but none giving a practical
>> example. I have scraped a multitude of academic and research papers, but
>> they haven't helped... I was wondering if anyone can tell me if it is feasible
>> before wasting hours trying to do something that is not. Any help or
>> insight is much appreciated. Thank you.
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
>
> --
> Richard Bejtlich
> Principal Security Strategist, Corelight



-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*
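Richard's point that Zeek records what happens in a mostly neutral way and leaves intrusion detection to the analyst is easy to see in code. The Python example below is added here and is not from this thread or from the Zeek project. It parses a constructed fragment of a Zeek conn.log in Zeek's TSV format (the column names are Zeek's conn.log fields; the addresses, uids and timestamps are made up) and then layers one analyst-chosen rule on top of that data: a single source that opens TCP connections to many distinct destination ports on a host without ever getting a reply (Zeek's `S0` connection state). The threshold of five ports is an assumption, as is the choice of rule; the script only reports, it drops nothing, which is exactly the NSM-versus-IPS distinction being discussed.

```python
"""Added example: parse Zeek conn.log TSV and apply an analyst-defined rule.

Not code from the thread or from the Zeek project. The log lines are
constructed; only the column layout follows Zeek's conn.log header.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# Column names exactly as they appear in Zeek's conn.log #fields header.
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
    "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]


def _row(ts, uid, orig_h, orig_p, resp_h, resp_p, state, history):
    """Build one constructed conn.log line; '-' is Zeek's unset-field marker."""
    vals = [ts, uid, orig_h, orig_p, resp_h, resp_p, "tcp", "-", "-", "-", "-",
            state, "T", "T", "0", history, "1", "60", "0", "0", "-"]
    return "\t".join(vals)


# Constructed sample log (assumption: addresses, uids and timestamps are invented).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\t" + "\t".join(CONN_FIELDS),
    # 10.0.0.5 touches six different ports on one host and none answer (S0).
    _row("1552910000.1", "CAAA1", "10.0.0.5", "50001", "10.0.0.20", "22", "S0", "S"),
    _row("1552910000.2", "CAAA2", "10.0.0.5", "50002", "10.0.0.20", "23", "S0", "S"),
    _row("1552910000.3", "CAAA3", "10.0.0.5", "50003", "10.0.0.20", "80", "S0", "S"),
    _row("1552910000.4", "CAAA4", "10.0.0.5", "50004", "10.0.0.20", "443", "S0", "S"),
    _row("1552910000.5", "CAAA5", "10.0.0.5", "50005", "10.0.0.20", "445", "S0", "S"),
    _row("1552910000.6", "CAAA6", "10.0.0.5", "50006", "10.0.0.20", "3389", "S0", "S"),
    # 10.0.0.7 makes two ordinary, fully completed connections (SF).
    _row("1552910001.0", "CBBB1", "10.0.0.7", "50100", "10.0.0.20", "443", "SF", "ShADadFf"),
    _row("1552910002.0", "CBBB2", "10.0.0.7", "50101", "10.0.0.21", "80", "SF", "ShADadFf"),
    "#close\t2019-03-18-08-31-00",
])


def parse_zeek_tsv(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse Zeek's TSV log format into dicts keyed by the #fields header.

    Header/metadata lines start with '#'. The #unset_field marker (default '-')
    becomes None so callers can tell "unset" from a real value.
    """
    fields: List[str] = []
    unset = "-"
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#unset_field\t"):
            unset = line.split("\t", 1)[1]
            continue
        if line.startswith("#"):
            continue
        if not fields:
            raise ValueError("data line before #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, cols)})
    return records


def failed_port_fanout(records, threshold: int = 5) -> Dict[str, List[int]]:
    """Analyst rule over neutral conn data: one originator, many distinct
    destination ports, no responses (conn_state S0). Returns the offending
    source addresses mapped to the sorted list of ports they tried."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] == "S0":
            ports[r["id.orig_h"]].add(int(r["id.resp_p"]))
    return {host: sorted(p) for host, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    recs = parse_zeek_tsv(SAMPLE_CONN_LOG)
    for host, plist in failed_port_fanout(recs).items():
        print(f"{host}: {len(plist)} unanswered ports {plist}")
```

The same parser works unchanged on any of Zeek's TSV logs (dns.log, http.log, ssl.log), because the column names come from the `#fields` line rather than being hard-coded; only `failed_port_fanout` is conn.log specific. Whether a hit should page someone, be enriched, or be pushed to a firewall is a separate decision made outside Zeek.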