[Zeek] Can Zeek be installed as in-line IPS?
Seth Hall
seth at corelight.com
Mon Mar 18 10:02:20 PDT 2019
On 18 Mar 2019, at 11:30, Patrick Kelley wrote:
> I still see the same issues we had on networks 10 years ago. It is
> reduced, due to HTTPS and some SMTP, sure. Dead... not really.
To be fair, he did say IPS. In my opinion IPS has always been in a
weird spot where the definition isn't terribly clear (block a single
packet in-flight? block a connection after a determination is made?
...etc).
I think everyone here will agree that the visibility provided by Zeek is
useful even on modern networks and that tail of completely unencrypted
traffic is awfully long. :)
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com