[Zeek] Can Zeek be installed as in-line IPS?

Edgmand, Craig craig.edgmand at okstate.edu
Mon Mar 18 11:39:51 PDT 2019


Didn’t IDS die circa 2005?   ☺

From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> On Behalf Of Richard Bejtlich
Sent: Monday, March 18, 2019 1:28 PM
To: Patrick Kelley <patrick.kelley at criticalpathsecurity.com>
Cc: zeek at zeek.org
Subject: Re: [Zeek] Can Zeek be installed as in-line IPS?

The PCI requirement is for IDS or IPS, which is unfortunate because they are totally different. I'm surprised IPS is even a market segment anymore. At this point it's really just a firewall feature. There's so much more that can be done with a passive observation platform like Zeek, when you don't have to worry about making line-speed judgements.

Sincerely,

Richard

On Mon, Mar 18, 2019 at 1:50 PM Patrick Kelley <patrick.kelley at criticalpathsecurity.com> wrote:
Yes.  Many.

PCI-DSS 11.4 comes up quite often. Whether we have consensus on the validity and utility of an IPS or not, it comes up in every single PCI audit.

On Mon, Mar 18, 2019 at 1:40 PM Richard Bejtlich <richard at corelight.com> wrote:
Yes, as Seth said, I said IPS. Is anyone really deploying IPS now? I only see Palo Alto firewalls, etc.

Sincerely,

Richard

On Mon, Mar 18, 2019 at 1:02 PM Seth Hall <seth at corelight.com> wrote:


On 18 Mar 2019, at 11:30, Patrick Kelley wrote:

> I still see the same issues we had on networks 10 years ago. It is
> reduced, due to HTTPS and some SMTP, sure.  Dead... not really.

To be fair, he did say IPS.  In my opinion IPS has always been in a
weird spot where the definition isn't terribly clear (block a single
packet in-flight?  block a connection after a determination is made?
...etc).

I think everyone here will agree that the visibility provided by Zeek is
useful even on modern networks and that tail of completely unencrypted
traffic is awfully long. :)

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com


--
Richard Bejtlich
Principal Security Strategist, Corelight


--

Patrick Kelley, CISSP, C|EH, ITIL
CTO
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482

The limit to which you have accepted being comfortable is the limit to which you have grown. Accept new challenges as an opportunity to enrich yourself and not as a point of potential failure.



--
Richard Bejtlich
Principal Security Strategist, Corelight