[Zeek] Can Zeek be installed as in-line IPS?

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Mon Mar 18 11:49:19 PDT 2019


Somedays I wish...

As I sit here reviewing the deployment and Change Management notes for an
ASA/FirePower, two SourceFire 7120s, two 8250s, and two VM FirePowers.

Orgs are still trying to get ROI on some of this stuff.  It's not AI/ML or
Blockchain, but it's still running.

On Mon, Mar 18, 2019 at 2:39 PM Edgmand, Craig <craig.edgmand at okstate.edu>
wrote:

> Didn't IDS die circa 2005? :)
>
>
>
> *From:* zeek-bounces at zeek.org <zeek-bounces at zeek.org> *On Behalf Of *Richard
> Bejtlich
> *Sent:* Monday, March 18, 2019 1:28 PM
> *To:* Patrick Kelley <patrick.kelley at criticalpathsecurity.com>
> *Cc:* zeek at zeek.org
> *Subject:* Re: [Zeek] Can Zeek be installed as in-line IPS?
>
> The PCI requirement is for IDS or IPS, which is unfortunate because they
> are totally different. I'm surprised IPS is even a market segment anymore.
> At this point it's really just a firewall feature. There's so much more
> that can be done with a passive observation platform like Zeek, when you
> don't have to worry about making line-speed judgements.
>
>
>
> Sincerely,
>
>
>
> Richard
>
>
>
> On Mon, Mar 18, 2019 at 1:50 PM Patrick Kelley <
> patrick.kelley at criticalpathsecurity.com> wrote:
>
> Yes.  Many.
>
>
>
> PCI-DSS 11.4 comes up quite often. Whether we have consensus on the
> validity and utility of an IPS or not, it comes up in every single PCI
> audit.
>
>
>
> On Mon, Mar 18, 2019 at 1:40 PM Richard Bejtlich <richard at corelight.com>
> wrote:
>
> Yes, as Seth said, I said IPS. Is anyone really deploying IPS now? I only
> see Palo Alto firewalls, etc.
>
>
>
> Sincerely,
>
>
>
> Richard
>
>
>
> On Mon, Mar 18, 2019 at 1:02 PM Seth Hall <seth at corelight.com> wrote:
>
>
>
> On 18 Mar 2019, at 11:30, Patrick Kelley wrote:
>
> > I still see the same issues we had on networks 10 years ago. It is
> > reduced, due to HTTPS and some SMTP, sure.  Dead... not really.
>
> To be fair, he did say IPS.  In my opinion IPS has always been in a
> weird spot where the definition isn't terribly clear (block a single
> packet in-flight?  block a connection after a determination is made?
> ...etc).
>
> I think everyone here will agree that the visibility provided by Zeek is
> useful even on modern networks and that tail of completely unencrypted
> traffic is awfully long. :)
>
>    .Seth
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
>
>
>
> --
>
> Richard Bejtlich
>
> Principal Security Strategist, Corelight
>
>
>
>
> --
>
>
>
> *Patrick Kelley, CISSP, C|EH, ITIL*
>
> *CTO*
>
> patrick.kelley at criticalpathsecurity.com
>
> (o) 770-224-6482
>
>
>
> *The limit to which you have accepted being comfortable is the limit to
> which you have grown. Accept new challenges as an opportunity to enrich
> yourself and not as a point of potential failure.*


-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*