[Zeek] Can Zeek be installed as in-line IPS?

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Mon Mar 18 12:01:49 PDT 2019


@James Lay

Couldn't agree more about the metadata and convergence of E/W traffic.
Additionally, we've used SIP analyzers to validate the implementation of
Zeek as a security platform, as it could provide greater visibility into
call center traffic.

Showing that it could increase efficiency, while providing a better
security posture was a good win.

On Mon, Mar 18, 2019 at 2:49 PM Patrick Kelley <
patrick.kelley at criticalpathsecurity.com> wrote:

> Some days I wish...
>
> As I sit here reviewing the deployment and Change Management notes for an
> ASA/FirePower, two SourceFire 7120's, two 8250's, and two VM FirePowers.
>
> Orgs are still trying to get ROI on some of this stuff.  It's not AI/ML or
> Blockchain, but it's still running.
>
> On Mon, Mar 18, 2019 at 2:39 PM Edgmand, Craig <craig.edgmand at okstate.edu>
> wrote:
>
>> Didn't IDS die circa 2005? :)
>>
>>
>>
>> *From:* zeek-bounces at zeek.org <zeek-bounces at zeek.org> *On Behalf Of *Richard
>> Bejtlich
>> *Sent:* Monday, March 18, 2019 1:28 PM
>> *To:* Patrick Kelley <patrick.kelley at criticalpathsecurity.com>
>> *Cc:* zeek at zeek.org
>> *Subject:* Re: [Zeek] Can Zeek be installed as in-line IPS?
>>
>> The PCI requirement is for IDS or IPS, which is unfortunate because they
>> are totally different. I'm surprised IPS is even a market segment anymore.
>> At this point it's really just a firewall feature. There's so much more
>> that can be done with a passive observation platform like Zeek, when you
>> don't have to worry about making line-speed judgements.
>>
>> Sincerely,
>>
>> Richard
>>
>> On Mon, Mar 18, 2019 at 1:50 PM Patrick Kelley <
>> patrick.kelley at criticalpathsecurity.com> wrote:
>>
>> Yes.  Many.
>>
>> PCI-DSS 11.4 comes up quite often. Whether we have consensus on the
>> validity and utility of an IPS or not, it comes up in every single PCI
>> audit.
>>
>> On Mon, Mar 18, 2019 at 1:40 PM Richard Bejtlich <richard at corelight.com>
>> wrote:
>>
>> Yes, as Seth said, I said IPS. Is anyone really deploying IPS now? I only
>> see Palo Alto firewalls, etc.
>>
>> Sincerely,
>>
>> Richard
>>
>> On Mon, Mar 18, 2019 at 1:02 PM Seth Hall <seth at corelight.com> wrote:
>>
>> On 18 Mar 2019, at 11:30, Patrick Kelley wrote:
>>
>> > I still see the same issues we had on networks 10 years ago. It is
>> > reduced, due to HTTPS and some SMTP, sure.  Dead... not really.
>>
>> To be fair, he did say IPS.  In my opinion IPS has always been in a
>> weird spot where the definition isn't terribly clear (block a single
>> packet in-flight?  block a connection after a determination is made?
>> ...etc).
>>
>> I think everyone here will agree that the visibility provided by Zeek is
>> useful even on modern networks and that tail of completely unencrypted
>> traffic is awfully long. :)
>>
>>    .Seth
>>
>> --
>> Seth Hall * Corelight, Inc * www.corelight.com
>>
>> --
>>
>> Richard Bejtlich
>>
>> Principal Security Strategist, Corelight
>>
>> --
>>
>>
>>
>> *Patrick Kelley, CISSP, C|EH, ITIL*
>>
>> *CTO*
>>
>> patrick.kelley at criticalpathsecurity.com
>>
>> (o) 770-224-6482
>>
>>
>>
>> *The limit to which you have accepted being comfortable is the limit to
>> which you have grown. Accept new challenges as an opportunity to enrich
>> yourself and not as a point of potential failure.*
>>
>

-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*