[Zeek] Ryu Controller

Richard Bejtlich richard at corelight.com
Tue Nov 26 14:20:23 PST 2019


Why are you interested in this approach? Is it a school project?

Zeek isn’t designed to be an intrusion detection system that creates
alerts, although it does produce notices. You might be better off with
Suricata if you want alerts.

Sincerely,

Richard

On Tue, Nov 26, 2019 at 4:17 PM Priyatham Ganta <gantapritham4 at gmail.com>
wrote:

> Hi,
>
> I'm trying to run Bro as an IDS. Hence, I don't want to show all the logs on
> the console. I just want to look at the alerts generated by Bro if there are
> any attacks on the network. That's the reason I want to print only the
> alerts and not logs.
> How do I run Bro in IDS mode?
>
> For Bro to run as an IDS, there should be some policies configured with which
> this application will differentiate between normal traffic and malicious
> traffic. I want to look at those policies.
>
> Can you help me with this?
>
> Thanks
>
> On Tue, 26 Nov 2019 at 10:54, Johanna Amann <johanna at icir.org> wrote:
>
>> Hi,
>>
>> > How can I run bro for the current traffic and show the alerts on a
>> > console
>> > instead of logs?
>>
>> you can run it on the command line without using zeekctl/broctl using
>> zeek (or bro) -i [interfacename]. However, logs will always be written to
>> files - it does not really make sense to write them to the console,
>> which would make it hard to distinguish between the different log
>> streams.
>>
>> Note - most Zeek logs are policy neutral and not really alerts…
>>
>> > Also where can I check the policies that are configured to Bro for
>> > IDS?
>>
>> I don’t 100% get the questions. If you load misc/loaded-scripts in
>> your configuration, you will get a loaded-scripts.log which will show
>> you all script files that are loaded. The default configuration of Zeek
>> loads most protocol analyzers and writes their log-files.
>>
>> > Also what is the difference between the broctl binary and bro binary?
>>
>> zeekctl/broctl is the management application to start zeek cluster
>> setups. See e.g. https://github.com/zeek/zeekctl - or
>> https://docs.zeek.org/en/stable/quickstart/ for a getting started guide
>> that mentions this.
>>
>> Johanna
>>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

-- 
Richard Bejtlich
Principal Security Strategist, Corelight
https://corelight.blog/author/richardbejtlich/
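Added example (not from either poster, and not a script shipped with Zeek): a small Zeek policy script that ties the two answers together. It loads misc/loaded-scripts so that loaded-scripts.log lists every script in effect, defines a Notice type that fires when a connection is established to a port on a watchlist, and uses a Notice::policy hook to echo each notice to the console while notice.log is still written as usual. The module name, the notice name and the two ports in the watchlist are assumptions chosen for illustration.

```zeek
# console-notices.zeek (hypothetical file name)
# Run live:       zeek -i eth0 console-notices.zeek
# Run on a trace: zeek -r trace.pcap console-notices.zeek

@load base/frameworks/notice
# Writes loaded-scripts.log so you can audit which scripts are active.
@load misc/loaded-scripts

module ConsoleNotices;

export {
    redef enum Notice::Type += {
        ## Raised when a connection is established to a watched port.
        Watched_Port_Connection,
    };

    ## Ports to flag. Example values only (assumption), override with redef.
    const watched_ports: set[port] = { 23/tcp, 2323/tcp } &redef;
}

event connection_established(c: connection)
{
    if ( c$id$resp_p !in watched_ports )
        return;

    # $identifier plus $suppress_for keeps one noisy host from
    # repeating the same notice every few seconds.
    NOTICE([$note=Watched_Port_Connection,
            $msg=fmt("connection to watched port %s", c$id$resp_p),
            $conn=c,
            $identifier=cat(c$id$orig_h, c$id$resp_h, c$id$resp_p),
            $suppress_for=1hr]);
}

# Echo every notice to stdout. The default policy still adds
# Notice::ACTION_LOG, so notice.log is written as well.
hook Notice::policy(n: Notice::Info)
{
    print fmt("NOTICE %s: %s", n$note, n$msg);
}
```

Only notices reach the console this way; conn.log, dns.log and the other protocol logs keep going to files, which is the separation Johanna describes. To see the notices alone on a terminal, run Zeek from an empty working directory and ignore the log files it creates there.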