[Zeek] Ryu Controller

Priyatham Ganta gantapritham4 at gmail.com
Tue Nov 26 15:59:47 PST 2019


Hi,

Yes, it is for a school project and I would like to use Bro as an IDS. And I
would like Bro to generate active alerts for the incoming traffic. How can
I do it?

Thanks

On Tue, 26 Nov 2019 at 14:20, Richard Bejtlich <richard at corelight.com>
wrote:

> Why are you interested in this approach? Is it a school project?
>
> Zeek isn’t designed to be an intrusion detection system that creates
> alerts, although it does produce notices. You might be better off with
> Suricata if you want alerts.
>
> Sincerely,
>
> Richard
>
> On Tue, Nov 26, 2019 at 4:17 PM Priyatham Ganta <gantapritham4 at gmail.com>
> wrote:
>
>> Hi,
>>
> >> I'm trying to run Bro as an IDS. Hence, I don't want to show all the logs on
> >> the console. I just want to look at the alerts generated by Bro if there are
> >> any attacks on the network. That's the reason I want to print only the
> >> alerts and not logs.
> >> How do I run Bro in IDS mode?
> >>
> >> For Bro to run as an IDS, there should be some policies configured with
> >> which this application will differentiate between normal traffic and
> >> malicious traffic. I want to look at those policies.
>>
>> Can you help me with this?
>>
>> Thanks
>>
>> On Tue, 26 Nov 2019 at 10:54, Johanna Amann <johanna at icir.org> wrote:
>>
>>> Hi,
>>>
>>> > How can I run bro for the current traffic and show the alerts on a
>>> > console
>>> > instead of logs?
>>>
> >>> you can run it on the command line without using zeekctl/broctl using
> >>> zeek (or bro) -i [interfacename]. However, logs will always be written to
> >>> files - it does not really make sense to write them to the console,
> >>> which would make it hard to distinguish between the different log
> >>> streams.
>>>
>>> Note - most Zeek logs are policy neutral and not really alerts…
>>>
>>> > Also where can I check the policies that are configured to Bro for
>>> > IDS?
>>>
>>> I don’t 100% get the questions. If you load misc/loaded-scripts in
>>> your configuration, you will get a loaded-scripts.log which will show
>>> you all script files that are loaded. The default configuration of Zeek
>>> loads most protocol analyzers and writes their log-files.
>>>
>>> > Also what is the difference between the broctl binary and bro binary?
>>>
>>> zeekctl/broctl is the management application to start zeek cluster
>>> setups. See e.g. https://github.com/zeek/zeekctl - or
>>> https://docs.zeek.org/en/stable/quickstart/ for a getting started guide
>>> that mentions this.
>>>
>>> Johanna
>>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
> --
> Richard Bejtlich
> Principal Security Strategist, Corelight
> https://corelight.blog/author/richardbejtlich/
>
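An added illustration, not code from anyone in this thread, of the mechanism Richard and Johanna point at: Zeek's protocol logs are policy-neutral, and the Notice framework is the part of Zeek that turns an observation into something alert-like. The script below is hypothetical; the module name `Demo`, the notice type `Suspicious_Port` and the contents of `watched_ports` are illustrative assumptions. It raises a notice for every established connection to a port in that set, escalates that notice type to `Notice::ACTION_ALARM` so it also lands in notice_alarm.log, and echoes each logged notice to stdout, which gives the notices-only console view the original question asked for while the other logs keep going to files.

```zeek
##! Added example: raise a Zeek notice for connections to watched ports
##! and echo notices to the console. Module/notice names and the port
##! set are illustrative assumptions, not part of the original thread.

@load base/frameworks/notice

module Demo;

export {
    redef enum Notice::Type += {
        ## A connection was established to a port in Demo::watched_ports.
        Suspicious_Port,
    };

    ## Destination ports worth a notice. The values are an assumption
    ## chosen for illustration; override them with redef in local.zeek.
    const watched_ports: set[port] = { 23/tcp, 4444/tcp } &redef;
}

event connection_established(c: connection)
    {
    if ( c$id$resp_p !in watched_ports )
        return;

    NOTICE([$note=Suspicious_Port,
            $msg=fmt("%s connected to watched port %s on %s",
                     c$id$orig_h, c$id$resp_p, c$id$resp_h),
            $conn=c,
            # The same originator hitting the same port within the
            # framework's suppression interval (default 1 hour) yields
            # a single notice instead of one per connection.
            $identifier=cat(c$id$orig_h, c$id$resp_p)]);
    }

# Escalate this notice type. ACTION_LOG (notice.log) is applied by
# default; ACTION_ALARM additionally writes the notice to
# notice_alarm.log, which zeekctl summarises in its alarm mail.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Suspicious_Port )
        add n$actions[Notice::ACTION_ALARM];
    }

# Fired for every record written to notice.log. Printing here gives a
# console view of notices only; conn.log and friends still go to files.
event Notice::log_notice(rec: Notice::Info)
    {
    print fmt("ALERT %s: %s", rec$note, rec$msg);
    }
```

Save it as demo.zeek and run it from a terminal with `zeek -i eth0 demo.zeek` (the interface name is an assumption), the same stand-alone invocation Johanna describes. The protocol logs are still written to files in the working directory; only the `print` in `Notice::log_notice` reaches the console. Dropping the `Notice::policy` hook leaves the notice in notice.log alone, which is the difference between a logged notice and the alarm-style alert the original poster had in mind.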