[Zeek] Detection of all attacks in pcap file

Richard Bejtlich richard at corelight.com
Mon Oct 21 13:59:26 PDT 2019


The notice log would contain any information pertaining to
the policy/protocols/ssh/detect-bruteforcing.zeek script.

However, I'm a little concerned by the nature of your task. Zeek isn't
really designed as an "intrusion detection system" like Snort or Suricata.
Is this a school project?



On Mon, Oct 21, 2019 at 2:18 PM Borivoje Pavlovic <bpboci24 at gmail.com>

> Hi all,
> I am a beginner in Zeek. Currently, I have a task to perform analysis of
> .pcap files and detect all possible attacks per time instance. In other
> words, I have to test Zeek as an IDS tool and find with what percentage
> Zeek is able to classify traffic correctly (true/false positive, true/false
> negative indication). Is there a possibility to do so? For example, I tried
> to run the integrated Brute-Forcing.zeek script against my .pcap file, but in
> the notice.log there is just a note that there was an attack, which is not
> what I am looking for. Do I have to search for labeled network in some other
> logs?
> Thanks in advance
> Borivoje
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

Richard Bejtlich
Principal Security Strategist, Corelight
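An added example, not part of the exchange above, of the comparison the question asks about: parse notice.log by its `#fields` header, take the hosts named as `src` in `SSH::Password_Guessing` notices (the notice type raised by policy/protocols/ssh/detect-bruteforcing.zeek), and score them against a labelled list of attacker hosts. The log lines, host list and labels are constructed; a real notice.log carries more columns, which is why the parser keys on the header rather than fixed positions.

```python
# Added example (not from the mailing-list post): score Zeek's
# SSH::Password_Guessing notices from notice.log against a labelled
# ground truth to get per-host TP/FP/FN/TN counts.
# NOTICE_LOG is a constructed, column-trimmed imitation of Zeek's TSV
# notice.log; real files have more fields, but the #fields line drives parsing.
NOTICE_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tsrc\tdst
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\taddr\taddr
1571678000.1\t-\t-\t-\t-\t-\tSSH::Password_Guessing\t10.0.0.5 appears to be guessing SSH passwords (seen in 30 connections).\t10.0.0.5\t-
1571678100.2\t-\t-\t-\t-\t-\tSSH::Password_Guessing\t10.0.0.9 appears to be guessing SSH passwords (seen in 30 connections).\t10.0.0.9\t-
#close\t2019-10-21-14-00-00
"""

# Constructed ground truth: every host in the capture, and which of them
# the dataset labels as SSH brute-forcers.
HOSTS_SEEN = {"10.0.0.3", "10.0.0.5", "10.0.0.7", "10.0.0.9"}
LABELLED_ATTACKERS = {"10.0.0.5", "10.0.0.7"}


def parse_zeek_log(text):
    """Turn a Zeek TSV log into a list of dicts keyed by its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]        # column names follow the tag
        elif line.startswith("#") or not line.strip():
            continue                             # other metadata lines
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def score_notices(rows, hosts_seen, labelled_attackers,
                  note="SSH::Password_Guessing"):
    """Per-host confusion counts: a host is 'alerted' if it is the src of a notice."""
    alerted = {r["src"] for r in rows if r.get("note") == note}
    return {
        "tp": len(alerted & labelled_attackers),
        "fp": len(alerted - labelled_attackers),
        "fn": len(labelled_attackers - alerted),
        "tn": len(hosts_seen - alerted - labelled_attackers),
    }


if __name__ == "__main__":
    print(score_notices(parse_zeek_log(NOTICE_LOG), HOSTS_SEEN, LABELLED_ATTACKERS))
```

The same header-driven parser works for conn.log or ssh.log, so the ground truth can be built from the capture's own connections rather than hand-written.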
