[Zeek] Detection of all attacks in pcap file

Richard Bejtlich richard at corelight.com
Mon Oct 21 15:18:17 PDT 2019

Hi Borivoje and Zeek users,

Traditionally, analysts use Zeek to transform their network traffic into
compact logs that describe a variety of activities. Rather than recording
full content in a .pcap if you're interested in an FTP session, for example,
Zeek will create one or more logs describing the important elements of that
FTP session. There's no concept of "good" or "bad" in that log, or in most

So, the premise of comparing Zeek as an IDS with Snort or Suricata doesn't
make much sense. You would be better off comparing Snort with Suricata, as
they are both designed as intrusion detection systems, i.e., they render
judgments based on the traffic they observe. Of course you need to provide
rule sets, which contain the essence of "badness" as designed by the rule

You could conceivably program Zeek to be an IDS if you decided what was bad
on your network and told Zeek to write a notice when it sees that activity.
Running default Zeek against a data set from the Internet is not going to
yield the results your professor is seeking.



On Mon, Oct 21, 2019 at 6:05 PM Borivoje Pavlovic <bpboci24 at gmail.com>

> Hi Richard,
> Thank you for the prompt response. Actually, it is a part of my thesis at
> faculty. I am required to compare different Intrusion detection systems
> such as Zeek and aforementioned Suricata and Snort based on dataset
> CICIDS2017 which contains malicious (Bruteforce, DoS, Web attacks...) and
> benign traffic. What I need is to classify/label traffic with these
> different IDS tools, but I haven't found the way anywhere how to do that
> with Zeek. Attached, you can find two images. The first one is .csv file
> that contains different flow-based features and labeled traffic (benign or
> ftp patator). I am not sure whether Bro is able to perform this kind of analysis at
> all. The second image is notice.log made after running
> policy/protocols/ssh/detect-bruteforcing.zeek script against .pcap file. It
> would mean a lot to me if you know whether there is some kind of custom script
> written in Zeek which can label all the traffic per instance?
> Best regards
> Borivoje
> On Mon, Oct 21, 2019 at 10:59 PM Richard Bejtlich <richard at corelight.com>
> wrote:
>> Hello,
>> The notice log would contain any information pertaining to
>> the policy/protocols/ssh/detect-bruteforcing.zeek script.
>> However, I'm a little concerned by the nature of your task. Zeek isn't
>> really designed as an "intrusion detection system" like Snort or Suricata.
>> Is this a school project?
>> Sincerely,
>> Richard
>> On Mon, Oct 21, 2019 at 2:18 PM Borivoje Pavlovic <bpboci24 at gmail.com>
>> wrote:
>>> Hi all,
>>> I am a beginner in Zeek. Currently, I have a task to perform analysis of
>>> .pcap files and detect all possible attacks per time instance. In other
>>> words, I have to test Zeek as an IDS tool and find with what percentage
>>> Zeek is able to classify traffic correctly (True/False positive, True/False
>>> negative indication). Is there a possibility to do so? For example, I tried
>>> to run the integrated Brute-Forcing.zeek script against my .pcap file, but in
>>> the notice.log there is just a note that there was an attack, which is not
>>> what I am looking for. Do I have to search for labeled network in some other
>>> logs?
>>> Thanks in advance
>>> Borivoje
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>> --
>> Richard Bejtlich
>> Principal Security Strategist, Corelight
>> https://corelight.blog/author/richardbejtlich/

Richard Bejtlich
Principal Security Strategist, Corelight
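Added example (not part of the thread, and not Zeek's or Corelight's code): one way to turn a Zeek notice.log into per-flow labels that can be scored against a labeled dataset of the CICIDS2017 kind, which is what the original question asks for. The notice.log text and the labeled flow list below are constructed and abbreviated; the real notice.log carries more columns, but the parser reads the column names from the `#fields` header line, so it works on any Zeek TSV log. The join key (the notice's `src` address) and the attack label string `SSH-Patator` are assumptions chosen to match the SSH brute-forcing example in the thread.

```python
"""Score Zeek notices against a labeled flow list (added example)."""
from typing import Dict, List, Set, Tuple

# Constructed, abbreviated notice.log in Zeek's TSV format (header lines start
# with '#'; the unset-field marker is '-'). Only the columns used here are kept.
NOTICE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tnotice
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tsrc\tdst
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\taddr\taddr
1499274000.000000\t-\t-\t-\t-\t-\tSSH::Password_Guessing\t172.16.0.1 appears to be guessing SSH passwords (seen in 30 connections).\t172.16.0.1\t-
1499274100.000000\t-\t-\t-\t-\t-\tSSH::Password_Guessing\t192.168.10.8 appears to be guessing SSH passwords (seen in 30 connections).\t192.168.10.8\t-
#close\t2019-10-21-15-18-17
"""

# Constructed ground truth: (source IP, destination IP, label), mimicking the
# "Label" column of a CICIDS2017-style flow CSV.
LABELED_FLOWS: List[Tuple[str, str, str]] = [
    ("172.16.0.1", "192.168.10.50", "SSH-Patator"),
    ("172.16.0.1", "192.168.10.50", "SSH-Patator"),
    ("192.168.10.5", "192.168.10.50", "BENIGN"),
    ("192.168.10.8", "192.168.10.3", "BENIGN"),
    ("192.168.10.12", "192.168.10.50", "SSH-Patator"),
]


def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log into dicts keyed by the names in its #fields line."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other header/footer lines carry no records
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count does not match #fields header")
        records.append(dict(zip(fields, values)))
    return records


def flagged_sources(records: List[Dict[str, str]],
                    note: str = "SSH::Password_Guessing") -> Set[str]:
    """Source addresses that Zeek raised the given notice type for."""
    return {r["src"] for r in records if r["note"] == note and r["src"] != "-"}


def label_flows(flows: List[Tuple[str, str, str]], flagged: Set[str],
                attack_label: str = "SSH-Patator") -> List[Tuple[str, str, str, str]]:
    """Attach a TP/FP/TN/FN outcome to each flow; a flow is 'predicted attack'
    when its source address appears in the notice log."""
    out = []
    for src, dst, label in flows:
        actual = label == attack_label
        predicted = src in flagged
        outcome = ("TP" if actual else "FP") if predicted else ("FN" if actual else "TN")
        out.append((src, dst, label, outcome))
    return out


def score(flows: List[Tuple[str, str, str]], flagged: Set[str],
          attack_label: str = "SSH-Patator") -> Dict[str, float]:
    """Confusion-matrix counts plus precision and recall for the labeling."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for _, _, _, outcome in label_flows(flows, flagged, attack_label):
        counts[outcome] += 1
    tp, fp, fn = counts["TP"], counts["FP"], counts["FN"]
    return {
        "tp": tp, "fp": fp, "tn": counts["TN"], "fn": fn,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


if __name__ == "__main__":
    flagged = flagged_sources(parse_zeek_log(NOTICE_LOG))
    for row in label_flows(LABELED_FLOWS, flagged):
        print(row)
    print(score(LABELED_FLOWS, flagged))
```

Two caveats follow from how the detect-bruteforcing script works: it raises one notice per offending source after a threshold of failed logins, not one per connection, so joining on the source address labels every flow from that host (including the ones before the threshold was reached and any benign ones, as the constructed `192.168.10.8` false positive shows). A finer-grained join would use the notice's `ts` and the conn.log `uid`/5-tuple to label only the connections that fall inside the guessing window.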