[Zeek] Detection of all attacks in pcap file

Richard Bejtlich richard at corelight.com
Mon Oct 21 16:22:08 PDT 2019


That’s generally what IDS users want to know — what activity is normal,
suspicious, or malicious?

Richard

On Mon, Oct 21, 2019 at 7:04 PM Borivoje Pavlovic <bpboci24 at gmail.com>
wrote:

> Dear Richard,
>
> Thank you very much for your answer. I have one last question.
> What do you mean by deciding what was bad on network?
>
> Best regards
>
> Borivoje
>
> On Tue, 22 Oct 2019, 00:18 Richard Bejtlich, <richard at corelight.com>
> wrote:
>
>> Hi Borivoje and Zeek users,
>>
>> Traditionally, analysts use Zeek to transform their network traffic into
>> compact logs that describe a variety of activities. Rather than recording
>> full content in a .pcap if you're interested in an FTP session, for example,
>> Zeek will create one or more logs describing the important elements of that
>> FTP session. There's no concept of "good" or "bad" in that log, or in most
>> logs.
>>
>> So, the premise of comparing Zeek as an IDS with Snort or Suricata
>> doesn't make much sense. You would be better off comparing Snort with
>> Suricata, as they are both designed as intrusion detection systems, i.e.,
>> they render judgments based on the traffic they observe. Of course you need
>> to provide rule sets, which contain the essence of "badness" as designed by
>> the rule creators.
>>
>> You could conceivably program Zeek to be an IDS if you decided what was
>> bad on your network and told Zeek to write a notice when it sees that
>> activity. Running default Zeek against a data set from the Internet is not
>> going to yield the results your professor is seeking.
>>
>> Sincerely,
>>
>> Richard
>>
>> On Mon, Oct 21, 2019 at 6:05 PM Borivoje Pavlovic <bpboci24 at gmail.com>
>> wrote:
>>
>>> Hi Richard,
>>>
>>> Thank you for the prompt response. Actually, it is a part of my thesis at
>>> faculty. I am required to compare different Intrusion detection systems
>>> such as Zeek and the aforementioned Suricata and Snort based on the dataset
>>> CICIDS2017, which contains malicious (Bruteforce, DoS, Web attacks...) and
>>> benign traffic. What I need is to classify/label traffic with these
>>> different IDS tools, but I haven't found anywhere how to do that
>>> with Zeek. Attached, you can find two images. The first one is a .csv file
>>> that contains different flow-based features and labeled traffic (benign or
>>> ftp patator). I am not sure whether Bro is able to perform this kind of analysis at
>>> all. The second image is notice.log made after running the
>>> policy/protocols/ssh/detect-bruteforcing.zeek script against a .pcap file. It
>>> would mean a lot to me if you know whether there is some kind of custom script
>>> written in Zeek which can label all the traffic per each instance?
>>>
>>> Best regards
>>>
>>> Borivoje
>>>
>>> On Mon, Oct 21, 2019 at 10:59 PM Richard Bejtlich <richard at corelight.com>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> The notice log would contain any information pertaining to
>>>> the policy/protocols/ssh/detect-bruteforcing.zeek script.
>>>>
>>>> However, I'm a little concerned by the nature of your task. Zeek isn't
>>>> really designed as an "intrusion detection system" like Snort or Suricata.
>>>> Is this a school project?
>>>>
>>>> Sincerely,
>>>>
>>>> Richard
>>>>
>>>> On Mon, Oct 21, 2019 at 2:18 PM Borivoje Pavlovic <bpboci24 at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I am a beginner in Zeek. Currently, I have a task to perform analysis of
>>>>> .pcap files and detect all possible attacks per time instance. In
>>>>> other words, I have to test Zeek as an IDS tool and find with which
>>>>> percentage Zeek is able to classify traffic correctly (True/False positive,
>>>>> True/False negative indication). Is there a possibility to do so? For
>>>>> example, I tried to run the integrated Brute-Forcing.zeek script against my
>>>>> .pcap file, but in the notice.log there is just a note that there was an
>>>>> attack, which is not what I am looking for. Do I have to search for labeled
>>>>> network traffic in some other logs?
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>> Borivoje
>>>>>
>>>>> _______________________________________________
>>>>> Zeek mailing list
>>>>> zeek at zeek.org
>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>>
>>>>
>>>>
>>>> --
>>>> Richard Bejtlich
>>>> Principal Security Strategist, Corelight
>>>> https://corelight.blog/author/richardbejtlich/
>>>>
>>>
>>
>> --
>> Richard Bejtlich
>> Principal Security Strategist, Corelight
>> https://corelight.blog/author/richardbejtlich/
>>
--
Richard Bejtlich
Principal Security Strategist, Corelight
https://corelight.blog/author/richardbejtlich/
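The approach Richard describes above (decide what counts as "bad" on your network, then have Zeek write a notice when it sees it) can be shown with a small script. The following is an added illustration for this thread, not a script from the Zeek project or from any participant: it counts FTP login failures per source address and raises a notice once a source crosses a threshold, which is the kind of event the FTP-Patator portion of a dataset would produce. The module name `FTPBrute`, the notice type `Login_Failures`, and the threshold and window values are assumptions chosen for the example; the `ftp_reply` event and the Notice framework are standard Zeek.

```zeek
# Added example: raise a notice when one source fails FTP logins repeatedly.
# Module name, notice type, threshold and window are assumed for this example.
@load base/frameworks/notice
@load base/protocols/ftp

module FTPBrute;

export {
    redef enum Notice::Type += {
        ## Raised when one source exceeds the failed-login threshold.
        Login_Failures,
    };

    ## Failed logins from one source before a notice is raised (assumed value).
    const failure_threshold = 10 &redef;

    ## Window in which failures are counted (assumed value).
    const failure_window = 5 min &redef;
}

# Failed logins per originating host; an entry expires failure_window after creation.
global failures: table[addr] of count &default=0 &create_expire=failure_window;

# Sources already reported, so one attack yields one notice rather than one per reply.
global reported: set[addr] &create_expire=failure_window;

event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
    {
    # RFC 959 reply 530 ("Not logged in") is what the server sends on a bad login.
    if ( code != 530 )
        return;

    local src = c$id$orig_h;
    ++failures[src];

    if ( failures[src] >= failure_threshold && src !in reported )
        {
        add reported[src];
        NOTICE([$note=Login_Failures,
                $msg=fmt("%s had %d failed FTP logins within %s",
                         src, failures[src], failure_window),
                $src=src,
                $conn=c,
                $identifier=cat(src)]);
        }
    }
```

Run it offline against a capture with `zeek -r capture.pcap ftp-failures.zeek` (file name assumed) and read notice.log: each `FTPBrute::Login_Failures` entry carries a timestamp, the source address and the connection uid, which is what you would compare against the dataset's own labels per time window to count true and false positives. Nothing here labels individual flows; that part of the thesis would need your own definition of what a "bad" flow is, expressed as further conditions in scripts like this one.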