[Zeek] Detection of all attacks in pcap file

Michał Purzyński michalpurzynski1 at gmail.com
Mon Oct 21 20:20:07 PDT 2019

It would be extremely difficult to compare IDS systems and here are a
couple of reasons why.

What does it mean, to compare IDS systems? Would you compare the
performance? Sure, this one can be measured, but it's so much ruleset
dependent that it rarely makes sense.

Detection accuracy? All of them basically perform the same job - reassemble
a number of packets in a stream, compare that stream against a huge
dataset, flag matches. If one of those components does not work correctly,
for example, IDS X can correctly reassemble TCP flows 99% of the time, it is
either a bug in the engine or there is something wrong with the capture, or
there are performance problems.

Then comes the comparison of "how many alerts will IDS X generate vs IDS
Y vs Z for the same input". You're not really comparing IDS-es again, but
the set of rules. Some rules can be used by multiple engines, like
Emerging Threats, which has versions for both Snort and Suricata. Some don't -
like the commercial Palo Alto Networks.

Finally, you have the "neutral" engines, like Zeek (or Suricata without any
rules and with flow and protocol logging enabled in eve-json). They do not
tell what is good and what is bad - because that's up to you. They merely
tell you about a connection that happened in the past, was from A to B, N
bytes and packets were sent and M bytes and packets were received, it took
5 minutes and it was SSL.
In the case of Zeek or Suricata you can have protocol analysis done, so for our
SSL connection, you will see the SNI, ciphersuites negotiated, X509
certificate details and so on.

At this point nothing is technically good or bad. Now, you as an analyst
can feed Zeek with rules saying "connections to or from IP A are always
bad" - and Zeek will let you know when those happen (or try to happen).

Or you can say "all SSL connections with a certificate with a serial number
12345 are bad" or flag a domain name in many places (not just the DNS
traffic), calculate file hashes, analyze PE files, SMB and RPC sessions,

An NSM like Zeek is basically a giant time machine + a matching engine +
an engine that can do almost arbitrary operations on network flows. It's up
to you to program it.

And that's why I think it cannot be compared with IDSes like Snort (purely
rule based) or Suricata (a combination of a traditional IDS with NSM).

Comparing Snort vs Suricata doesn't make sense either - because you would
be comparing rulesets, not engines.
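The two "rules" sketched above (a flagged address, a flagged certificate serial) expressed as a Zeek script that writes notices, which is also what Richard's reply below means by telling Zeek to "write a notice". This is an added illustration, not code from any message in this thread; the module name, notice names, addresses and serial value are constructed placeholders.

```zeek
@load base/frameworks/notice
@load base/protocols/ssl

module BadList;

export {
    redef enum Notice::Type += {
        ## A connection involving an address the analyst declared bad.
        Bad_Address,
        ## A TLS server presented a certificate with a flagged serial.
        Bad_Cert_Serial,
    };

    ## Constructed indicator values (documentation-range addresses,
    ## and the serial "12345" used as the example in the thread).
    ## Zeek renders serials as uppercase hex, so real values look like "0FB2...".
    const bad_addrs: set[addr] = { 192.0.2.10, 198.51.100.77 } &redef;
    const bad_serials: set[string] = { "12345" } &redef;
}

# "connections to or from IP A are always bad": fires once the handshake completes.
event connection_established(c: connection)
    {
    if ( c$id$orig_h in bad_addrs || c$id$resp_h in bad_addrs )
        NOTICE([$note=Bad_Address,
                $msg=fmt("connection involving flagged address: %s -> %s",
                         c$id$orig_h, c$id$resp_h),
                $conn=c,
                # identifier lets Notice::policy suppress duplicates per pair
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }

# "all SSL connections with a certificate with serial 12345 are bad":
# inspect the leaf certificate of the server chain after the TLS handshake.
event ssl_established(c: connection)
    {
    if ( ! c?$ssl || ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 )
        return;
    local leaf = c$ssl$cert_chain[0];
    if ( ! leaf?$x509 )
        return;
    local serial = leaf$x509$certificate$serial;
    if ( serial in bad_serials )
        NOTICE([$note=Bad_Cert_Serial,
                $msg=fmt("server %s presented certificate with flagged serial %s",
                         c$id$resp_h, serial),
                $conn=c,
                $identifier=cat(c$id$resp_h, serial)]);
    }
```

Run it against a capture with `zeek -r file.pcap badlist.zeek`; matches land in notice.log alongside the ordinary conn.log and ssl.log records, which stay neutral.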

On Mon, Oct 21, 2019 at 4:24 PM Richard Bejtlich <richard at corelight.com> wrote:

> That’s generally what IDS users want to know — what activity is normal,
> suspicious, or malicious?
> Richard
> On Mon, Oct 21, 2019 at 7:04 PM Borivoje Pavlovic <bpboci24 at gmail.com>
> wrote:
>> Dear Richard,
>> Thank you very much for your answer. I have one last question.
>> What do you mean by deciding what was bad on network?
>> Best regards
>> Borivoje
>> On Tue, 22 Oct 2019, 00:18 Richard Bejtlich, <richard at corelight.com>
>> wrote:
>>> Hi Borivoje and Zeek users,
>>> Traditionally, analysts use Zeek to transform their network traffic into
>>> compact logs that describe a variety of activities. Rather than recording
>>> full content in a .pcap if you're interested in an FTP session, for example,
>>> Zeek will create one or more logs describing the important elements of that
>>> FTP session. There's no concept of "good" or "bad" in that log, or in most
>>> logs.
>>> So, the premise of comparing Zeek as an IDS with Snort or Suricata
>>> doesn't make much sense. You would be better off comparing Snort with
>>> Suricata, as they are both designed as intrusion detection systems, i.e.,
>>> they render judgments based on the traffic they observe. Of course you need
>>> to provide rule sets, which contain the essence of "badness" as designed by
>>> the rule creators.
>>> You could conceivably program Zeek to be an IDS if you decided what was
>>> bad on your network and told Zeek to write a notice when it sees that
>>> activity. Running default Zeek against a data set from the Internet is not
>>> going to yield the results your professor is seeking.
>>> Sincerely,
>>> Richard
>>> On Mon, Oct 21, 2019 at 6:05 PM Borivoje Pavlovic <bpboci24 at gmail.com>
>>> wrote:
>>>> Hi Richard,
>>>> Thank you for prompt response. Actually, it is a part of my thesis at
>>>> faculty. I am required to compare different Intrusion detection systems
>>>> such as Zeek and aforementioned Suricata and Snort based on dataset
>>>> CICIDS2017 which contains malicious (Bruteforce, DoS, Web attacks...) and
>>>> benign traffic. What I need is to classify/label traffic with these
>>>> different IDS tools, but I haven't found the way anywhere how to do that
>>>> with Zeek. Attached, you can find two images. The first one is .csv file
>>>> that contains different flow-based features and labeled traffic (benign or
>>>> ftp patator). I am not sure whether Bro is able to perform this kind of analysis at
>>>> all. The second image is notice.log made after running
>>>> policy/protocols/ssh/detect-bruteforcing.zeek script against .pcap file. It
>>>> would mean a lot to me if you know whether there is some kind of custom script
>>>> written in Zeek which can label all the traffic per instance?
>>>> Best regards
>>>> Borivoje
>>>> On Mon, Oct 21, 2019 at 10:59 PM Richard Bejtlich <
>>>> richard at corelight.com> wrote:
>>>>> Hello,
>>>>> The notice log would contain any information pertaining to
>>>>> the policy/protocols/ssh/detect-bruteforcing.zeek script.
>>>>> However, I'm a little concerned by the nature of your task. Zeek isn't
>>>>> really designed as an "intrusion detection system" like Snort or Suricata.
>>>>> Is this a school project?
>>>>> Sincerely,
>>>>> Richard
>>>>> On Mon, Oct 21, 2019 at 2:18 PM Borivoje Pavlovic <bpboci24 at gmail.com>
>>>>> wrote:
>>>>>> Hi all,
>>>>>> I am a beginner in Zeek. Currently, I have a task to perform analysis
>>>>>> of .pcap files and detect all possible attacks per time instances. In
>>>>>> other words I have to test Zeek as an IDS tool and find with what
>>>>>> percentage Zeek is able to classify traffic correctly (True/False positive,
>>>>>> True/False negative indication). Is there a possibility to do so? For
>>>>>> example, I tried to run integrated Brute-Forcing.zeek script against my
>>>>>> .pcap file but in the notice.log there is just a note that there was an
>>>>>> attack which is not what I am looking for. Do I have to search for labeled
>>>>>> network in some other logs?
>>>>>> Thanks in advance
>>>>>> Borivoje
>>>>>> _______________________________________________
>>>>>> Zeek mailing list
>>>>>> zeek at zeek.org
>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>>> --
>>>>> Richard Bejtlich
>>>>> Principal Security Strategist, Corelight
>>>>> https://corelight.blog/author/richardbejtlich/