[Zeek] Detection of all attacks in pcap file

jamie brim bramiejim at gmail.com
Mon Oct 21 21:37:41 PDT 2019

Looking at the page I found for CICIDS2017
<https://www.unb.ca/cic/datasets/ids-2017.html>, it seems like there are
specific attacks enumerated on the page that describe the traffic in the
PCAPs. Roughly the captured behavior seems like it can be broken down into
reconnaissance, specific exploits, botnet activity, implant activity, and
DoS. There is scanning and ssh brute force detection included already, an
example provided of how to set up FTP brute force detection, as well as a
blog post
<https://blog.zeek.org//2014/04/detecting-heartbleed-bug-using-bro.html> on
Heartbleed detection in Zeek, that was arguably more robust than the
signature based detections that went out at the same time. I encourage you
to check these resources out!

Your results with Zeek will depend on just how deep down the rabbit hole
you are willing to go. The exploits and implants will likely not be
detected by Zeek "out of the box", the same likely goes with the DoS
detection (though the SumStats
<https://docs.zeek.org/en/stable/frameworks/sumstats.html> framework may
help here with some quick wins). Some could likely be caught with good IOC
(domain, IP) feeds, transformed into something usable by Zeek, and fed into
Zeek's intel framework
<https://docs.zeek.org/en/stable/frameworks/intel.html>. Other exploit /
implant detection might require further log analysis or some scripting.
Some might only be detectable by bytestream signatures. It's hard to tell
without digging in further.

As others have explained, Zeek "out of the box" can provide useful
telemetry, in the form of network protocol logs, that could be used
downstream, in either some sort of SIEM, rules engine, or similarly
purposed data infrastructure, to not only detect such attacks, but provide
a fuller context to incident responders running down these detections, who
might need later follow-up information that the pattern matching based
approaches would not have preserved. As others have also said, Zeek makes
more observations than judgments, and it is up to the operator what
response to take to these observations.

Without knowing more about those specific DoS attacks or exploit based
attacks, it's hard to know what would show up in the standard logs, but it
could be an interesting exercise to run the PCAPs through default Zeek,
feed the logs to Splunk or ELK, look for patterns that you might be able to
discern and write rules for them, either in the downstream log processor,
or in Zeek scripting language itself. I encourage you to consider Zeek as a
crucial source component of your overall security detection stack, rather
than a full-stack, fully-calibrated network detection engine in a box.

One cool thing about Zeek vs most signature based IDS systems is that
Zeek reaches as deep as it can into the protocols it understands, and makes
even more information available than it does by default to operators who
are willing to dive into script land. If you know what you're looking for,
and it's observable on the network, chances are there's a way to analyze it
with a Zeek script. As an example, Corelight recently published an overview
of such work for SSH
analysis. Zeek offers a diverse set of Protocol Analyzers
<https://docs.zeek.org/en/stable/script-reference/proto-analyzers.html> that
provide a rich stream of events that can be hooked to suit your every
purpose. There's also a collection of packages <https://packages.zeek.org/> to
explore if you're interested in learning more about scripting. If you have
an hour, or two, I'd also check out this talk
<https://www.youtube.com/watch?v=fGgHgJEzgLc> which I found helpful in
explaining what it is you're signing yourself up for :)

All the best
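Jamie points at SumStats as a place for quick wins on DoS-style behaviour. The script below is an added example (it is not from the thread and not part of the Zeek distribution) showing the shape such a detection takes: every unanswered TCP connection attempt is fed to a SumStats stream keyed by source address, summed over a one-minute epoch, and a notice is raised when a source crosses a threshold. The stream name `conn.attempts`, the notice type `Connection_Flood`, the window and the threshold of 100 are this example's own choices and need tuning against the benign days of the data set.

```zeek
##! Added example: count unanswered connection attempts per source with
##! SumStats and raise a notice when a source floods a network.

@load base/frameworks/sumstats
@load base/frameworks/notice

module ConnFlood;

export {
    redef enum Notice::Type += {
        ## A single source made too many unanswered connection attempts.
        Connection_Flood
    };

    ## Attempts per epoch that trigger the notice (example value, tune it).
    const flood_threshold: double = 100.0 &redef;

    ## Length of the measurement window (example value).
    const flood_interval = 1min &redef;
}

## connection_attempt fires for a TCP handshake that never completed,
## which is what a SYN flood or an aggressive scanner produces in bulk.
event connection_attempt(c: connection)
{
    SumStats::observe("conn.attempts",
                      SumStats::Key($host=c$id$orig_h),
                      SumStats::Observation($num=1));
}

event zeek_init()
{
    local r1 = SumStats::Reducer($stream="conn.attempts",
                                 $apply=set(SumStats::SUM));

    SumStats::create([$name="conn-flood",
                      $epoch=flood_interval,
                      $reducers=set(r1),
                      # Value compared against $threshold for each key.
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["conn.attempts"]$sum;
                          },
                      $threshold=flood_threshold,
                      # Called once per key per epoch when the threshold is crossed.
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local n = result["conn.attempts"]$sum;
                          NOTICE([$note=Connection_Flood,
                                  $msg=fmt("%s made %.0f unanswered connection attempts in %s",
                                           key$host, n, flood_interval),
                                  $src=key$host,
                                  # Suppress repeats for the same source.
                                  $identifier=cat(key$host)]);
                          }]);
}
```

Run it offline against a capture with `zeek -r capture.pcap conn-flood.zeek` and look at `notice.log`; the same structure, with a different event and reducer (for instance `SumStats::UNIQUE` over destination ports keyed by source), covers the reconnaissance side of the data set as well.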

On Mon, Oct 21, 2019 at 3:20 PM Richard Bejtlich <richard at corelight.com> wrote:

> Hi Borivoje and Zeek users,
> Traditionally, analysts use Zeek to transform their network traffic into
> compact logs that describe a variety of activities. Rather than recording
> full content in a .pcap if you're interested in an FTP session, for example,
> Zeek will create one or more logs describing the important elements of that
> FTP session. There's no concept of "good" or "bad" in that log, or in most
> logs.
> So, the premise of comparing Zeek as an IDS with Snort or Suricata doesn't
> make much sense. You would be better off comparing Snort with Suricata, as
> they are both designed as intrusion detection systems, i.e., they render
> judgments based on the traffic they observe. Of course you need to provide
> rule sets, which contain the essence of "badness" as designed by the rule
> creators.
> You could conceivably program Zeek to be an IDS if you decided what was
> bad on your network and told Zeek to write a notice when it sees that
> activity. Running default Zeek against a data set from the Internet is not
> going to yield the results your professor is seeking.
> Sincerely,
> Richard
> On Mon, Oct 21, 2019 at 6:05 PM Borivoje Pavlovic <bpboci24 at gmail.com>
> wrote:
>> Hi Richard,
>> Thank you for prompt response. Actually, it is a part of my thesis at
>> faculty. I am required to compare different Intrusion detection systems
>> such as Zeek and aforementioned Suricata and Snort based on dataset
>> CICIDS2017 which contains malicious (Bruteforce, DoS, Web attacks...) and
>> benign traffic. What I need is to classify/label traffic with these
>> different IDS tools, but I haven't found the way anywhere how to do that
>> with Zeek. Attached, you can find two images. The first one is .csv file
>> that contains different flow-based features and labeled traffic (benign or
>> ftp patator). I am not sure is Bro able to perform this kind of analysis at
>> all. The second image is notice.log made after running
>> policy/protocols/ssh/detect-bruteforcing.zeek script against .pcap file. It
>> would mean a lot to me if you know is there some kind of custom script
>> written in Zeek which can label all the traffic per each instance?
>> Best regards
>> Borivoje
>> On Mon, Oct 21, 2019 at 10:59 PM Richard Bejtlich <richard at corelight.com>
>> wrote:
>>> Hello,
>>> The notice log would contain any information pertaining to
>>> the policy/protocols/ssh/detect-bruteforcing.zeek script.
>>> However, I'm a little concerned by the nature of your task. Zeek isn't
>>> really designed as an "intrusion detection system" like Snort or Suricata.
>>> Is this a school project?
>>> Sincerely,
>>> Richard
>>> On Mon, Oct 21, 2019 at 2:18 PM Borivoje Pavlovic <bpboci24 at gmail.com>
>>> wrote:
>>>> Hi all,
>>>> I am a beginner in Zeek. Currently, I have a task to perform analysis of
>>>> .pcap files and detect all possible attacks per time instances. In
>>>> other words I have to test Zeek as an IDS tool and find with which
>>>> percentage Zeek is able to classify traffic correctly (True/False positive,
>>>> True/False negative indication). Is there possibility to do so? For
>>>> example, I tried to run integrated Brute-Forcing.zeek script against my
>>>> .pcap file but in the notice.log there is just note that there was an
>>>> attack which is not what I am looking for. Do I have to search for labeled
>>>> network in some other logs?
>>>> Thanks in advance
>>>> Borivoje
>>>> _______________________________________________
>>>> Zeek mailing list
>>>> zeek at zeek.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>> --
>>> Richard Bejtlich
>>> Principal Security Strategist, Corelight
>>> https://corelight.blog/author/richardbejtlich/
> --
> Richard Bejtlich
> Principal Security Strategist, Corelight
> https://corelight.blog/author/richardbejtlich/
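Richard's point that you can "decide what is bad on your network and tell Zeek to write a notice", and Borivoje's wish to get a label per traffic instance rather than a single notice, can be combined in one short script. The following is an added example (not from the thread or the Zeek project) that adds a `label` column to `conn.log` and sets it to `ftp-bruteforce` for any FTP session in which the server answered with three or more `530` (login incorrect) replies, raising a notice at the same time. The threshold of 3, the label strings and the notice type `FTP_Login_Guessing` are this example's own choices.

```zeek
##! Added example: label every FTP session in conn.log as benign or
##! ftp-bruteforce from the number of failed logins, and notice on the latter.

@load base/protocols/conn
@load base/protocols/ftp
@load base/frameworks/notice

module FTPLabel;

export {
    redef enum Notice::Type += {
        ## Raised once per FTP session that crossed the failed-login limit.
        FTP_Login_Guessing
    };

    ## Failed logins in one session that mark it as brute force
    ## (example value; tune against the labeled CSV for the data set).
    const failed_login_limit = 3 &redef;
}

## Per-connection counter of "530 Login incorrect" replies.
redef record connection += {
    ftp_failed_logins: count &default=0;
};

## Extra column in conn.log carrying the verdict for that session.
redef record Conn::Info += {
    label: string &log &default="benign";
};

## The FTP analyzer raises ftp_reply for every server response; 530 is
## the reply to a rejected USER/PASS pair.
event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool)
{
    if ( code == 530 )
        ++c$ftp_failed_logins;
}

## Runs just before Conn writes the conn.log entry (that happens at
## priority -5), so the label set here lands in the log line.
event connection_state_remove(c: connection) &priority=5
{
    if ( ! c?$conn || c$ftp_failed_logins < failed_login_limit )
        return;

    c$conn$label = "ftp-bruteforce";

    NOTICE([$note=FTP_Login_Guessing,
            $msg=fmt("%s failed FTP login %d times against %s",
                     c$id$orig_h, c$ftp_failed_logins, c$id$resp_h),
            $conn=c,
            # One notice per source/destination pair rather than per session.
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
}
```

Running `zeek -r capture.pcap ftp-label.zeek` yields a `conn.log` whose `label` column can be joined against the data set's own labels on the five-tuple and timestamp to compute the true/false positive counts the thesis asks for; sessions without FTP traffic simply keep the default `benign` value.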