[Zeek] Signature for IoT Devices

Michał Purzyński michalpurzynski1 at gmail.com
Mon Feb 3 15:45:04 PST 2020


It’s actually the other way. Signatures are the last use case for Zeek. Gathering metadata, writing scripts and writing protocol analyzers - that’s where Zeek shines.

Simple signatures with way better support, shaped by a huge community that deals with signatures on a daily basis, are what Suricata does best.

> On Feb 3, 2020, at 3:41 PM, Jonah Cartwright <jacartwright at g.hmc.edu> wrote:
> 
> 
> Not any particular reason, we were asked to use Zeek for the project, and figured signatures were the best method to use in Zeek.
> 
>> On Mon, Feb 3, 2020 at 3:27 PM Richard Bejtlich <richard at corelight.com> wrote:
>> Just curious — if you prefer signatures, why choose Zeek over Suricata?
>> 
>> Sincerely,
>> 
>> Richard 
>> 
>>> On Mon, Feb 3, 2020 at 5:51 PM Jonah Cartwright <jacartwright at g.hmc.edu> wrote:
>>> Hi Zeek Community,
>>> 
>>> I am working on a project to identify IoT devices on a network. We are primarily working with the signatures framework. We would like to write signatures for different device types (e.g., smart plug, smart speaker). Does anyone have any advice on how to start going about this in terms of unique identifiers or protocols these IoT devices may be using that other devices may not use?
>>> 
>>> Thanks,
>>> Jonah
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>> -- 
>> Richard Bejtlich
>> Principal Security Strategist, Corelight
>> https://corelight.blog/author/richardbejtlich/
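The two approaches contrasted in this thread, side by side, as an added illustration (this is not code from the thread or from the Zeek project). The script assumes a Zeek 3.x install and a signature file named iot.sig in the same directory, whose contents are shown in the leading comment; the signature id `iot_ssdp_notify`, the module name and the `hints` table are made up for the example, and the DHCP event and record field names are Zeek's as far as I recall them and should be checked against the documentation of the installed version.

```zeek
# Added example, not part of the mailing-list thread. Assumes Zeek 3.x.
# The file "iot.sig" is assumed to sit next to this script and to contain
# a payload signature like the following (a constructed example):
#
#   signature iot_ssdp_notify {
#       ip-proto == udp
#       dst-port == 1900
#       payload /^NOTIFY \* HTTP\/1\.1/
#       event "SSDP NOTIFY (possible UPnP/IoT device)"
#   }
#
@load-sigs ./iot.sig

module IoTFingerprint;

export {
    # Free-form hints collected per client MAC address (assumed structure).
    global hints: table[string] of set[string];
}

function add_hint(mac: string, hint: string)
    {
    if ( mac !in hints )
        hints[mac] = set();
    add hints[mac][hint];
    }

# Signature approach: the signature framework raises signature_match
# for every hit; the match only tells you which payload pattern fired.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id == "iot_ssdp_notify" )
        print fmt("%s: %s", state$conn$id$orig_h, msg);
    }

# Metadata approach: a DHCP request (op code 1 = BOOTREQUEST) carries the
# client MAC, the host name it asks for and the vendor class (option 60),
# which embedded devices frequently leave at a manufacturer default.
event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
    {
    if ( msg$op != 1 )
        return;

    if ( options?$host_name )
        add_hint(msg$chaddr, fmt("hostname=%s", options$host_name));

    if ( options?$vendor_class )
        add_hint(msg$chaddr, fmt("vendor_class=%s", options$vendor_class));
    }

# Dump what was learned when Zeek finishes reading the trace or stops.
event zeek_done()
    {
    for ( mac in hints )
        print fmt("%s -> %s", mac, hints[mac]);
    }
```

Run it against a capture with `zeek -r trace.pcap iot.zeek`. The signature branch answers "did this host emit this byte pattern", while the script branch keeps state per device across protocols, which is the part Zeek's scripting layer does and a pure signature cannot.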