Are sequential rules supported?

I am writing a thesis about sequential patterns (https://en.wikipedia.org/wiki/Sequential_pattern_mining) in cyber security and I am looking for tools that support adding sequential rules. For example, in Zeek such a rule could be that if we see a certain group of messages in a certain order, then we have an ongoing attack. I don’t find anything like this in the manual so I assume it does not exist, but just to be sure, is there support for this in the current version or is it planned?

> I am looking for tools that support adding sequential rules. For
> example in zeek such a rule could be that if we see a certain group of
> messages in a certain order, then we have an ongoing attack. I don't find
> anything like this in the manual so I assume it does not exist, but just to
> be sure, is there support for this in the current version or is it planned?

Zeek can readily support this, both within the handler for a given event (because its scripting is Turing-complete and imperative) and across events, by tracking state that reflects earlier activity the monitor has observed.

— Vern
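
An added example, not part of the original thread and not code from the Zeek project: a sketch of the cross-event state tracking described in the reply above, written as a Zeek script. The module name `SeqRule`, the notice type, the five-minute window and the choice of three events as the "sequence" are all assumptions made for illustration.

```zeek
@load base/frameworks/notice

module SeqRule;

export {
    # Hypothetical notice type for this example.
    redef enum Notice::Type += { Sequence_Matched };

    ## How long a partially matched sequence is remembered (assumed value).
    const window = 5min &redef;
}

# Per-originator progress: how many steps of the sequence have been seen.
# Entries are discarded after `window`, so a stale partial match cannot
# complete much later.
global progress: table[addr] of count &default=0 &create_expire=window;

# Advance the state machine for the originator of `c`, but only when
# `step` is the step expected next. Anything else is ignored, so
# unrelated events may occur in between the steps of the sequence.
function observe(c: connection, step: count, last: bool)
    {
    local src = c$id$orig_h;

    if ( progress[src] != step )
        return;

    if ( last )
        {
        NOTICE([$note=Sequence_Matched, $conn=c, $src=src,
                $msg=fmt("%s produced the full ordered sequence", src)]);
        delete progress[src];
        }
    else
        progress[src] = step + 1;
    }

# The constructed rule: DNS request, then HTTP request, then a completed
# TLS handshake, all from the same originator and in that order.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    { observe(c, 0, F); }

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    { observe(c, 1, F); }

event ssl_established(c: connection)
    { observe(c, 2, T); }
```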

Thanks!
Somebody told me that correlation rules can cover sequences too. Can
you confirm this?

Vern Paxson <vern@icir.org> wrote (on Tue, Apr 27, 2021, 16:37):

> Somebody told me that correlation rules can cover sequences too. Can
> you confirm this?

That’s not actually a well-formed question for Zeek. If you want to include Zeek in your study, it’ll be helpful to delve into how its scripting processing works, per https://docs.zeek.org/en/current/scripting/index.html.

— Vern

I'll check it, thanks!

Vern Paxson <vern@icir.org> wrote (on Tue, Apr 27, 2021, 17:57):