Can Zeek be installed as in-line IPS?

I’m starting a comparison paper about inline Network IPS. I was looking for an open-source anomaly-based detection engine with IPS capabilities. The easiest choice seemed Zeek, but from the website user manual it doesn’t look like it actually supports packet dropping; instead it can only work as an IDS. Digging a bit online I found a lot of confusion and contradictions, with people asserting either that it is possible or not, but none giving a practical example. I have scraped a multitude of academic and research papers but they haven’t helped… I was wondering if anyone can tell me if it is feasible before wasting hours trying to do something that is not. Any help or insight is much appreciated. Thank you.

Take a look at the netcontrol stuff.

https://docs.zeek.org/en/latest/frameworks/netcontrol.html

Zeek will talk to other systems to perform the actual action of crushing the connection.

Best hope with that scenario really is that you kill the connection a few packets in, as you’re racing to block on an inline device (router, switch, FW) from another, passive system (Zeek). It blurs the line between IDS and IPS because of the race condition. A good example is droppers. You might only have sub-second to block. Are you really running an IPS if some packets can get through?

Reactive IDS might be a more apt analogy.

Cheers,

JB



From: m.dariuz@gmail.com
Sent: March 18, 2019 6:04 AM
To: zeek@zeek.org
Subject: [Zeek] Can Zeek be installed as in-line IPS?

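As an added illustration of the NetControl flow JB describes (this is example code, not something posted in the thread or shipped by the Zeek project): Zeek asks a backend to drop a connection and then learns from the rule_added/rule_error events whether the device accepted it. The debug backend only prints what it would do; in a real deployment you would activate a backend that talks to the inline device instead. The trigger port is a constructed condition for illustration only.

```zeek
# Added example. Uses only Zeek's NetControl framework API.
# Backend: debug plugin, which logs intended rules instead of pushing
# them to a device. Swap in create_openflow/create_acld/create_broker
# to reach a real router, switch or firewall.

# Constructed trigger for the example: block established connections
# to this port. Not a recommendation for what to block.
const block_resp_ports: set[port] = { 4444/tcp } &redef;

# rule id -> time the connection started, so we can measure the window
# during which packets already passed the inline device.
global pending: table[string] of time;

event NetControl::init()
    {
    local backend = NetControl::create_debug(T);
    NetControl::activate(backend, 0);
    }

event connection_established(c: connection)
    {
    if ( c$id$resp_p !in block_resp_ports )
        return;

    # Ask the active backend to drop this flow for 30 seconds.
    local rid = NetControl::drop_connection(c$id, 30 secs);
    pending[rid] = c$start_time;
    print fmt("drop requested for %s (rule %s)", c$uid, rid);
    }

# The backend confirmed the rule. The reported delay is the race JB
# describes: the handshake (at least) already went through.
event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
    {
    if ( r$id !in pending )
        return;

    local delay = network_time() - pending[r$id];
    delete pending[r$id];
    print fmt("rule %s installed %s after connection start", r$id, delay);
    }

# The backend rejected the rule: nothing is being blocked, so treat
# this as an alert, not a silent failure.
event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
    {
    if ( r$id in pending )
        delete pending[r$id];
    print fmt("rule %s NOT installed: %s", r$id, msg);
    }
```

Run it against a pcap (`zeek -r trace.pcap netcontrol-example.zeek`) to see how far into a flow the block lands; on live traffic the delay grows by the round trip to the device.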

JB’s answer was great. I’d only add that I don’t think of Zeek as an IDS. Zeek is a network security monitor. It’s designed to describe what’s happening on your network in a mostly neutral way. It’s up to the analyst to use that data for a variety of purposes, one of which could be intrusion detection. Suricata and Snort are more characteristic of an “IDS” because they make judgements about what they see, although Suricata has been integrating ever more NSM functionality by logging DNS, HTTP, etc. as Zeek does.

Aside from web application firewalls, I think the IPS market is fairly dead anyway with the ubiquity of encrypted north-south network traffic.

Sincerely,

Richard

Had me all the way until…

“Aside from web application firewalls, I think the IPS market is fairly dead anyway with the ubiquity of encrypted north-south network traffic.”.

I still see the same issues we had on networks 10 years ago. It is reduced, due to HTTPS and some SMTP, sure. Dead… not really.

Yes, exactly. We need to be careful with our messaging on this as a community because the number of threats still seen (and more generally, the amount of metadata from traffic that can be successfully logged to support NSM) is still significant. Richard said “fairly dead” but casual readers and the tech press tend to take that as a sound bite and parrot it out as “it’s basically all encrypted, don’t worry about it.” I have had customers that have refused an option to deploy a network sensor like Zeek or Suricata in their environment in the role of NSM sensors because of this erroneous belief (and a convenient chance to save some capex by not buying more hardware). It’s disappointing because we see a lot of success detecting badness in other environments, so these customers willfully put themselves at a disadvantage to attackers who still operate over cleartext protocols.

Darren

To be fair, he did say IPS. In my opinion IPS has always been in a weird spot where the definition isn't terribly clear (block a single packet in-flight? block a connection after a determination is made? ...etc).

I think everyone here will agree that the visibility provided by Zeek is useful even on modern networks and that tail of completely unencrypted traffic is awfully long. :)

   .Seth

Concur. Zeek on the perimeter is great for metadata about encrypted sessions. Zeek internally from client/server or Windows Client/Windows Domain Controller will open your eyes to a LOT of traffic you may not have expected.

James

Yes, as Seth said, I said IPS. Is anyone really deploying IPS now? I only see Palo Alto firewalls, etc.

Sincerely,

Richard

Yes. Many.

PCI-DSS 11.4 comes up quite often. Whether we have consensus on the validity and utility of an IPS or not, it comes up in every single PCI audit.

The PCI requirement is for IDS or IPS, which is unfortunate because they are totally different. I’m surprised IPS is even a market segment anymore. At this point it’s really just a firewall feature. There’s so much more that can be done with a passive observation platform like Zeek, when you don’t have to worry about making line-speed judgements.

Sincerely,

Richard

Didn’t IDS die circa 2005? :)

Some days I wish…

As I sit here reviewing the deployment and Change Management notes for an ASA/FirePower, two SourceFire 7120s, two 8250s, and two VM FirePowers.

Orgs are still trying to get ROI on some of this stuff. It’s not AI/ML or Blockchain, but it’s still running.

@James Lay

Couldn’t agree more about the metadata and convergence of E/W traffic. Additionally, we’ve used SIP analyzers to validate the implementation of Zeek as a security platform, as it could provide greater visibility into call center traffic.

Showing that it could increase efficiency, while providing a better security posture was a good win.