How do you find my idea since I couldn’t find so much info about creating a baseline.
I know that are some logs ( known-hosts) which includes the IP’s from my network that completed a TCP handshake in 24 hours, also ( known-services ) ip+port+service.
What I am trying to create is a script/package that takes these IP’s and every time when a new “known-hosts” is detected that means that the new IP address is out of Baseline.
How do you find this ? Any thoughts are appreciate it, thanks !
Just to understand the question - are you asking if what you are proposing (using Zeek data/logs to make a baseline of network activity) is a good idea?
If I understand the question correctly - yes, this kind of approach works. It is, e.g., used by some people to determine which services exist in their network. This can then be used to, e.g., quickly block scanners when they try to connect to non-existing services.
Creating packages around this could be a neat project
