I would like to use Zeek to detect an application layer attack such as sqlmap. However, I am limited to sending only syslog data from a switch. Is it still possible to detect an application layer attack given only layer 3/4 ingestion of data into a Zeek sensor?
BTW - I am pretty sure I know that it's not possible to detect an application layer attack at layer 7 with data ingested that contains ONLY layer 3/4 from a switch - but I just wanted some insight and feedback from experts in the field on this. Really appreciate any feedback where possible.
Are you asking if Zeek can ingest Syslog data? If that is the question, the answer is no.
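To make the layer 7 point concrete, here is an added example (not code from the thread or from the Zeek project) of the kind of script that would catch a sqlmap scan: it keys off Zeek's `http_header` event. That event only fires when the sensor itself parses the HTTP exchange from packets it has captured (for example from a SPAN/mirror port or a TAP). Switch syslog carries no HTTP headers, so this script would never fire on that feed. The notice name `SQLMap_Scanner` and the module name are my own choices; the `http_header` event, its upper-cased `name` argument, and the `NOTICE` call are standard Zeek.

```zeek
# Added example: flag HTTP requests whose User-Agent announces sqlmap.
# Requires Zeek to see the HTTP packets; it cannot run on switch syslog.
@load base/frameworks/notice
@load base/protocols/http

module DetectSQLMap;

export {
    redef enum Notice::Type += {
        # Raised when a client User-Agent header contains "sqlmap".
        SQLMap_Scanner
    };
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Zeek upper-cases header names; only inspect headers sent by the client.
    if ( ! is_orig || name != "USER-AGENT" )
        return;

    if ( /sqlmap/i in value )
        {
        NOTICE([$note=SQLMap_Scanner,
                $conn=c,
                $msg=fmt("sqlmap User-Agent seen from %s: %s", c$id$orig_h, value),
                # Suppress repeats per source host so one scan yields one notice.
                $identifier=cat(c$id$orig_h)]);
        }
}
```

With a pcap or a mirrored interface this produces one `SQLMap_Scanner` entry in notice.log per scanning host (the default User-Agent of sqlmap contains the string "sqlmap", though a scanner can change it, so treat this as a low-effort signal rather than complete coverage). Fed only layer 3/4 records from a switch, Zeek has no HTTP session to analyze, so neither this script nor any other application layer detection has anything to act on.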