Hi Borivoje and Zeek users,
Traditionally, analysts use Zeek to transform their network traffic into compact logs that describe a variety of activities. Rather than recording full content in a .pcap if you’re interested in an FTP session, for example, Zeek will create one or more logs describing the important elements of that FTP session. There’s no concept of “good” or “bad” in that log, or in most logs.
So, the premise of comparing Zeek as an IDS with Snort or Suricata doesn’t make much sense. You would be better off comparing Snort with Suricata, as they are both designed as intrusion detection systems, i.e., they render judgments based on the traffic they observe. Of course you need to provide rule sets, which contain the essence of “badness” as designed by the rule creators.
You could conceivably program Zeek to be an IDS if you decided what was bad on your network and told Zeek to write a notice when it sees that activity. Running default Zeek against a data set from the Internet is not going to yield the results your professor is seeking.
Sincerely,
Richard
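As an added illustration of the point made above (this is example code written for this page, not part of Richard's message or of the Zeek project's own scripts): the only way Zeek produces a "bad" verdict is if a site-specific script defines what bad means and raises a notice for it. The script below defines a hypothetical policy, "any FTP login to a server that is not on an approved list is suspicious", and emits a Zeek Notice when that happens. The module name, the notice type name, and the approved-server set (192.0.2.10, an address from the documentation range) are all assumptions made for the example.

```zeek
# Example site policy: raise a Notice for FTP logins to non-approved servers.
# Everything here is hypothetical policy chosen for illustration.
@load base/frameworks/notice
@load base/protocols/ftp

module LocalFTPPolicy;

export {
	redef enum Notice::Type += {
		## Raised when an FTP login is attempted against a server that is
		## not in approved_ftp_servers (hypothetical notice type).
		FTP_Server_Not_Approved,
	};

	## Assumed set of FTP servers this site considers legitimate.
	## Sites would override it with redef in local.zeek.
	const approved_ftp_servers: set[addr] = { 192.0.2.10 } &redef;
}

# ftp_request fires for every client command in an FTP session; we only
# care about the USER command, i.e. a login attempt.
event ftp_request(c: connection, command: string, arg: string)
	{
	if ( command != "USER" )
		return;

	# Responder address of the connection is the FTP server being contacted.
	if ( c$id$resp_h in approved_ftp_servers )
		return;

	NOTICE([$note=FTP_Server_Not_Approved,
	        $msg=fmt("FTP login attempt to non-approved server %s", c$id$resp_h),
	        $sub=fmt("user=%s", arg),
	        $conn=c,
	        # Suppress duplicate notices for the same client/server pair
	        # within Notice::default_suppression_interval.
	        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}

# Escalate this notice type from a plain log entry to an alarm as well.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == FTP_Server_Not_Approved )
		add n$actions[Notice::ACTION_ALARM];
	}
```

Loading this alongside the default scripts (for example `zeek -r capture.pcap local this_script.zeek`) leaves ftp.log and conn.log unchanged and adds entries to notice.log only when the policy condition is met. That is the division of labour the message describes: Zeek's default output is descriptive, and any judgement about "badness" comes from the site's own policy script.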