Signature for IoT Devices

Hi Zeek Community,

I am working on a project to identify IoT devices on a network. We are primarily working with the signatures framework. We would like to write signatures for different device types (i.e. smart plug, smart speaker, etc.). Does anyone have any advice on how to start going about this in terms of unique identifiers or protocols these IoT devices may be using that other devices may not use?


Just curious — if you prefer signatures, why choose Zeek over Suricata?



Not any particular reason, we were asked to use Zeek for the project, and figured signatures was the best method to use in Zeek.

It’s actually the other way. Signatures are the last use case for Zeek. Gathering metadata, writing scripts and writing protocol analyzers - that’s where Zeek shines.

Simple signatures with a way better support, shaped by a huge community that deals with signatures on a daily basis, is what Suricata does best.

I’d be happy to help. I don’t have any signatures off hand but happy to analyze pcaps.

I have a few devices on home WiFi. I’ll dump some traffic and see what I can come up with.