Subject: Drop packet by signature event

Vincenzo · March 25, 2020, 4:26pm

I have a configuration of FreeBSD with Zeek, my goal is to analyze network traffic on one network interface and block (IPS) the packet to the other interface, if this falls within my list of signatures that I have defined in my signatures.sig.

I have searched far and wide for a solution, but I have not come up with feasible solutions for this purpose (since Zeek was not born as IPS, as snort and suricata), do you have any advice?

Zeek 3.0.3
FreeBSD 11
bro-netmap installed

Thanks very much

Aashish_Sharma1 · March 25, 2020, 4:41pm

feasible solutions for this purpose (since Zeek was not born as IPS, as
snort and suricata), do you have any advice?

Umm, zeek's been doing IPS before snort or surcata were born

I am not sure of specifics on your end (ie how you want to implement it) but You
should look at netcontrol-framework and ACLD
(Index of /downloads/acld) in case you want to expand and work with
cisco/juniper routers.

Aashish

Topic		Replies	Views
Zeek Community Signatures Zeek	3	216	May 6, 2022
Bro and Snort together Zeek	8	135	May 6, 2022
Zeek Vs. FreeBSD Zeek	6	144	May 6, 2022
Signature for IoT Devices Zeek	5	115	May 6, 2022
New Analyzer Zeek	9	147	May 6, 2022

Subject: Drop packet by signature event

Related topics