Using Zeek to monitor IoT device traffic

Hi everyone, I’m exploring ways to use Zeek to monitor network traffic from a fleet of IoT devices (ESP32, Raspberry Pi, etc.) and want to understand what kinds of traffic patterns or scripts work best for detecting unusual behavior. For context, I’ve been playing with a simple ESP32 motion sensor project https://www.theengineeringprojects.com/2022/03/iot-based-motion-detection-with-email-alert-using-esp32.html, that regularly POSTs data over HTTP, and I’m curious how Zeek can help profile or flag anomalies in similar IoT traffic. I’ve seen Arduino forum threads and some Raspberry Pi community posts where folks talk about pushing sensor data via REST APIs or MQTT brokers. For those experienced with Zeek in mixed environments, what scripts, policy tweaks, or protocol analyzers do you recommend for reliably tracking and alerting on IoT traffic patterns without too much noise?

Hi Aria,

this is a question that is a bit hard to answer, as it really depends on the details of your environment.

As you might already be aware, by default Zeek doesn’t do much anomaly detection. Instead most of the log files just describe what happens in the traffic in your network, without attaching any value to it.

If you have a network setup with traffic that’s fairly stable - you totally can write scripts that look for anomalies. If you know that your IoT devices will only connect to a couple of hosts, or only accept incoming connections - you could write Zeek scripts that look for this, etc. But - as every setup is different - you probably will have to come up with reasonable rules yourself, after looking at the traffic patterns of your network.

I hope that this might help a little bit as a starting point 🙂
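To make the "only connects to a couple of hosts / only accepts certain inbound connections" idea concrete, here is an added example script. It is not from the reply above or from the Zeek project; the IoT subnet, the allowlisted collector, broker and resolver addresses, and the allowed inbound port are all assumptions you would replace with values taken from your own conn.log.

```zeek
##! Added example (not Zeek project code): raise a Notice when a device in the
##! IoT subnet talks to a host/port outside its allowlist, or when anything
##! outside the subnet opens a connection to a device on a port that is not
##! expected. All addresses and ports below are assumptions for illustration.

@load base/frameworks/notice

module IoTProfile;

export {
    redef enum Notice::Type += {
        ## An IoT device connected to a host/port that is not on its allowlist.
        Unexpected_Destination,
        ## A non-IoT host opened a connection to an IoT device on an unexpected port.
        Unexpected_Inbound,
    };

    ## Assumed subnet holding the ESP32s and Raspberry Pis.
    const iot_nets: set[subnet] = { 192.168.50.0/24 } &redef;

    ## Assumed (destination, port) pairs the devices are allowed to reach.
    const allowed_dest: set[addr, port] = {
        [10.0.0.5, 80/tcp],     # assumed HTTP collector the sensor POSTs to
        [10.0.0.6, 1883/tcp],   # assumed MQTT broker
        [10.0.0.1, 53/udp],     # assumed local DNS resolver
    } &redef;

    ## Assumed inbound ports that are legitimate on the devices (e.g. ssh to a Pi).
    const allowed_inbound: set[port] = { 22/tcp } &redef;
}

# new_connection fires on the first packet of every flow (TCP SYN, first UDP
# datagram), so a bare SYN from a scanner hitting a device is flagged too.
# $identifier plus $suppress_for collapses repeats of the same triple to one
# notice per hour, which keeps a chatty misconfigured device from flooding notice.log.
event new_connection(c: connection)
{
    local orig = c$id$orig_h;
    local resp = c$id$resp_h;
    local p = c$id$resp_p;

    # Outbound from the IoT subnet to somewhere not on the allowlist.
    if ( orig in iot_nets && resp !in iot_nets && [resp, p] !in allowed_dest )
        NOTICE([$note=Unexpected_Destination,
                $conn=c,
                $msg=fmt("IoT device %s contacted %s:%s", orig, resp, p),
                $identifier=cat(orig, resp, p),
                $suppress_for=1hr]);

    # Inbound to an IoT device from outside the subnet on an unexpected port.
    if ( resp in iot_nets && orig !in iot_nets && p !in allowed_inbound )
        NOTICE([$note=Unexpected_Inbound,
                $conn=c,
                $msg=fmt("%s opened a connection to IoT device %s:%s", orig, resp, p),
                $identifier=cat(orig, resp, p),
                $suppress_for=1hr]);
}
```

Run it against a capture with `zeek -r iot.pcap iot-profile.zeek` and read notice.log. Before trusting the allowlist, build it from what the devices actually do: `zeek-cut id.orig_h id.resp_h id.resp_p proto < conn.log | sort | uniq -c | sort -rn` over a few days of normal traffic shows which (destination, port) pairs belong in `allowed_dest`; anything that still shows up in notice.log afterwards is either a missing entry or genuinely new behaviour, such as a device that was only ever POSTing to one collector starting to resolve and contact a new external host.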