Zeek Community Signatures

Hello,

I am working on a thesis related to the Analysis and Comparison of Open Source IDSs with public signatures. I want to run Zeek with signatures like Snort and Suricata signatures, but I couldn't find community signatures for Zeek. Also, Brocata signatures didn't run on Zeek. Can you help me: are there any public signatures for Zeek?

Thank you for your replies.

Hello,

I am happy to hear you are working on open source security, but sad to hear about this topic.

Did your professor assign this to you? We see the same question several times a year from students. It’s usually the result of a professor who does not understand the state of IDS software.

This sort of project has not made much sense for the last ten or so years. Snort and Suricata are essentially the only open source IDSs left. They run essentially the same rule sets.

You might be able to compare them directly, but for how most people use them, the differences are negligible.

Zeek is very different. Zeek does not use byte matching signatures like Snort and Suricata. Comparing them on a signature basis is irrelevant. Many shops run both Zeek and Suricata in parallel because they have different functions.

If you have some freedom to change your topic, I bet we could help you develop something more relevant?

Sincerely,

Richard

You can write signatures for Zeek, but that really isn’t the purpose of the platform.

You can leverage threat intelligence feeds to cover some of the traditional IDS functions.

https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds

The following example can be used to write a signature.

signature my-first-sig {
    ip-proto == tcp
    dst-port == 80
    payload /.*root/
    event "Found root!"
}

Glad to assist you further in any way that I can.
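As an added example that is not from the original posts: a Zeek script that loads the signature above and turns each match into a Notice carrying a short payload excerpt and a per-host-pair suppression key (Zeek's base signatures framework already writes matches to signatures.log; this shows the script-side hook a defender would use). The file name my-first-sig.sig, the notice type name and the excerpt length are assumptions.

```zeek
# Added example (not from the original post): handle matches of the
# "my-first-sig" signature from a Zeek script.
# Assumes the signature is saved as ./my-first-sig.sig next to this script.

@load base/frameworks/notice
@load base/frameworks/signatures

# Loads the .sig file relative to this script's directory.
@load-sigs ./my-first-sig.sig

module SigDemo;

export {
    redef enum Notice::Type += {
        ## A payload on tcp/80 matched the "root" signature.
        Root_In_HTTP_Payload
    };

    ## How many bytes of the matching payload to keep in the notice.
    const excerpt_len = 64 &redef;
}

# The signature engine raises signature_match for every hit. `state` carries
# the connection and signature id, `msg` is the text from the signature's
# "event" keyword, and `data` is the payload chunk that matched.
event signature_match(state: signature_state, msg: string, data: string)
{
    # Ignore any other signatures loaded on this sensor.
    if ( state$sig_id != "my-first-sig" )
        return;

    # Keep only a short excerpt of the payload; sub_bytes is 1-based.
    local n = |data| < excerpt_len ? |data| : excerpt_len;
    local excerpt = sub_bytes(data, 1, n);

    NOTICE([$note=Root_In_HTTP_Payload,
            $msg=fmt("%s (sig %s, %s)", msg, state$sig_id,
                     state$is_orig ? "from client" : "from server"),
            $sub=excerpt,
            $conn=state$conn,
            # Same host pair is suppressed for Notice::default_suppression_interval,
            # so a noisy client produces one notice line rather than thousands.
            $identifier=cat(state$conn$id$orig_h, state$conn$id$resp_h)]);
}
```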