Solutions for Labeling Independent Zeek Logs for Attacks and Exploits


Posted on June 15, 2022 | Completed on May 3, 2022 | By: Ryan Fowler

Has anyone ever labeled individual records in Zeek logs for attacks/exploits? If so, how did they do it?

Zeek, formerly known as Bro Network Security Monitor, is a powerful open-source intrusion detection system. There was a requirement to know whether an individual record should be marked as anomalous or not, assuming attacks are anomalies.  The inquirer was interested in finding possible solutions to automatically label network events/sessions based on time and IP addresses of known attacks using Zeek logs. CSIAC subject matter experts provided open-source research to the inquirer and publicly posted the technical inquiry to solicit responses from our membership.  We then consolidated, organized, and analyzed 10 community responses before forwarding the synthesized set of viable solutions to the inquirer.

Want to find out more about this topic?

Request a FREE Technical Inquiry!