Solutions for Labeling Independent Zeek Logs for Attacks and Exploits

Source: https://media.defense.gov/2011/Dec/06/2000194493/-1/-1/0/111206-F-FP939-001.JPG

Posted on June 15, 2022 | Completed on May 3, 2022 | By: Ryan Fowler

Has anyone ever labeled individual records in Zeek logs for attacks/exploits? If so, how did they do it?

Zeek, formerly known as the Bro Network Security Monitor, is a powerful open-source network security monitoring and intrusion detection framework. The inquirer needed to know whether an individual log record should be marked as anomalous, under the assumption that attacks are anomalies, and was looking for ways to automatically label network events and sessions in Zeek logs by matching them against the times and IP addresses of known attacks. CSIAC subject matter experts (SMEs) performed open-source research for the inquirer and also posted the technical inquiry publicly to solicit responses from our membership. We then consolidated, organized, and analyzed 10 community responses before forwarding the synthesized set of viable solutions to the inquirer.
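One way to do the time-and-IP labeling the inquiry describes is to parse Zeek's default tab-separated conn.log, build a lookup from a list of known attack windows (attacker address plus start and end time), and tag each record whose originator or responder address falls inside a window. The script below is an added example written for this page; it is not one of the community responses and not part of Zeek. The attack window, the label names, and the conn.log excerpt are all constructed. It matches on either endpoint so that connections back to the attacker (for example a reverse shell) are caught, and it returns "unknown" rather than "benign" for a record with no usable timestamp.

```python
"""Label individual Zeek conn.log records as attack or benign using known
attack windows (attacker IP, inclusive start/end epoch seconds).

Added example for this page; not one of the CSIAC community responses and
not Zeek code. All sample data below is constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional


class AttackWindow(NamedTuple):
    ip: str       # attacker address as it appears in id.orig_h / id.resp_h
    start: float  # inclusive, epoch seconds (Zeek's ts field is epoch seconds)
    end: float    # inclusive, epoch seconds
    name: str     # label to attach to matching records


# Constructed attack window: hypothetical SSH brute force from 10.0.0.5.
ATTACK_WINDOWS = [
    AttackWindow("10.0.0.5", 1654000000.0, 1654000600.0, "ssh-bruteforce"),
]

# Constructed conn.log excerpt in Zeek's default ASCII writer layout:
# '#'-prefixed header lines, a '#fields' line naming the columns, tab-separated rows.
SAMPLE_CONN_LOG = [
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2022-05-03-00-00-00",
    "\t".join(["#fields", "ts", "uid", "id.orig_h", "id.orig_p",
               "id.resp_h", "id.resp_p", "proto", "service", "duration"]),
    "\t".join(["#types", "time", "string", "addr", "port",
               "addr", "port", "enum", "string", "interval"]),
    "\t".join(["1654000000.100000", "C1", "10.0.0.5", "51234", "192.168.1.10", "22", "tcp", "ssh", "0.5"]),
    "\t".join(["1654000300.000000", "C2", "10.0.0.5", "51235", "192.168.1.10", "22", "tcp", "ssh", "1.2"]),
    "\t".join(["1654003600.000000", "C3", "10.0.0.5", "51236", "192.168.1.10", "80", "tcp", "http", "0.3"]),
    "\t".join(["1654000150.000000", "C4", "10.0.0.7", "40000", "192.168.1.10", "80", "tcp", "http", "0.1"]),
    "\t".join(["1654000400.000000", "C5", "192.168.1.10", "4444", "10.0.0.5", "4444", "tcp", "-", "30.0"]),
    "#close\t2022-05-03-00-00-00",
]


def parse_zeek_tsv(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse Zeek's tab-separated ASCII log format into one dict per record.

    Header lines start with '#'; the '#fields' line supplies column names.
    Data rows before any '#fields' line, or with the wrong column count,
    are treated as errors rather than silently mislabeled.
    """
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch in row: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def build_index(windows: Iterable[AttackWindow]) -> Dict[str, List[AttackWindow]]:
    """Group attack windows by attacker IP so each record does one dict lookup per endpoint."""
    index: Dict[str, List[AttackWindow]] = defaultdict(list)
    for w in windows:
        index[w.ip].append(w)
    for ws in index.values():
        ws.sort(key=lambda w: w.start)
    return index


def label_record(rec: Dict[str, str], index: Dict[str, List[AttackWindow]]) -> str:
    """Return the window name if either endpoint is an attacker inside its window,
    'unknown' if the record has no timestamp ('-' is Zeek's unset marker), else 'benign'."""
    ts_raw = rec.get("ts", "-")
    if ts_raw == "-":
        return "unknown"
    ts = float(ts_raw)
    for host_field in ("id.orig_h", "id.resp_h"):
        for w in index.get(rec.get(host_field, "-"), ()):
            if w.start <= ts <= w.end:
                return w.name
    return "benign"


def label_conn_log(lines: Iterable[str], windows: Iterable[AttackWindow]) -> List[Dict[str, str]]:
    """Parse a conn.log and return each record with an added 'label' key."""
    index = build_index(windows)
    labeled = []
    for rec in parse_zeek_tsv(lines):
        out = dict(rec)
        out["label"] = label_record(rec, index)
        labeled.append(out)
    return labeled


if __name__ == "__main__":
    for row in label_conn_log(SAMPLE_CONN_LOG, ATTACK_WINDOWS):
        print(row["ts"], row["uid"], row["id.orig_h"], row["id.resp_h"], row["label"])
```

The same parser works for any Zeek ASCII log (http.log, dns.log, ssl.log) because they share the `#fields` header convention; only the endpoint field names and the choice of windows change. Windows should be taken from the attack's own timeline (scan start, exploit, post-exploitation) rather than a single coarse range, otherwise legitimate traffic from the attacker host during quiet periods is labeled as attack.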
