
By: Zina Eyas Mohamed Elmutasim

Zeek (IDS Tool)

Introduction
Zeek is the world's leading platform for network security monitoring: flexible,
open-source, and powered by defenders. It is a passive, open-source network
traffic analyser, meaning it observes traffic and records what it sees without
altering or blocking it. Many operators run Zeek as a network security monitor
to support investigations of suspicious or malicious activity. It also supports
a wide range of traffic analysis tasks outside the security domain, including
performance measurement and troubleshooting.

How does it work?

Zeek is considerably more powerful than a traditional IDS/IPS, though you can
still perform traditional signature detection with it. Its core approach is to
extract metadata from network traffic and write it to structured logs that can
be used in several ways. In a traditional Security Operations Center, the logs
created by Zeek are ingested into a Security Information and Event Management
(SIEM) system such as Splunk, where analysts can search the data or build
analytics to identify malicious or anomalous traffic. Zeek's logs and metadata
can also feed other Zeek scripts that perform all sorts of behavioural analytics
and raise alerts for the user. Zeek has a large community that already develops
and shares such scripts and analytics. It does not have to replace Suricata;
depending on the system's resources, the two can run alongside each other.

Advantages of Zeek
As a network security tool built on metadata, Zeek provides several
advantages.
• Powerful Security Language: Zeek logs provide a rich set of flow-based
information that other network security tools can leverage.
• Open-Source Tool: Third-party tools for analysing network data can easily be
integrated.
• Threat Hunting: Zeek enables detection of active threats through
behaviour-based analysis. Zeek logs provide a more effective foundation for
proactive threat hunting than traditional methods.
• Encrypted Traffic Analysis: Privacy concerns have led to a sharp rise in the
volume of encrypted traffic. Zeek can still analyse it without decrypting the
payload, using indicators visible in the TLS handshake such as JA3 fingerprints
and the negotiated cipher suites.
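The script below is an added example, not code from this article or from the Zeek project, illustrating what the "How does it work?" section and the Encrypted Traffic Analysis bullet describe: consuming Zeek's metadata logs outside Zeek to build simple analytics. It parses Zeek's default tab-separated log format, then runs a failed-connection port-sweep check over a conn.log excerpt and a TLS handshake check (unknown JA3 hash, legacy protocol version, RC4 cipher) over an ssl.log excerpt. Both excerpts are constructed for this example; the column names follow Zeek's conn.log and ssl.log, but every address, hostname, UID and hash is invented. It also assumes the community JA3 package is loaded on the sensor so that ssl.log carries a ja3 column.

```python
"""Added example: parse Zeek TSV logs and run two small analytics over them."""
from collections import defaultdict

# Constructed conn.log excerpt. Zeek writes a "#separator \x09" line first, then
# "#fields" naming the columns; only a subset of the real conn.log columns is shown.
CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tenum
1700000000.101\tCa1\t10.0.0.5\t51000\t10.0.0.20\t22\ttcp\tREJ
1700000000.102\tCa2\t10.0.0.5\t51001\t10.0.0.20\t23\ttcp\tREJ
1700000000.103\tCa3\t10.0.0.5\t51002\t10.0.0.20\t80\ttcp\tS0
1700000000.104\tCa4\t10.0.0.5\t51003\t10.0.0.20\t443\ttcp\tREJ
1700000000.105\tCa5\t10.0.0.7\t52000\t10.0.0.20\t443\ttcp\tSF
1700000000.106\tCa6\t10.0.0.7\t52001\t10.0.0.21\t53\tudp\tSF
#close\t2023-11-14-22-13-20
"""

# Constructed ssl.log excerpt. "version", "cipher" and "server_name" are standard
# ssl.log columns; "ja3" is added by the community JA3 package (assumption: loaded).
SSL_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\tversion\tcipher\tserver_name\tja3
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tstring
1700000001.1\tCb1\t10.0.0.7\t93.184.216.34\tTLSv13\tTLS_AES_128_GCM_SHA256\texample.com\taaaa1111
1700000001.2\tCb2\t10.0.0.9\t93.184.216.34\tTLSv10\tTLS_RSA_WITH_RC4_128_SHA\tlegacy.example\tbbbb2222
1700000001.3\tCb3\t10.0.0.5\t203.0.113.8\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\t-\tcccc3333
#close\t2023-11-14-22-13-21
"""


def parse_zeek_tsv(text):
    """Yield one dict per record, keyed by the names in the #fields header.

    Zeek's TSV writer emits '-' for unset fields and '(empty)' for empty
    strings; both are normalised to None so callers can test them uniformly.
    """
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #types, #close and similar header lines
        if fields is None:
            raise ValueError("data row appeared before the #fields header")
        values = [None if v in ("-", "(empty)") else v for v in line.split("\t")]
        yield dict(zip(fields, values))


def find_port_scanners(conn_records, min_ports=3):
    """Return {source: sorted destination ports} for sources whose failed
    connections (conn_state REJ or S0) touched at least min_ports distinct ports."""
    failed = defaultdict(set)
    for r in conn_records:
        if r["conn_state"] in ("REJ", "S0"):
            failed[r["id.orig_h"]].add(int(r["id.resp_p"]))
    return {h: sorted(p) for h, p in failed.items() if len(p) >= min_ports}


# Protocol versions as Zeek names them in ssl.log that should no longer be in use.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}


def find_tls_findings(ssl_records, ja3_allowlist):
    """Return (uid, reason) pairs for TLS sessions an analyst should look at,
    using only handshake metadata: no payload decryption is involved."""
    findings = []
    for r in ssl_records:
        ja3 = r.get("ja3")
        if ja3 and ja3 not in ja3_allowlist:
            findings.append((r["uid"], "unknown JA3 " + ja3))
        if r.get("version") in WEAK_VERSIONS:
            findings.append((r["uid"], "legacy version " + r["version"]))
        if r.get("cipher") and "RC4" in r["cipher"]:
            findings.append((r["uid"], "RC4 cipher"))
    return findings


if __name__ == "__main__":
    print(find_port_scanners(parse_zeek_tsv(CONN_LOG)))
    # Hypothetical allowlist: JA3 hashes of the organisation's approved clients.
    print(find_tls_findings(parse_zeek_tsv(SSL_LOG), {"aaaa1111"}))
```

To run this against real data, pass the contents of the conn.log and ssl.log files Zeek writes (under its logs/current directory in a ZeekControl installation) instead of the constructed strings. If the sensor has `redef LogAscii::use_json = T;` set, the logs are JSON rather than TSV and `json.loads` replaces the parser above; the two analytics are unchanged because they only depend on the field names.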

Conclusion
Cyber attacks are rising at rates never seen before, so security measures must
be adjusted accordingly. Thanks to the Zeek scripting language, businesses can
easily customise how the extracted metadata is interpreted. With the help of Zeek
and other forms of enriched metadata, you can monitor any and all network
activity in the finest detail.

Zeek vs Snort
While both are called IDS/NIDS, it is good to know the pros and cons of each tool
and use each in the way it suits. Although some functionality overlaps, the two
are intended for different purposes.

| Tool            | Zeek                                                                                                                                                                  | Snort                                                                                                                                                         |
|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Capabilities    | An IDS framework. It is heavily focused on network analysis. It is more focused on specific threats to trigger alerts. The detection mechanism is focused on events. | An IDS/IPS system. It is heavily focused on signatures to detect vulnerabilities. The detection mechanism is focused on signature patterns and packets.      |
| Cons            | The analysis is done outside of Zeek, manually or by automation, which makes it harder to use.                                                                        | Hard to detect complex threats.                                                                                                                               |
| Pros            | Provides in-depth traffic visibility. Useful for threat hunting. Able to detect complex threats.                                                                      | Easy to write rules. Cisco-supported rules. Community support.                                                                                                |
| Common Use Case | Network monitoring. In-depth traffic investigation. Intrusion detection in chained events.                                                                            | Intrusion detection and prevention. Stopping known attacks and threats.                                                                                      |
