Hi,
as per the Zeek documentation:
"Zeek is not a classic signature-based intrusion detection system (IDS); while it supports such standard functionality as well, Zeek’s scripting language facilitates a much broader spectrum of very different approaches to finding malicious activity. These include semantic misuse detection, anomaly detection, and behavioral analysis."
How exactly is anomaly detection being used, with respect to the following points:
1. Which type of attacks does Zeek handle using anomaly detection?
2. What anomaly detection techniques are being used by Zeek?
3. What are the specific scripts which are using these techniques for detection?
Also, there is one more concern about the use of Zeek as an IDS: previously there was a bro-script to detect synflood in the Bro-1.5.3 version, which is not available in the current version. So why was it discontinued?
Thanks
Zeya Umayya
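As an illustration of the kind of threshold-based anomaly detection the quoted documentation refers to, here is an added example script (not part of Zeek's distribution or of this thread) that counts unanswered TCP connection attempts per originating host with the SumStats framework and raises a notice when a host crosses a threshold in one epoch; the module name, notice type, threshold and interval are all assumed values chosen for the example.

```zeek
# Added example: per-host count of unanswered TCP connection attempts,
# raising a notice when the count crosses a threshold within one epoch.
@load base/frameworks/notice
@load base/frameworks/sumstats

module SynThreshold;   # hypothetical module name

export {
    redef enum Notice::Type += {
        ## A single host made an unusually high number of unanswered attempts.
        Excessive_Connection_Attempts
    };

    ## Attempts per epoch before a notice is raised (assumed value).
    const attempt_threshold: double = 100.0 &redef;

    ## Length of the counting window (assumed value).
    const attempt_epoch: interval = 1min &redef;
}

event zeek_init()
    {
    local r1 = SumStats::Reducer($stream="syn.attempts", $apply=set(SumStats::SUM));
    SumStats::create([$name="conn-attempts-per-orig",
                      $epoch=attempt_epoch,
                      $reducers=set(r1),
                      # Value compared against the threshold for each key.
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          { return result["syn.attempts"]$sum; },
                      $threshold=attempt_threshold,
                      # Fired once per key per epoch when the threshold is crossed.
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          NOTICE([$note=Excessive_Connection_Attempts,
                                  $msg=fmt("%s made %.0f unanswered connection attempts in %s",
                                           key$host, result["syn.attempts"]$sum, attempt_epoch),
                                  $src=key$host]);
                          }]);
    }

# connection_attempt fires when an originator's SYN receives no reply.
event connection_attempt(c: connection)
    {
    SumStats::observe("syn.attempts", [$host=c$id$orig_h], [$num=1]);
    }
```

In a cluster deployment SumStats aggregates the per-worker counts on the manager, so the threshold applies to the host's total across all workers.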
I'm trying to update the FreeBSD zeek port for 4.0.0 and am having
trouble getting netmap 2.0.0 to build which seems to assume that zeek
will be installed in /usr/local when it is built:
[ 40%] Building CXX object CMakeFiles/Zeek-Netmap.freebsd-amd64.dir/src/Plugin.cc.o
In file included from /wrkdirs/usr/ports/security/zeek/work/zeek-netmap-2.0.0/src/Plugin.cc:3:
In file included from /wrkdirs/usr/ports/security/zeek/work/zeek-netmap-2.0.0/src/Plugin.h:6:
/wrkdirs/usr/ports/security/zeek/work/zeek-netmap-2.0.0/src/zeek-compat.h:4:10: fatal error: 'zeek/zeek-config.h' file not found
#include <zeek/zeek-config.h>
         ^~~~~~~~~~~~~~~~~~~~
1 error generated.
*** Error code 1
Due to the way FreeBSD packages are built, at this point zeek is
installed, but in /wrkdirs/usr/ports/security/zeek/work/stage/usr/local,
not /usr/local.
With 3.X I was using the configure script in bro-netmap, so I started out
trying to do something similar:
post-install-NETMAP-on:
	${LN} -s ../.build ${WRKSRC}/build
	cd ${WRKSRC_zeek_netmap} && ./configure --zeek-dist=${WRKSRC} \
		--install-root=${STAGEDIR}${PREFIX}/lib/zeek/plugins
	cd ${WRKSRC_zeek_netmap}/build && make && make install
I tried using env to set CFLAGS and CXXFLAGS to -I... but that didn't
work. I also tried calling cmake directly and setting the appropriate -D
arguments. I got that to the same point of failure.
Suggestions on how to get the build to find the include tree? I can
easily patch files before or after running the configure script (or
cmake itself). And in the end the various bits will be installed in
/usr/local (or whatever PREFIX is set when the package is built).
Thanks!
Craig