Let's Talk: IDS(Intrusion Detection Systems)
Hi Everyone!
This is the first post I’ve been making in relation to my capstone! My capstone utilizes Zeek logs partnered with some python tools that leverage machine learning algorithms for anomaly detection and also visualizations! Today, let’s talk about Zeek! Well, what’s Zeek? Zeek, is actually the world’s leading network security monitoring platform. It’s a flexible, open source, IDS that’s run by expert defenders in the field. But hold on, what’s an IDS?
What is an IDS?
An intrusion detection system is a computer dedicated to the analysis and monitoring of network traffic. We want to be extensively vigilant for indicators of compromise in your system. Indicators of compromise or (IOCs) show attackers are in your network. A great resource for IOCs and threat intelligence is the Mitre Att&ck Framework. https://attack.mitre.org/matrices/enterprise/ When the IDS detects something suspicious it will give you an alert, if configured correctly. You can see an excellent resource from some experts at security firm Varonis below which details the differences between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)
Now that you’re familiar with what an IDS is let’s talk about how to download one for your configuration in your network. For my network I decided to use a new Ubuntu 19.10 VM since it’s the newest edition of Ubuntu currently.
How To Download Zeek IDS on Ubuntu 19.10
james@zeek:~$: sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev python-ipaddress
james@zeek:~$: git clone --recursive https://github.com/zeek/zeek
james@zeek:~$: ./configure
james@zeek:~$: make
james@zeek:~$: make install
What are those prerequisite packages? (For the curious learner)
-
Cmake – used to control the software compilation process using simple platform and compiler independent configuration files, and generate native makefiles and workspaces that can be used in the compiler environment of your choice. It basically generates make files to use for the automation of building systems with Make.
-
Make – is a build automation tool that automatically builds executable programs and libraries from source code by reading files called Makefiles which specify how to build the specified program. Basically it allows for the automation of building systems.
-
Gcc – is a compiler used to convert code into machine language that the computer can understand.
-
G++- is another compiler used to compile C++ programs
-
Flex – is a tool/computer program for generating lexical analyzers. What that means is that it reads the source program, scans the input characters, groups them into a collection of words called lexemes and produces the token of that as output. Basically a fundamental system that works in tandem with compilers.
-
Bison – is the package that reads those tokens and helps the compiler interpret them
-
Libpcap – a packet capture tool for network analysis
-
Libssl – allows SSL to have TLS encryption. SSL is a secure form of communication which can be enhanced using more encryption like TLS.
-
Python – a program language with the tools in the package to use it.
-
Swig – used to interface and wrap C or C++ programs (if you haven’t guessed it by now, Zeek is written in C++)
-
Zlib – is used to decompress packages and files that have been compressed for example in a zip format.
-
Python-ipaddress – a python module that allows you to pass ip addresses into python and work with ip addresses. *we install the python-ipaddress package because Ubuntu 19.10 uses Python 2.7 by default, if you use Python 3 you might not need it.
Now with all the prerequisites installed and Zeek; you’re pretty much all set to start monitoring your network and generating logs! You can configure Zeek with much more customization and alerting using their documentation or any other resources online! For this tutorial, you’ve got the fundamental building blocks to go a build a stronger network monitoring solution using Zeek!