WEBVTT

00:00:01.734 --> 00:00:03.734
When thinking about use cases for Zeek,

00:00:03.734 --> 00:00:07.371
the first one that comes to mind is network security,

00:00:07.371 --> 00:00:07.734
right?

00:00:07.734 --> 00:00:11.234
That's what many network monitoring systems are being used for,

00:00:11.234 --> 00:00:14.734
and this is definitely one of the main use cases for Zeek.

00:00:14.734 --> 00:00:18.068
It can essentially be used as an intrusion detection system to

00:00:18.068 --> 00:00:20.734
help us detect threats from within our network.

00:00:20.734 --> 00:00:26.734
We can detect attacks such as brute force, SQL injection, and malware downloads.

00:00:26.734 --> 00:00:27.734
As I've stated before,

00:00:27.734 --> 00:00:32.280
you can also create scripts to detect other attacks or other

00:00:32.280 --> 00:00:35.306
events within your network so that you can evolve the

00:00:35.306 --> 00:00:38.734
capabilities of the system over time.

00:00:38.734 --> 00:00:43.734
Another use case that I love this tool for is network monitoring.

00:00:43.734 --> 00:00:45.734
As you'll see in the logs when we get to the demo,

00:00:45.734 --> 00:00:49.734
you can see so much about your network and the typical protocols within it.

00:00:49.734 --> 00:00:53.734
You can see your DNS requests and see where your traffic is going.

00:00:53.734 --> 00:00:57.068
You can monitor your HTTP traffic and see where your

00:00:57.068 --> 00:00:58.734
requests and responses are going.

00:00:58.734 --> 00:01:01.734
What if there's a proxy server that someone's using?

00:01:01.734 --> 00:01:05.734
You can have Zeek capture files that are being downloaded or uploaded

00:01:05.734 --> 00:01:08.734
and have it create a copy for separate analysis.

00:01:08.734 --> 00:01:13.734
I'm telling you, this tool is very powerful if you know how to use it.

00:01:13.734 --> 00:01:17.371
You can use it for network statistics too and have it tell you with

00:01:17.371 --> 00:01:21.734
the help of a SIEM things like how many requests you have for an IP

00:01:21.734 --> 00:01:25.734
address per day or how many times you've reached out to DNS servers

00:01:25.734 --> 00:01:28.734
not in your environment.

00:01:28.734 --> 00:01:32.512
What I really like using it for is detecting what it

00:01:32.512 --> 00:01:34.734
classifies as weird traffic though.

00:01:34.734 --> 00:01:36.068
I don't know why,

00:01:36.068 --> 00:01:40.734
but I guess it's because I started out at the network level and I love it there.

00:01:40.734 --> 00:01:44.984
The weird.log shows us our unexpected protocol-level

00:01:44.984 --> 00:01:48.734
activity. According to the Zeek documentation,

00:01:48.734 --> 00:01:52.591
pretty much anything that doesn't seem right in the

00:01:52.591 --> 00:01:54.734
behavior of the various protocols.

00:01:54.734 --> 00:01:57.734
An example would be a bad TCP checksum.

00:01:57.734 --> 00:02:02.734
If that wasn't quite right, Zeek would flag this and log it in the weird.log.

00:02:02.734 --> 00:02:05.734
I love seeing how the network acts and reacts,

00:02:05.734 --> 00:02:13.734
and Zeek allows me to do this effectively.
