Information Security Asked by ustavsaat on October 28, 2021
I’m trying to find difference between Zeek and Snort 3. Сan anybody tell me what are the advantages of Zeek against Snort 3?
Snort is more a traditional IDS/IPS which does some deep packet inspection and then applies signatures on the traffic in order to detect (and maybe block) attacks.
Zeek does not claim to be an IDS: instead it claims to be a network monitor and traffic analyzer. From their own description:
Zeek is a passive, open-source network traffic analyzer. It is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Zeek supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and helping with trouble-shooting.
As far as I know (i.e. what I got from discussions with others) Zeek is therefore more used to capture the details of the traffic and forward these to some analysis system. The analysis regarding attacks is primarily done outside of Zeek and the focus for Zeek is on collecting detailed information about the traffic. Sometimes custom protocol dissectors are added which are specific for the protocols used in the environment. I think Bro/Zeek is for example used in Darktrace to get the traffic details.
Classical signature based IDS like Snort or Suricata are instead more used as actual IDS, i.e the focus is on matching specific attack signatures. For example Cisco provides its subscribers new signatures when new attacks emerge. But I also know several cases where Snort or Suricata are used to only collect information about the traffic and feed these traffic details into a larger system, similar to how Zeek is typically used.
In other words: there is overlapping functionality. But the primary goals of these tools are different and thus are also the use cases.
Answered by Steffen Ullrich on October 28, 2021
Both of them are NIDS(Network intrusion detection systems). The main difference is the way they make the detection, for example in snort the detection is made inside the software by using rules. On the other hand, Bro/Zeek works by dumping the information on files and you need to do the detection with other tools, however I think in bro you can create plugins in Lua that can label the network conversations as you want. Probably there are more differences (License, format files, and so on) but right now that are the ones that came to my mind.
Answered by camp0 on October 28, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP