Learning Zeek
I’ve been fascinated by Network Intrusion Detection Systems (NIDS) for ages. I love that a port on a switch can mirror all traffic coming into other (or all) ports and make that traffic available for inspection. Back in the day I used to deploy ISS (now IBM) IDS devices in corporate networks. At their core they were beefy server-class devices with plenty of compute power that could barely keep up with a gigabit of traffic, running proprietary software and signature-based detection engines to report any suspicious patterns.
These days there are many open source solutions that can do, on a budget, what those servers did back then. I’ve been running Zeek for the last year on a Raspberry Pi form factor and wrote up how to install the basics and get it reporting locally.
I hope this can help some folks on their security journey, and that they discover the same fun I had scanning through packets and finding adversaries.