Zeek Intrusion Detection

UofSC and NSF

The development of this lab series was supported with funding from the National Science Foundation Award 1829698 “CyberTraining CIP: Cyberinfrastructure Expertise on High-throughput Networks for Big Science Data Transfers” at the University of South Carolina (UofSC). The labs provide hands-on training in the technologies used to build and configure high-speed networks.

Zeek is an open-source network analysis framework, primarily used for security monitoring and traffic analysis. It passively inspects network traffic and writes structured, per-protocol log files (for example conn.log, dns.log and http.log) from the events its protocol analyzers raise and from signature matches, and it ships with built-in scripts for a variety of analysis and detection tasks. For additional information, please see zeek.org.
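As an added example (not course material and not Zeek's own code), the snippet below parses Zeek's default tab-separated log layout, honoring the #separator, #fields, #types, #unset_field and #empty_field headers that the logs described above carry, and then runs a simple heuristic over the parsed conn.log records to flag a host that probes many ports without completing a connection. The conn.log excerpt is constructed for the example with a shortened column list, and the scan threshold of five distinct ports is an arbitrary assumption, not a Zeek default.

```python
"""Parse Zeek's tab-separated ASCII log format and run a simple port-scan
heuristic over conn.log records.

Added example for this course page; it is not course material or Zeek's own
code.  The log excerpt below is constructed for the example and the scan
threshold is an arbitrary assumption, not a Zeek default.
"""
from collections import defaultdict

# Constructed conn.log excerpt in Zeek's default ASCII writer layout.  The
# first header line carries the separator escaped as \x09 (it cannot use the
# separator before declaring it); every later header line and every record
# uses the real tab.  The column list is shortened from a real conn.log.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tstring\n"
    "1609459200.000000\tC1a\t10.0.0.5\t40001\t10.0.0.9\t22\ttcp\tssh\t12.5\t1024\tSF\n"
    "1609459201.000000\tC2b\t10.0.0.7\t50001\t10.0.0.9\t21\ttcp\t-\t-\t0\tS0\n"
    "1609459201.010000\tC3c\t10.0.0.7\t50002\t10.0.0.9\t22\ttcp\t-\t-\t0\tS0\n"
    "1609459201.020000\tC4d\t10.0.0.7\t50003\t10.0.0.9\t23\ttcp\t-\t-\t0\tREJ\n"
    "1609459201.030000\tC5e\t10.0.0.7\t50004\t10.0.0.9\t25\ttcp\t-\t-\t0\tREJ\n"
    "1609459201.040000\tC6f\t10.0.0.7\t50005\t10.0.0.9\t80\ttcp\t-\t-\t0\tS0\n"
    "1609459201.050000\tC7g\t10.0.0.7\t50006\t10.0.0.9\t443\ttcp\t-\t-\t0\tS0\n"
    "1609459202.000000\tC8h\t10.0.0.5\t40002\t10.0.0.9\t53\tudp\tdns\t0.01\t60\tSF\n"
    "#close\t2021-01-01-00-00-10\n"
)


def _convert(zeek_type, raw, unset, empty, set_sep):
    """Map one raw column to a Python value using the #types header."""
    if raw == unset:
        return None            # field was never set for this record
    if raw == empty:
        return ""              # field was set but empty
    if zeek_type in ("time", "interval", "double"):
        return float(raw)
    if zeek_type in ("count", "int", "port"):
        return int(raw)
    if zeek_type == "bool":
        return raw == "T"
    if zeek_type.startswith(("set[", "vector[")):
        return raw.split(set_sep)
    return raw                 # string, addr, enum, subnet: keep as text


def parse_zeek_log(text):
    """Return one dict per record from a Zeek ASCII log, honoring its headers."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Decode the escaped separator (e.g. \x09) into the real character.
                sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            elif key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue           # #path, #open, #close carry no records
        if fields is None or types is None:
            raise ValueError("record seen before #fields/#types header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append({n: _convert(t, v, unset, empty, set_sep)
                        for n, t, v in zip(fields, types, values)})
    return records


# conn_state values meaning the originator never got a usable reply:
# S0 = SYN seen, no answer; REJ = rejected; RSTOS0 = SYN then RST, no SYN-ACK.
FAILED_STATES = {"S0", "REJ", "RSTOS0"}


def port_scan_suspects(records, threshold=5):
    """Return {orig_h: number of distinct failed TCP destination ports} for
    hosts at or above the threshold.  The threshold is an assumption for this
    example; Zeek's bundled scan policy uses its own configurable limits."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["conn_state"] in FAILED_STATES:
            ports[r["id.orig_h"]].add(r["id.resp_p"])
    return {host: len(p) for host, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    recs = parse_zeek_log(SAMPLE_CONN_LOG)
    print(f"{len(recs)} records parsed")
    for host, n in port_scan_suspects(recs).items():
        print(f"possible port scan from {host}: {n} distinct ports probed")
```

Run it with a real conn.log by passing the file contents to parse_zeek_log; the same parser works for any Zeek ASCII log because the column names and types come from the headers rather than being hard-coded. Note that Zeek's JSON output mode (redef LogAscii::use_json) does not carry these headers and needs a JSON parser instead.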

The Zeek Intrusion Detection labs explain and demonstrate Zeek’s capabilities for network traffic analysis. The labs are supported using the Zeek Intrusion Detection Pod.

Supported Labs

Lab   Title
1     Introduction to the Capabilities of Zeek
2     An Overview of Zeek Logs
3     Parsing, Reading and Organizing Zeek Files
4     Generating, Capturing and Analyzing Network Scanner Traffic
5     Generating, Capturing and Analyzing DoS and DDoS-Centric Network Traffic
6     Introduction to Zeek Scripting
7     Introduction to Zeek Signatures
8     Advanced Zeek Scripting for Anomaly and Malicious Event Detection
9     Profiling and Performance Metrics of Zeek
10    Application of the Zeek IDS for Real-Time Network Protection
11    Preprocessing of Zeek Output Logs for Machine Learning
12    Developing Machine Learning Classifiers for Anomaly Inference and Classification

Enabling the Labs

To enable the Zeek Intrusion Detection labs, install the UofSC - Zeek Intrusion Detection - v1.0 course using the Course Manager. See the Course Manager section of the NETLAB+ VE Admin Guide for details. The course content will then be available to be added to classes.
