https://mostafa-ashour.github.io/tags/untagged/Recent content in Untagged on Ashour BlogHugoen-us<a href="https://creativecommons.org/licenses/by-nc/4.0/" target="_blank" rel="noopener">CC BY-NC 4.0</a>Fri, 17 Apr 2026 14:34:26 +0200https://mostafa-ashour.github.io/posts/2026/04/zeek/Fri, 17 Apr 2026 14:34:26 +0200https://mostafa-ashour.github.io/posts/2026/04/zeek/<h1 id="zeek-fundamentals">Zeek Fundamentals</h1> <ul> <li> <p>Zeek is an open-source network traffic analyzer used to detect suspicious or malicious activity by scrutinizing network traffic.</p> </li> <li> <p>Beyond security, it aids in troubleshooting network issues and performing network measurements.</p> </li> <li> <p>Once deployed, Zeek provides defensive cybersecurity teams with extensive log files detailing network activity, including connection records and application-layer transcripts (e.g., DNS, HTTP).</p> </li> <li> <p>Zeek also offers built-in functions for analyzing and detecting network activities.</p> </li> <li> <p>Zeek&rsquo;s powerful scripting language allows users to create custom scripts, similar to Suricata rules, enabling adaptable network analysis and intrusion detection.</p>https://mostafa-ashour.github.io/posts/2026/04/suricata/Fri, 17 Apr 2026 14:34:19 +0200https://mostafa-ashour.github.io/posts/2026/04/suricata/<h1 id="suricata-fundamentals">Suricata Fundamentals</h1> <ul> <li> <p>Suricata is a robust, open-source network security engine for IDS, IPS, and NSM.</p> </li> <li> <p>Developed and maintained by the OISF, it showcases the power of community-led, non-profit projects.</p> </li> <li> <p>Suricata dissect/analyze all network traffic to find potential malicious activity.</p> </li> <li> <p>It can broadly:</p> <ul> <li>Assess the network&rsquo;s health/condition.</li> <li>Also investigate specific application-level interactions.</li> </ul> </li> <li> <p>Suricata uses a detailed set of rules to guide its analysis, helping it identify possible threats.</p> </li> <li> <p>It is designed for high-speed performance on standard and specialized hardware, making it a very efficient tool.</p>https://mostafa-ashour.github.io/posts/2026/04/snort/Fri, 17 Apr 2026 14:34:05 +0200https://mostafa-ashour.github.io/posts/2026/04/snort/<h1 id="snort-fundamentals">Snort Fundamentals</h1> <ul> <li>Snort is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that can also function as a packet logger/sniffer, similar to Suricata.</li> <li>It inspects network traffic to identify and log all activity, providing a comprehensive view and detailed logs of application layer transactions.</li> <li>Snort requires rule sets to define inspection parameters and identify specific items of interest.</li> <li>It is designed to operate efficiently on both general-purpose and custom hardware.</li> </ul> <h2 id="snort-operation-modes">Snort Operation Modes</h2> <ul> <li>Snort typically operates in the following modes: <ul> <li>Inline IDS/IPS.</li> <li>Passive IDS.</li> <li>Network-based IDS.</li> <li>Host-based IDS (however, Snort is not ideally a host-based IDS. We would recommend opting for more specialized tools for this.)</li> </ul> </li> </ul> <p><strong>According to <a href="https://docs.snort.org/start/inspection">Snort&rsquo;s documentation</a></strong>:</p>