Behavioral detection may be more reliable than signature-based detection, simply because signatures fall out of date or are written poorly.
Might be a good idea to feed Zeek logs directly into Graylog for AniNIX/Sharingan, rather than slurping Suricata's fast.log.
* https://docs.zeek.org/en/current/examples/scripting/index.html#custom-logging
* https://marketplace.graylog.org/addons/5e6cf3c6-7bdc-4a2c-bdca-441407e4a016
So far, Zeek has failed on maat.aninix.net -- it causes OOM issues. We'll stick with Suricata until we have time to revisit this.