SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

A vital component of any information security architecture is a network intrusion detection capability. Commercial network intrusion toolsets come preloaded with parsers that deconstruct common network traffic types into segments that can be analyzed for abnormal activity. These parsers are limited to standard protocols; proprietary and rare protocols do not present a large enough business case for vendors to develop parsers for them. The absence of parsers for proprietary protocols creates a blind spot in information security architectures. To reduce an organization's cyber-attack surface, custom parsers provide the packet dissection needed to gain insight into proprietary protocols. Once installed, a parser enables the full capabilities of the toolset, increasing its ability to detect malicious behavior. This research discusses the intrusion detection capabilities of Zeek, the enhancement of those capabilities with a custom parser, and the scripts required to detect attacks against proprietary protocols. Most importantly, adopting this research in an organization's environment is straightforward and provides immediate results.
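To make the abstract's point concrete, the following is an added example, not code from the paper or from the Zeek project: it shows the two halves that a custom parser supplies to an intrusion detection toolset. The first half dissects raw bytes of a protocol into named fields (the job of the parser); the second half applies detection rules to those fields (the job of the scripts the paper refers to). The protocol "ACME-CTL", its opcodes, the authorized-writer address and the setpoint limit are all constructed for illustration and correspond to nothing real; the sample traffic is likewise constructed inline.

```python
"""
Added example (not from the SANS paper or the Zeek project): a minimal
dissector for a constructed, hypothetical proprietary protocol plus the
detection logic that having a parser makes possible. The wire format,
opcodes, hosts and limits below are invented for illustration.
"""
import struct
from dataclasses import dataclass

# Constructed wire format for the hypothetical "ACME-CTL" protocol:
#   magic "AC" | version u8 | function u8 | unit_id u16 BE | payload_len u16 BE | payload
MAGIC = b"AC"
HEADER_FMT = ">2sBBHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 8 bytes

# Policy assumed for the example: known opcodes, which of them write to a
# device, which hosts are allowed to write, and the physical setpoint limit.
ALLOWED_FUNCTIONS = {0x01: "read_status", 0x02: "read_value", 0x10: "write_setpoint"}
WRITE_FUNCTIONS = {0x10}
AUTHORIZED_WRITERS = {"10.0.0.5"}  # constructed engineering-workstation address
MAX_SETPOINT = 500


class ParseError(ValueError):
    """Raised when the bytes do not conform to the protocol definition."""


@dataclass
class AcmeMessage:
    version: int
    function: int
    unit_id: int
    payload: bytes


def parse_message(data: bytes) -> AcmeMessage:
    """Dissect one message into fields; this is the role a custom parser plays."""
    if len(data) < HEADER_LEN:
        raise ParseError("truncated header")
    magic, version, function, unit_id, plen = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if magic != MAGIC:
        raise ParseError("bad magic")
    payload = data[HEADER_LEN:HEADER_LEN + plen]
    if len(payload) != plen:
        raise ParseError("declared payload length exceeds available bytes")
    return AcmeMessage(version, function, unit_id, payload)


def build_message(function: int, unit_id: int, payload: bytes = b"", version: int = 1) -> bytes:
    """Encode a message; used here only to construct sample traffic."""
    return struct.pack(HEADER_FMT, MAGIC, version, function, unit_id, len(payload)) + payload


def analyze(data: bytes, src: str) -> list[tuple[str, str]]:
    """Apply detection rules to one message, the way a detection script reacts
    to the events a parser raises. Returns (notice_name, detail) pairs."""
    try:
        msg = parse_message(data)
    except ParseError as exc:
        # Malformed traffic is itself worth a notice: a fuzzer or a non-conforming client.
        return [("ProtocolViolation", f"{exc} from {src}")]

    notices: list[tuple[str, str]] = []
    if msg.function not in ALLOWED_FUNCTIONS:
        notices.append(("UnknownFunction", f"0x{msg.function:02x} from {src}"))
        return notices

    if msg.function in WRITE_FUNCTIONS:
        if src not in AUTHORIZED_WRITERS:
            notices.append(("UnauthorizedWrite", f"{src} -> unit {msg.unit_id}"))
        if len(msg.payload) >= 2:
            setpoint = struct.unpack(">H", msg.payload[:2])[0]
            if setpoint > MAX_SETPOINT:
                notices.append(("OutOfRangeSetpoint", f"{setpoint} > {MAX_SETPOINT} for unit {msg.unit_id}"))
    return notices


def notice_names(data: bytes, src: str) -> list[str]:
    """Convenience wrapper returning only the notice names for a message."""
    return [name for name, _ in analyze(data, src)]


# Constructed sample traffic for a stand-alone run.
SAMPLES = [
    ("benign read", build_message(0x01, 7), "10.0.0.9"),
    ("authorized write", build_message(0x10, 7, struct.pack(">H", 120)), "10.0.0.5"),
    ("unauthorized write", build_message(0x10, 7, struct.pack(">H", 120)), "10.0.0.77"),
    ("out-of-range setpoint", build_message(0x10, 7, struct.pack(">H", 900)), "10.0.0.5"),
    ("unknown opcode", build_message(0x7F, 7), "10.0.0.9"),
    ("length mismatch", b"AC\x01\x01\x00\x07\x00\x10abc", "10.0.0.9"),
]

if __name__ == "__main__":
    for label, raw, src in SAMPLES:
        print(f"{label:24s} {notice_names(raw, src) or ['ok']}")
```

Without the parser, every one of these messages is an opaque TCP payload and none of the rules can fire; with it, the unauthorized write and the out-of-range setpoint become visible as distinct notices, and malformed input is flagged rather than silently skipped. A production Zeek parser would additionally log each parsed message so that baselines (which hosts issue which opcodes to which units) can be built before alerting rules are tightened.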