KNOWLEDGE VALIDATION
Before moving on to the next lesson, take a few minutes to test your understanding of the concepts covered in this lesson. These questions aren’t meant to be tricky - they’re designed to ensure you’ve grasped the fundamental concepts that will inform everything that follows.
Think about the fundamental philosophical difference between Zeek and Snort. If you were explaining to a colleague who’s familiar with Snort why they should also deploy Zeek, what key points would you make? How would you explain the complementary nature of signature-based detection and behavioral analysis without suggesting that one is better than the other?
Consider the kinds of threat intelligence indicators that Zeek's Intelligence Framework can consume. Can you name at least three different indicator types and explain why each is valuable? Think about how different indicator types address different aspects of threat detection: some match on where traffic goes, some on what was requested, and some on what was transferred.
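To check your answer against something concrete, here is an added Zeek script (written for this review section, not code from the lesson or from the Zeek project) that loads three indicators of different types into the Intelligence Framework and prints every match. The indicator values are constructed: 203.0.113.7 is a documentation address, bad.example is a reserved example domain, and the hash is the MD5 of the EICAR test file. Zeek's Intel::insert(), Intel::match and the record fields used are the framework's real API.

```zeek
# intel-example.zeek (added example, not part of the lesson)
# Run against a capture with:  zeek -r sample.pcap intel-example.zeek
# Matches also land in intel.log via the framework's own logging.

@load frameworks/intel/seen          # hooks DNS, HTTP, SSL, files, etc. into the framework
@load frameworks/files/hash-all-files # FILE_HASH indicators only match if hashes are computed

event zeek_init()
    {
    local src = "course-example";     # meta.source is the one mandatory metadata field

    # Network-layer indicator: matches connections to/from this address.
    Intel::insert([$indicator="203.0.113.7",
                   $indicator_type=Intel::ADDR,
                   $meta=[$source=src, $desc="constructed C2 address (TEST-NET-3)"]]);

    # Application-layer indicator: matches DNS queries, HTTP Host headers, SNI, etc.
    Intel::insert([$indicator="bad.example",
                   $indicator_type=Intel::DOMAIN,
                   $meta=[$source=src, $desc="constructed malicious domain"]]);

    # Content indicator: matches the hash of a file carried over any analysed protocol.
    Intel::insert([$indicator="44d88612fea8a8f36de82e1278abb02f",
                   $indicator_type=Intel::FILE_HASH,
                   $meta=[$source=src, $desc="EICAR test file, MD5"]]);
    }

# Fired once per sighting of any loaded indicator. s$where tells you which
# analyzer produced the sighting (e.g. DNS::IN_REQUEST, HTTP::IN_HOST_HEADER, Files::IN_HASH).
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    for ( item in items )
        print fmt("intel hit: %s (%s) seen at %s, source %s",
                  item$indicator, item$indicator_type, s$where, item$meta$source);
    }
```

The three entries illustrate why mixing types matters: an ADDR indicator survives a domain change, a DOMAIN indicator survives IP rotation, and a FILE_HASH indicator catches the payload regardless of where it was served from. In production you would load indicators from tab-separated files via Intel::read_files rather than hard-coding them; the indicator_type and meta.source columns are the same.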
Here’s a true-or-false question that gets at an important misconception: Zeek can operate in inline IPS mode to actively block malicious traffic. The answer is false. Zeek analyses a copy of the traffic delivered from a tap or SPAN port; it never sits in the forwarding path, so it cannot drop or reset a packet on its own. Take a moment to consider what this implies for Zeek’s role in a security architecture, and where blocking would have to happen instead.
Reflect on the primary advantage of Zeek’s event-driven architecture for detecting unknown threats. How does operating at the event level rather than the packet level enable detection of novel attacks? Think about the role of state tracking and protocol context in this capability.
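As a reference point for this question, here is an added Zeek script (written for this review section, not code from the lesson or the Zeek project) that detects a horizontal port sweep purely from connection state. No packet is ever examined and no signature is involved: the script only counts how many distinct ports one source has tried to open, using the connection_attempt event that Zeek raises when a TCP SYN goes unanswered. The threshold and window are chosen for illustration.

```zeek
# stateful-sweep.zeek (added example, not part of the lesson)
# Run with:  zeek -r sample.pcap stateful-sweep.zeek

module SweepExample;

export {
    # Illustrative threshold: how many distinct destination ports from one source
    # within the window count as a sweep.
    const port_threshold = 20 &redef;
}

# State carried across events: per source address, the set of ports it has
# attempted. &create_expire drops an entry one minute after it was created,
# which both bounds memory and turns the count into a rate.
global ports_attempted: table[addr] of set[port] &create_expire=1min;

# connection_attempt fires once per unanswered TCP SYN. Zeek has already done
# the reassembly and state tracking; the script reasons at the connection level.
event connection_attempt(c: connection)
    {
    local src = c$id$orig_h;

    if ( src !in ports_attempted )
        ports_attempted[src] = set();

    add ports_attempted[src][c$id$resp_p];

    # Report exactly once, at the moment the threshold is crossed.
    if ( |ports_attempted[src]| == port_threshold )
        print fmt("%s attempted %d distinct ports on %s within one minute",
                  src, port_threshold, c$id$resp_h);
    }
```

The point to take from this: a scanner that uses a tool nobody has written a signature for still trips the detector, because the behaviour being measured (many failed connections to many ports from one host) is a property of the state Zeek maintains, not of any byte pattern. Zeek ships a more complete version of this logic in policy/misc/scan.zeek, which raises notices instead of printing.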
Consider the two community packages we discussed that help detect malware in encrypted TLS traffic. Can you name them and explain at a high level how they work despite traffic being encrypted? This question tests whether you understand that analysis of encrypted traffic metadata can still reveal malicious activity.
Finally, think about why Zeek is often deployed alongside a SIEM rather than as a replacement for one. What unique capabilities does each system bring, and how do they complement each other? This question gets at understanding Zeek’s role in a comprehensive security architecture.
Take your time with these questions. If you’re uncertain about any of them, review the relevant sections of this lesson before proceeding. Understanding these foundational concepts is crucial for everything that follows.