Beyond Zeek: How ElastiFlow and NetQuest Deliver Zeek-Level Insight Through Enhanced Flow Data


By: Eric Graham

November 6, 2024

Using NetQuest with ElastiFlow, companies can obtain data directly from high-speed network links, which is essential for generating feature-rich NetFlow data enriched with security insights. While typical routers, switches, and firewalls provide flow data useful for network operations and for detecting volumetric DDoS attacks, security teams often lack the depth needed for the kind of detailed analysis a Zeek log supports. By capturing traffic in real time, NetQuest and ElastiFlow deliver a comprehensive view of network behavior, enabling detailed analysis of communication patterns along with detailed DNS, HTTP, and SSL information. This makes it possible to identify unusual or suspicious activity, such as unauthorized access attempts, malware attacks, lateral movement, or anomalous traffic patterns, and the continuous data flow supports real-time monitoring and quick response to emerging security incidents.

NetQuest further enhances flow data with fields vital to network security, similar to those found in Zeek logs. Partnered with NetQuest, ElastiFlow provides the visibility companies need while efficiently handling unsampled 1:1 flow data at a high rate of flows per second (FPS), equipping security teams with the data necessary to investigate incidents and resolve them quickly. This blog explores the similarities between NetFlow data from NetQuest and Zeek logs, offering a deeper comparison of the two technologies. In many ways, the choice of which data format to deploy is driven by what the upstream analytics platform can consume, existing workflows, and existing processes for network traffic analysis.

Why Flow Is as Good as, or Better than, Zeek for Network Security Monitoring with NetQuest and ElastiFlow Enrichment

Background – What is Flow Data

Flow data, including NetFlow and IPFIX, provides a high-level abstraction of network traffic by capturing metadata about each packet traversing a network. Network flow data is a record of device communications that includes information about connections made over a network. This data is usually collected and sent by network devices and can include information such as source and destination IP addresses, ports, protocols, timestamps, traffic volume, and network interfaces. Unsampled flow data is crucial for detailed network monitoring, offering a complete picture without sacrificing fidelity.

While flow data from routers, switches, and firewalls may not include the level of detail provided by Zeek, similar fields are included in flow records generated by NetQuest. In addition, ElastiFlow enriches the flow records further with Geo-IP, BGP ASN, DNS, user-defined metadata, application name, and threat intelligence, giving users even greater insight.

Flow Data for Network Monitoring:

  • Comprehensive Data: Captures every packet and byte, providing full visibility into network activity.

  • Enrichment: Records can be enriched with additional context, such as threat intelligence, Geo IP, BGP ASN, application, and session-level data, to offer deeper insights.

  • Efficiency: Flow data is a lightweight alternative to full packet capture, making it easier to collect, store, and analyze.

  • Enhanced Flow: Probe vendors can enhance flow records with details similar to those of Zeek.

  • Complete Visibility: Flow data can be generated from probes, routers, switches, and firewalls, making visibility north-south and east-west simple. 

Background – What is Zeek

Zeek, formerly known as Bro, is an open-source network analysis framework that focuses on deep packet inspection for detailed security monitoring. It generates rich logs that describe network activities, including HTTP sessions, DNS queries, and SSL handshakes.

Zeek for Network Monitoring:

  • Detailed Logs: Provides extensive logs that can help identify complex security threats.

  • Specialization: Primarily designed for security monitoring rather than broader network management.

The Limitations of Zeek:

  • Cost to Generate: Requires significant computational resources, leading to higher operational costs.

  • Availability: Needs specialized sensors, limiting its accessibility.

  • Scalability: Deep packet inspection demands substantial processing power, challenging its scalability in large environments.

  • Integration Complexity: Integrating Zeek data with upstream platforms can be resource-intensive.

  • Deployability: Zeek sensors need to see packet data, making deployment challenging in large environments where north-south and east-west visibility is required. 

  • Encrypted Traffic: Zeek rules perform matches on packet payload to identify threats. With encrypted traffic, those payload matches are no longer possible, limiting Zeek's usefulness.

NetQuest Flow vs. Zeek: Comprehensive Comparison

Extensibility and Versatility

Flow data is ideal for security monitoring and valuable for other types of network monitoring. Its extensibility allows it to be leveraged across multiple platforms and use cases, offering a better return on investment.

Detecting Anomalous Traffic and Network Security Threats

Both Flow data and Zeek can detect anomalies. However, Flow's ability to scale efficiently and provide comprehensive coverage makes it a more versatile solution for detecting network security threats. 

Identifying Applications and User Conversations

Enriched Flow data offers application-level and session-level context, making it comparable to Zeek in identifying applications and user conversations. This enrichment allows for detailed traffic analysis without needing full packet inspection.

Extracting Session-Level Context

Both technologies excel in extracting session-level context, but Flow data's scalability and efficiency give it an edge in larger environments.

Handling Encrypted Traffic

While Zeek's deep packet inspection can provide insights into encrypted traffic, Flow data can offer valuable metadata for identifying encrypted sessions and monitoring network health.

The Value of Unsampled Flow Data

Sampling data might save resources but at the cost of missing critical details. Unsampled Flow data ensures no packet is overlooked, providing a complete and accurate picture of network activity.

Advantages of Unsampled Flow Data:

  • Granularity: Captures every detail, making detecting and analyzing anomalies easier.

  • Full Visibility: A comprehensive view of network traffic eliminates blind spots.

  • Efficient Storage: Integration with advanced data compression technologies like Elasticsearch's TSDS ensures efficient storage, reducing the need for trade-offs.

Real-World Applications

ElastiFlow's Complete Network Insight Revolution:

  • Financial Services: High-speed transactions demand precise, real-time monitoring.

  • Healthcare: Critical data flows require comprehensive monitoring to ensure patient safety.

  • Telecom: Managing petabytes of data necessitates detailed visibility to prevent service disruptions.

ElastiFlow provides the tools to monitor, analyze, and secure networks effectively. By capturing 1:1 unsampled Flow data, ElastiFlow eliminates the compromises of traditional sampling, offering unparalleled insight and control.

Fields comparison between NetQuest flow and Zeek logs:

To compare the flow field output from NetQuest to Zeek fields, we need to map the respective fields from each system and understand their formats and structures. Here's a basic comparison of typical flow field outputs from NetQuest and Zeek (formerly Bro).

Comparison

| NetQuest Field | Zeek Field | Description |
| --- | --- | --- |
| Source IP | id.orig_h | The IP address of the traffic origin |
| Destination IP | id.resp_h | The IP address of the traffic destination |
| Source Port | id.orig_p | The port number at the source |
| Destination Port | id.resp_p | The port number at the destination |
| Protocol | proto | The protocol used (e.g., TCP, UDP) |
| Flow Duration | duration | The duration of the traffic flow |
| Packets | orig_pkts + resp_pkts | Total number of packets in the flow |
| Bytes | orig_ip_bytes + resp_ip_bytes | Total number of bytes in the flow |
| Start Time | ts | The timestamp when the flow started |
| End Time | ts + duration | The timestamp when the flow ended |

Notes

  • NetQuest may combine fields that Zeek splits into originator and responder values, such as orig_pkts and resp_pkts, into a single Packets field.

  • Zeek provides additional context, such as conn_state and history, that may not be present in NetQuest flow data.

  • NetQuest's Bytes and Packets fields represent aggregate values, while Zeek breaks them down by originator and responder.
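The mapping above is what an analytics pipeline has to implement when it ingests both sources. The following is an added example, not NetQuest, ElastiFlow or Zeek code: it normalizes a Zeek conn.log JSON record and an aggregated flow record into one schema, deriving the summed counters and end time exactly as the table prescribes, and handles the conn.log case where a connection saw no reply and carries no duration. The Zeek side uses real conn.log field names; the flow-side keys (source_ip, flow_duration, and so on) are the table's column labels in snake_case and are an assumption, not NetQuest's actual IPFIX template names. All records are constructed.

```python
"""Normalize Zeek conn.log records and probe flow records into one schema.

Added example (not NetQuest, ElastiFlow or Zeek code). The Zeek side uses
the real conn.log JSON field names; the flow side uses the table's column
labels in snake_case, which is an assumption about how the probe's fields
are exposed, not NetQuest's actual IPFIX template names.
"""
import json

# Constructed Zeek conn.log line in JSON format (not captured data).
ZEEK_CONN_LINE = json.dumps({
    "ts": 1730900000.5,
    "uid": "CHhAvVGS1DHFjwGM9",          # constructed uid
    "id.orig_h": "10.0.0.5", "id.orig_p": 51234,
    "id.resp_h": "198.51.100.20", "id.resp_p": 443,
    "proto": "tcp", "duration": 2.25,
    "orig_pkts": 12, "resp_pkts": 10,
    "orig_ip_bytes": 1500, "resp_ip_bytes": 9000,
    "conn_state": "SF",
})

# Constructed Zeek record for a SYN that got no answer: Zeek omits duration
# and the responder counters are zero, so the derived fields must cope.
ZEEK_S0_LINE = json.dumps({
    "ts": 1730900010.0,
    "id.orig_h": "10.0.0.5", "id.orig_p": 51300,
    "id.resp_h": "198.51.100.21", "id.resp_p": 445,
    "proto": "tcp", "orig_pkts": 1, "orig_ip_bytes": 60,
    "resp_pkts": 0, "resp_ip_bytes": 0, "conn_state": "S0",
})

# Constructed flow record for the same conversation as ZEEK_CONN_LINE,
# already aggregated across both directions as the table describes.
FLOW_RECORD = {
    "source_ip": "10.0.0.5", "destination_ip": "198.51.100.20",
    "source_port": 51234, "destination_port": 443,
    "protocol": 6,                 # IANA protocol number for TCP
    "flow_duration": 2.25,
    "packets": 22, "bytes": 10500,
    "start_time": 1730900000.5,
    # end_time deliberately absent: derived as start_time + flow_duration
}

IANA_PROTO = {1: "icmp", 6: "tcp", 17: "udp", 58: "icmp"}  # Zeek's proto values


def from_zeek_conn(line):
    """Map one conn.log JSON line onto the common schema (the table's rows)."""
    rec = json.loads(line)
    ts = float(rec["ts"])
    duration = float(rec.get("duration", 0.0))   # absent for unanswered connections
    return {
        "src_ip": rec["id.orig_h"], "dst_ip": rec["id.resp_h"],
        "src_port": int(rec["id.orig_p"]), "dst_port": int(rec["id.resp_p"]),
        "proto": rec["proto"].lower(),
        "duration": duration,
        # Flow-style aggregates: originator + responder, as the table notes.
        "packets": int(rec.get("orig_pkts", 0)) + int(rec.get("resp_pkts", 0)),
        "bytes": int(rec.get("orig_ip_bytes", 0)) + int(rec.get("resp_ip_bytes", 0)),
        "start": ts, "end": ts + duration,
        # Zeek-only context with no flow equivalent; kept when present.
        "conn_state": rec.get("conn_state"),
    }


def from_flow(rec):
    """Map one aggregated flow record (the table's NetQuest column) onto the schema."""
    proto = rec["protocol"]
    if isinstance(proto, int):
        proto = IANA_PROTO.get(proto, str(proto))   # keep unknown numbers visible
    start = float(rec["start_time"])
    duration = float(rec.get("flow_duration", 0.0))
    end = rec.get("end_time")
    end = float(end) if end is not None else start + duration
    return {
        "src_ip": rec["source_ip"], "dst_ip": rec["destination_ip"],
        "src_port": int(rec["source_port"]), "dst_port": int(rec["destination_port"]),
        "proto": str(proto).lower(),
        "duration": duration,
        "packets": int(rec["packets"]), "bytes": int(rec["bytes"]),
        "start": start, "end": end,
        "conn_state": None,          # no flow equivalent
    }


FIVE_TUPLE = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")


def same_conversation(a, b, slack=1.0):
    """Same 5-tuple and overlapping time windows (slack absorbs clock skew)."""
    return (all(a[k] == b[k] for k in FIVE_TUPLE)
            and a["start"] <= b["end"] + slack and b["start"] <= a["end"] + slack)


def counter_mismatch(a, b):
    """Counters on which two records of one conversation disagree.

    Handy when validating a probe's unsampled counters against a Zeek sensor
    on the same tap; an empty dict means they agree.
    """
    return {k: (a[k], b[k]) for k in ("packets", "bytes") if a[k] != b[k]}


if __name__ == "__main__":
    z, f = from_zeek_conn(ZEEK_CONN_LINE), from_flow(FLOW_RECORD)
    print("same conversation:", same_conversation(z, f))
    print("mismatches:", counter_mismatch(z, f))
    print("unanswered SYN:", from_zeek_conn(ZEEK_S0_LINE))
```

The conn_state key is carried through as None on the flow side so that downstream queries can tell "no reply seen" (Zeek S0) apart from "not available from this source", which is the gap the note above describes.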

To compare the advanced fields in NetQuest SNS1000 IPFIX templates with Zeek, we focus on NetQuest's enriched Layer 7 protocol-specific fields and set them against Zeek's detailed logging.

The table below compares the advanced DNS, HTTP, and TLS/SSL fields between NetQuest SNS1000 and Zeek.

Comparison Table: Advanced Fields

| Protocol | NetQuest SNS1000 Field | Description | Zeek Field | Description |
| --- | --- | --- | --- | --- |
| DNS | dns_trans_id | DNS transaction ID | uid | Unique ID for the connection |
| DNS | dns_query | The domain name queried | query | The DNS query |
| DNS | dns_qclass | Class of the DNS query | qclass_name | Class of the DNS query |
| DNS | dns_qtype | Type of the DNS query | qtype_name | Type of the DNS query |
| DNS | dns_rcode | Response code in DNS response messages | rcode_name | Response code |
| DNS | dns_flags_codes | DNS header flags | flags | DNS header flags |
| DNS | dns_TTLs | TTL values for the DNS records | TTLs | Time-to-live values for the DNS answers |
| DNS | dns_response_ipv4_addr | IPv4 address in DNS response | answers | List of returned answers |
| DNS | dns_response_ipv6_addr | IPv6 address in DNS response | - | - |
| HTTP | http_method | HTTP request method (e.g., GET, POST) | method | HTTP request method |
| HTTP | http_uri | URI in the HTTP request | uri | URI in the request |
| HTTP | http_user_agent | User-Agent string from the client | user_agent | User-Agent string |
| HTTP | http_status_code | Status code returned by the server | status_code | HTTP status code |
| HTTP | http_content_type | Content type of the response | resp_mime_types | MIME type of the response |
| HTTP | http_proxied | Indicates if the request was proxied | - | - |
| TLS/SSL | ssl_version | Version of the SSL/TLS protocol | version | Version of the SSL/TLS protocol |
| TLS/SSL | ssl_cipher | Cipher suite used | cipher | Cipher suite used |
| TLS/SSL | ssl_server_name | Server name from the Client Hello message | server_name | Server name from the Client Hello message |
| TLS/SSL | ssl_session_id | Unique session ID | - | - |
| TLS/SSL | ssl_subject | Distinguished name of the subject | subject | Distinguished name of the subject |
| TLS/SSL | ssl_issuer | Certificate Authority | issuer | Certificate Authority |
| TLS/SSL | ssl_not_valid_before | Certificate's start validity date | not_valid_before | Certificate's start validity date |
| TLS/SSL | ssl_not_valid_after | Certificate's end validity date | not_valid_after | Certificate's end validity date |
| TLS/SSL | ssl_certificate_subject_key_size | Length of the subject key | - | - |
| TLS/SSL | ssl_cert_hash | Hash of the certificate | - | - |
| TLS/SSL | ssl_ja3 | Fingerprint of the TLS client | - | - |
| TLS/SSL | ssl_ja3s | Fingerprint of the TLS server | - | - |

Notes

  • Fields marked with "-" indicate no direct equivalent in the other system.

  • NetQuest includes additional fields for HTTP and TLS/SSL not found in Zeek, such as http_proxied, ssl_session_id, ssl_certificate_subject_key_size, ssl_cert_hash, ssl_ja3, and ssl_ja3s.

  • Zeek provides connection-specific information such as uid and detailed response information in DNS logs, which might not be directly included in NetQuest fields.
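Because the two sources name the same TLS and DNS attributes differently, detection logic written against enriched flow should read either name. The following is an added example, not NetQuest, ElastiFlow or Zeek code: each accessor tries the NetQuest SNS1000 field name from the table first and falls back to the Zeek name, and the checks are the defender-side ones these fields make possible without payload access: certificate validity window against the flow timestamp, self-signed certificates, SNI versus certificate CN (including single-label wildcards), legacy protocol versions, and, from the NetQuest-only key-size field, weak keys. It also normalizes NetQuest's numeric dns_rcode and Zeek's rcode_name to one value. The records, the 2048-bit key floor and the TLS 1.2 floor are constructed policy choices for the example, not anything the page specifies.

```python
"""Defender-side checks over the TLS/SSL and DNS fields listed in the table.

Added example, not NetQuest, ElastiFlow or Zeek code. Each accessor tries the
NetQuest SNS1000 field name first and falls back to the Zeek name, so one
check runs unchanged over either source. Records are constructed; the key
size and version thresholds are this example's policy, not the page's.
"""
from datetime import datetime


def to_epoch(value):
    """Accept epoch seconds (Zeek style) or ISO 8601 text (common in exports)."""
    if isinstance(value, (int, float)):
        return float(value)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00")).timestamp()


def field(rec, netquest_name, zeek_name):
    """Read a value under its NetQuest name, else its Zeek name, else None."""
    return rec.get(netquest_name, rec.get(zeek_name))


def common_name(subject):
    """Pull the CN out of a DN such as 'CN=www.example.com,O=Example'."""
    for part in (subject or "").split(","):
        key, _, val = part.strip().partition("=")
        if key.upper() == "CN":
            return val.strip().lower()
    return None


def name_matches(sni, cn):
    """Exact match, or a single-label wildcard such as *.example.com."""
    if not sni or not cn:
        return False
    sni = sni.lower()
    if cn.startswith("*."):
        return "." in sni and sni.split(".", 1)[1] == cn[2:]
    return sni == cn


LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}   # Zeek-style version strings
MIN_KEY_BITS = 2048                                        # example policy floor
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def tls_findings(rec):
    """Return the policy findings for one enriched TLS record (empty list = clean)."""
    findings = []
    ts = to_epoch(rec.get("ts", rec.get("start_time", 0)))
    nvb = field(rec, "ssl_not_valid_before", "not_valid_before")
    nva = field(rec, "ssl_not_valid_after", "not_valid_after")
    if nvb is not None and ts < to_epoch(nvb):
        findings.append("cert_not_yet_valid")
    if nva is not None and ts > to_epoch(nva):
        findings.append("cert_expired")
    subject = field(rec, "ssl_subject", "subject")
    issuer = field(rec, "ssl_issuer", "issuer")
    if subject and issuer and subject == issuer:
        findings.append("self_signed")
    sni = field(rec, "ssl_server_name", "server_name")
    if sni and subject and not name_matches(sni, common_name(subject)):
        findings.append("sni_cn_mismatch")
    if field(rec, "ssl_version", "version") in LEGACY_VERSIONS:
        findings.append("legacy_tls_version")
    key_bits = rec.get("ssl_certificate_subject_key_size")   # NetQuest-only per the table
    if key_bits is not None and int(key_bits) < MIN_KEY_BITS:
        findings.append("weak_key")
    return findings


def dns_rcode_name(rec):
    """Normalize NetQuest's numeric dns_rcode and Zeek's rcode_name to one name."""
    code = field(rec, "dns_rcode", "rcode_name")
    if isinstance(code, int):
        return RCODE_NAMES.get(code, f"RCODE{code}")
    return code


# Constructed records, not captured traffic.
CLEAN_NETQUEST = {                    # NetQuest-style names, ISO timestamps
    "start_time": "2024-11-06T12:00:00Z",
    "ssl_version": "TLSv13", "ssl_server_name": "www.example.com",
    "ssl_subject": "CN=*.example.com,O=Example", "ssl_issuer": "CN=Example CA,O=Example",
    "ssl_not_valid_before": "2024-01-01T00:00:00Z", "ssl_not_valid_after": "2025-01-01T00:00:00Z",
    "ssl_certificate_subject_key_size": 2048,
}
BAD_ZEEK = {                          # Zeek ssl.log-style names, epoch timestamps
    "ts": 1730900000.0,               # 2024-11-06 13:33:20 UTC
    "version": "TLSv10", "server_name": "login.example.com",
    "subject": "CN=selfsigned.local", "issuer": "CN=selfsigned.local",
    "not_valid_before": 1600000000.0, "not_valid_after": 1700000000.0,  # expired Nov 2023
}

if __name__ == "__main__":
    print("clean:", tls_findings(CLEAN_NETQUEST))
    print("bad:", tls_findings(BAD_ZEEK))
    print(dns_rcode_name({"dns_rcode": 3}), dns_rcode_name({"rcode_name": "NXDOMAIN"}))
```

Every check here works on metadata only, which is the point the page makes about encrypted traffic: the handshake and certificate fields survive encryption even though the payload does not.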

In conclusion, NetQuest, when used with ElastiFlow, offers a powerful solution for obtaining and enriching high-speed flow data, addressing the needs of both network and security teams. The combination enables real-time traffic capture and detailed flow analysis, providing comprehensive visibility into network behavior. While traditional network devices like routers and firewalls generate useful flow data, they often lack the detail required for robust security monitoring. With NetQuest, unsampled flow data is enriched to include security-relevant insights into DNS, HTTP, and SSL transactions. In addition, ElastiFlow further enriches the records with Geo-IP, BGP ASN, threat intelligence, user-defined metadata, and App-ID and App-Name, which can reveal anomalous or malicious activity patterns.

Moreover, the enriched flow data can rival the detailed analysis provided by Zeek. Flow data's efficiency, scalability, and ability to handle encrypted traffic make it a versatile and cost-effective alternative to Zeek in many large-scale network environments. A detailed comparison of flow and Zeek fields shows that the choice often depends on specific organizational needs, infrastructure capabilities, and analytics platforms. For many use cases, flow data enriched by NetQuest and ElastiFlow proves to be as good as or better than Zeek, offering comprehensive network visibility and enriched security insights with greater efficiency.
