As we gear up for ZeekWeek 2019, I wanted to introduce you to Fatema Bannat Wala an active Zeek community member, who I had the chance to meet earlier this year at the 2019 Open Source Zeek European Workshop that was held in Geneva, Switzerland at CERN. Fatema is a frequent speaker at Zeek events including BroCon(now ZeekWeek) and multiple Zeek workshops. She recently presented a talk about the weird.zeek log file at CERN and she was a panelist in a discussion about how Zeek is being used to secure university networks. Her excitement about sharing what she learns about Zeek is so contagious that I asked if she’d do a blog post series about weird.log–the weird.log file comes from the weird.bro script which helps users detect unexpected network level activity. To kick off that series, I spoke with her about her work with Zeek and the “Weirds” log and I am pleased to introduce her to the Zeek Community in today’s Q&A blog post.

Amber Graner (AG): Fatema, thank you so much for taking the time to answer my questions and let the community know who you are and what it is about Zeek and the weird.log files that interest you. Can you take a moment to tell the community a little about yourself and what a typical day is like for you?

Fatema Bannat Wala (FW): Firstly, thanks Amber for giving me this opportunity and platform to share my ideas and knowledge with the community. I truly appreciate your efforts! I currently work as a security engineer at the University of Delaware’s Security Operations team, where I got introduced to then Bro, now Zeek. It has been a terrific journey so far working with the team and learning new stuff every day at my job. That’s what keeps me motivated and going throughout the day. My daily activities vary as per the need of the hour, working with the Security Information and Event Management (SIEM) team primarily, firewalls, monitoring and enhancing the intrusion detection in the network traffic using Zeek Network Security Monitor (NSM), and other security tools.

AG: What drew you to Zeek and how did you get involved with the project?

FW: Zeek is different was my first impression when I started playing around with it. Unlike other tools which look for the patterns in the known traffic and records them, Zeek records and scraps everything interesting and useful that passes by for you to later look at. There is a lot of information flowing around on the network, unknown to the user, and Zeek keeps records of everything it sees on the network, which you can later take a look at to draw interesting statistical analysis of the overall network traffic and what transpires on your network. It gives binocular vision to the analysts who are otherwise blind to their network traffic. There are so many use cases of Zeek that I can’t enumerate them all, but whenever I think of an issue to solve, I think: can I use Zeek to solve it? 

That thought process drew me into asking a lot of questions of the awesome Zeek community and eventually getting involved with solving some interesting use cases and sharing it with others in the form of Zeek scripts and contributions to the source code repository.

AG: What was it about the Weird logging that made you want to write documentation, give talks on it and share your knowledge?

FW: What’s weird is, as analysts we are more interested to know what unconventional activity is going on in our network apart from normal protocols traffic, and honestly the name “Weird” for one of the log files that Zeek generates attracted me towards looking into it. I asked myself, ‘what is weird in the eyes of Zeek?’ As I read through the documentation about the weird.log file, I became even more interested in looking at it because it stated that ‘unusual or exceptional activity that can indicate malformed connections, traffic that doesn’t conform to a particular protocol, malfunctioning or misconfigured hardware, or even an attacker attempting to avoid/confuse a sensor.’ This is what you should look for in the network traffic as security analysts, isn’t it?

As I researched through various weird types in our environment I was amazed and excited by the network enhancements we made just based on weird activity logged by Zeek. Those enhancements motivated me to share my research and knowledge with the community, so that if similar conditions are occurring at different networks they don’t have to reinvent the wheel, or start from scratch to find the solution.

AG: In addition to the Weird logs, what’s the most interesting thing you’ve learned about Zeek so far?

FW: Other than Weird logs, the most interesting thing about Zeek is its ability to record enough information that can be used for fingerprinting the devices or unconstrained endpoints in a university network which is practically impossible, or hard to collect via any host/client based agent. As with every semester, comes a flood of all new devices and end points that we don’t manage centrally, and to keep an eye on them (what OS is running, what kind of software fingerprint it has) we use Zeek as our passive scanner. I have bragged enough in detail about this use case of Zeek at UD and in my 2017 BroCon talk UEPtSS – Unconstrained End-Point Security System, if people are interested to learn more about it. Apart from the users’ perspective, Zeek’s Scripting and logging frameworks are among the strongest features available to customize Zeek to achieve any use case that we come up with.

AG: Can you tell the community about the “Weird” blog series we’ll be starting soon and what they can expect to learn from the series?

FW: When I started to research Weird logs, there was very limited information available online. By digging up some of the source code and looking around on the internet in various mailing lists or personal blog posts, I found the answers I was looking for. I am hoping that by sharing the analysis I have done, information I found and some basics about the Weird logs with the community will make it easily available and accessible to the community in one central location.

The series will cover some basics of Weird, where to find them and what to do with some of the noisy ones after finding them. I plan to keep the community up to date regarding the new information I find with my continued research with Weird. If people have any questions or issues about or with the Weird logs they can ask and I will be more than happy to answer those, either via this blog or on the Zeek mailing lists.

AG: For those who want to get involved in the Zeek community, what advice would you give them and where would you tell them to start?

FW: Ask questions, no matter how silly you think they are, ask them any way. This way you will get expert advice and opinions for the things you are struggling with in your Zeek playground. After that you are just going to get better with Zeek. If you have any ideas for Zeek or any use cases that you would love to have Zeek solve, then don’t hesitate to share them on Zeek mailing list/IRC channel or Zeek dev mailing lists. These are the places that are regularly watched by the awesome core team, who is the biggest factor in my success with Zeek. When I started I joined the Zeek mailing list and tried to participate in as many Zeek events like BroCons (now known as ZeekWeek) and Zeek workshops as possible. This participation gives me opportunity to meet the developers face to face, which is a chance you definitely do not want to miss.

AG: Is there anything that you’d like to share about yourself or Zeek that I haven’t asked you about?

FW: Zeek is an outcome of tremendous efforts and time dedicated by some of the brilliant minds of the industry. Making a small effort towards contributing to this amazing open source free project is very satisfying and rewarding. Thanks for giving me the opportunity to be able to be a part of this community and to contribute back. Community involvement and contributing back to the project are key factors for any open source community project that keeps it growing and flourishing. As a part of the community, I would like to say, ‘stay involved and stay connected,’ the rewards are beyond imagination!

Helpful Links and information:
Getting Involved: If you would like to be part of the Open Source Zeek Community and contribute to the success of the project please sign up for our mailing lists, join our IRC Channel, come to our events, follow the blog and/or Twitter feed. If you’re writing scripts or plugins for Zeek we would love to hear from you! Can’t figure out what your next step should be, just reach out. Together we can find a place for you to actively contribute and be a part of this growing community.

About Zeek (formerly Bro): Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

%d bloggers like this: