
In late 2019, we held the first Zeek Package Contest (ZPC-1) and announced the winners at ZeekWeek. For those who may have missed the contest or were not at ZeekWeek in Seattle, this blog post is a summary of the contest and the contributions.

For ZPC-1 the focus was on Zeek scripts, not binary plugins. Packages could include a plugin to support their scripts through new built-in functions (“*.bif files”). However, packages with other binary functionality, such as protocol or file analyzers, log writers, input readers, etc., were not eligible to win in this first competition.

We had 11 submissions, and we are grateful to all those who contributed to the success of ZPC-1 by submitting packages, and to those who helped judge the competition.

Below is a list of the winners and links to all the packages that were submitted (package descriptions are from GitHub).

Again, thank you so much to all those who participated in this competition.  

Winners: 

First Prize (one free trip (hotel and airfare) to ZeekWeek 2019, $5000 cash and ZPC-1 challenge coin): Lexi Brent with the EternalSafety package.  EternalSafety is a Zeek/Bro package for detecting potentially-dangerous SMBv1 protocol violations that encapsulate bugs exploited by the infamous Eternal* family of Windows exploits. It is capable of detecting EternalBlue, EternalSynergy/EternalRomance, EternalChampion, and the DoublePulsar backdoor. However, rather than identifying these exploits via simple signature-matching, *EternalSafety* instead implements a set of SMBv1 protocol invariants that encapsulate techniques used by each Eternal* exploit to trigger bugs in unpatched Windows systems. EternalSafety accurately and reliably identifies the EternalBlue, EternalSynergy and EternalRomance exploits, and the DoublePulsar backdoor implant. Due to limitations in Zeek’s SMBv1 support, it has limited support for detecting EternalChampion via signature-matching. EternalSafety also identifies a range of other protocol violations, such as the use of unimplemented/unused SMBv1 commands, server-initiated changes in values that may only be set by an SMBv1 client, and incorrect interleaving of transaction types.

Second Prize ($2500 cash and ZPC-1 challenge coin): Jan Grashofer with the Intel-Limiter package. This package provides limiting mechanisms for Zeek’s intelligence framework. This encompasses matching thresholds on a per-item basis and heavy-hitter suppression.

Third Prize ($1000 USD cash and ZPC-1 challenge coin): Andrew Klause with the zeek-sniffpass package. Sniffpass will alert on cleartext passwords discovered in HTTP POST requests.

Fourth Prize ($100 gift card and ZPC-1 challenge coin): Michael “Dop” Dopheide with two packages*: Known-hosts-with-dns, a script that expands the base known-hosts policy to include reverse DNS queries and syncs it across all workers, and Ssh-interesting-hostname-with-known, a script that replaces the default ssh/interesting-hostnames and reduces the number of asynchronous when() calls made by Zeek.

(*These packages were judged as one submission)

Fifth Prize: Andrew Klause* with the zeek-httpattacks package. This module detects HTTP requests that are not RFC-compliant, including:

  • Multiple HTTP Host headers
  • GET requests with a body
  • Both Content-Length and Transfer-Encoding present
  • Multiple Content-Length and/or Transfer-Encoding headers

When any of these are detected, an HTTP_Smuggling notice will be added to notice.log.

(*Andrew was awarded 1 prize.)
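The four zeek-httpattacks conditions listed above, re-implemented as an added, stand-alone Python example over constructed raw HTTP requests (this is not the package’s own Zeek script; the sample requests and the `HTTP_Smuggling`-style labels are assumptions made for the demonstration):

```python
from typing import Dict, List, Tuple

# Constructed sample requests (not captured traffic); CRLF line endings as on the wire.
SAMPLES: Dict[str, bytes] = {
    "clean": b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello",
    "dual_host": b"GET / HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n",
    "get_with_body": b"GET /search HTTP/1.1\r\nHost: app.example\r\nContent-Length: 3\r\n\r\nabc",
    "cl_and_te": (b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "dup_cl": (b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
               b"Content-Length: 5\r\n\r\nabcd"),
}

def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request into (METHOD, [(lower-cased header name, value), ...])."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace").upper()
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:          # not a header line; skip rather than crash on junk
            continue
        headers.append((name.strip().lower().decode("ascii", "replace"),
                        value.strip().decode("ascii", "replace")))
    return method, headers

def smuggling_indicators(raw: bytes) -> List[str]:
    """Return the conditions the request trips (empty list means no notice)."""
    method, headers = parse_request(raw)
    names = [n for n, _ in headers]
    host_n, cl_n, te_n = (names.count(h) for h in ("host", "content-length", "transfer-encoding"))
    # A body is "declared" if Transfer-Encoding is present or any Content-Length is > 0.
    declares_body = te_n > 0 or any(
        v.isdigit() and int(v) > 0 for n, v in headers if n == "content-length")
    findings = []
    if host_n > 1:
        findings.append("multiple Host headers")
    if method == "GET" and declares_body:
        findings.append("GET request with a body")
    if cl_n > 0 and te_n > 0:
        findings.append("both Content-Length and Transfer-Encoding present")
    if cl_n > 1 or te_n > 1:
        findings.append("multiple Content-Length/Transfer-Encoding headers")
    return findings

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {smuggling_indicators(raw) or 'ok'}")
```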

3.0 Package Submissions

Because we released the 3.0 beta during the contest and some submissions would only work with the 3.0 release and not the 2.6 release, we awarded prizes for those that fall into that category. The prize was a $100 gift card and each author will receive a ZPC-1 Challenge Coin. 

The emojifier package by Jan Grashofer, Matthias Grundmann and Florian Jacob was ranked the highest in this category, but because a submitter could only receive one prize, it was not eligible for a prize in this category. This package gives the user the ability to “Set your logs on fire with Emojifier!” by adding an additional column to your conn.log that shows emojis giving you information about the connections in your log.

The kyd package by Fatema Bannat Wala was ranked second in this category and received the gift card and will receive the ZPC-1 Challenge Coin. KYD creates DHCP client hashes and logs the fingerprints and associated device information in a separate log file, ‘dhcpfp.log’. Unknown fingerprints can easily be queried against the Fingerbank API using the ‘dhcp-unknown.py’ script provided in this package; the resulting dhcp-db-extend output file can be appended to the local dhcp-db.bro, and can also be shared with the community using the dhcp-db-FBQ file generated by the Python script. https://github.com/fatemabw/kyd

The aaalm package by Nicholas Skelsey was ranked third and received a gift card and will receive the ZPC-1 Challenge Coin. aaalm is a Zeek package that passively infers the structure of an IPv4 network over Ethernet from communication among hosts.

It will discover gateways and routers, and associate devices with subnets and gateways, based on heuristics from analysis of raw packets and connections. It can even infer routing paths if the analyzed traffic contains ICMP responses to a traceroute.

Ineligible Package Submissions

The following package submissions were not eligible for any of the promoted prizes, but we will be sending a ZPC-1 challenge coin to each author. 

GQUIC_Protocol_Analyzer Package (analyzer) was contributed by Caleb Yu. This analyzer parses GQUIC traffic in Bro/Zeek for logging and detection purposes. It examines the initial exchange between a client and server communicating over GQUIC, and extracts the information contained in the connection’s client hello packet and server rejection packet. Currently, this protocol analyzer supports GQUIC versions Q039 to Q046.

Zeek-mac-ages Package (submitted by a Zeek team member) was contributed by Matthias Vallentin. This Zeek plugin adds functionality to query the age of a MAC address. The data comes from HD Moore’s MAC Address Age Tracking repository, which is a curated database of MAC addresses bootstrapped from the DeepMAC and Wireshark archives. A bot pulls from an IEEE website daily to keep the data up to date.

We will be rolling out more Zeek Competitions this year, so stay tuned!!!
