Zeek Package Contest – ZPC-2

• Are you a Zeek user?
• Do you enjoy writing Zeek scripts?  
• Do you like being recognized for your awesome work?  
• Do you want to make the world’s networks safer?  
• Do you like winning prizes and claiming bragging rights?
• Do you want the opportunity to present your work at Zeek events?

If you answered, “yes” to any of the above questions, then the Zeek Package Contest (ZPC) sponsored by Corelight, Inc. may be just the competition for you!

The ZPC contest series is intended to inspire Zeek users to demonstrate their creativity and ingenuity while winning the admiration of their peers, and giving back to the community. The ZPC-2 contest will focus on the MITRE ATT&CK™ Framework, more specifically packages that help detect C2 Techniques. 

What is the Zeek Package Contest?

The challenge is straightforward: Create an innovative and useful open source Zeek package that extends Zeek’s threat hunting and detection capabilities around C2 Techniques. 

• 1st place wins $2000.00 USD cash 
• 2nd place wins $1000.00 USD cash 
• 3rd place wins $500.00 USD cash

Cash Prizes may be subjected to a 30% withholding (for non-US winners). Before cash prizes are awarded all winners will be required to file a W-9 or W-8BEN (for non-US winners) and verify with their bank the wire information necessary to receive US dollars from a U.S. bank (for international winners)

In addition, everyone who submits an eligible package for ZPC-2 will receive a Zeek Package Contest challenge coin. 

The winners may also get the opportunity to present their work at future Zeek events and/or have their contributions featured on the Zeek blog.

Submissions need to be made available through the central Zeek package repository. We will evaluate them in terms of their overall functionality & quality, utility for incident responders, customizability, test coverage, and clarity of documentation. The jury will consist of Zeek core developers and other long-time Zeek community members. More details below.

Below are a few useful resource links to get you started:

• MITRE ATT&CK™ Framework
• C2 Techniques
• Script Reference Guide 
• Packages.zeek.org
• Zeek Package repository 
• Zeek Package Source – Readme 
• Zeek Package Manager Quickstart Guide

If you have any questions about how to write packages or need help with your submission, please join the #packages channel on Slack. 

Jury Members

• Fatema Bannat Wala (Community)
• Lexi Brent (Community)
• Nick Turley (Community)
• Johanna Amann (Corelight/ICSI)
• Matthias Vallentin (Community)
• Aashish Sharma (Community)
• Anthony Kasza (Corelight)

Important Dates

• Submission opens:                 April 6, 2020
• Submission deadline:             May 15, 2020
• Notification:                            June 1, 2020
• Announcement of results:      June 15th, 2020

Contest Results

• First Place ($2000.00)  – Zeek-Known-outbound contributed by Michael “Dop”  Dopheide. This script provides the ability to track and alert on outbound service usage to a list of ‘watched’ countries. It also adds the country codes for your orig and resp in conn.log. To help reduce repeated entries, it uses a persistent Broker data store.
• 2nd Place ($1000.00) – SPL-SPT Sequence of Payload Lengths/Sequence of Payload Times contributed by Michael Torres.  This Zeek plugin will save the following fields to spl.log in the logging directory.
  • uid – The related SSL session’s unique identifier.
  • orig_spl – A vector of configurable length (default 20), containing the lengths of encrypted payloads from the session originator
  • resp_spl – A vector of configurable length (default 20), containing the lengths of encrypted payloads from the session responder
  • orig_spt – A vector of configurable length (default 20), containing the time interval between encrypted payloads from the session originator
  • resp_spt – A vector of configurable length (default 20), containing the time interval between encrypted payloads from the session responder
• 3rd Place ($500.00) – RDPF (Zeek Remote Desktop Fingerprinting script) contributed by Jeff Atkinson. This script will create a new log containing details that build the fingerprint, plus some additional information. The fingerprint is created by concatenating extracted fields from different data packets.

Link to results announcement.

Rules of Engagement

1. The goal is to create an innovative and useful Zeek package that’s compatible with the Zeek Package Manager. The focus is on Zeek scripts that detect C2 Techniques, not binary plugins. A package may include a plugin to support its scripts through new built-in functions (“*.bif files”). However, the contest will not consider packages with other binary functionality, such as protocol or file analyzers, log writers, input readers, etc.
2. To submit a package to the contest, it must first be made available through the central Zeek package repository. You can then nominate it for consideration by filling out this webform. Please include with your nomination: a link to the package’s git repository, a list of authors, a short summary describing the motivation for the work, and documentation of the package’s usage. We will acknowledge receipt, and we will evaluate the version of the package as the package manager installs it at that time.
3. All submissions must be received no later than 15 May 2020, 11:59PM PST. The winners will be notified on 1 June, 2020. 
4. Packages created prior to 2 Sept 2019 are ineligible.  All packages created on or after 2 September 2019 through 15 May 2020 that focus on the MITRE ATT&CK™ Framework, more specifically packages that help detect C2 Techniques are eligible. 
5. Submitted packages must work with a Zeek release version >= 3.0. They must build and install on recent, standard Linux systems. Please specify any specific OS requirements of your package, if necessary. 
6. Submitted packages must be open source. We prefer BSD licensed submissions, but will accept any OSI-approved license. By submitting an entry, you declare that you own the copyright to the source code and all related materials, and are authorized to submit it.
7. Submissions may leverage other packages included in the Zeek package repository as  dependencies as long as the package manager can resolve them during installation. They may also link against external libraries as long as their installation is clearly documented and easy to follow. 
8. The top 3 winners of the contest will get the prizes mentioned above. We reserve the right to award fewer than 3 awards if we do not receive a sufficient number of high-quality submissions. In addition, anyone who submits an eligible package to the ZPC-2 contest will receive a Zeek Package Contest challenge coin. 
9. A committee of Zeek developers and other long-time Zeek community members, chosen by Corelight, will decide the winners based on the following criteria: overall functionality & quality, utility for incident responders, customizability, test coverage, and clarity of documentation.
10. In order to collect the cash prizes, winners will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made once all banking information has been verified.
11. Group entries are allowed; the prize will be paid to a person designated by the group.
12. You may submit more than one package for the contest, but we limit awards to one per person/group.
13. Names/aliases of the winners will be listed on the “Zeek Package Contest” on the Zeek Blog.
14. Zeek team members, members of the selection committee, and Corelight employees are not eligible to participate.

The Legal Stuff

In no event will Corelight be liable to you or any party entering this contest for lost profits or any form of indirect, special, incidental, or consequential damages of any character from any causes of action of any kind with respect to this contest, whether based on breach of contract, tort (including negligence), or otherwise, and whether or not you have been advised of the possibility of such damage.

More Information

If you have any questions, please contact us at contest@zeek.org.

Find out more about Zeek at: https://www.zeek.org/

Current packages list can be found at: https://packages.zeek.org/ and https://github.com/zeek/packages

The Zeek Package Contest is inspired and modeled after the Hex-Rays Plugin  and Volatility contests.