I still find it amazing what you can find quite simply with Zeek.
Since Zoom seems to be on top of mind for many recently, as an example to show how easily you can highlight specific traffic with great accuracy and granularity, I wrote this simple PoC package called got_zoom which raises a notice when a Zoom client logs in, and when it joins a meeting.
Zeek is often thought of as a tool that can detect bad things (and it definitely does!), but as shown in this example it can also be used to gain visibility from an operational sense. Knowing what’s on your network, knowing the ebbs and flows, what sort of volumes are normal, and developing granular monitoring of precious video conferencing tools can only help ensure that resources keep up with demand.
Shout out to the JA3 crew, which is a fantastic example of a community grown tool, and that I used in the package to help ensure accuracy.
About Ben Reardon
Ben is a member of the Research Team at Corelight, which is headed up by Vern Paxson. Here he gets to explore all manner of interesting network related topics. Based in Brisbane, Australia he has worked in the Infosec space for 18 years for global organizations, primarily in the Finance, Cloud, and Telco sectors helping organizations design and deploy security as well as in Incident Response / investigations. Personal/hobby website https://dataviz.com.au