Issue 4 – May  2020

Welcome to the Zeek Monthly Newsletter, Issue 4 covers April 2020 as well as upcoming events. 

In this Issue:

  • General Community News/Updates
  • Development Updates
  • Zeek in the News
  • Zeek In, Near and Around the Community
  • Interviews/Blog Posts 
  • Threat of the Month
  • Upcoming Events
  • New Zeek Related Packages
  • Publication Schedule
  • Get Involved

General Community News/Updates

The Zeek Package Contest Is Still OPEN – ZPC-2 – The ZPC contest series is intended to inspire Zeek users to demonstrate their creativity and ingenuity while winning the admiration of their peers, and giving back to the community. The ZPC-2 contest will focus on the MITRE ATT&CK™ Framework, more specifically packages that help detect C2 Techniques. Find out more about how you can participate in ZPC-2 at: https://zeek.org/2020/04/06/zeek-package-contest-zpc-2/

Check out the Virtual Events this month!! – We have a full line up of events in May.  Presentations for Zeek From Home include Looking Deeper into the Zeek 3.0 – Major Changes, Point Releases and more; Suricate and Security Onion.  Ask the Zeeksperts will be hosted by Suricate and Brim and new for this month is a virtual Zeek community CTF (Capture the Flag) event.  You can find out more about how to register for these events below in the events section. 

Development Updates

Zeek 3.0.4 and 3.1.2 release (security + bug fixes) – These releases fix several bugs, including one potential security issue due to a stack overflow in the POP3 analyzer (thanks to Matteo Rizzo for the report). – http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-April/015262.html

The New IO Loop in Zeek 3.1 – This blog post describes the new architecture for the IO loop and changes made to IO sources to support the new architecture. – https://zeek.org/2020/04/03/the-new-io-loop-in-zeek-3-1/

Issue Tracker:  If you would like to see the issues currently being tracked, help resolve a few or file an issue you can do so at: : https://github.com/zeek/zeek/issues

Zeek In, Near and Around The Community

Zeek 3.0.5 now available for Security Onion! – More details, documentation and release notes can be found at:  https://blog.securityonion.net/2020/04/zeek-305-now-available-for-security.html

Brim’s Open Source Desktop application which was first announced in March, but still being seen in Twitter feeds and mailing lists around the community.   You can find out more about it at: https://github.com/brimsec/brim

New Research: Open Source Tools! –  By Augusto Barros  –  In this Gartner blog post, author Augusto’s Barros is looking for some input on some research that he is doing. “The intent is to look at the most popular open source tools used by security operations teams out there. Things like the ELK stack, Osquery, MISP and Zeek.”  If you’d like to learn more what he’s looking for or event lend a hand, check out:  https://blogs.gartner.com/augusto-barros/2020/04/17/new-research-open-source-tools/

Four Key Elements for Comprehensive Network Threat Detection – This article by Bricata looks at the following key elements for a better understanding of network threat detection: Deep Packet Inspection (Signature-Based) Detection, Behavioral Anomaly-Based (Stateful) Detection, File Hashing and Detection, Artificial Intelligence and Machine Learning Detection and more.  https://securityboulevard.com/2020/04/four-key-elements-for-comprehensive-network-threat-detection/

COVID-19 CTI LEAGUE and CRITICAL PATH SECURITY Intel feed – CTI League and Critical Path Security has shared an updated COVID-19 threat feed for Zeek.  It includes COVID-19 CTI public data, Critical Path Security data collection from dns.log, as well as data from PREDICT. Find out more at: https://github.com/CriticalPathSecurity/COVID-THREAT-INTEL-PUBLIC-ZEEK/blob/master/README.md

Interviews/Blog Posts

Zeek From Home – Episode 1 – Zeek-Agent – Recording Now Available – Zeek-Agent is an endpoint monitoring agent that provides host activity to Zeek. More information about Zeek-Agent can be found on the Zeek blog and Github

These webinars are recorded and if  you were unable to attend the Zeek-Agent Zeek From Home episode we have made the following available: video, audio only and slides

Many thanks to all those who participated!! Keep those questions and feedback coming!! 

Find out more at: https://zeek.org/2020/04/17/zeek-from-home-episode-1-zeek-agent-recording-now-available/

Writing My First Protocol Analyzer – Anthony Kasza from Corelight walks you through his experience with writing his first protocol analyzer for Zeek. – https://zeek.org/2020/04/16/writing-my-first-protocol-analyzer/

Got Zoom? – This may be helpful for some out there. It’s a simple package that works on Zoom TLS traffic. – https://zeek.org/2020/04/14/got-zoom/

Zeek Package Contest – ZPC-2 – Announcing a new Zeek Package Contest (ZPC-2).  This contest will focus on the MITRE ATT&CK™ Framework, more specifically packages that help detect C2 Techniques. $2500.00 USD to the first prize winner. (Some restrictions apply) See Blog post for more details. – https://zeek.org/2020/04/06/zeek-package-contest-zpc-2/

2019 Zeek Package Contest Summary & Winners – In case you weren’t at ZeekWeek last year, here’s the list of winning submissions and a summary of each Package contributed to the first Zeek Package Contest (ZPC-1) Many thanks to all those who made it a success! – https://zeek.org/2020/04/06/2019-zeek-package-contest-summary-and-winners-zpc-1/

Threat of the Month

Do you have a threat you’d like to share with the community and how using Zeek in your security stack helped you identify that threat? Please email news@zeek.org and we’ll work with you to get it written up and shared in the next newsletter. 

Upcoming Events

Ask the Zeeksperts 

Ask the Zeeksperts  is a one hour bi-weekly call that is hosted by various “Zeeksperts” in the community.  This is where you can drop by and ask your Zeek Related questions.  The webinars are free to attend, but registration is required.

  • 14 May  2020  – 12:30pm PST/3:30pm EST – Suricata – Jason Ish, Suricata Senior Developer and Peter Manev, Lead QA for Suricata – Bring those Suricate related questions and ask the experts!

Registration: https://corelight.zoom.us/webinar/register/WN_KN8qo9ZDTfKL1nKl1inmQA

  • 28 May  2020 – 12:30pm PST/3:30pm EST – Brim Security – Phil Rzewski – 3:30 – Brim experts will be on hand to answer all your questions about their latest open source desktop application release.

Registration: https://corelight.zoom.us/webinar/register/WN_lXJb4F5WTRSQ1BQasln9HA

Zeek From Home  – This is a new weekly webinar series, where the community can share their Zeek Related presentations (scripts, use cases, how to’s, unique usages, lessons learned etc).  These will be recorded. 

  • 12 May 2020 – 2pm EST/11am PST – Looking Deeper into the Zeek 3.0 – Major Changes, Point Releases and more with Tim Wojtulewicz.  If you have questions about the Zeek 3.0 release then this is the presentation for you.  

Registration: https://corelight.zoom.us/webinar/register/WN_Hbp2Xm-mSbSRTgbwRMqtPA

  • 20  May 2020 – 2pm EST/11am PST – Suricata – Victor Julien, OISF Founder and Suricata’s Lead Developer and Josh Stroschein, Ph.D., Director of Training and Academic Initiatives 

Registration: https://corelight.zoom.us/webinar/register/WN_9haXhmcKR7aSEhKyzT9ICA

  • 27 May 2020 – 2pm EST/11am PST – Security Onion  – Doug Burks 

Registration: https://corelight.zoom.us/webinar/register/WN_5t5TdekCQYSkYp_b2K5Ngw

Capture the Flag Events

These events are free but registration is required. See links below for more information. 

  • 15 May 2020 4-6pm Eastern – Zeek Community CTF (Capture the Flag) – Players will compete head-to-head on dozens of security challenges using Zeek data in both Splunk and Elastic. Players can also use open-source Zeek tools on a CLI. Sign up Today! Game winner will take home bragging rights and a $100 Amazon Gift Card. Registration: https://www.eventbrite.com/e/zeek-community-ctf-capture-the-flag-tickets-10477636894
  • Corelight Virtual Hunt from Home (Every Tuesday and Thursday)  – A free, 2-hour Virtual Capture the Flag event hosted by Corelight, where players compete to answer security challenges using Zeek data in Splunk and Elastic. The security challenges model realistic IR and hunting queries and can help you uplevel your Zeek log proficiency. Corelight experts will be on hand during the game to guide players of all skill levels through two exciting hunt scenarios. Sign up for one of eight virtual CTF spots in May. Game winners will take home bragging rights and a $100 Amazon Gift Card. https://www3.corelight.com/ctf/hunt-from-home

If you know of any Zeek related events that you would like to share with the community in the monthly newsletter, please email news@zeek.org or share on the Zeek mailing list (zeek@zeek.org).

Zeek Related Packages/New Packages Added to packages.zeek.org

SPL-SPT – Sequence of Payload Lengths/Sequence of Payload Times – https://packages.zeek.org/packages/view/6b874e00-7ece-11ea-9321-0a645a3f3086

Got Zoom ? – https://packages.zeek.org/packages/view/bb1d635f-8060-11ea-9321-0a645a3f3086

Publication Schedule (Updated)

Issue 1 – January 2020 (Covers December 2019) – 14 January 2020

Issue 2 – March 2020 (Covers January and February 2020) – 2 March 2020

Issue 3 – April 2020 (Covers March 2020) – 7 April 2020

Issue 4 – May 2020 (Covers April 2020) – 8 May 2020

Issue 5 – June 2020 (Covers May 2020) – 1 June 2020

Issue 6 – July 2020 (Covers June 2020) – 6 July 2020

Issue 7 – August 2020 (Covers July 2020) – 3 August 2020

Issue 8 – September 2020 (Covers August 2020) – 7 September 2020

Issue 9 – Special Issue 1 – September 2020 (Covers ZeekWeek 2020) – 21 September 2020

Issue 10 – October 2020 (Covers September 2020) – 5 October 2020  

Issue 11 – November 2020 (Covers October 2020) – 2 November 2020

Issue 12 – December 2020 (Covers November 2020)  – 7 December 2020

Issue 13 – Special Issue 2 – (Year End Review) – 21 December 2020

Get Involved

If you are interested in getting involved with the Zeek Newsletter, please email news@zeek.org.

More information about the newsletter can be found here.

Stay up to date by subscribing to the Zeek Mailing List

Follow us on Twitter

%d bloggers like this: