
Issue 4 – May 2020
Welcome to the Zeek Monthly Newsletter, Issue 4 covers April 2020 as well as upcoming events.
In this Issue:
- General Community News/Updates
- Development Updates
- Zeek in the News
- Zeek In, Near and Around the Community
- Interviews/Blog Posts
- Threat of the Month
- Upcoming Events
- New Zeek Related Packages
- Publication Schedule
- Get Involved
General Community News/Updates
The Zeek Package Contest Is Still OPEN – ZPC-2 – The ZPC contest series is intended to inspire Zeek users to demonstrate their creativity and ingenuity while winning the admiration of their peers, and giving back to the community. The ZPC-2 contest will focus on the MITRE ATT&CK™ Framework, more specifically packages that help detect C2 Techniques. Find out more about how you can participate in ZPC-2 at: https://zeek.org/2020/04/06/zeek-package-contest-zpc-2/
Check out the Virtual Events this month!! – We have a full line-up of events in May. Presentations for Zeek From Home include Looking Deeper into Zeek 3.0 – Major Changes, Point Releases and more; Suricata; and Security Onion. Ask the Zeeksperts will be hosted by Suricata and Brim, and new for this month is a virtual Zeek community CTF (Capture the Flag) event. You can find out more about how to register for these events below in the events section.
Development Updates
Zeek 3.0.4 and 3.1.2 release (security + bug fixes) – These releases fix several bugs, including one potential security issue due to a stack overflow in the POP3 analyzer (thanks to Matteo Rizzo for the report). – http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-April/015262.html
The New IO Loop in Zeek 3.1 – This blog post describes the new architecture for the IO loop and changes made to IO sources to support the new architecture. – https://zeek.org/2020/04/03/the-new-io-loop-in-zeek-3-1/
Issue Tracker: If you would like to see the issues currently being tracked, help resolve a few or file an issue, you can do so at: https://github.com/zeek/zeek/issues
Zeek In, Near and Around The Community
Zeek 3.0.5 now available for Security Onion! – More details, documentation and release notes can be found at: https://blog.securityonion.net/2020/04/zeek-305-now-available-for-security.html
Brim’s open source desktop application was first announced in March, but is still being seen in Twitter feeds and mailing lists around the community. You can find out more about it at: https://github.com/brimsec/brim
New Research: Open Source Tools! – By Augusto Barros – In this Gartner blog post, Augusto Barros is looking for input on research he is doing. “The intent is to look at the most popular open source tools used by security operations teams out there. Things like the ELK stack, Osquery, MISP and Zeek.” If you’d like to learn more about what he’s looking for, or even lend a hand, check out: https://blogs.gartner.com/augusto-barros/2020/04/17/new-research-open-source-tools/
Four Key Elements for Comprehensive Network Threat Detection – This article by Bricata looks at the following key elements for a better understanding of network threat detection: Deep Packet Inspection (Signature-Based) Detection, Behavioral Anomaly-Based (Stateful) Detection, File Hashing and Detection, Artificial Intelligence and Machine Learning Detection and more. https://securityboulevard.com/2020/04/four-key-elements-for-comprehensive-network-threat-detection/
COVID-19 CTI LEAGUE and CRITICAL PATH SECURITY Intel feed – CTI League and Critical Path Security have shared an updated COVID-19 threat feed for Zeek. It includes COVID-19 CTI public data, Critical Path Security data collected from dns.log, as well as data from PREDICT. Find out more at: https://github.com/CriticalPathSecurity/COVID-THREAT-INTEL-PUBLIC-ZEEK/blob/master/README.md
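For readers who have not wired a feed like this into Zeek before, the following is an added example of loading an Intel Framework file and reacting to hits. It is not code from the CTI League / Critical Path Security repository; the file path is an assumption, and the feed itself must be in Zeek's standard intel format (tab-separated, with a `#fields` header naming `indicator`, `indicator_type`, `meta.source`, `meta.desc`, `meta.url` and, if you want automatic notices, `meta.do_notice`).

```zeek
# Added example: load a threat-intel file into Zeek's Intel Framework and
# act on matches. Not part of the COVID-19 feed repository itself.

# Feeds DNS queries, TLS SNI values, HTTP hosts, file hashes etc. into Intel::seen().
@load frameworks/intel/seen
# Raises Intel::Notice automatically for items whose meta.do_notice column is T.
@load frameworks/intel/do_notice

# Assumed location of the checked-out feed file; adjust to your deployment.
redef Intel::read_files += {
    "/opt/zeek/share/zeek/site/intel/covid-threat-intel.dat"
};

# Custom handling of every match, e.g. to record which feed source fired.
# Intel::Seen carries what was observed and where; each Intel::Item is a
# matching indicator from the loaded files.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    for ( item in items )
        {
        # This feed is largely domain based; skip other indicator types here.
        if ( item$indicator_type != Intel::DOMAIN )
            next;

        # print is for illustration only; in production prefer NOTICE or a
        # dedicated log stream so the event survives in a cluster.
        print fmt("Intel hit: %s (%s) seen at %s, source=%s, desc=%s",
                  s$indicator, item$indicator_type, s$where,
                  item$meta$source, item$meta$desc);
        }
    }
```

Two checks worth doing before trusting the deployment: confirm that `intel.log` appears and grows after a known indicator is resolved from a test host, and keep the feed file's field separators as real tabs, since a space-separated file loads silently with zero indicators.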
Interviews/Blog Posts
Zeek From Home – Episode 1 – Zeek-Agent – Recording Now Available – Zeek-Agent is an endpoint monitoring agent that provides host activity to Zeek. More information about Zeek-Agent can be found on the Zeek blog and Github
These webinars are recorded and if you were unable to attend the Zeek-Agent Zeek From Home episode we have made the following available: video, audio only and slides.
Many thanks to all those who participated!! Keep those questions and feedback coming!!
Find out more at: https://zeek.org/2020/04/17/zeek-from-home-episode-1-zeek-agent-recording-now-available/
Writing My First Protocol Analyzer – Anthony Kasza from Corelight walks you through his experience with writing his first protocol analyzer for Zeek. – https://zeek.org/2020/04/16/writing-my-first-protocol-analyzer/
Got Zoom? – This may be helpful for some out there. It’s a simple package that works on Zoom TLS traffic. – https://zeek.org/2020/04/14/got-zoom/
Zeek Package Contest – ZPC-2 – Announcing a new Zeek Package Contest (ZPC-2). This contest will focus on the MITRE ATT&CK™ Framework, more specifically packages that help detect C2 Techniques. $2500.00 USD to the first prize winner. (Some restrictions apply) See Blog post for more details. – https://zeek.org/2020/04/06/zeek-package-contest-zpc-2/
2019 Zeek Package Contest Summary & Winners – In case you weren’t at ZeekWeek last year, here’s the list of winning submissions and a summary of each package contributed to the first Zeek Package Contest (ZPC-1). Many thanks to all those who made it a success! – https://zeek.org/2020/04/06/2019-zeek-package-contest-summary-and-winners-zpc-1/
Threat of the Month
Do you have a threat you’d like to share with the community and how using Zeek in your security stack helped you identify that threat? Please email news@zeek.org and we’ll work with you to get it written up and shared in the next newsletter.
Upcoming Events
Ask the Zeeksperts
Ask the Zeeksperts is a one-hour, bi-weekly call hosted by various “Zeeksperts” in the community. This is where you can drop by and ask your Zeek-related questions. The webinars are free to attend, but registration is required.
- 14 May 2020 – 12:30pm PST/3:30pm EST – Suricata – Jason Ish, Suricata Senior Developer and Peter Manev, Lead QA for Suricata – Bring those Suricata-related questions and ask the experts!
Registration: https://corelight.zoom.us/webinar/register/WN_KN8qo9ZDTfKL1nKl1inmQA
- 28 May 2020 – 12:30pm PST/3:30pm EST – Brim Security – Phil Rzewski – Brim experts will be on hand to answer all your questions about their latest open source desktop application release.
Registration: https://corelight.zoom.us/webinar/register/WN_lXJb4F5WTRSQ1BQasln9HA
Zeek From Home – This is a new weekly webinar series where the community can share their Zeek-related presentations (scripts, use cases, how-tos, unique usages, lessons learned etc.). These will be recorded.
- 12 May 2020 – 2pm EST/11am PST – Looking Deeper into the Zeek 3.0 – Major Changes, Point Releases and more with Tim Wojtulewicz. If you have questions about the Zeek 3.0 release then this is the presentation for you.
Registration: https://corelight.zoom.us/webinar/register/WN_Hbp2Xm-mSbSRTgbwRMqtPA
- 20 May 2020 – 2pm EST/11am PST – Suricata – Victor Julien, OISF Founder and Suricata’s Lead Developer and Josh Stroschein, Ph.D., Director of Training and Academic Initiatives
Registration: https://corelight.zoom.us/webinar/register/WN_9haXhmcKR7aSEhKyzT9ICA
- 27 May 2020 – 2pm EST/11am PST – Security Onion – Doug Burks
Registration: https://corelight.zoom.us/webinar/register/WN_5t5TdekCQYSkYp_b2K5Ngw
Capture the Flag Events
These events are free but registration is required. See links below for more information.
- 15 May 2020 4-6pm Eastern – Zeek Community CTF (Capture the Flag) – Players will compete head-to-head on dozens of security challenges using Zeek data in both Splunk and Elastic. Players can also use open-source Zeek tools on a CLI. Sign up Today! Game winner will take home bragging rights and a $100 Amazon Gift Card. Registration: https://www.eventbrite.com/e/zeek-community-ctf-capture-the-flag-tickets-10477636894
- Corelight Virtual Hunt from Home (Every Tuesday and Thursday) – A free, 2-hour Virtual Capture the Flag event hosted by Corelight, where players compete to answer security challenges using Zeek data in Splunk and Elastic. The security challenges model realistic IR and hunting queries and can help you uplevel your Zeek log proficiency. Corelight experts will be on hand during the game to guide players of all skill levels through two exciting hunt scenarios. Sign up for one of eight virtual CTF spots in May. Game winners will take home bragging rights and a $100 Amazon Gift Card. https://www3.corelight.com/ctf/hunt-from-home
If you know of any Zeek related events that you would like to share with the community in the monthly newsletter, please email news@zeek.org or share on the Zeek mailing list (zeek@zeek.org).
Zeek Related Packages/New Packages Added to packages.zeek.org
SPL-SPT – Sequence of Payload Lengths/Sequence of Payload Times – https://packages.zeek.org/packages/view/6b874e00-7ece-11ea-9321-0a645a3f3086
Got Zoom? – https://packages.zeek.org/packages/view/bb1d635f-8060-11ea-9321-0a645a3f3086
Publication Schedule (Updated)
Issue 1 – January 2020 (Covers December 2019) – 14 January 2020
Issue 2 – March 2020 (Covers January and February 2020) – 2 March 2020
Issue 3 – April 2020 (Covers March 2020) – 7 April 2020
Issue 4 – May 2020 (Covers April 2020) – 8 May 2020
Issue 5 – June 2020 (Covers May 2020) – 1 June 2020
Issue 6 – July 2020 (Covers June 2020) – 6 July 2020
Issue 7 – August 2020 (Covers July 2020) – 3 August 2020
Issue 8 – September 2020 (Covers August 2020) – 7 September 2020
Issue 9 – Special Issue 1 – September 2020 (Covers ZeekWeek 2020) – 21 September 2020
Issue 10 – October 2020 (Covers September 2020) – 5 October 2020
Issue 11 – November 2020 (Covers October 2020) – 2 November 2020
Issue 12 – December 2020 (Covers November 2020) – 7 December 2020
Issue 13 – Special Issue 2 – (Year End Review) – 21 December 2020
Get Involved
If you are interested in getting involved with the Zeek Newsletter, please email news@zeek.org.
More information about the newsletter can be found here.
Stay up to date by subscribing to the Zeek Mailing List.
Follow us on Twitter