X

We are thrilled to announce the winners of our second Zeek Package Contest. 

ZPC-2 (Zeek Package Contest Number 2)  was announced on 6 April 2020 and concluded on 15 May.  The focus of this competition was on the MITRE ATT&CK™ Framework, more specifically packages that help detect C2 Techniques

We would like to say “thank you” to those who contributed to the success of ZPC-2 by submitting packages, and to those who helped judge the competition.

Below is a list of the winners and links to the packages that were submitted (package descriptions are from GitHub). Each contributor to the contest will also receive a Zeek Package Contest challenge coin

  • First Place ($2000.00)  – Zeek-Known-outbound contributed by Michael “Dop”  Dopheide. This script provides the ability to track and alert on outbound service usage to a list of ‘watched’ countries. It also adds the country codes for your orig and resp in conn.log. To help reduce repeated entries, it uses a persistent Broker data store.
  • 2nd Place ($1000.00) – SPL-SPT Sequence of Payload Lengths/Sequence of Payload Times contributed by Michael Torres.  This Zeek plugin will save the following fields to spl.log in the logging directory.
    • uid – The related SSL session’s unique identifier.
    • orig_spl – A vector of configurable length (default 20), containing the lengths of encrypted payloads from the session originator
    • resp_spl – A vector of configurable length (default 20), containing the lengths of encrypted payloads from the session responder
    • orig_spt – A vector of configurable length (default 20), containing the time interval between encrypted payloads from the session originator
    • resp_spt – A vector of configurable length (default 20), containing the time interval between encrypted payloads from the session responder
  • 3rd Place ($500.00) – RDPF (Zeek Remote Desktop Fingerprinting script) contributed by Jeff Atkinson. This script will create a new log containing details that build the fingerprint, plus some additional information. The fingerprint is created by concatenating extracted fields from different data packets.

Thank you to all those who not only competed and judged this competition, but also to all those who gave feedback on the community calls and via the survey. Your feedback is important as it helps us improve each competition. 

Again, many thanks to our winners and stay tuned as will be rolling out more ZPC-3 soon!

%d bloggers like this: