
Issue 6 – July 2020
Welcome to the Zeek Monthly Newsletter! Issue 6 covers June 2020 as well as upcoming events.
In this Issue:
- TL;DR
- Development Updates
- Zeek Blog
- Zeek In The Community
- New Zeek Packages
- Zeek in Enterprise
- Upcoming Events
- Zeek Related Jobs
- Get Involved
TL;DR
Three new community packages are now available for detecting CallStranger, GnuTLS CVE-2020-13777, and Ripple20.
Notable webinar topics included Security Onion, Brim, Zeek Scripting, Spicy and Corelight’s role in the Zeek Community.
The Zeek Project, Brim, Security Onion Solutions and Corelight all released software updates in June.
The Zeek LT is soliciting feedback on Zeek governance: https://www.surveymonkey.com/r/zeekgovernancesurvey
More information about upcoming changes to the project governance: http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-June/015382.html
Development Updates
Zeek 3.0.7 and 3.1.4 now released (containing security + bug fixes): http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-June/015372.html
More information about project release cadence:
- https://github.com/zeek/zeek/wiki/Release-Cadence
- https://github.com/zeek/zeek/wiki/Security-Release-Process
Zeek Blog
5 June 2020 – Community Call Notes and Recording – Each month we have an open call with the community. This is the summary of the June 2020 call. http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-June/015372.html
7 Dos And Don’ts For Zeek Scripting – In this blog post, Anthony Kasza of Corelight gives an introduction to some of the pitfalls he had to learn about when writing Zeek scripts. Anthony includes code snippets and more. https://zeek.org/2020/06/08/7-dos-and-donts-for-zeek-scripting/
Zeek From Home – Episode 4 – Security Onion (Part 1) – Recording Now Available! – Doug Burks, Founder of Security Onion and CEO of Security Onion Solutions discussed the history of the project and explained what’s new. https://zeek.org/2020/06/09/zeek-from-home-episode-4-security-onion-recording-now-available/
Zeek From Home – Episode 5 – Brim Security – Recording Now Available! – Phil Rzewski, Technical Director and Steve McCanne, Coding CEO at Brim Security discussed Brim’s open source app and more. https://zeek.org/2020/06/09/zeek-from-home-episode-5-brim-security-recording-now-available/
Zeek Package Contest – ZPC-2 – Winners Announced! – Find out who won ZPC-2 and what packages were submitted. https://zeek.org/2020/06/15/zeek-package-contest-zpc-2-winners-announced/
Zeek From Home – Episode 6 – Zeek Scripting 101 to 495 in 45 Mins. – Recording Now Available! – Aashish Sharma of Berkeley Lab and the Zeek Project Leadership Team made a lively presentation on Zeek Scripting. https://zeek.org/2020/06/17/zeek-from-home-episode-6-zeek-scripting-101-to-495-in-45-mins-recording-now-available/
Zeek From Home – Episode 7 – Spicy – Recording Now Available! – Robin Sommer, CTO of Corelight and the Zeek Project Lead updated the community on the new Zeek parser generator. https://youtu.be/FZWVbKQyBmM
Zeek From Home – Episode 8 – Corelight’s Role in the Zeek Community. – Recording Now Available! – Greg Bell, CEO of Corelight updated the Community on Corelight’s commitment to support the Zeek Project and its community. https://youtu.be/kgC9nxIqlCc
Zeek Monthly Newsletter – Issue 5 – June 2020 – https://zeek.org/2020/06/18/zeek-monthly-newsletter-issue-5-june-2020/
Zeek in the Community
Webcast – On June 25, 2020, John Gamble, Alex Kirk, and Matt Bromiley presented ‘The Power of Using Network Alerts and Evidence with Open-Source Suricata and Zeek (Bro)’. The webcast focused on bringing the power of both FOSS tools together via the Community ID, and showed the power of combining signal + evidence. https://www.sans.org/webcasts/power-fusing-network-alerts-evidence-open-source-suricata-zeek-bro-115855
Webinar – Zeek And Ye Shall Find! – A Zeek Primer by Fatema Bannat Wala of ESnet – This tutorial was targeted towards the basics of Zeek as an NSM, helping answer basic questions about architecture, deployment, and value as an open source NSM. https://youtu.be/29SEaMVF7Fg
New versions of Brim (v0.12.0) and zq (v0.16.0) released – JA3 and HASSH fields are now populated in the Zeek logs for encrypted traffic imported into Brim. Several bugs have also been fixed. The Brim downloads page has links for the latest versions for Windows, macOS, and Linux. https://github.com/brimsec/brim/releases and https://github.com/brimsec/zq/releases
Elastic 6.8.10 now available for Security Onion! – https://blog.securityonion.net/2020/06/elastic-6810-now-available-for-security.html
Zeek 3.0.7 now available for Security Onion! – https://blog.securityonion.net/2020/06/zeek-307-now-available-for-security.html
securityonion-sostat – 20120722-0ubuntu0securityonion145 now available for Security Onion! – https://blog.securityonion.net/2020/06/securityonion-sostat-20120722.html
Security Onion Hybrid Hunter Beta 3, Community ID, and Sysmon! – https://blog.securityonion.net/2020/06/security-onion-hybrid-hunter-beta-3.html
Detecting the New CallStranger UPnP Vulnerability With Zeek – Corelight’s Ryan Victory explains the motivation behind his new open-source package for detecting the CallStranger exploit. https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/
Detecting GnuTLS CVE-2020-13777 using Zeek – Corelight’s Johanna Amann gives a technical description of the GnuTLS CVE-2020-13777 vulnerability, shows how it can be identified in network traffic, and provides a short Zeek script for detection. https://corelight.blog/2020/06/11/detecting-gnutls-cve-2020-13777-using-zeek/
Ripple20 Zeek package open sourced – Corelight’s Ben Reardon discusses his new open-source Zeek package that detects the presence of tell-tale signs associated with exploitation of Ripple20. https://corelight.blog/2020/06/30/ripple20-zeek-package-open-sourced/
New Zeek Packages
Detecting the New CallStranger UPnP Vulnerability With Zeek – https://github.com/corelight/callstranger-detector
Detecting GnuTLS CVE-2020-13777 using Zeek – https://github.com/0xxon/cve-2020-13777
Ripple20 Zeek package open sourced – https://github.com/corelight/ripple20
Zeek In Enterprise
Security Onion Hybrid Hunter 1.4.0 – Beta 3 Available for Testing! – Security Onion Solutions announced the release of “Hybrid Hunter” 1.4.0 AKA Beta 3. In this release, Security Onion Solutions continues to embrace Community ID as a way to correlate different data types. They also sponsored the development of an Elasticsearch Ingest Processor that can automatically generate Community ID values for ANY logs that contain the necessary IP address and port information. https://blog.securityonion.net/2020/06/security-onion-hybrid-hunter-140-beta-3.html
Security Onion Hybrid Hunter 1.4.1 Available for Testing! – https://blog.securityonion.net/2020/07/security-onion-hybrid-hunter-141-now.html
Chocolate and Peanut Butter: Zeek and Suricata – Corelight Chief Product Officer Brian Dye announced a new software release that closely integrates Zeek and Suricata, with three key benefits. https://corelight.blog/2020/06/16/zeek-and-suricata-corelight-v19/
Zeek & Sigma: Fully Compatible for Cross-SIEM Detections – Corelight’s Alex Kirk explains how the company teamed up with SOC Prime to integrate Zeek logs with Sigma, a generic signature language that enables cross-SIEM detections from a single toolset. https://corelight.blog/2020/06/25/zeek-sigma-fully-compatible-for-cross-siem-detections/
Upcoming Events
July
(Events will be updated as we get more information.)
- 9 July 2020 – Brim Webinar – 11am PDT/2pm EDT – This webinar will cover some of the developer basics (material will be JavaScript-centric as Brim is written with Electron/React).
Invite link: https://zoom.us/j/94487542434?pwd=YUh2NDlJVUdJUWRVUWpRU2xrYTIxUT09
- 10 July 2020 – Monthly Community Call – Noon PDT/3pm EDT – This is a recurring call and you will be able to select all upcoming community calls.
Registration Link: https://corelight.zoom.us/meeting/register/tJcldO6qrTMrG9Kwsu6_qHsUeAvdjLmMw6-i
- 15 July 2020 – ZEEK FROM HOME – 11am PDT/2pm EDT – DPD (Dynamic Protocol Detection), presented by Jan Grashoefer. His talk will be based on https://arxiv.org/abs/1912.03962, a research paper entitled “Attacks on Dynamic Protocol Detection of Open Source Network Security Monitoring Tools”.
Registration Link – https://corelight.zoom.us/webinar/register/WN_sSTXJPODRSeTGhBrXKZc3Q
- 15 July 2020 – ZEEK COMMUNITY CTF – 1-3pm PDT/4-6pm EDT
Registration Link – https://corelight.zoom.us/meeting/register/tJYqceGgqjwvGNXFYKgLYVQheMs8KhZnCQpu
- 22 July 2020 – ZEEK FROM HOME – 11am PDT/2pm EDT – Spicy (Part 2), presented by Robin Sommer
Registration Link – https://corelight.zoom.us/webinar/register/WN_W_cJVVykQh-jT6ogoPCKTw
- 23 July 2020 – ASK THE ZEEKSPERTS – 12:30pm PDT/3:30pm EDT
Registration Link – https://corelight.zoom.us/meeting/register/tJAlce6trjIsHtPe4jx4h12JTEzYhSRdv96w
- 29 July 2020 – ZEEK FROM HOME – 11am PDT/2pm EDT – JA3, presented by Jeff Atkinson.
Registration Link – https://corelight.zoom.us/webinar/register/WN_Gjh6eHImT56SUHP6XSs7BA
If you know of any Zeek related events that you would like to share with the community in the monthly newsletter, please email news@zeek.org or share on the Zeek mailing list (zeek@zeek.org).
About Zeek From Home: A weekly webinar featuring Zeek users, developers and invited guests. These presentations ARE recorded and shared with the community. https://zeek.org/2020/03/31/zeek-from-home/
About Ask The Zeeksperts: A bi-weekly webinar in which Zeek users, developers and invited guests answer technical questions. The community is invited to “drop in” to these calls and ask questions. These webinars are NOT recorded (unless otherwise noted).
About Zeek Community CTF (Capture the Flag) Events: Players will compete head-to-head on dozens of security challenges using Zeek data with Splunk, Elastic, or CLI tools. Sign up today! The game winner will take home bragging rights and a $100 Amazon Gift Card.
About Monthly Zeek Community Call: Monthly calls that are open to everyone to discuss topics related to the growth, governance and administration of the community. These calls ARE recorded.
Zeek Related Jobs
From Bricata
Front End Engineer Position – https://bricata.com/careers/front-end-engineer-position/
Senior Software Engineer Position – https://bricata.com/careers/senior-software-engineer-position/
From Brim
Front End Engineer – https://www.brimsecurity.com/team/front-end-engineer/
From Corelight
Cloud Architect – https://www.corelight.com/company/careers/2220883
Principal Engineer, CI and Infrastructure – https://www.corelight.com/company/careers/2220598
From LinkedIn
Sr. Zeek/Bro Engineer – https://www.linkedin.com/jobs/view/1863997545/
BRO/ZEEK SME Engineer and Programmer with Security Clearance – https://www.linkedin.com/jobs/view/1935842486/
ZEEK Engineer/ Subject Matter Expert (Active Secret Clearance Desired) – https://www.linkedin.com/jobs/view/1855505919/
BRO/ZEEK SME Engineer and Programmer with Security Clearance – https://www.linkedin.com/jobs/view/1903016798/
Cyber Threat Hunter – Great Benefits & Company Equity (REMOTE) – https://www.linkedin.com/jobs/view/1898353609/
Cyber Threat Hunter – Great Benefits & Company Equity (REMOTE) – https://www.linkedin.com/jobs/view/1898351761/
Senior Cyber Threat Hunter – Company Equity (REMOTE) – https://www.linkedin.com/jobs/view/1898354628/
Incident Response / Triage Team Lead – https://www.linkedin.com/jobs/view/1906760359/
Cyber Security Analyst – https://www.linkedin.com/jobs/view/1926562351/
Strategic Initiatives Lead Analyst – https://www.linkedin.com/jobs/view/1910034594/
CSIS Cyber Program DevOps Team Lead – https://www.linkedin.com/jobs/view/1906764185/
Get Involved
If you are interested in getting involved with the Zeek Newsletter, please email news@zeek.org.
More information about the newsletter can be found here.
Stay up to date by subscribing to the Zeek Mailing List.
Join the conversation on Slack.
Follow us on Twitter