
Issue 6 – July 2020

Welcome to the Zeek Monthly Newsletter! Issue 6 covers June 2020 as well as upcoming events.


In this Issue:

  • TL;DR 
  • Development Updates
  • Zeek Blog
  • Zeek In The Community
  • New Zeek Packages
  • Zeek in Enterprise
  • Upcoming Events
  • Zeek Related Jobs
  • Get Involved

TL;DR

Three new community packages are now available for detecting CallStranger, GnuTLS CVE-2020-13777, and Ripple20.

Notable webinar topics included Security Onion, Brim, Zeek Scripting, Spicy and Corelight’s role in the Zeek Community.

The Zeek Project, Brim, Security Onion Solutions and Corelight all released software updates in June.

The Zeek LT is soliciting feedback on Zeek governance: https://www.surveymonkey.com/r/zeekgovernancesurvey

More information about upcoming changes to the project governance:  http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-June/015382.html


Development Updates

Zeek 3.0.7 and 3.1.4 now released (containing security + bug fixes): http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-June/015372.html

More information about project release cadence:


Zeek Blog

5 June 2020 – Community Call Notes and Recording – Each month we have an open call with the community. This is the summary of the June 2020 call. http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-June/015372.html

7 Dos And Don’ts For Zeek Scripting – In this blog post, Anthony Kasza of Corelight gives an introduction to some of the pitfalls he had to learn about when writing Zeek scripts. Anthony includes code snippets and more. https://zeek.org/2020/06/08/7-dos-and-donts-for-zeek-scripting/

Zeek From Home – Episode 4 – Security Onion (Part 1) – Recording Now Available! – Doug Burks, Founder of Security Onion and CEO of Security Onion Solutions discussed the history of the project and explained what’s new. https://zeek.org/2020/06/09/zeek-from-home-episode-4-security-onion-recording-now-available/

Zeek From Home – Episode 5 – Brim Security – Recording Now Available! – Phil Rzewski, Technical Director and Steve McCanne, Coding CEO at Brim Security discussed Brim’s open source app and more.  https://zeek.org/2020/06/09/zeek-from-home-episode-5-brim-security-recording-now-available/

Zeek Package Contest – ZPC-2 – Winners Announced! – Find out who won ZPC-2 and what packages were submitted. https://zeek.org/2020/06/15/zeek-package-contest-zpc-2-winners-announced/

Zeek From Home – Episode 6 – Zeek Scripting 101 to 495 in 45 Mins. – Recording Now Available! – Aashish Sharma of Berkeley Lab and the Zeek Project Leadership Team made a lively presentation on Zeek Scripting. https://zeek.org/2020/06/17/zeek-from-home-episode-6-zeek-scripting-101-to-495-in-45-mins-recording-now-available/

Zeek From Home – Episode 7 – Spicy – Recording Now Available! – Robin Sommer, CTO of Corelight and the Zeek Project Lead updated the community on the new Zeek parser generator. https://youtu.be/FZWVbKQyBmM

Zeek From Home – Episode 8 – Corelight’s Role in the Zeek Community – Recording Now Available! – Greg Bell, CEO of Corelight updated the Community on Corelight’s commitment to support the Zeek Project and its community. https://youtu.be/kgC9nxIqlCc

Zeek Monthly Newsletter – Issue 5 – June 2020 https://zeek.org/2020/06/18/zeek-monthly-newsletter-issue-5-june-2020/


Zeek in the Community

Webcast – On June 25, 2020, John Gamble, Alex Kirk, and Matt Bromiley presented ‘The Power of Using Network Alerts and Evidence with Open-Source Suricata and Zeek (Bro)’. The webcast focused on bringing the power of both FOSS tools together via the Community ID, and shows the power of combining signal + evidence. https://www.sans.org/webcasts/power-fusing-network-alerts-evidence-open-source-suricata-zeek-bro-115855

Webinar – Zeek And Ye Shall Find! – A Zeek Primer by Fatema Bannat Wala of ESnet – This tutorial was targeted towards the basics of Zeek NSM, and helping answer basic questions about architecture, deployment, and value as an open source NSM. https://youtu.be/29SEaMVF7Fg

New versions of Brim (v0.12.0) and zq (v0.16.0) released – JA3 and HASSH fields are now populated in the Zeek logs for encrypted traffic imported into Brim. Several bugs have also been fixed. The Brim downloads page has links for the latest versions for Windows, macOS, and Linux. https://github.com/brimsec/brim/releases and https://github.com/brimsec/zq/releases

Elastic 6.8.10 now available for Security Onion! – https://blog.securityonion.net/2020/06/elastic-6810-now-available-for-security.html

Zeek 3.0.7 now available for Security Onion! – https://blog.securityonion.net/2020/06/zeek-307-now-available-for-security.html

securityonion-sostat – 20120722-0ubuntu0securityonion145 now available for Security Onion! – https://blog.securityonion.net/2020/06/securityonion-sostat-20120722.html

Security Onion Hybrid Hunter Beta 3, Community ID, and Sysmon! – https://blog.securityonion.net/2020/06/security-onion-hybrid-hunter-beta-3.html

Detecting the New CallStranger UPnP Vulnerability With Zeek – Corelight’s Ryan Victory explains the motivation behind his new open-source package for detecting the CallStranger exploit. https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/

Detecting GnuTLS CVE-2020-13777 using Zeek – Corelight’s Johanna Amann gives a technical description of the GnuTLS CVE-2020-13777 vulnerability, shows how it can be identified in network traffic, and provides a short Zeek script for detection. https://corelight.blog/2020/06/11/detecting-gnutls-cve-2020-13777-using-zeek/

Ripple20 Zeek package open sourced – Corelight’s Ben Reardon discusses his new open-source Zeek package that detects the presence of tell-tale signs associated with exploitation of Ripple20. https://corelight.blog/2020/06/30/ripple20-zeek-package-open-sourced/


New Zeek Packages

Detecting the New CallStranger UPnP Vulnerability With Zeek – https://github.com/corelight/callstranger-detector

Detecting GnuTLS CVE-2020-13777 using Zeek – https://github.com/0xxon/cve-2020-13777

Ripple20 Zeek package open sourced – https://github.com/corelight/ripple20


Zeek In Enterprise

Security Onion Hybrid Hunter 1.4.0 – Beta 3 Available for Testing! – Security Onion Solutions announced the release of “Hybrid Hunter” 1.4.0 AKA Beta 3. In this release, Security Onion Solutions continues to embrace Community ID as a way to correlate different data types. They also sponsored the development of an Elasticsearch Ingest Processor that can automatically generate Community ID values for ANY logs that contain the necessary IP address and port information. https://blog.securityonion.net/2020/06/security-onion-hybrid-hunter-140-beta-3.html

Security Onion Hybrid Hunter 1.4.1 Available for Testing! – https://blog.securityonion.net/2020/07/security-onion-hybrid-hunter-141-now.html

Chocolate and Peanut Butter: Zeek and Suricata – Corelight Chief Product Officer Brian Dye announced a new software release that closely integrates Zeek and Suricata, with three key benefits. https://corelight.blog/2020/06/16/zeek-and-suricata-corelight-v19/

Zeek & Sigma: Fully Compatible for Cross-SIEM Detections – Corelight’s Alex Kirk explains how the company teamed up with SOC Prime to integrate Zeek logs with Sigma, a generic signature language that enables cross-SIEM detections from a single toolset. https://corelight.blog/2020/06/25/zeek-sigma-fully-compatible-for-cross-siem-detections/


Upcoming Events

July

(Events will be updated as we get more information.)

  • 9 July 2020 – Brim Webinar – 11am PDT/2pm EDT – This webinar will cover some of the developer basics (material will be JavaScript-centric as Brim is written with Electron/React).

Invite link: https://zoom.us/j/94487542434?pwd=YUh2NDlJVUdJUWRVUWpRU2xrYTIxUT09

  • 10 July 2020 – Monthly Community Call – Noon PDT/3pm EDT – This is a recurring call and you will be able to select all upcoming community calls.

Registration Link: https://corelight.zoom.us/meeting/register/tJcldO6qrTMrG9Kwsu6_qHsUeAvdjLmMw6-i

  • 15 July 2020 – ZEEK FROM HOME – 11am PDT/2pm EDT – DPD (Dynamic Protocol Detection), presented by Jan Grashoefer. His talk will be based on https://arxiv.org/abs/1912.03962, a research paper entitled “Attacks on Dynamic Protocol Detection of Open Source Network Security Monitoring Tools”.

Registration Link – https://corelight.zoom.us/webinar/register/WN_sSTXJPODRSeTGhBrXKZc3Q

  • 15 July 2020 – ZEEK COMMUNITY CTF – 1-3pm PDT/4-6pm EDT

Registration Link – https://corelight.zoom.us/meeting/register/tJYqceGgqjwvGNXFYKgLYVQheMs8KhZnCQpu

  • 22 July 2020 – ZEEK FROM HOME – 11am PDT/2pm EDT – Spicy (Part 2), presented by Robin Sommer

Registration Link – https://corelight.zoom.us/webinar/register/WN_W_cJVVykQh-jT6ogoPCKTw

  • 23 July 2020 – ASK THE ZEEKSPERTS – 12:30pm PDT/3:30pm EDT

Registration Link – https://corelight.zoom.us/meeting/register/tJAlce6trjIsHtPe4jx4h12JTEzYhSRdv96w

  • 29 July 2020 – ZEEK FROM HOME – 11am PDT/2pm EDT – JA3, presented by Jeff Atkinson.

Registration Link – https://corelight.zoom.us/webinar/register/WN_Gjh6eHImT56SUHP6XSs7BA

If you know of any Zeek related events that you would like to share with the community in the monthly newsletter, please email news@zeek.org or share on the Zeek mailing list (zeek@zeek.org).

About Zeek From Home: A weekly webinar featuring Zeek users, developers and invited guests. These presentations ARE recorded and shared with the community. https://zeek.org/2020/03/31/zeek-from-home/

About Ask The Zeeksperts: A bi-weekly webinar in which Zeek users, developers and invited guests answer technical questions. The community is invited to “drop in” to these calls and ask questions. These webinars are NOT recorded (unless otherwise noted).

About Zeek Community CTF (Capture the Flag) Events: Players will compete head-to-head on dozens of security challenges using Zeek data with Splunk, Elastic, or CLI tools. Sign up today! The game winner will take home bragging rights and a $100 Amazon Gift Card.

About Monthly Zeek Community Call: Monthly calls that are open to everyone to discuss topics related to the growth, governance and administration of the community. These calls ARE recorded.


Zeek Related Jobs

From Bricata

Front End Engineer Position – https://bricata.com/careers/front-end-engineer-position/

Senior Software Engineer Position – https://bricata.com/careers/senior-software-engineer-position/

From Brim

Front End Engineer – https://www.brimsecurity.com/team/front-end-engineer/

From Corelight

Cloud Architect – https://www.corelight.com/company/careers/2220883

Principal Engineer, CI and Infrastructure – https://www.corelight.com/company/careers/2220598

From LinkedIn

Sr. Zeek/Bro Engineer – https://www.linkedin.com/jobs/view/1863997545/

BRO/ZEEK SME Engineer and Programmer with Security Clearance – https://www.linkedin.com/jobs/view/1935842486/

ZEEK Engineer/ Subject Matter Expert (Active Secret Clearance Desired) – https://www.linkedin.com/jobs/view/1855505919/

BRO/ZEEK SME Engineer and Programmer with Security Clearance – https://www.linkedin.com/jobs/view/1903016798/

Cyber Threat Hunter – Great Benefits & Company Equity (REMOTE) – https://www.linkedin.com/jobs/view/1898353609/

Cyber Threat Hunter – Great Benefits & Company Equity (REMOTE) – https://www.linkedin.com/jobs/view/1898351761/

Senior Cyber Threat Hunter – Company Equity (REMOTE) – https://www.linkedin.com/jobs/view/1898354628/

Incident Response / Triage Team Lead – https://www.linkedin.com/jobs/view/1906760359/

Cyber Security Analyst – https://www.linkedin.com/jobs/view/1926562351/

Strategic Initiatives Lead Analyst – https://www.linkedin.com/jobs/view/1910034594/

CSIS Cyber Program DevOps Team Lead – https://www.linkedin.com/jobs/view/1906764185/


Get Involved

If you are interested in getting involved with the Zeek Newsletter, please email news@zeek.org.

More information about the newsletter can be found here.

Stay up to date by subscribing to the Zeek Mailing List.

Join the conversation on Slack

Follow us on Twitter
