Zeek Package Contest – ZPC-3

Update: added winners and Jury members.

• Are you a Zeek user?
• Do you enjoy writing Zeek scripts?  
• Do you like being recognized for your awesome work?  
• Do you want to make the world’s networks safer?  
• Do you like winning prizes and claiming bragging rights?
• Do you want the opportunity to present your work at Zeek events?

If you answered, “yes” to any of these questions, then the Zeek Package Contest (ZPC) sponsored by Corelight, Inc. may be just the competition for you!

The ZPC contest series is intended to inspire Zeek users to demonstrate their creativity and ingenuity while winning the admiration of their peers, and giving back to the community. The ZPC-3 contest will be open to all Zeek Packages, including protocol and file analyzers implemented through Spicy.

For ZPC-3 we will also add  “Ideas” and  “Developer” phases to allow for team participation,  in addition to individual contributions.  See details and timeline below.

What is the Zeek Package Contest?

The challenge is straightforward: create an innovative and useful open source Zeek package that extends and customizes Zeek’s capabilities. 

• First Place ($2000.00) – Zeek-bogon contributed by Zander Work. This packagedds labels to bogon IP addresses when they appear in conn.log.
• 2nd Place ($1000.00) – remote_asn_geoip_conn contributed by Michael Portera. This package adds ASN and GeoIP data directly to conn.log for the remotr connection. The script checks the orig and resp host fields to determine which one is not defined as part of the local IP ranges and subsequently performs a lookup on the MaxMind ASN and GeoIP databases.
• 3rd Place ($500.00) – Bad ASN – contributed by Hudson Carr. This Zeek package performs ASN lookups on the remote connection’s IP address from conn.log. It furthermore retrieves the score from  CIRCL’s Bad ASN API. ASNs that cross a determined threshold will be written to notice.log. 

Cash Prizes may be subjected to a 30% withholding (for non-US winners). Before cash prizes are awarded all winners will be required to file a W-9 or W-8BEN (for non-US winners) and verify with their bank the wire information necessary to receive US dollars from a U.S. bank (for international winners)

Everyone who submits an eligible package for ZPC-3 will receive a Zeek Package Contest challenge coin. 

See actual coins here. 

The winners may also get the opportunity to present their work at future Zeek events and/or have their contributions featured on the Zeek blog.

Submissions need to be made available through the central Zeek package repository.  If you need help getting your package into this repository, please let us know so that we can assist you.  We don’t want that final step to be an obstacle to participation. 

We will evaluate contributions in terms of overall functionality & quality, utility for incident responders, customizability, test coverage, and clarity of documentation. If your submission includes a Spicy analyzer, you will also need to share traffic you tested the Parser against, so that the judges can ensure the analyzer will work. The jury will consist of Zeek core developers and other long-time Zeek community members. More details below.

Here are a few useful resource links to get you started:

• Script Reference Guide 
• Packages.zeek.org
• Zeek Package repository 
• Zeek Package Source – Readme 
• Zeek Package Manager Quickstart Guide
• Spicy

If you have any questions about how to write packages or need help with your submission, please join the #packages channel on Slack. 

Jury Members

• Fatema Bannat Wala (Community)
• Lexi Brent (Community)
• Nick Turley (Community)
• Matthias Vallentin (Community)
• Aashish Sharma (Community)

Important and Explanations Dates

• 15 July 2020 – Call for Ideas – If you have an idea for a Zeek Package,  but will need help developing that idea into a workable package, please submit your idea via this webform. Ideas for all kinds of packages are welcome (including detections, data enrichment, protocol parsing, etc). The best suggestions will be highly specific and well motivated by a compelling use case.  Later in the competition, your idea may be selected by a developer and you’ll have the option to form a team. 
• 17 August 2020 – Call Developers/Package Writers – If you are a developer and have an interest in being part of a team and helping turn an idea into a workable Zeek Package, please take a look at the package ideas that have been submitted to date, and pick 3 you’d like to work on.  We will pair you with the idea submitter and send out notices.  (Link to be added once the Call for Ideas Phase ends)
• 15 September 2020 – Team Notices – We will send out notices to the Developers and Idea submitters and create a list of teams 
• 29 September 2020 – Open Submission of Packages – Individuals and teams can begin to submit their Zeek Packages via this webform. 
• 26 November 2020 (Extended) – Close Submissions – Individuals and teams will have until 26 November 2020 at 6pm PDT to submit their Zeek Packages. 
• 16 December 2020 (Extended) – Notify Winners  – Winners will be notified privately on this date and arrangements for prize distributions finalized. 
• 18 December 2020 (Extended) – Announce Winners- On this date we will announce the winners to the public via the Zeek Blog, Mailing List and Twitter account. This announcement will also be updated. 

Contest Results

This section will be updated on 18 December 2020. 

Rules of Engagement

1. The goal is to create an innovative and useful Zeek package that’s compatible with the Zeek Package Manager.  A package may include a plugin to support its scripts through new built-in functions (“*.bif files”).It may also include Spicy source code implementing a custom protocol or file analyzer. The contest will not consider packages with other binary functionality, such as non-Spicy analyzers, log writers, input readers, etc.
2. To submit a package to the contest, it must first be made available through the central Zeek package repository. You can then nominate it for consideration by filling out this webform (On or after 29 Sep 2020 through 26 Oct 2020.). Please include with your nomination: a link to the package’s git repository, a list of authors, a short summary describing the motivation for the work, and documentation of the package’s usage. We will acknowledge receipt, and we will evaluate the version of the package as the package manager installs it at that time.
3. All submissions must be received no later than 26 November 2020, 6:00PM PST. The winners will be notified on 16 December, 2020. 
4. Packages created prior to 15 May 2020 are ineligible.  All packages created on or after 16 May 2020 through 26 November 2020 are eligible. 
5. Submitted packages must work with a Zeek release version >= 3.0. They must build and install on recent, standard Linux systems. Please specify any specific OS requirements of your package, if necessary. 
6. Submitted packages must be open source. We prefer BSD licensed submissions, but will accept any OSI-approved license. By submitting an entry, you declare that you own the copyright to the source code and all related materials, and are authorized to submit it.
7. Submissions may leverage other packages included in the Zeek package repository as  dependencies as long as the package manager can resolve them during installation. They may also link against external libraries as long as their installation is clearly documented and easy to follow. 
8. The top 3 winners of the contest will get the prizes mentioned above. We reserve the right to award fewer than 3 awards if we do not receive a sufficient number of high-quality submissions. In addition, anyone who submits an eligible package to the ZPC-3 contest will receive a Zeek Package Contest challenge coin. 
9. A committee of Zeek developers and other long-time Zeek community members, chosen by Corelight, will decide the winners based on the following criteria: overall functionality & quality, utility for incident responders, customizability, test coverage, and clarity of documentation.
10. In order to collect the cash prizes, winners will need to provide a legal picture identification and bank account information within 30 days of notification. The bank transfer will be made once all banking information has been verified.
11. Group entries are allowed; the prize will be paid to a person designated by the group.
12. You may submit more than one package for the contest, but we limit awards to one per person/group.
13. Names/aliases of the winners will be listed on the “Zeek Package Contest” on the Zeek Blog.
14. Zeek team members, members of the selection committee, and Corelight employees are not eligible to receive the cash prizes.

The Legal Stuff

In no event will Corelight be liable to you or any party entering this contest for lost profits or any form of indirect, special, incidental, or consequential damages of any character from any causes of action of any kind with respect to this contest, whether based on breach of contract, tort (including negligence), or otherwise, and whether or not you have been advised of the possibility of such damage.

More Information

If you have any questions, please contact us at contest@zeek.org.

Find out more about Zeek at: https://www.zeek.org/

Current packages list can be found at: https://packages.zeek.org/ and https://github.com/zeek/packages

The Zeek Package Contest is inspired and modeled after the Hex-Rays Plugin , Volatility contests and Google’s Summer of Code and Season of Docs events.