The global community of Zeek users and developers gathered virtually last month, October 13-15, for the annual ZeekWeek (formerly BroCon) event. 

This year’s Zeek Week smashed multiple records: over 1400 network security professionals representing 300 organizations joined from over 70 countries to share ideas and knowledge.

This year’s virtual event consisted of two Zeek training sessions on Day 1; 13 defender, threat hunter and IR focused presentations on Day 2; and 10 developer focused presentations on Day 3.  Day 2 and 3 presentations were delivered in a fast-paced 20 minute format,discussions and questions handled via dedicated Slack channels. 

In case you missed this year’s event, here is a list of all the talks – as well as slides, plus links to videos and Slack channel discussions. 

The full agenda and talk descriptions can be found here. 

Sessions

13 October 2020  – Day 1 – Zeek Training  

(Video will be added soon)

• Hands on Introduction to setting up and running Zeek, Keith Lehigh, Indiana University & Fatema ESNet (Slides and other information) (Slack)
• Hands on Zeek Scripting, Aashish Sharma, Lawrence Berkeley National Laboratory (Berkeley Lab)  (Slides and other information) (Slack)

14 October 2019 – Day 2 – Defender, Threat Hunter, IR Track

• Welcome /LT Introductions and Governance Update – Keith Lehigh, Indiana University, University Information Security Officer (Slides) (Video) (Slack)
• An Overview of Zeek Performance – Vern Paxson, Professor of Computer Science at UC Berkeley and Zeek (fka Bro), Co-founder and Chief Scientist at Corelight, Inc. (Slides) (Video) (Slack)
• I have an IT inventory! Now what? – Nick Turley, BYU (Slides) (Video) (Slack)
•  Is Weird still weird? Take-2 @ESnet  – Fatema Bannat Wala, ESNet (Slides) (Video) (Slack)
• Zeek Agent: Correlating Host and Network Logs for Better Forensics – Wajih Ul Hassan, Corelight, Inc., Research Intern, Corelight (Slides) (Video) (Slack)
• BSD Honeypots with Zeek – Of course it runs on BSD – Michael Shirk, Daemon Security (Slides) (Video) (Slack)
• Using Zeek in ESnet6 management network security monitoring – Scott Campbell, ESNet (Slides) (Video) (Slack)
• A Structural Approach to Modeling Encrypted Connections – Anthony K, Corelight, Inc., Technical Director (Slides) (Video) (Slack)
• Zeek, and Splunk, and Alertus, oh My – Brian Allen, Washington University in St. Louis, Information Security Manager (Slides) (Video) (Slack)
• How to set your logs on fire with Emoji-🔥 – Jan Grashöfer, KIT – Karlsruher Institute for Technology and Benjamin Berens, KIT – Karlsruher Institute for Technology (Slides) (Video) (Slack)
• Gamification of Zeek: Demonstrating the Power of Zeek through CTFs – Aaron Soto, Corelight, Inc., Director of Learning (Slides) (Video) (Slack)
• Community/2021 Strategic Plan Update – Amber Graner, Corelight, Inc., Director of Community (Slides) (Video) (Slack)
• Going Beyond Alerts – Maximizing Network Defense with Suricata 6.0 – Josh Stroschein, Suricata (Slides) (Video) (Slack)

15 October 2020 – ZeekWeek Day 3 – Developer Track 

(please note all the Roadmap sessions used the same slack channel)

• Zeek 4.0 and beyond: High-level Roadmap – Robin Sommer, Corelight, Inc., Co-Founder and CTO (Slides) (Video) (Slack)
• Packet Analyzers – Jan Grashöfer, KIT – Karlsruher Institute for Technology and Tim Wojtulewicz, Corelight, Inc. (Slides) (Video) (Slack)
•  Introducing Spicy – Benjamin Bannier, Corelight, Inc. (Slides) (Video) (Slack)
• Compiling Zeek Scripts – Vern Paxson, Professor of Computer Science at UC Berkeley and Zeek (fka Bro), Co-founder and Chief Scientist at Corelight, Inc. (Slides) (Video) (Slack)
• Packaging Zeek’s policy scripts with better zkg templating – Vlad Grigorescu, ESnet and Christian Kreibich, Corelight, Inc. (Slides) (Video) (Slack)
• Towards a New Management Framework for Zeek Clusters – Robin Sommer, Corelight, Inc., Co-Founder and CTO (Slides) (Video) (Slack)
• Starting to Zeek – Steve Smoot, Corelight, Inc., VP (Slides) (Video) (Slack)
• Test before Production: Introducing ZTest, a Unit Testing Framework for Zeek – Ryan Victory, Corelight, Inc. (Slides) (Video) (Slack)
• Spicy-parser Best-practices – Duffy O’Craven (Slides) (Video) (Slack)
• Recursive File Analysis in Zeek – Kazi Alom, Reservoir Labs, Intern (Slides) (Video) (Slack)

Many Thanks and Much Appreciation! 

Zeek events such as this one are only possible through the generous support of the Zeek community, its sponsors and hosts. A huge shoutout and “THANK YOU” to Corelight Inc. for hosting and to all the speakers!!

Market Survey

Please take a moment to answer this short anonymous market survey so that we can better understand how the community is using Zeek.  The results of this survey will be shared with the broader community, so everyone benefits if you participate. 

Helpful Links and information

If you would like to be part of the Zeek Community and contribute to the success of the project, please sign up for our mailing lists, join Slack Workspace, attend our events, and follow the blog and/or Twitter feed. If you’re writing scripts or plugins for Zeek we would love to hear from you! If you can’t figure out what your next step should be, just reach out to akgraner@zeek.org. Together we can find a place for you to actively contribute and be a part of this growing community.

About Zeek (formerly Bro): Zeek is the world’s leading platform for network security monitoring. Flexible, open source, and powered by defenders. 

More about Zeek and connecting with the community can be found at: https://zeek.org/