Issue 11 – August 2021

Welcome to the Zeek Monthly Newsletter! Issue 11 covers August 2021 and upcoming events. 


In this Issue:

  • TL;DR 
  • Development Updates
  • Zeek Blog
  • Zeek in the Community
  • Zeek Package Updates
  • Zeek in the Enterprise
  • Upcoming Events
  • Zeek Related Jobs
  • Get Involved

TL;DR

Welcome to the latest Zeek newsletter. 

Highlights from this edition include the release of Spicy 1.2 and Zeek 4.1.0, and late-breaking news that MITRE is using Zeek data as its network-centric data source when researching detections.

With this issue, Richard Bejtlich takes over as editor. If you have any comments or material for the newsletter please email news@zeek.org or join the #news Slack channel.


Development Updates

Two big events happened in August 2021. 

First, we released Spicy 1.2, followed by a bug-fix release (1.2.1) a few weeks later:

https://lists.zeek.org/archives/list/zeek-announce@lists.zeek.org/thread/RCVHFQ45IXOQLMHIZCSG6KZPNS2RGQMD/

https://lists.zeek.org/archives/list/zeek-announce@lists.zeek.org/thread/CYKUYCLBRK2SQDVVHPBYRSR6HIBVI2JY/

Second, we released Zeek 4.1.0. 

https://lists.zeek.org/archives/list/zeek-announce@lists.zeek.org/thread/MI257YXL2PBCB3ON4PRTVIBR6HES3B5E/

Other highlights include:

“SSL and X509 handling was significantly overhauled with the goal to make the data that is logged by Zeek more helpful and compact.” As noted by Robin Sommer, the “x509.log is now indexed by the SHA256 of the certificates, with deduplication being automatically performed. By default, the same certificate is now only logged once per day, reducing log volume substantially.”

For details on this and other enhancements, visit:

https://github.com/zeek/zeek/releases/tag/v4.1.0 

More information about project release cadence:


Zeek Blog

Robin wrote the only blog post in August, with details on Zeek 4.1.0. The end of the post contains the following note: “As a reminder, please note that all Zeek 3.x versions are out of support now, and will no longer receive any updates. Zeek 4.0 is the current LTS [long term support – editor] version that we recommend for sites prioritizing stability over the new functionality in 4.1.”

For more, see the blog (https://zeek.org/blog/) and August mailing list archive:

https://lists.zeek.org/archives/list/zeek@lists.zeek.org/2021/8/ 


Zeek in the Community

Writing on Medium for MITRE, Ivan Kirillov and Jon Baker published Researching Data Sources to Build a Foundation for Detections. They used Zeek data as their “network-centric data source.”

Nate Guagenti (@neu5ron) and associates published zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml, a Sigma rule to “detect usage of the windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam.” MS-EFSRPC is rarely exercised on most networks, so analysts should investigate any such calls they see in production.
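As an added example (not code from the Zeek project, the newsletter's contributors, or the Sigma rule's authors), the following Python script ties together two items above: it parses Zeek's TSV log format, joins ssl.log to the 4.1-style x509.log by SHA256 fingerprint to show that deduplicated certificate logging still lets an analyst reconstruct each session's chain, and flags dce_rpc.log rows on the efsrpc endpoint in the spirit of the PetitPotam Sigma rule. The log lines are constructed, fingerprints are shortened, only a few columns are kept, and the field names cert_chain_fps, fingerprint, endpoint and operation, as well as "efsrpc" being Zeek's endpoint name for MS-EFSRPC, are assumptions rather than facts taken from this page.

```python
"""Added example: parse Zeek TSV logs, join ssl.log to the deduplicated x509.log
by SHA256 fingerprint, and flag MS-EFSRPC calls in dce_rpc.log. Not Zeek code."""
from collections import Counter

# Constructed sample logs, not real captures. Only a handful of Zeek's columns are
# kept, fingerprints are shortened, and the 4.1 field names cert_chain_fps and
# fingerprint are assumed from the release notes rather than verified here.
SSL_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tserver_name\tcert_chain_fps\n"
    "#types\ttime\tstring\taddr\taddr\tstring\tvector[string]\n"
    "1628000000.1\tCa1\t10.0.0.5\t93.184.216.34\texample.com\t5e0ee6bd,0a4ac1f2\n"
    "1628000001.2\tCb2\t10.0.0.6\t93.184.216.34\texample.com\t5e0ee6bd,0a4ac1f2\n"
    "1628000002.3\tCc3\t10.0.0.7\t10.0.0.9\t-\t-\n"
)
# One row per certificate: the 4.1 x509.log is indexed by fingerprint, so the two
# sessions above share these two rows instead of producing four.
X509_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tfingerprint\tcertificate.subject\tcertificate.issuer\thost_cert\n"
    "#types\ttime\tstring\tstring\tstring\tbool\n"
    "1628000000.1\t5e0ee6bd\tCN=example.com\tCN=Example CA\tT\n"
    "1628000000.1\t0a4ac1f2\tCN=Example CA\tCN=Example Root\tT\n"
)
DCE_RPC_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tendpoint\toperation\n"
    "#types\ttime\tstring\taddr\taddr\tstring\tstring\n"
    "1628000100.0\tCd4\t10.0.0.21\t10.0.0.10\tsrvsvc\tNetrShareEnum\n"
    "1628000101.5\tCe5\t10.0.0.21\t10.0.0.10\tefsrpc\tEfsRpcOpenFileRaw\n"
    "1628000101.9\tCe5\t10.0.0.21\t10.0.0.10\tefsrpc\tEfsRpcEncryptFileSrv\n"
    "1628000102.2\tCf6\t10.0.0.22\t10.0.0.10\tlsarpc\tLsarOpenPolicy2\n"
)


def parse_zeek_tsv(text):
    """Parse Zeek's TSV log format into a list of dicts keyed by column name.

    Honours the #separator, #set_separator, #unset_field and #empty_field header
    lines; vector[...]/set[...] columns become lists and unset fields become None.
    """
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, rows = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator line is space-delimited and spells the separator
                # as an escape sequence, e.g. "\x09" for a tab.
                sep = line[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue
        row = {}
        for name, typ, raw in zip(fields, types, line.split(sep)):
            if raw == unset:
                row[name] = None
            elif typ.startswith(("vector[", "set[")):
                row[name] = [] if raw == empty else raw.split(set_sep)
            else:
                row[name] = raw
        rows.append(row)
    return rows


def cert_usage(ssl_rows):
    """Count TLS sessions per certificate fingerprint. x509.log now holds one row
    per fingerprint while ssl.log may reference it thousands of times; that gap
    is where the 4.1 log-volume saving comes from."""
    return Counter(fp for r in ssl_rows for fp in (r["cert_chain_fps"] or []))


def join_ssl_x509(ssl_rows, x509_rows):
    """Rebuild each session's certificate chain by looking up cert_chain_fps in
    x509.log; the join key is the fingerprint, not a per-connection file id."""
    by_fp = {r["fingerprint"]: r for r in x509_rows}
    return [{"uid": s["uid"], "server_name": s["server_name"],
             "chain": [by_fp.get(fp) for fp in (s["cert_chain_fps"] or [])]}
            for s in ssl_rows]


def find_efsrpc_calls(dce_rows):
    """Return dce_rpc rows for any MS-EFSRPC operation. "efsrpc" as the endpoint
    name is an assumption; this mirrors the rule's stated intent, not its YAML."""
    return [r for r in dce_rows
            if r["endpoint"] == "efsrpc" and (r["operation"] or "").startswith("EfsRpc")]


if __name__ == "__main__":
    ssl, x509, dce = (parse_zeek_tsv(t) for t in (SSL_LOG, X509_LOG, DCE_RPC_LOG))
    print("sessions per certificate:", dict(cert_usage(ssl)))
    for j in join_ssl_x509(ssl, x509):
        subjects = [c["certificate.subject"] if c else None for c in j["chain"]]
        print(j["uid"], j["server_name"], subjects)
    for hit in find_efsrpc_calls(dce):
        print(f"EFSRPC {hit['operation']} {hit['id.orig_h']} -> {hit['id.resp_h']} uid={hit['uid']}")
```

The parser reads the header lines rather than hard-coding a tab, so it copes with sites that change Zeek's separators; sites logging JSON (Zeek's LogAscii::use_json) would swap the parser for json.loads and keep the two analyses unchanged. Because x509.log only records a certificate once per day, any join back to a session has to go through the fingerprint, which is exactly what cert_chain_fps provides.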


Zeek Package Updates

The following packages reported updates in August.

zeek-jetdirect: This package detects exploit attempts against HP JetDirect printers via this method: https://www.exploit-db.com/exploits/45273.

CVE-2020-16898: This package detects exploit attempts against Windows systems via CVE-2020-16898, aka “Bad Neighbor,” a flaw in how the Windows TCP/IP stack parses the RDNSS option in IPv6 Router Advertisements.

hassh: HASSH is a network fingerprinting standard which can be used to identify specific client and server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint.

common-encodings: This package provides common encodings and operations such as RC4 encryption and decryption, base64 encoding and decoding, bit-shifting, and ASCII to and from integers.

zeek-jpeg: This package analyzes JPEG files.


Zeek in the Enterprise

Security Onion Solutions released Security Onion 2.3.70, which added new features and resolved a few issues.

Corelight, Inc. released Smart PCAP for its AP 3000 sensor, which uses Zeek data to index full-content packet capture at high Gbps rates.

Tenzir released VAST 2021.07.29, with native Zeek integration.


Upcoming Events 

About Zeek Monthly Webinar Series: This is a bi-weekly webinar series held on the 2nd and 4th Tuesdays of each month featuring Zeek users, developers and invited guests. These presentations ARE recorded and shared with the community.

About Monthly Zeek Community Call: Monthly calls that are open to everyone to discuss topics related to the growth, governance and administration of the community. These calls ARE recorded.

  • ZeekWeek, 13-15 October 2021 – Call for Speakers and Sponsors now open! ZeekWeek is the annual gathering of defenders, developers, incident responders, threat hunters, and security architects who rely on open source Zeek as a critical element in their security stack. For more information visit zeekweek.org.

Zeek Related Jobs

The following is a sampling of job opportunities that mention Zeek software skills.


Get Involved

If you are interested in getting involved with the Zeek Newsletter, please email news@zeek.org.

Stay up to date by subscribing to the Zeek Mailing List.

Join the conversation on Slack.

Follow us on Twitter.

See you next time!
