Issue 11 – August 2021
Welcome to the Zeek Monthly Newsletter! Issue 11 covers August 2021 and upcoming events.
In this Issue:
- TL;DR
- Development Updates
- Zeek Blog
- Zeek in the Community
- Zeek Package Updates
- Zeek in the Enterprise
- Upcoming Events
- Zeek Related Jobs
- Get Involved
TL;DR
Welcome to the latest Zeek newsletter.
Highlights from this edition include the release of Spicy 1.2 and Zeek 4.1.0, and late news that MITRE is paying closer attention to Zeek data as the standard for describing network activity.
With this issue, Richard Bejtlich takes over as editor. If you have any comments or material for the newsletter please email news@zeek.org or join the #news Slack channel.
Development Updates
Two big events happened in August 2021.
First, we released Spicy 1.2, followed by a bug fix release (1.2.1) a few weeks later.
Second, we released Zeek 4.1.0.
Other highlights include:
“SSL and X509 handling was significantly overhauled with the goal to make the data that is logged by Zeek more helpful and compact.” As noted by Robin Sommer, the “x509.log is now indexed by the SHA256 of the certificates, with deduplication being automatically performed. By default, the same certificate is now only logged once per day, reducing log volume substantially.”
For details on this and other enhancements, visit:
https://github.com/zeek/zeek/releases/tag/v4.1.0
More information about project release cadence:
- https://github.com/zeek/zeek/wiki/Release-Cadence
- https://github.com/zeek/zeek/wiki/Security-Release-Process
Zeek Blog
Robin posted the only post to the blog in August, with details on Zeek 4.1.0. The end of the post contains the following note: “As a reminder, please note that all Zeek 3.x versions are out of support now, and will no longer receive any updates. Zeek 4.0 is the current LTS [long term support – editor] version that we recommend for sites prioritizing stability over the new functionality in 4.1.”
For more, see the blog (https://zeek.org/blog/) and August mailing list archive:
https://lists.zeek.org/archives/list/zeek@lists.zeek.org/2021/8/
Zeek in the Community
Writing in Medium for MITRE, Ivan Kirillov and Jon Baker published Researching Data Sources to Build a Foundation for Detections. They used Zeek data as their “network-centric data source.”
Nate Guagenti (@neu5ron) and associates published zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml, a SIGMA rule to “detect usage of the Windows RPC library Encrypting File System Remote Protocol (MS-EFSRPC). Variations of this RPC are used within the attack referred to as PetitPotam.” This is a rarely used RPC function, so analysts should investigate it if they see it in production.
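The rule above keys on the EFSRPC interface showing up in Zeek's dce_rpc.log. As an added illustration (not part of the newsletter, the SIGMA rule, or Zeek itself), the Python below parses a constructed dce_rpc.log excerpt in Zeek's tab-separated format and pulls out every call whose endpoint is the EFSRPC interface, so an analyst can see which clients are talking to it and which operations they invoke. The endpoint name "efsrpc" and the operation names are assumptions about how Zeek labels this interface; the log rows themselves are fabricated sample data.

```python
# Added example: triage EFSRPC usage in a Zeek dce_rpc.log (not code from Zeek or the SIGMA rule).
from collections import Counter

# Zeek dce_rpc.log field order as of the 4.x releases.
HEADER = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "rtt", "named_pipe", "endpoint", "operation"]

# Constructed sample rows; hosts, uids and operation names are made up for the example.
ROWS = [
    ["1628000001.100000", "Cabc1", "10.0.0.5", "49832", "10.0.0.10", "445",
     "0.001", "\\pipe\\lsass", "efsrpc", "EfsRpcOpenFileRaw"],
    ["1628000002.200000", "Cabc2", "10.0.0.6", "50100", "10.0.0.10", "445",
     "0.002", "\\pipe\\srvsvc", "srvsvc", "NetrShareEnum"],
    ["1628000003.300000", "Cabc3", "10.0.0.7", "50211", "10.0.0.10", "445",
     "0.001", "\\pipe\\efsrpc", "efsrpc", "EfsRpcEncryptFileSrv"],
    ["1628000004.400000", "Cabc4", "10.0.0.8", "50300", "10.0.0.10", "445",
     "0.003", "\\pipe\\samr", "samr", "SamrConnect"],
]

# Assemble the excerpt the way Zeek writes it: '#' header lines, then tab-separated records.
SAMPLE_LOG = ("#separator \\x09\n#fields\t" + "\t".join(HEADER) + "\n"
              + "\n".join("\t".join(r) for r in ROWS) + "\n")


def parse_zeek_tsv(text):
    """Yield one dict per record, using the #fields header to name the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, #close) and blanks
        if fields is None:
            raise ValueError("record seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def find_efsrpc_calls(text, endpoint="efsrpc"):
    """Return (uid, client, server, operation) for every call on the EFSRPC interface."""
    return [(rec["uid"], rec["id.orig_h"], rec["id.resp_h"], rec["operation"])
            for rec in parse_zeek_tsv(text)
            if rec.get("endpoint") == endpoint]


def clients_by_operation(text, endpoint="efsrpc"):
    """Count EFSRPC operations per client host, a quick view of who is using this rare interface."""
    counts = Counter()
    for _uid, client, _server, op in find_efsrpc_calls(text, endpoint):
        counts[(client, op)] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in find_efsrpc_calls(SAMPLE_LOG):
        print("EFSRPC call:", hit)
    print(clients_by_operation(SAMPLE_LOG))
```

Because legitimate EFS use is uncommon on most networks, the output is short enough to review by hand; a pair of flagged rows is a lead to confirm against the named pipe and the client's normal role rather than an alert on its own.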
Zeek Package Updates
The following packages reported updates in August.
zeek-jetdirect: This package detects exploit attempts against HP JetDirect printers via this method: https://www.exploit-db.com/exploits/45273.
CVE-2020-16898: This package detects exploit attempts against Windows systems via CVE-2020-16898, aka “Bad Neighbor.”
hassh: HASSH is a network fingerprinting standard which can be used to identify specific client and server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of an MD5 fingerprint.
common-encodings: This package provides common encodings and operations such as RC4 encryption and decryption, base64 encoding and decoding, bit-shifting, and ASCII to and from integers.
zeek-jpeg: This package analyzes JPEG files.
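To show what the hassh package's MD5 fingerprints are built from, here is an added Python example (not code from the hassh package or from Zeek). HASSH hashes the four algorithm name-lists a client advertises in SSH_MSG_KEXINIT (key exchange, client-to-server encryption, MAC and compression), each comma-joined and then joined with semicolons; hasshServer does the same with the server-to-client lists. The KEXINIT contents below are constructed, not taken from a real session, and the field names used for the dictionaries are this example's own.

```python
# Added example: compute HASSH and hasshServer fingerprints from KEXINIT algorithm lists.
import hashlib

# Constructed client KEXINIT lists (sample data for the example, not a real capture).
CLIENT_KEXINIT = {
    "kex_algorithms": ["curve25519-sha256", "ecdh-sha2-nistp256",
                       "diffie-hellman-group14-sha256"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com",
                                               "aes128-ctr"],
    "mac_algorithms_client_to_server": ["umac-64-etm@openssh.com", "hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none", "zlib@openssh.com"],
}

# Constructed server KEXINIT lists.
SERVER_KEXINIT = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "encryption_algorithms_server_to_client": ["aes256-gcm@openssh.com", "aes128-ctr"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_server_to_client": ["none"],
}


def hassh_material(kex, enc, mac, comp):
    """Build the pre-hash string: each list comma-joined, the four lists joined with ';'."""
    return ";".join(",".join(names) for names in (kex, enc, mac, comp))


def fingerprint(material):
    """HASSH is the hex MD5 digest of the material string."""
    return hashlib.md5(material.encode("ascii")).hexdigest()


def hassh_client(kexinit):
    """Client fingerprint from the client-to-server direction of the KEXINIT."""
    return fingerprint(hassh_material(
        kexinit["kex_algorithms"],
        kexinit["encryption_algorithms_client_to_server"],
        kexinit["mac_algorithms_client_to_server"],
        kexinit["compression_algorithms_client_to_server"]))


def hassh_server(kexinit):
    """Server fingerprint from the server-to-client direction of the KEXINIT."""
    return fingerprint(hassh_material(
        kexinit["kex_algorithms"],
        kexinit["encryption_algorithms_server_to_client"],
        kexinit["mac_algorithms_server_to_client"],
        kexinit["compression_algorithms_server_to_client"]))


def changed_fingerprints(observed, baseline):
    """Compare per-host fingerprints against a stored baseline; return hosts whose
    SSH implementation appears to have changed (new host or different fingerprint)."""
    return sorted(host for host, fp in observed.items() if baseline.get(host) != fp)


if __name__ == "__main__":
    print("hassh       :", hassh_client(CLIENT_KEXINIT))
    print("hasshServer :", hassh_server(SERVER_KEXINIT))
```

Because the fingerprint covers the advertised lists in order, two builds of the same SSH implementation that differ only in which algorithms are enabled hash differently, which is why a stored baseline per host is more useful than a single global list of known values.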
Zeek in the Enterprise
Security Onion Solutions released Security Onion 2.3.70, which added new features and resolved a few issues.
Corelight, Inc. released Smart PCAP for its AP 3000 sensor, which uses Zeek to access full content packet capture at high Gbps rates.
Tenzir released VAST 2021.07.29, with native Zeek integration.
Upcoming Events
About Zeek Monthly Webinar Series: This is a bi-weekly webinar series held on the 2nd and 4th Tuesdays of each month featuring Zeek users, developers and invited guests. These presentations ARE recorded and shared with the community.
About Monthly Zeek Community Call: Monthly calls that are open to everyone to discuss topics related to the growth, governance and administration of the community. These calls ARE recorded.
- ZeekWeek, 13-15 October 2021 – Call for Speakers and Sponsors now open! ZeekWeek is the annual gathering of defenders, developers, incident responders, threat hunters, and security architects who rely on open source Zeek as a critical element in their security stack. For more information visit zeekweek.org.
Zeek Related Jobs
The following are a sampling of job opportunities that mention Zeek software skills.
- Staff Security Engineer, Detection & Response – Cruise, San Francisco, CA
- Associate, Cybersecurity, Network Security Analyst – Ankura, multiple
- Principal Engineer – Cybersecurity Operations (Remote) – United Airlines, Chicago, IL, Remote
- Cloud Security Researcher – Blue Hexagon Inc., United States
- Sr. Enterprise Info Security Specialist – Emory University, Atlanta, GA
- And more
Get Involved
If you are interested in getting involved with the Zeek Newsletter, please email news@zeek.org.
Stay up to date by subscribing to the Zeek Mailing List.
Join the conversation on Slack.
Follow us on Twitter.
See you next time!