Issue 12 – September 2021
Welcome to the Zeek Monthly Newsletter! Issue 12 covers September 2021 and upcoming events.
In this Issue:
- TL;DR
- Development Updates
- Zeek Blog
- Zeek in the Community
- Zeek Package Updates
- Zeek in the Enterprise
- Upcoming Events
- Zeek Related Jobs
- Get Involved
TL;DR
Welcome to the latest Zeek newsletter.
Register for ZeekWeek 2021! ZeekWeek takes place October 13-15, and is free and exclusively online. Sign up here. Don’t miss our annual conference, with material for users and developers of all skill levels and interests.
If you have any comments or material for the newsletter please email news@zeek.org or join the #news Slack channel.
Development Updates
On September 22, Tim Wojtulewicz published Zeek 4.0.4 and Zeek 4.1.1. These releases addressed two security issues and several bugs. Recall that Zeek 4.0.x is the current Long Term Support (LTS) release, while Zeek 4.1.x is the development release with the newest features. We encourage users to run one of these releases as they incorporate the latest security fixes.
See these links for more information about project release cadence:
- https://github.com/zeek/zeek/wiki/Release-Cadence
- https://github.com/zeek/zeek/wiki/Security-Release-Process
Zeek Blog
Beyond updates on ZeekWeek, the September blog featured a request from Robin Sommer for input to the Zeek roadmap:
“To provide input, please either start a GitHub Discussion for general ideas, suggestions, and feature requests; open a ticket on our GitHub issue tracker for immediate action items; or just post your thoughts on Slack in #development.”
For more, see the blog (https://zeek.org/blog/) and September mailing list archive:
https://lists.zeek.org/archives/list/zeek@lists.zeek.org/2021/9/
Zeek in the Community
Phil Rzewski and the Brim team released new GA releases of the Brim desktop app (v0.25.0) and Zed backend/CLI tooling (v0.30.0). We sometimes use Brim to demonstrate how to analyze Zeek data in our Zeek in Action videos. Brim CEO Steve McCanne spoke to the Sharkfest community this month on Brim as well. You can see him work with Zeek data in this video of his keynote.
Nate Guagenti tweeted the following suggestion on Zeek data:
“[T]urn on
https://github.com/zeek/zeek/blob/master/scripts/policy/protocols/http/header-names.zeek
in your zeek/corelight instance yesterday. [I] have been advising this for many years. http headers are an infinite possibility for attackers and a lot of detection possibilities already exist at your fingertips.”
Richard Bejtlich spoke at the Zeek community virtual meet-up event on September 15 on “How to monitor your wireless network.” For more on this topic, see the corresponding Zeek in Action video.
Suricon 2021 will take place on October 20-22.
Zeek Package Updates
The latest Zeek package contest ends Friday October 1. Submit your package today for a chance to earn a challenge coin!
The following packages reported updates in September, via this search.
geoip-conn – Add geolocation fields to connection logs.
spicy-analyzers – This repository provides a Zeek package installing a set of protocol & file analyzers implemented through Spicy. Currently, the following analyzers are included:
DHCP [1], DNS [1], Facefish Rootkit, HTTP [1], IPSec, LDAP, OpenVPN, PNG, Portable Executable (PE) [2], STUN, Tailscale VPN, TFTP, Wireguard, ZIP archives. [1] replaces the corresponding Zeek analyzer. [2] replaces and extends the corresponding Zeek analyzer.
bro-is-darknet – This plugin adds a Site::is_darknet function. This is useful for scripts that track scan attempts or other probes. It can handle purely dark address space as well as honeynet space.
CVE-2021-38647 – Detector for “OMIGOD”, the unauthenticated remote code execution flaw in Microsoft’s Open Management Infrastructure (OMI) agent. See Corelight’s blog post. The exploit involves simply omitting the Authorization header in the HTTP request to the OMI/WS-Management endpoint, which the agent then treats as fully authenticated.
spicy-plugin – This repository provides a Zeek package that adds Spicy support to Zeek through a plugin. After installing this package, you can then load Spicy-based protocol and file analyzers, such as those coming with the Spicy Analyzers package.
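The CVE-2021-38647 entry above describes the whole trick: a WS-Management request with no Authorization header. The script below is an added example of how that pattern can be flagged in Zeek script; it is not Corelight’s package and not code from this page. It assumes the OMI plaintext HTTP listener is on 5985/tcp and that requests go to /wsman (the 5986/tcp listener is TLS, so the HTTP analyzer never sees its headers); both the port set and the URI are assumptions and are redef-able.

```zeek
##! Added example (not Corelight's CVE-2021-38647 package): flag WS-Management
##! requests that reach an OMI-style endpoint without any Authorization header.

@load base/frameworks/notice
@load base/protocols/http

module OmigodExample;

export {
	redef enum Notice::Type += {
		## A WS-Man request arrived with no Authorization header (OMIGOD pattern).
		Unauthenticated_WSMan_Request,
	};

	## Assumption: 5985/tcp is the conventional plaintext WS-Man port.
	## 5986/tcp is TLS and is invisible to the HTTP analyzer without decryption.
	const wsman_ports: set[port] = { 5985/tcp } &redef;

	## Assumption: the endpoint path used by OMI/WS-Man clients.
	const wsman_uri = "/wsman" &redef;
}

redef record HTTP::Info += {
	## Set once the client sends any Authorization header on this request.
	saw_authorization: bool &default=F;
};

event zeek_init()
	{
	# Make sure HTTP is parsed on the WS-Man port even if DPD misses it.
	Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, wsman_ports);
	}

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# The HTTP analyzer delivers header names upper-cased.
	if ( is_orig && c?$http && name == "AUTHORIZATION" )
		c$http$saw_authorization = T;
	}

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	# Only the client's request, only on a WS-Man port, only the WS-Man path.
	if ( ! is_orig || ! c?$http )
		return;
	if ( c$id$resp_p !in wsman_ports )
		return;
	if ( ! c$http?$uri || c$http$uri != wsman_uri )
		return;
	if ( c$http$saw_authorization )
		return;

	NOTICE([$note=Unauthenticated_WSMan_Request,
	        $msg=fmt("%s %s to %s without an Authorization header",
	                 c$http?$method ? c$http$method : "?",
	                 c$http$uri, c$id$resp_h),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}
```

Load it with `zeek -r capture.pcap omigod-example.zeek` (filename assumed) and look in notice.log. Because OMIGOD is an authentication bypass rather than a malformed request, the only network-visible tell on plaintext traffic is the absent header, which is why the check keys on header presence rather than on request content.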
Zeek in the Enterprise
Anthony Kasza and Nick Hunter from Corelight presented “RDP Forensics Without Endpoint Visibility.” Their presentation is available on YouTube.
Paul Dokas, director of Corelight Labs, blogged Using Zeek to track communication state. An excerpt:
“The PetitPotam exploit offers an opportunity to illustrate the power of Zeek for tracking the state of network conversations over their lifetime. PetitPotam abuses EFS DCERPC functions to trigger an NTLM relay attack that can be used to gain elevated privileges in a Windows AD domain… To illustrate this point, here is a Zeek script for detecting attempts to exercise the PetitPotam exploits.”
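The excerpt above points to a Corelight Labs script that is not reproduced on this page. What follows is an added example, not that script, of the state-tracking idea it describes: remember which DCE-RPC presentation contexts were bound to the MS-EFSR interface, then flag later requests on those contexts whose opnum is one of the file-path operations PetitPotam abuses. The interface UUIDs and opnums are assumptions taken from the public PetitPotam proof of concept (EfsRpcOpenFileRaw = 0, EfsRpcEncryptFileSrv = 4, EfsRpcDecryptFileSrv = 5, EfsRpcQueryUsersOnFile = 6, EfsRpcQueryRecoveryAgents = 7) and can be redef'd.

```zeek
##! Added example (not the Corelight Labs script): correlate DCE-RPC bind and
##! request events in Zeek to spot EFSRPC calls used for PetitPotam coercion.

@load base/frameworks/notice
@load base/protocols/dce-rpc

module PetitPotamExample;

export {
	redef enum Notice::Type += {
		## A call into MS-EFSR with an opnum that PetitPotam uses for coercion.
		EFSRPC_Coercion_Attempt,
	};

	## Assumption: MS-EFSR interface UUIDs as used by the public PoC
	## (\pipe\lsarpc and \pipe\efsrpc transports).
	const efsrpc_uuids: set[string] = {
		"c681d488-d850-11d0-8c52-00c04fd90f7e",
		"df1941c5-fe89-4e79-bf10-463657acf44d",
	} &redef;

	## Assumption: opnums of the MS-EFSR operations that take a UNC path
	## and can therefore be pointed at an attacker-controlled host.
	const coercion_opnums: set[count] = { 0, 4, 5, 6, 7 } &redef;
}

## Per-connection state kept for the lifetime of the conversation.
type EfsState: record {
	## (fid, ctx_id) pairs that were bound to an EFSRPC interface.
	bound: set[count, count] &default=set();
	## Number of coercion-capable requests seen on those contexts.
	requests: count &default=0;
};

redef record connection += {
	efs_state: EfsState &optional;
};

event dce_rpc_bind(c: connection, fid: count, ctx_id: count, uuid: string,
                   ver_major: count, ver_minor: count)
	{
	# Step 1: remember which presentation contexts map to MS-EFSR.
	if ( uuid !in efsrpc_uuids )
		return;
	if ( ! c?$efs_state )
		c$efs_state = EfsState();
	add c$efs_state$bound[fid, ctx_id];
	}

event dce_rpc_request(c: connection, fid: count, ctx_id: count, opnum: count,
                      stub_len: count)
	{
	# Step 2: a request is only interesting if its context was bound to
	# MS-EFSR earlier in this same connection and the opnum is one of the
	# path-taking operations.
	if ( ! c?$efs_state || [fid, ctx_id] !in c$efs_state$bound )
		return;
	if ( opnum !in coercion_opnums )
		return;

	++c$efs_state$requests;
	NOTICE([$note=EFSRPC_Coercion_Attempt,
	        $msg=fmt("EFSRPC opnum %d on ctx %d from %s (%d such requests in this connection)",
	                 opnum, ctx_id, c$id$orig_h, c$efs_state$requests),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h, opnum)]);
	}
```

The point the blog makes is visible in the two handlers: the bind tells you nothing by itself, and a request carries only a context id and an opnum, so the detection only exists because the script carries state from the first event to the second. The coercion happens on the request, so the notice fires there rather than waiting for the server's reply, which is usually an error even when the relay succeeded.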
Upcoming Events
- Zeek Monthly Webinar Series: a webinar series held twice a month, on the 2nd and 4th Tuesdays, featuring Zeek users, developers and invited guests. These presentations ARE recorded and shared with the community.
- Monthly Zeek Community Call: monthly calls open to everyone to discuss topics related to the growth, governance and administration of the community. These calls ARE recorded.
- ZeekWeek, 13-15 October 2021 – ZeekWeek is the annual gathering of defenders, developers, incident responders, threat hunters, and security architects who rely on Zeek as a critical element in their security stack. For more information visit zeekweek.org and register here.
Zeek Related Jobs
The following are a sampling of job opportunities that mention Zeek software skills.
- Axellio Inc. – Washington DC-Baltimore Area
- Los Alamos National Laboratory – Los Alamos, NM
- Blue Hexagon Inc. – United States, Remote
- Cruise – San Francisco, CA
For more, see https://www.linkedin.com/jobs/search/?geoId=103644278&keywords=zeek
Get Involved
If you are interested in getting involved with the Zeek Newsletter, please email news@zeek.org.
Stay up to date by subscribing to the Zeek Mailing List.
Join the conversation on Slack.
Follow us on Twitter.
See you next time!