Zeek: Zeek Monthly Newsletter – Issue 13

Issue 13 – October 2021

Welcome to the Zeek Monthly Newsletter!

In this Issue:

TL;DR
Development Updates
Zeek Blog and Mailing List
Zeek in the Community
Zeek Package Updates
Zeek in the Enterprise
Upcoming Events
Zeek Related Jobs
Get Involved

TL;DR

ZeekWeek 2021 was a great success. Thank you to everyone who participated. Expect to see videos of the sessions posted to the Zeek YouTube channel in November. Also keep an eye open for more Zeek in Action videos:

https://www.youtube.com/c/Zeekurity

Development Updates

As of this writing, the current versions of Zeek are 4.0.4, the Long Term Support (LTS) release, and 4.11, the development release with the newest features.

On October 19, Benjamin Bannier announced the release of Spicy 1.3. Spicy is a parser generator that makes it easy to create robust C++ parsers for network protocols, file formats, and more. Spicy development enables new and improved protocol parsing for network traffic and more.

For details on the new Spicy features, see the release news and changes:

https://github.com/zeek/spicy/blob/v1.3.0/NEWS.rst#version-13

https://github.com/zeek/spicy/blob/v1.3.0/CHANGES

Zeek Blog and Mailing List

The blog and mailing list were fairly quiet in October. Highlights include an announcement for the ZeekWeek Capture the Flag (CTF) contest, and a discussion of Zeek performance on FreeBSD 13.

For more, see the blog and October mailing list archive:

https://zeek.org/blog/

https://lists.zeek.org/archives/list/zeek@lists.zeek.org/2021/10/

Zeek in the Community

On October 18, the DFIR (Digital Forensics and Incident Response) Report published an analysis of “an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant.” They utilized the Real Intelligence Threat Analytics (RITA) scripts developed by Active Countermeasures to process Zeek logs created during their analysis. Read more about the event here:

https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/

On October 24, Florian Roth published a Sigma rule for identifying Monero crypto coin mining within Zeek data. See more here:

https://twitter.com/cyb3rops/status/1452271215968673810

Seth Grover released Malcolm 3.4.0, with updates to Zeek 4.1.1 and Spicy 1.3.0. Thank you to Seth for updating many Zeek packages to work with the latest versions! See this Malcolm release page for more details:

https://github.com/idaholab/Malcolm/releases/tag/v3.4.0

Finally, the Security Onion conference occurred October 1, and the SuriCon conference for Suricata followed on 20-22 October.

To watch the Security Onion videos, see this YouTube playlist:

https://www.youtube.com/playlist?list=PLljFlTO9rB17mESq7Z9OeFKvVh39vJW34

Zeek Package Updates

Corelight released a package which raises notices for the Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013) vulnerability. For details, see:

https://github.com/corelight/CVE-2021-41773/

A visit to the https://packages.zeek.org site showed that the Cybersecurity and Infrastructure Security Agency (CISA) updated the following Zeek packages:

10/27/21, 5:53 PM icsnpp-enip
10/27/21, 5:52 PM icsnpp-bsap
10/27/21, 5:50 PM icsnpp-bacnet
10/27/21, 3:06 PM zeek-plugin-s7comm
10/27/21, 3:05 PM zeek-plugin-profinet

These packages are hosted at the agency’s GitHub repository.

https://github.com/orgs/cisagov/repositories

Note that Zeek uses these packages to understand industrial control systems and infrastructure protocols.

No packages reported updates in October, according to this search.

Zeek in the Enterprise

Security Onion Solutions released their Response-Ready (R2) Appliances:

https://blog.securityonion.net/2021/10/introducing-security-onion-solutions.html

Corelight noted that Splunk was using Zeek and Suricata data in its latest Boss of the SOC (Security Operations Center) (BOTS) exercise:

https://corelight.com/blog/take-the-corelight-challenge-splunks-boss-of-the-soc

Upcoming Events

Zeek Monthly Webinar Series: This is a bi-weekly webinar series held on the 2nd and 4th Tuesdays of each month featuring Zeek users, developers and invited guests. These presentations ARE recorded and shared with the community.

Monthly Zeek Community Call: Monthly calls that are open to everyone to discuss topics related to the growth, governance and administration of the community. These calls ARE recorded.

For details, see: https://zeek.org/events/

Zeek Related Jobs

The following are a sampling of job opportunities that mention Zeek skills.

Director, Professional Services (Remote)

CrowdStrike Sunnyvale, CA Remote

https://www.linkedin.com/jobs/view/2768885814/

Principal Network Security Researcher

Battelle Chantilly, VA

https://www.linkedin.com/jobs/view/2769973129/

Sr. Security Engineer, Detection & Response

Cruise San Francisco, CA

https://www.linkedin.com/jobs/view/2681782548/