Issue 13 – October 2021
Welcome to the Zeek Monthly Newsletter!
In this Issue:
- TL;DR
- Development Updates
- Zeek Blog and Mailing List
- Zeek in the Community
- Zeek Package Updates
- Zeek in the Enterprise
- Upcoming Events
- Zeek Related Jobs
- Get Involved
TL;DR
ZeekWeek 2021 was a great success. Thank you to everyone who participated. Expect to see videos of the sessions posted to the Zeek YouTube channel in November. Also keep an eye open for more Zeek in Action videos:
https://www.youtube.com/c/Zeekurity
Development Updates
As of this writing, the current versions of Zeek are 4.0.4, the Long Term Support (LTS) release, and 4.11, the development release with the newest features.
On October 19, Benjamin Bannier announced the release of Spicy 1.3. Spicy is a parser generator that makes it easy to create robust C++ parsers for network protocols, file formats, and more. Spicy development enables new and improved protocol parsing for network traffic and more.
For details on the new Spicy features, see the release news and changes:
https://github.com/zeek/spicy/blob/v1.3.0/NEWS.rst#version-13
https://github.com/zeek/spicy/blob/v1.3.0/CHANGES
Zeek Blog and Mailing List
The blog and mailing list were fairly quiet in October. Highlights include an announcement for the ZeekWeek Capture the Flag (CTF) contest, and a discussion of Zeek performance on FreeBSD 13.
For more, see the blog and October mailing list archive:
https://lists.zeek.org/archives/list/zeek@lists.zeek.org/2021/10/
Zeek in the Community
On October 18, the DFIR (Digital Forensics and Incident Response) Report published an analysis of “an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant.” They utilized the Real Intelligence Threat Analytics (RITA) scripts developed by Active Countermeasures to process Zeek logs created during their analysis. Read more about the event here:
https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
On October 24, Florian Roth published a Sigma rule for identifying Monero crypto coin mining within Zeek data. See more here:
https://twitter.com/cyb3rops/status/1452271215968673810
Seth Grover released Malcolm 3.4.0, with updates to Zeek 4.1.1 and Spicy 1.3.0. Thank you to Seth for updating many Zeek packages to work with the latest versions! See this Malcolm release page for more details:
https://github.com/idaholab/Malcolm/releases/tag/v3.4.0
Finally, the Security Onion conference occurred October 1, and the SuriCon conference for Suricata followed on 20-22 October.
To watch the Security Onion videos, see this YouTube playlist:
https://www.youtube.com/playlist?list=PLljFlTO9rB17mESq7Z9OeFKvVh39vJW34
Zeek Package Updates
Corelight released a package which raises notices for the Path Traversal/RCE in Apache HTTP Server 2.4.49 (CVE-2021-41773) and 2.4.50 (CVE-2021-42013) vulnerability. For details, see:
https://github.com/corelight/CVE-2021-41773/
A visit to the https://packages.zeek.org site showed that the Cybersecurity and Infrastructure Security Agency (CISA) updated the following Zeek packages:
- 10/27/21, 5:53 PM icsnpp-enip
- 10/27/21, 5:52 PM icsnpp-bsap
- 10/27/21, 5:50 PM icsnpp-bacnet
- 10/27/21, 3:06 PM zeek-plugin-s7comm
- 10/27/21, 3:05 PM zeek-plugin-profinet
These packages are hosted at the agency’s GitHub repository.
https://github.com/orgs/cisagov/repositories
Note that Zeek uses these packages to understand industrial control systems and infrastructure protocols.
No packages reported updates in October, according to this search.
Zeek in the Enterprise
Security Onion Solutions released their Response-Ready (R2) Appliances:
https://blog.securityonion.net/2021/10/introducing-security-onion-solutions.html
Corelight noted that Splunk was using Zeek and Suricata data in its latest Boss of the SOC (Security Operations Center) (BOTS) exercise:
https://corelight.com/blog/take-the-corelight-challenge-splunks-boss-of-the-soc
Upcoming Events
Zeek Monthly Webinar Series: This is a bi-weekly webinar series held on the 2nd and 4th Tuesdays of each month featuring Zeek users, developers and invited guests. These presentations ARE recorded and shared with the community.
Monthly Zeek Community Call: Monthly calls that are open to everyone to discuss topics related to the growth, governance and administration of the community. These calls ARE recorded.
For details, see: https://zeek.org/events/
Zeek Related Jobs
The following are a sampling of job opportunities that mention Zeek skills.
Director, Professional Services (Remote)
CrowdStrike Sunnyvale, CA Remote
https://www.linkedin.com/jobs/view/2768885814/
Principal Network Security Researcher
Battelle Chantilly, VA
https://www.linkedin.com/jobs/view/2769973129/
Sr. Security Engineer, Detection & Response
Cruise San Francisco, CA
https://www.linkedin.com/jobs/view/2681782548/
Senior Associate, Cybersecurity, Managed Detection and Response Analyst
Ankura
Washington, DC Remote
https://www.linkedin.com/jobs/view/2728806377/
For more, see https://www.linkedin.com/jobs/search/?geoId=103644278&keywords=zeek
Get Involved
If you have any comments or material for the newsletter please email news@zeek.org or join the #news Slack channel.
Stay up to date by subscribing to the Zeek Mailing List.
Join the conversation on Slack.
Follow us on Twitter.
See you next time!
RSS - Posts