vZW21 – Day 3 – Developer Track

vZeekWeek 2021 – Day 3 – Developer/Zeek Roadmap Track




(Please note all times are Pacific Time)


9:00am – 9:10am Recap Day 2 and Overview of Day 3

(Talk 1)

Amber Graner
9:10am – 9:40am Keynote

(Talk 2)

Richard Bejtlich
9:40am – 10:00am Roadmap & Contribution How-To

(Talk 3)

Robin Sommer
This talk covers what’s on the Zeek development team’s roadmap for the near- and medium-term future. We’ll also talk about ways you can contribute to Zeek, through code, testing, documentation, or just ideas & feedback.
10:00am – 10:20am The new packet processing pipeline

(Talk 4)

Tim Wojtulewicz
At last year’s ZeekWeek, we introduced the new Packet Analysis framework for adding a new type of analyzer below layer 3, which opens up an entirely new class of detections not previously possible. This talk expands on that introduction, describing new use cases and the ways that we have been extending Zeek’s capabilities using the new framework.
10:20am – 10:40am BREAK
10:40am – 11:00am zkg templates

(Talk 5)

Christian Kreibich 
Zeek 4.1 introduces the ability to bootstrap Zeek packages directly via zkg’s new templating feature. This talk will explain this new feature and show examples of new Zeek packages with various capabilities, such as plugins, Spicy analyzers, and CI.
11:00am – 11:20am Creating Zeek analyzer packages with Spicy

(Talk 6)

Benjamin Bannier
At last year’s ZeekWeek we introduced the Spicy language and toolset for efficiently creating memory-safe parsers for network protocols. Since then we have released a first major release and a number of minor releases making Spicy more ergonomic, addressing bugs, and streamlining the processes of creating new Zeek analyzers.

This talk gives a walkthrough of how to create a new Zeek analyzer package using Spicy from parser grammar to deployable Zeek package.

11:20am – 11:40am Compiling Zeek scripts

(Talk 7)

Vern Paxson
Zeek’s performance depends in part on how quickly the system executes the user’s scripts, as well as the many predefined scripts Zeek makes available. To date, this execution has used a high-level interpreter, which imposes considerable overhead. This talk will sketch two new experimental features for executing scripts much more quickly: compiling them to a low-level form (“ZAM”), and directly to C++.
11:40am – 12:00pm Build Zeek with static plugins included

(Talk 8)

Seth Hall
Since dynamically buildable plugins were added to Zeek, enthusiastic users have encountered a problem where the plugins could fall out of date with their Zeek build. This can result in broken Zeek deployments. This talk will go into how this problem is solved by directly integrating plugins into the main Zeek build with a new feature in Zeek 4.1.
12:00pm – 12:30pm LUNCH
12:30pm – 12:50pm Replacing ZeekControl with the new Cluster Controller

(Talk 9)

Christian Kreibich 
Zeek 4.1 includes a first version of Zeek’s future Cluster Controller, which we’ve slated to replace the aging ZeekControl in Zeek 5. This talk will provide a status update of what’s currently implemented and provide a first glance at this emerging functionality.
12:50pm – 1:10pm Lightning Talks

(Talk 10)

Arne Welzel: ZeekJS: An experimental Zeek plugin embedding Node.js supporting event handling in JavaScript.

Matthias Vallentin: Becoming a Logger Node: Native Consumption of Zeek Logs

Seth Hall: Telemetry for Zeek

Justin Azoff: Isolating and fixing a script performance issue

Johanna Johnson: Log Policy Hooks: What’s new in 4.1 and Dealing with Predicate Deprecation.


1:10pm – 1:50pm Ask the Speakers Q&A 

(Talk 11)

1:50pm – 2:00pm Summary, Wrap-Up and Thank you’s

(Talk 12)

Amber Graner