zeek August 2019

zeek@lists.zeek.org

32 participants
41 discussions

by Woot4moo

Are there any plans to use another communication platform besides IRC? To the best of my knowledge the IRC channel does not record history, so any new member is unaware of prior chats / discoveries. Is there a desire in the community to move to something along the lines of Discord or Slack? Granted Slack would come at a premium.

2 years, 3 months

Zeek 3.0.0 RC2 available

by Jon Siwek

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Release Candidate 2 for Zeek 3.0.0 is now available for testing: https://www.zeek.org/downloads/zeek-3.0.0-rc2.tar.gz https://www.zeek.org/downloads/zeek-3.0.0-rc2.tar.gz.asc See the CHANGES file for a list of changes since RC1. This major release will have many additions and changes, the most prominent being a comprehensive adaptation to use Zeek instead of Bro. See the NEWS file for the full list of important differences to be aware of when upgrading and testing. Our blog also describes the upcoming release and potential issues when upgrading: https://blog.zeek.org Please report bugs at our GitHub project: https://github.com/zeek/zeek/issues Or feel free to give feedback directly on the Zeek mailing list. -----BEGIN PGP SIGNATURE----- iQIzBAEBAgAdFiEE6WkLK32KwaGfkhxKxotJTfVqzH4FAl1nE94ACgkQxotJTfVq zH4i9g//bPeNtIckaFzdRJqevLqqj4H4TU6CWPnKaELVV0GljFcmuFzfMA4W35yx xFDUKOxUcIgLoQ79mhOm2x3VOaSpKmSz/8BXII5fvSshQ70CkNeTfOr79SQZ+Lvb wPTmq96y2UxSanPH4NanUO7AnI3o7rw9Fu8QGB0MgE0a9Cn1iPaE4dBA4ivAjrI1 JhLqMcuA7hLYwJSkPG3XjJTLumtELsiXxL8LLmbCKQDPYLm6gLSMTKq4p9n8+zo0 GJ/ltwPwmsSYcgmhiifEcVns/HpU7qLEI4uP5XnHQ5Fcgvmu7BPvxA5eV6ZwafxP 5u2rYiPyC6n5qOOiS/mvMP0Y39H8XDC2Oa6TJ+xy0fC5BHYPCBhRcBNlz31Fp8UR 2k1AMAMh+9pSEBz5c7F18H38zblt+swxbp/wN7D+Mg4gwX0qMP1ZUwuGzcYiT5mf Of5rUh2kZa1emrjBMqBe85hpd2Yfn6kvSjwqVeoYoMqgMBb3yhmQPH/itqBq/T1M G9ULuLB8rYRGvwD5DEnPRqzaXP8T0GGAP+1WNTEZxIL8vD6Ksw/oon1h+odTCtT8 zu68Jl/2nDCk7Y6kiHr6x5cOVOT0yEPvc5JlRgb9ZWWuWvvqujJI8aHqzLwiz9Wo XYKwpgroPGijax95pr8Y7Jzgqmcm66GPyBnRaNWXg2bohGOMycg= =8xcQ -----END PGP SIGNATURE-----

2 years, 4 months

Last Day to Submit a Package for the Zeek Package Contest

by Amber Graner

Just as a reminder - TODAY is the last day to submit a package for the Zeek Package Contest. https://blog.zeek.org/2019/07/zeek-package-contest_25.html Thanks, ~Amber-- *Amber Graner* Director of Community Corelight, Inc 828.582.9469 * Ask me about how you can participate in the Zeek (formerly Bro) community. * Remember - ZEEK AND YOU SHALL FIND!!

2 years, 4 months

Zeek Week (Formerly BroCon) Agenda Announced - 8-11 August 2019 - Seattle, Washington

by Amber Graner

Hi all, Check out the ZeekWeek Agenda today for 4 days of sessions, trainings, networking opportunities and more. ==== REGISTER NOW for ZeekWeek 2019 before prices go up August 31st! - http://bit.ly/zeekweek19_registration ==== Join all the leaders and contributors to the Zeek project as well as many of the most expert users from around the world at ZeekWeek 2019. Here's just a taste of the in-depth programming you'll be part of if you're in Seattle: - Learn how BZAR scripts created by MITRE can help you inspect SMB and RPC functions Presented by Mark Fernandez, Lead Cybersecurity Engineer, The MITRE Corporation - A case study on the DNSSEC Protocol parser Presented by Fatema Banat Wala, Security Engineer, University of Delaware - Understand how to profile production Zeek systems Presented by Justin Azoff, Senior Support Engineer, Corelight View the Full Agenda: http://bit.ly/zeekweek19agenda Register Now: http://bit.ly/zeekweek19_registration ==== Zeek out on workshops, training, and community presentations from leaders in the Zeek community. Visit with vendors, sponsors, and other Zeek community members. Save on your conference pass by registering now. Ticket prices rise August 31. Haven't been to a Zeek event? Check out last year's BroCon lineup: https://www.zeek.org/community/brocon2018.html ==== ZeekWeek 2019 is at the Embassy Suites by Hilton Downtown Pioneer Square in Seattle, Washington. We have negotiated a special group rate for our attendees who purchase in our room block. Deadline to reserve is September 16. Learn more: http://bit.ly/zeekweek19 ==== -- *Amber Graner* Director of Community Corelight, Inc 828.582.9469 * Ask me about how you can participate in the Zeek (formerly Bro) community. * Remember - ZEEK AND YOU SHALL FIND!!

2 years, 4 months

Raw HTTP Headers

by Andrew Klaus

Hello, I'd like to write a script for HTTP requests, but I need the raw and untruncated headers to do this. I can't seem to find an event that will give me this data to work with. I've looked at http_all_headers and http_header, but they still strip whitespace. Is there any (current) way of doing this? It'd be nice to be able to do this without having to modify the analyzer. Thanks! Andrew

2 years, 4 months

Decryption of HTTP traffic

by Jonah Burgess

Hi, When feeding PCAPs to Zeek, is there any functionality to decrypt HTTPS traffic? I see that the SSL log contains “a record of SSL sessions, including certificates being used” - can these certificates be used to decrypt PCAPs before Zeek processes them to ensure HTTP logs are correctly populated? Thanks, Jonah

2 years, 4 months

Bro 2.6.4 release (security update)

by Jon Siwek

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 A security patch release, Bro v2.6.4, is now available for download: https://www.zeek.org/downloads/bro-2.6.4.tar.gz https://www.zeek.org/downloads/bro-2.6.4.tar.gz.asc Bro v2.6.4 addresses a potential Denial of Service vulnerability: * The NTLM analyzer did not properly handle AV Pair sequences that were either empty or unterminated, resulting in invalid memory access or heap buffer over-read. The NTLM analyzer is enabled by default and used in the analysis of SMB, DCE/RPC, and GSSAPI protocols. Thanks to Chris Hinshaw for reporting the issue. -----BEGIN PGP SIGNATURE----- iQIzBAEBAgAdFiEE6WkLK32KwaGfkhxKxotJTfVqzH4FAl1nE/kACgkQxotJTfVq zH6Few//S2ErQbxV2StBTRECbX7BeAOZy9y+UYhH1BYCQuYLplhdg+Slgj1cPxas y0Tkm8B6EX8uBcAX3QRzui+bZvwVtlJDo3sGAAkjiLAK6djf8ix1i9aAZgfzi7/I yiACWnpXe+2r3/XN020uoL8LQk7M0GZ7g3v6WMykdncCortneEVuQGPjb9lbXQ7B f5KYXaThV53t6axHBhnbMwEtiXzJQ/uWAwDd+owpuWYl7DpeVZ3WL3iGzaEsA66T pY6mjElOjeaHI4ttmdMsjbrxyseC+bhnlY5Q4NB9RJtQwbKjoP/FPwvOvD1qD3mD 2hY5h7t+GzENr3XHiuidmJvYRYrTn6wQLw5c6WL1Qs7raBdpRfpCmadrIYLYJVkY TnTc/8BO4Pu09pGoQB6JiCOdt4Q452RJkrEt7LcOmWYOLBThXGYejM/PvKkdWsft sGJ4bpsxKQoTWVLKKXTSnVvbwaDahyHl4/YZ776FEtBh5BTY4fHZw/GmwnbxEbDC dp7gZ3GvhIQwOzrofm3T5aX3AvIZglZcDTwwRYyQ8d8ZZ/s/HCE4GNX3JTjZCxlx ebKC9n5F+F6PSOdpeLsC7z9fT5/WPJHW9hxAhT5mHUToGeYohp6jqb+OAgHR0nXr aonvtN4Y/5MC4Ink+PAxHUdW228e9bv3Bxe7/0kCITeEBU6zX8Q= =Biua -----END PGP SIGNATURE-----

2 years, 4 months

extract URLs from emails, web pages, and documents

by Ambros Novak

Hola! How can URLs be extracted from SMTP emails, HTTP pages and files? Is there an analyzer or option that needs to be loaded or enabled? Side question --- is the an analyzer for JSON requests? Thank you for your help. Ambros

2 years, 4 months

OS fingerprinting Status

by Federico Foschini

Hello, Is there a way to fingerprinting operating systems in zeek? I have done some testing using *OS_version_found* event https://docs.zeek.org/en/stable/scripts/base/bif/event.bif.bro.html#id-OS_v… and by modify this old script: https://github.com/ewust/telex/blob/master/telex-station/station/bro-1.5.1/… But without much success. I stumpled upon the (WIP) release notes from Zeek 3.1.0 and read the following: - Removed p0f (passive OS fingerprinting) support. The version of p0f shipped with zeek was ancient, probably did not give any reliable support anymore and did not offer a clear upgrade path. The ``OS_version_found`` event as well as the ``generate_OS_version_event`` configuration option were removed. So I'm assuming my apprach it will be a failure. Is there another way to get OS information? Are there some zeek scripts that offer this functionality? -- Federico Foschini.

2 years, 4 months

Re: [Zeek] [EXT] HTTP/2 analyzer

by Khan, Murad A.

Afaik, the Palo’s downgrade traffic to HTTP 1.1 by manipulating the TLS exchange – so you might not even see any HTTP/2 traffic. Iirc adding support for HTTP/2 was on their roadmap but not a high priority. You can check if you actually have HTTP/2 negotiated connections by monitoring the pre-decrypted traffic and looking for the negotiated protocol in the ssl.log. The ALPN designator for standard http2 is ‘h2’. From: <zeek-bounces(a)zeek.org> on behalf of Eric Ooi <ericooi(a)gmail.com> Date: Wednesday, August 21, 2019 at 1:57 PM To: "zeek(a)zeek.org" <zeek(a)zeek.org> Subject: [EXT] [Zeek] HTTP/2 analyzer Has anyone tried the HTTP/2 analyzer from MITRE?: https://github.com/MITRECND/bro-http2 I've installed it but it doesn't seem to generate any http2.log files. I have a Palo Alto firewall performing decryption and mirroring this decrypted traffic to my Zeek sensor. Zeek has no issue analyzing the decrypted HTTP/1.1 traffic but I haven't yet seen decrypted HTTP/2 traffic show up which is what the majority of my decrypted traffic seems to be. Curious if anyone else has tried this or if the developers of the plugin are on the list for me to bug. :P Thanks! Eric

2 years, 4 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek August 2019