Zeek community,
We’re writing to let you know about zq <https://github.com/brimsec/zq>, an open source command-line processor for structured logs, built for Zeek. (In fact, we’ve been told zq is “like zeek-cut on steroids”.)
Those of you who were on the “Ask the Zeeksperts” call on January 16th saw Seth Hall and Justin Azoff give an early peek of zq (thanks guys!), so this is just an “official” announcement. Come one, come all!
You can get involved by:
• Checking out the zq GitHub repo <https://github.com/brimsec/zq> for install info, code, and docs
• Joining our public Slack <https://join.slack.com/t/brimsec/shared_invite/enQtOTMwMDczODg2ODgyLTk1NTdj…> workspace for announcements, Q&A, and to trade query ideas
• Contacting us directly via email <mailto:info@brimsecurity.com> to schedule a Zoom videoconference
All you need is some Zeek logs (and there’s sample logs <https://github.com/brimsec/zq-sample-data> to help you get started). Here’s just a taste of what’s possible:
- A table of top hosts in a subnet that are experiencing the most SYNs-without-ACK:
zq -f table "10.164.94.0/24 conn_state=S0 | count() by id.orig_h | sort -r" *
- A regex search for certain HTTP methods, with full events output as NDJSON:
zq -f ndjson "method=/^(PUT|PATCH|UPDATE)$/" *
- Connections open a long time with low traffic, printed as a Zeek TSV log:
zq -f zeek "duration>1000 orig_bytes<10 resp_bytes<10" *
Of course, that’s just scratching the surface. Please try it out and let us know what you think on GitHub <https://github.com/brimsec/zq> or Slack <https://join.slack.com/t/brimsec/shared_invite/enQtOTMwMDczODg2ODgyLTk1NTdj…>.
Happy hunting, Zeeking, & zq’ing!
--
The Brim team
Hi,
I tried to write a simple script to detect long-running connections using
Zeek (3.0) thresholds. I set the duration in the connection_established event and
then, using duration_threshold_crossed, logged connections above the limit.
But the Notice log is then flooded with every new established connection.
Simple PoC below. Did I miss something? Is there any better way to
detect long-running connections? I tried Corelight's bro-long-connections
but there is a lot of overhead in my environment. Thanks for pointing me in
the right direction!
--
Petr
PoC:
@load base/protocols/conn

module LongConnection;

export {
	redef enum Log::ID += { LOG };

	redef enum Notice::Type += {
		## A connection stayed established longer than the configured duration.
		LongConnection::found
	};

	## Threshold after which an established connection is reported.
	const duration: interval = 12hr &redef;
}

# Arm a duration threshold on every established connection.
event connection_established(c: connection)
	{
	ConnThreshold::set_duration_threshold(c, duration);
	}

# Raised once the threshold armed above is crossed.
event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool)
	{
	local message = fmt("%s:%s -> %s:%s remained alive for longer than %s",
	                    c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, threshold);
	NOTICE([$note=LongConnection::found,
	        $msg=message,
	        $sub=fmt("%.2f", threshold),
	        $conn=c]);
	}
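As an added example (not code from zq, Brim, or Petr's post): a small Python reader for Zeek's TSV conn.log that reproduces, over a constructed sample, the S0-by-originator count from the zq announcement above and the long-but-quiet connection check that both the announcement's third query and the question above are after. It assumes the subnet term in the first query applies to the originator address.

```python
import ipaddress
from collections import Counter

# Constructed Zeek TSV conn.log sample (not real traffic), trimmed to the fields used below.
_HEADER = [
    "#separator \\x09", "#set_separator\t,", "#unset_field\t-", "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tduration\torig_bytes\tresp_bytes\tconn_state",
]
_RECORDS = [  # ts, uid, orig_h, orig_p, resp_h, resp_p, proto, dur, ob, rb, state
    ("1585600000.1", "C1", "10.164.94.5", "51000", "192.0.2.10", "445", "tcp", "3.0", "0", "0", "S0"),
    ("1585600001.2", "C2", "10.164.94.5", "51001", "192.0.2.11", "445", "tcp", "3.0", "0", "0", "S0"),
    ("1585600002.3", "C3", "10.164.94.7", "51002", "192.0.2.10", "22", "tcp", "-", "-", "-", "S0"),
    ("1585600003.4", "C4", "10.164.94.5", "51003", "192.0.2.12", "80", "tcp", "0.5", "200", "3000", "SF"),
    ("1585600004.5", "C5", "10.9.9.9", "51004", "192.0.2.10", "445", "tcp", "3.0", "0", "0", "S0"),
    ("1585600005.6", "C6", "10.164.94.20", "51005", "198.51.100.5", "443", "tcp", "43200.0", "4", "0", "OTH"),
    ("1585600006.7", "C7", "10.164.94.21", "51006", "198.51.100.6", "443", "tcp", "5000.0", "12", "8", "SF"),
]
SAMPLE_CONN_LOG = "\n".join(_HEADER + ["\t".join(r) for r in _RECORDS]) + "\n"

def parse_zeek_tsv(text):
    """Turn Zeek TSV log text into a list of {field: string} rows."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # #separator, #types, #close and other metadata lines
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def _num(value):
    """Unset ('-') fields count as 0 for the comparisons below."""
    return 0.0 if value == "-" else float(value)

def top_s0_by_orig(rows, subnet, limit=10):
    """'<subnet> conn_state=S0 | count() by id.orig_h | sort -r', reading the
    subnet term as 'originator inside the subnet' (an assumption)."""
    net = ipaddress.ip_network(subnet)
    hits = Counter(r["id.orig_h"] for r in rows if r["conn_state"] == "S0"
                   and ipaddress.ip_address(r["id.orig_h"]) in net)
    return hits.most_common(limit)

def long_quiet_connections(rows, min_duration=1000.0, max_bytes=10):
    """'duration>1000 orig_bytes<10 resp_bytes<10': uids of connections that
    stayed open longer than min_duration seconds but carried almost no data."""
    return [r["uid"] for r in rows if _num(r["duration"]) > min_duration
            and _num(r["orig_bytes"]) < max_bytes
            and _num(r["resp_bytes"]) < max_bytes]
```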
Hello,
I wanted to ask whether contributing code to Zeek requires signing a
Contributor License Agreement (CLA). I have not seen any mentions of
this in Zeek's documentation but I'm asking just to make sure.
Thanks in advance,
Matteo Rizzo
So in my local.bro file I have
@load packages <---- line 119
When I run zeekctl check I get
manager scripts failed.
fatal error in /usr/local/bro/site/local.bro, line 119: can't find packages
which makes me think there is a package it cannot load, either
because of corruption or because said package is just not there. Is there a
way to crank up the verbose level so I can see what it was doing when
it went boink?
Hi all,
Since we won’t be holding any in-person Zeek events for the foreseeable
future, we’d like to invite you to be part of a new weekly ‘Zeek From Home’
webinar series to kick off in April. The schedule will be announced once we
have a few submissions queued up.
These presentations will be recorded and shared via the Zeek mailing list,
blog and Twitter account.
Please take a look at the blog post (link below) and consider submitting a
presentation for the Zeek From Home series.
https://zeek.org/2020/03/31/zeek-from-home/
If you have any questions you can email me, reply to this thread or email
info(a)zeek.org.
With gratitude,
~Amber
Dear Zeek Community,
It is our hope that all of you are staying safe and healthy during this
uncertain time. We’re all navigating unfamiliar territory together, as the
COVID-19 crisis affects every aspect of our lives both personally and
professionally.
We all wish we knew what the future might hold for 1 month, 3 months, 6
months or more from now. It would make planning for events easier and more
efficient; however, that is not the case. While we sincerely hope the
world and our daily activities will be back to normal in the fall, we can’t
be assured of that.
Given the uncertainty, we’ve made the difficult decision to cancel ZeekWeek
2020 in Austin. Rest assured that we are looking at other options to bring
the community together as things improve and become more predictable. Those
options include a virtual event during the same time frame, and if it’s
safe to bring people together, then we will look at holding a smaller event
in a different location. However, we won’t know until we get closer to
October.
Don’t file away those ZeekWeek talks you were going to pitch!! We will be
announcing some new initiatives for you to share your knowledge and bring
the community together.
In the meantime, there are many ways for you to connect with the Zeek
Community - Mailing Lists <https://zeek.org/mailing-lists/>, Slack Workspace
<https://join.slack.com/t/zeekorg/shared_invite/enQtOTc3MzMxNDI1NDYxLTA1Nzhh…>,
Webinars
<http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-March/015193.html>
and more.
We look forward to seeing you in-person once it is safe to do so. Until
then, remember, without you there is no community! Together we are better,
whether in-person or online.
Stay Safe and Zeek on!!
The Zeek Leadership Team
Blog Post of this message -
https://zeek.org/2020/03/31/zeekweek-2020-austin-cancelled-open-letter-to-t…
Hi all,
I have enabled the bro-doctor plugin in my Zeek 3.0.3 cluster and I see the following error:
###################################################################
# Checking if connections are unevenly distributed across workers #
###################################################################
error: Traceback (most recent call last):
File "/usr/lib64/python3.6/cmd.py", line 214, in onecmd
func = getattr(self, 'do_' + cmd)
AttributeError: 'ZeekCtlCmdLoop' object has no attribute 'do_doctor'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line 596, in cmd_custom
results.ok = f() and results.ok
File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line 457, in check_connection_distribution
variance = reduce(lambda var, cnt: var + (cnt - mean)**2, nodes.values(), 0) / len(nodes)
NameError: name 'reduce' is not defined
All other doctor options work OK, but not this one … Is it a bug? Do I need to install some other Python module? Zeek is running as an unprivileged user …
--
Regards,
C. L. Martinez
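Added example, not bro-doctor's own code: the variance line from the traceback above runs under Python 3 once reduce() is imported from functools (it is no longer a builtin there). The per-worker counts and the unevenness threshold are constructed assumptions for the demo.

```python
from functools import reduce  # Python 3 moved reduce() out of the builtins
import math

# Constructed per-worker connection counts (not real zeekctl output); the
# real plugin gathers these from the cluster nodes.
SAMPLE_NODES = {"worker-1": 1200, "worker-2": 1180, "worker-3": 1210, "worker-4": 310}

def connection_spread(nodes):
    """Mean and variance of connections per worker, using the same reduce()
    expression that appears in the traceback above."""
    mean = sum(nodes.values()) / len(nodes)
    variance = reduce(lambda var, cnt: var + (cnt - mean)**2, nodes.values(), 0) / len(nodes)
    return mean, variance

def unevenly_distributed(nodes, max_cv=0.25):
    """Flag a cluster whose per-worker counts vary by more than max_cv
    (standard deviation divided by mean). The threshold is an assumption
    for this demo, not bro-doctor's own."""
    mean, variance = connection_spread(nodes)
    return mean > 0 and math.sqrt(variance) / mean > max_cv
```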
I have a configuration of FreeBSD with Zeek; my goal is to analyze network
traffic on one network interface and block (IPS) the packet to the other
interface if it falls within my list of signatures that I have defined
in my signatures.sig.
I have searched far and wide for a solution, but I have not come up with
feasible solutions for this purpose (since Zeek was not born as an IPS, like
Snort and Suricata). Do you have any advice?
Zeek 3.0.3
FreeBSD 11
bro-netmap installed
Thanks very much
Hi All,
I'm testing Zeek/Bro capabilities in terms of detecting different types of
steganography. After working with the ICMP protocol, now I am trying to
inspect the TCP protocol. I want to detect if the reserved bits in TCP are
changed with the help of TCP events. Unfortunately without success.
Is it possible to inspect TCP reserved bits with Zeek events? If not, is
there any other possible way to detect whether those bits were changed?
Best regards,
Tomasz Koziak
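Added example, not from the post and in Python rather than Zeek script: it shows where the reserved bits sit in a raw TCP header (4-bit data offset, 3 reserved bits, then NS through FIN per RFC 3168/3540) so a detector, whatever tool hosts it, can flag segments in which they are nonzero. The sample headers are constructed.

```python
import struct

def build_tcp_header(sport, dport, flags, reserved=0, data_offset=5):
    """Constructed 20-byte TCP header (seq/ack/checksum zeroed) for the demo;
    reserved fills the 3 bits between the data offset and the NS flag."""
    offset_flags = (data_offset << 12) | ((reserved & 0x7) << 9) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 65535, 0, 0)

def tcp_reserved_bits(tcp_header):
    """Return (data_offset, reserved, flags) from a raw TCP header. A stricter
    check could also treat the rarely used NS bit (0x100 of flags) as reserved."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", tcp_header[12:14])[0]
    return offset_flags >> 12, (offset_flags >> 9) & 0x7, offset_flags & 0x1FF

def segments_with_reserved_bits(headers):
    """Indexes of headers whose reserved bits are nonzero: a conforming stack
    always sends them as zero, so any other value is worth a look."""
    return [i for i, h in enumerate(headers) if tcp_reserved_bits(h)[1] != 0]

SYN = 0x002
# Constructed sample: a normal SYN, then one carrying 0b101 in the reserved bits.
SAMPLE_HEADERS = [build_tcp_header(40000, 80, SYN),
                  build_tcp_header(40001, 80, SYN, reserved=0b101)]
```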
Hi all,
Just a reminder that this week's ASK THE ZEEKSPERTS webinar will be hosted
by Seth Hall on Thursday 26 March at 12:30pm PST/3:30pm EST.
==========================
What is ASK THE ZEEKSPERTS?
==========================
This is an hour-long bi-monthly webinar for the open-source Zeek (formerly
Bro) community to interface directly with leading contributors to the
open-source project and ask questions live to better understand, expand or
troubleshoot deployments of the network security monitoring software.
===================
How to join the Webinar
===================
These webinars are free, but registration is required. You can register
at:
https://attendee.gotowebinar.com/register/5207290772886395917
=====================
Calendar Reminder Opt-In
=====================
If you would like to receive calendar reminders and you haven't opted in,
but would like to do so, please fill out the following form:
https://www.surveymonkey.com/r/X5W5YQZ
===============================
Zeek ask-the-zeeksperts Slack Channel
===============================
If you'd like to ask questions ahead of the webinar, so that the host will
have time to prepare for your questions you can do so by replying to this
email or joining the #ask-the-zeeksperts slack channel.
If you haven't joined the Slack channel yet you can do so with the link
below:
http://bit.ly/ZeekOrgSlackInvite
=================================
Future ASK THE ZEEKSPERTS Webinars
=================================
* April 9th - Host Fatema Bannat Wala -
https://attendee.gotowebinar.com/register/2632319203581363981
* April 23 - Host TBD
- https://attendee.gotowebinar.com/register/1763308093940786957
* May 14 - Host TBD
- https://attendee.gotowebinar.com/register/328979782344155149
We look forward to your questions and connecting with you on the ASK THE
ZEEKSPERTS calls.
Please let us know if you have any questions.
Thanks,
~Amber