zeek March 2020

zeek@lists.zeek.org

41 participants
40 discussions

"zq" command-line processor for Zeek logs

by Phil Rzewski

Zeek community, We’re writing to let you know about zq <https://github.com/brimsec/zq>, an open source command-line processor for structured logs, built for Zeek. (In fact, we’ve been told zq is “like zeek-cut on steroids”.) Those of you who were on the “Ask the Zeeksperts” call on January 16th saw Seth Hall and Justin Azoff give an early peek of zq (thanks guys!), so this is just an “official” announcement. Come one, come all! You can get involved by: • Checking out the zq GitHub repo <https://github.com/brimsec/zq> for install info, code, and docs • Joining our public Slack <https://join.slack.com/t/brimsec/shared_invite/enQtOTMwMDczODg2ODgyLTk1NTdj…> workspace for announcements, Q&A, and to trade query ideas • Contacting us directly via email <mailto:info@brimsecurity.com> to schedule a Zoom videoconference All you need is some Zeek logs (and there’s sample logs <https://github.com/brimsec/zq-sample-data> to help you get started). Here’s just a taste of what’s possible: - A table of top hosts in a subnet that are experiencing the most SYNs-without-ACK: zq -f table "10.164.94.0/24 conn_state=S0 | count() by id.orig_h | sort -r" * - A regex search for certain HTTP methods, with full events output as NDJSON: zq -f ndjson "method=/^(PUT|PATCH|UPDATE)$/" * - Connections open a long time with low traffic, printed as a Zeek TSV log: zq -f zeek "duration>1000 orig_bytes<10 resp_bytes<10" * Of course, that’s just scratching the surface. Please try it out and let us know what you think on GitHub <https://github.com/brimsec/zq> or Slack <https://join.slack.com/t/brimsec/shared_invite/enQtOTMwMDczODg2ODgyLTk1NTdj…>. Happy hunting, Zeeking, & zq’ing! -- The Brim team

8 months, 2 weeks

Long running connection using threshold

by Petr Medonos

Hi, I tried to write simple script to detect long running connection using zeek (3.0) threshold. I set duration in connection established event and then using duration_threshold_crossed logged connection above the limit. But Notice log is then flooded with every new established connection. Simple PoC bellow. Did I missed something? Is there any better way to detect long running connection? I tried Corelight bro-long-connections but there is lot overhead in my environment. Thanks for pointing me the right way! -- Petr PoC: @load base/protocols/conn module LongConnection; export { redef enum Log::ID += { LOG }; redef enum Notice::Type += { LongConnection::found }; const duration: interval = 12hr &redef; } event connection_established(c: connection) { ConnThreshold::set_duration_threshold(c, duration); } event ConnThreshold::duration_threshold_crossed(c: connection, threshold: interval, is_orig: bool) { local message = fmt("%s:%s -> %s:%s remained alive for longer than %s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, threshold); NOTICE([$note=LongConnection::found, $msg=message, $sub=fmt("%.2f", threshold), $conn=c]); }

9 months, 2 weeks

Zeek and CLA

by Matteo Rizzo

Hello, I wanted to ask whether contributing code to Zeek requires signing a Contributor License Agreement (CLA). I have not seen any mentions of this in Zeek's documentation but I'm asking just to make sure. Thanks in advance, Matteo Rizzo

9 months, 2 weeks

How to turn verbose on (Can't load packages)?

by Mauricio Tavares

So in my local.bro file I have @load packages <---- line 119 When I run zeekctl check I get manager scripts failed. fatal error in /usr/local/bro/site/local.bro, line 119: can't find packages which makes me think there is be a package it cannot load either because of corruption or said package is just not there. Is there a way to crank up the verbose level so I can see what it was doing when it went boink?

9 months, 3 weeks

Announcing Zeek From Home Webinar Series

by Amber Graner

Hi all, Since we won’t be holding any in-person Zeek events for the foreseeable future, we’d like to invite you to be part of a new weekly ‘Zeek From Home’ webinar series to kick off in April. The schedule will be announced once we have a few submissions queued up. These presentations will be recorded and shared via the Zeek mailing list, blog and Twitter account. Please take a look at the blog post (link below) and consider submitting a presentation for the Zeek From Home series. https://zeek.org/2020/03/31/zeek-from-home/ If you have any questions you can email me, reply to this thread or email info(a)zeek.org. With gratitude, ~Amber

9 months, 3 weeks

ZeekWeek 2020 Austin - Cancelled - Open Letter to the Community

by Keith Lehigh

Dear Zeek Community, It is our hope that all of you are staying safe and healthy during this uncertain time. We’re all navigating unfamiliar territory together, as the COVID 19 crisis affects every aspect of our lives both personally and professionally. We all wish we knew what the future might hold for 1 month, 3 months, 6 months or more from now. It would make planning for events easier and more efficient; however, that is not the case. While we sincerely hope the world and our daily activities will be back to normal in the fall, we can’t be assured of that. Given the uncertainty, we’ve made the difficult decision to cancel ZeekWeek 2020 in Austin. Rest assured that we are looking at other options to bring the community together as things improve and become more predictable. Those options include a virtual event during the same time frame, and if it’s safe to bring people together, then we will look at holding a smaller event in a different location. However, we won’t know until we get closer to October. Don’t file away those ZeekWeek talks you were going to pitch!! We will be announcing some new initiatives for you to share your knowledge and bring the community together. In the meantime, there are many ways for you to connect with the Zeek Community - Mailing Lists <https://zeek.org/mailing-lists/>, Slack Workspace <https://join.slack.com/t/zeekorg/shared_invite/enQtOTc3MzMxNDI1NDYxLTA1Nzhh…>, Webinars <http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-March/015193.html> and more. We look forward to seeing you in-person once it is safe to do so. Until then, remember, without you there is no community! Together we are better, whether in-person or online. Stay Safe and Zeek on!! The Zeek Leadership Team Blog Post of this message - https://zeek.org/2020/03/31/zeekweek-2020-austin-cancelled-open-letter-to-t…

9 months, 3 weeks

Anyone using Bro doctor plugin?

by Carlos Lopez

Hi all, I have enable bro doctor plugin in my Zeek 3.0.3 cluster and I see the following error: ################################################################### # Checking if connections are unevenly distributed across workers # ################################################################### error: Traceback (most recent call last): File "/usr/lib64/python3.6/cmd.py", line 214, in onecmd func = getattr(self, 'do_' + cmd) AttributeError: 'ZeekCtlCmdLoop' object has no attribute 'do_doctor' During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line 596, in cmd_custom results.ok = f() and results.ok File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line 457, in check_connection_distribution variance = reduce(lambda var, cnt: var + (cnt - mean)**2, nodes.values(), 0) / len(nodes) NameError: name 'reduce' is not defined All other doctor options works ok, but not this one … Is it a bug? Do I need to install some other python module? Zeek is running as unprivileged user … -- Regards, C. L. Martinez

9 months, 3 weeks

Subject: Drop packet by signature event

by Vincenzo

I have a configuration of FreeBSD with Zeek, my goal is to analyze network traffic on one network interface and block (IPS) the packet to the other interface, if this falls within my list of signatures that I have defined in my signatures.sig. I have searched far and wide for a solution, but I have not come up with feasible solutions for this purpose (since Zeek was not born as IPS, as snort and suricata), do you have any advice? Zeek 3.0.3 FreeBSD 11 bro-netmap installed Thanks very much

10 months

Is it possible to inspect TCP reserved bits with Zeek?

by Tomek Koziak

Hi All, I'm testing Zeek/Bro capabilities in terms of detecting different types of steganography. After working with the ICMP protocol now I am trying to inspect the TCP protocol. I want to detect if the reserved bits in TCP are changed with help of TCP events. Unfortunately without success. Is it possible to inspect TCP reserved bits with Zeek events? If not is there any other possible way to detect wheter those bits where changed? Best regards, Tomasz Koziak

10 months

Ask The Zeeksperts - Reminders - Next Webinar is 26 March 2020

by Amber Graner

Hi all, Just a reminder that this week's ASK THE ZEEKSPERTS webinar will be hosted by Seth Hall on Thursday 26 March at 12:30pm PST/3:30pm EST. ========================== What is ASK THE ZEEKSPERTS? ========================== This is an hour long bi-monthly webinarl for the open-source Zeek (formerly Bro) community to interface directly with leading contributors to the open-source project and ask questions live to better understand, expand or troubleshoot deployments of the network security monitoring software. =================== How to join the Webinar =================== These webinars are free, but registration is required. You can register at: https://attendee.gotowebinar.com/register/5207290772886395917 ===================== Calendar Reminder Opt-In ===================== If you would like to receive calendar reminders and you haven't opt'd in, but would like to do so, please fill out the following form: https://www.surveymonkey.com/r/X5W5YQZ =============================== Zeek ask-the zeeksperts Slack Channel =============================== If you'd like to ask questions ahead of the webinar, so that the host will have time to prepare for your questions you can do so by replying to this email or joining the #ask-the-zeeksperts slack channel. If you haven't joined the Slack channel yet you can do so with the link below: http://bit.ly/ZeekOrgSlackInvite ================================= Future ASK THE ZEEKSPERTS Webinars ================================= * April 9th - Host Fatema Bannat Wala - https://attendee.gotowebinar.com/register/2632319203581363981 * April 23 - Host TBD - https://attendee.gotowebinar.com/register/1763308093940786957 * May 14 - Host TBD - https://attendee.gotowebinar.com/register/328979782344155149 We look forward to your questions and connecting with you on the ASK THE ZEEKSPERTS calls. Please let us know if you have any questions. Thanks, ~Amber

10 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek March 2020