zeek June 2020

zeek@lists.zeek.org

24 participants
33 discussions

by Mauricio Tavares

Using the drawing from https://docs.zeek.org/en/current/cluster/ as reference, I have some workers which are being used for other tasks. As such, I would like to offload as much as I can to the proxies as I can build them to fit my needs instead of just riding on an already running server (the workers). How can I tune the analysis done at worker vs the proxy to fit my need?

10 months, 3 weeks

Need help splitting HTTP log

by Jorge Garcia Rodriguez

Hi everyone! Im trying to Split the http logs in two. What I want to accomplish is that when the http event tags have the "URI_SQLI", instead of being logged in the normal http.log I want it to be logged in a new http-sqli.log. I have tried a lot of different ways but with no success, since this is the very first script that im writing for Zeek. This is one of the ways that i´ve tried: event zeek_init() { Log::remove_default_filter(HTTP::LOG); Log::add_filter(HTTP::LOG, [$name = "http-sqli", $path_func(id: Log::ID, path: string, rec: HTTP::Info) = { return ([URI_SQLI] in c$http$tags ? "http-sqli" : "http"); }]); } The problem here seems that I cannot refer properly to the "tags" field. Thanks for your time. Regards! Jorge García Rodríguez Technical Consultant Security Infrastructures jgarciar(a)sia.es<mailto:jgarciar@sia.es> Grupo SIA Avda.Europa,2 - Alcor Plaza, Edificio B - Parque Oeste Alcorcón 28922 Alcorcón - Madrid Tlf: +34 902 480 580<nxphone:+34%20902%20480%20580> Fax: +34 91 307 79 80<nxphone:+34%2091%20307%2079%2080> www.siainternational.com<http://www.siainternational.com/> delivering value This e-mail and any attached files are intended solely for the addresse/s identified herein. It may contain confidential and/or legally privileged information and may not necessarily represent the opinion of SIA. No legally binding commitments will be created by this E-mail message. Where we intend to create legally binding commitments these will be made through hard copy correspondence or documents. If you receive this message by mistake, please immediately notify the sender and delete it since you are not authorized to use, disclose, distribute, print or copy all or part of the contained information Thank you. It is understood that the message was sent to you accidentally, although you appear as the addressee, you can see from the frame of existing relations that you were not the final addressee.

1 year

Adding flow and packet stats on conn log

by Federico Foschini

Hello, I'm reading a bunch of papers on interesting features for machine learning applied on network traffic. For example CSE-CIC ( https://www.unb.ca/cic/datasets/ids-2018.html) My question is: is it possible to add this type of statistic on conn.log? - average packet size - minimum packet size - maximum packet size - total time between two packets - mean time between two packets etc. - etc. Reading in the documentation I saw this events https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_TCP.events.b… but, as state by the documentation itself, it will lead to very poor performance. The other code I think it could be relevant is the TCP analyzer: https://github.com/zeek/zeek/blob/1affbad4b7b8c8cf230ded8224c9c364607b67e9/… I've never contributed to Zeek before and I don't know the codebase at all, so do you think Zeek would be capable of generating this type of stats? Is TCP.cc the right place to implement those features? Are there issues I am overlooking? -- Federico Foschini.

1 year

syslog

by Scot Harris

Does zeek have support to send syslog events? Looked in the logger and notice frameworks but did not see anything there. Documentation has a fair amount about ingesting syslog messages but nothing about outputting them. Running zeek 3.1.1 currently. Wanted to be able to send certain events such as SSH password guessing events to a syslog server which can open tickets on such events. Guessing would need to add another type to the logger framework with config items in zeekctl.cfg for the syslog server address. And use logger -n with that option to send the message to the specific host. Ideas?

1 year

Zeek From Home - 24 June 2020 - Corelight's Role in the Zeek Project - Presented by Greg Bell

by Amber Graner

Hi all, Over the past 2 years there have been many questions, speculations and misunderstandings about Corelight and its role in the Zeek Project. Many of your questions have been answered in direct conversations or at Zeek Week, but we realize many in the Zeek community are new and may not know the history and the commitment Corelight has to the project. This week on Wednesday, 24 June, Greg Bell, CEO of Corelight will be giving a presentation on Corelight's Role in The Zeek Project. Richard Bejtlich will be hosting the discussion. Zeek From Home is recorded and will be shared with the community. These webinars are free and open to the public, but registration is required. You can register to attend at: https://corelight.zoom.us/webinar/register/WN_88w_WCX_TnOen7uUI_YckA If you have any questions about the Corelight and it's relationship and commitment to the Zeek Project and its community please help me queue up those questions so that Greg can make sure he includes the answers and addresses each of them. Sample questions include (have been asked over the past year): * Does Corelight own the Zeek Project? * Does Corelight drive the technical direction of the Zeek Project? * What all does Corelight contribute in terms of time, resources and financial support? * The project uses a lot of Corelight resources is information shared with Corelight Sales or Marketing? How is it kept separate and compartmentalized? Please feel free to add your questions to this thread or to the webform (link below): https://forms.gle/mXbGWEXM5zfqwSEs7 You can also drop your questions into the slack Webinars channel. You can join the slack space at: http://bit.ly/ZeekOrgSlackInvite I'll send your questions to Greg and Richard before the call. Thanks in advance everyone and we look forward to seeing you on the call! With gratitude, ~Amber

1 year, 1 month

TCP History

by Greg Grasmehr

Hello, Given that this appears to be scanning originating from Google DNS, I just want to make sure there is no chance this is in error or maybe I am misunderstanding what I am reading here. Lines like this are written to a custom log on event connection_state_remove ts orig_ip orig_port dest_ip dest_port conn_state orig_pkts dest_pkts proto 2020-06-21T01:19:55 8.8.8.8 22979 redacted 8080 S0 2 0 tcp 2020-06-21T01:19:59 8.8.8.8 53096 redacted 8080 S0 1 0 tcp 2020-06-21T01:22:02 8.8.8.8 53096 redacted 8080 S0 2 0 tcp Thanks in advance for any insight. Greg

1 year, 1 month

Zeek Monthly Newsletter - Issue 5 - June 2020 - Now Available!

by Amber Graner

Zeek Monthly Newsletter - Issue 5 - June 2020 - Now Available! You can view the blog post at: https://zeek.org/2020/06/18/zeek-monthly-newsletter-issue-5-june-2020/ Below is the plain text version. ++++++++++++++++++++++++++++ Welcome to the Zeek Monthly Newsletter, Issue 5 covers May 2020 as well as upcoming events. ________________________________ IN THIS ISSUE: > TD;LR > Development Updates > Zeek Blog > Zeek In The Community > New Zeek Related Packages > Zeek in Enterprise > Upcoming Events > Zeek Related Jobs > Get Involved ________________________________ TD;LR This newsletter covers items found in, near and around the community in May 2020. You’ll also see upcoming events for the remainder of June and July. For those events that have already happened we have included the links. We’ve also included a list of Zeek related jobs, Zeek Packages that were added in May and we have added a new section - Zeek in Enterprise. + We Need Your Feedback + We are always looking for ways to improve our engagement opportunities and as such we have a few surveys we’d like to get your feedback on. Depending on your areas of interest please take a moment to give us your feedback. > Cloud Security - https://www.surveymonkey.com/r/ZeekCloudSecuritySurvey > Webinar Survey - https://www.surveymonkey.com/r/zeekwebinarsurvey > Governance Survey - https://www.surveymonkey.com/r/zeekgovernancesurvey > Package Contest Survey - https://www.surveymonkey.com/r/zeekpackagecontestsurvey + Live Streaming + Zeek YouTube Channel - https://www.youtube.com/zeekurity We are now Live Streaming all our recorded webinars to YouTube. We have also added a Zeek From Home Playlist. - https://www.youtube.com/watch?v=-iwD1BYA1s0&list=PL2EYTX8UVCMiLeD0NwUK0_QqA… ________________________________ DEVELOPMENT UPDATES Zeek 3.0.6 and 3.1.3 release (security + bug fixes) - http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-May/015308.html Announcing the (New) Spicy Parser Generator - The Spicy parser generator makes it substantially easier for Zeek to support and parse new protocols and file formats. - https://zeek.org/2020/05/18/announcing-the-new-spicy-parser-generator/ ________________________________ ZEEK BLOG 1 May 2020 - Community Call Notes and Recording - Each month we have an open call with the community. This is the summary of the May 2020 call. http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-May/015306.html People of Zeek Interview Series – Matthias Vallentin of Tenzir - Matthias is the Co-Founder and CEO of Tenzir as well as an active Zeek community member. - https://zeek.org/2020/05/05/people-of-zeek-interview-series-matthias-vallen… People of Zeek – Interview Series – Phil Rzewski of Brim Security - Phil is the Technical Director at Brim Security and an active Zeek community member. - https://zeek.org/2020/05/06/people-of-zeek-interview-series-phil-rzewski-of… Zeek From Home – Episode 2- Looking Deeper into the Zeek 3.0 – Major Changes, Point Releases and more – Recording Now Available! - https://zeek.org/2020/05/15/zeek-from-home-episode-2-looking-deeper-into-th… Zeek From Home – Episode 3- Suricata - Recording Now Available! - https://zeek.org/2020/05/27/zeek-from-home-episode-3-suricata/ Zeek (Bro) Install Session - with Fatama Bannat Wala and Virtually Testing Foundation - Issue 4 of the Zeek Monthly Newsletter - https://zeek.org/2020/05/11/zeek-monthly-newsletter-issue-4-may-2020/ ________________________________ ZEEK IN THE COMMUNITY University supercomputers shut down over cryptocurrency mining malware - Leading educational facilities among those whose supercomputers were infected - in the UK, Switzerland Germany and one suspected in Spain - according to reports. - https://www.scmagazineuk.com/university-supercomputers-shut-down-cryptocurr… Expert Reaction On Supercomputers Across Europe Infected with Cryptomining Malware - Multiple supercomputers across Europe have been infected with cryptocurrency mining malware and have shut down to investigate the intrusions, according to ZDNet. Security incidents have been reported in the UK, Germany, and Switzerland, while a similar intrusion is rumoured to have also happened at a high-performance computing centre located in Spain.See what experts have to say on the matter. https://www.informationsecuritybuzz.com/expert-comments/expert-reaction-on-… Security Onion Hybrid Hunter 1.3.0 - Beta 2 Available for Testing! - Help test the next major release of Security Onion - https://blog.securityonion.net/2020/05/security-onion-hybrid-hunter-130-bet… securityonion-capme - 20121213-0ubuntu0securityonion79 resolves a Reflected XSS - vulnerability - Kevin Breen responsibly disclosed a Reflected XSS vulnerability in CapMe. We've improved input validation to address this vulnerability and a package is now available - https://blog.securityonion.net/2020/05/securityonion-capme-20121213.html 20200501 Edition of Security Onion Documentation printed book now available! - A printed version of Security Onions Official online documentation is now available in print. Check it out at: https://blog.securityonion.net/2020/05/20200501-edition-of-security-onion.h… Zeek 3.0.6 now available for Security Onion! - https://blog.securityonion.net/2020/05/zeek-306-now-available-for-security.… Security Onion 16.04.6.6 ISO image now available featuring Zeek 3.0.5, Suricata 4.1.8, Elastic 6.8.8, CyberChef 9.20.3, and more! - https://blog.securityonion.net/2020/05/security-onion-160466-iso-image-now.… How to install Zeek (aka bro) - Virtually Testing (Video) - Fatema Bannat Wala, CISSP walks participants through how to install Zeek on an Ubuntu. https://www.youtube.com/watch?v=4b_dW5JdE5U ________________________________ NEW ZEEK PACKAGES > SMB Fingerprinting Zeek package - https://github.com/micrictor/smbfp > Zeek-known-outbound - https://github.com/dopheide-esnet/zeek-known-outbound > Rdfp - https://github.com/yahoo/rdfp > icannTLD - https://github.com/corelight/icannTLD ________________________________ ZEEK IN ENTERPRISE Corelight Co-founders Receive Prestigious IEEE Test of Time Award - Dr. Vern Paxson and Dr. Robin Sommer's landmark 2010 paper on the challenges of machine learning for intrusion detection honored for its enduring influence on the security industry - https://www.prnewswire.com/news-releases/corelight-co-founders-receive-pres… Latest Version of the Bricata Network Security Platform Adds MITRE ATT&CK Support and Simplified Workflows - This update adds powerful support for the MITRE ATT&CK framework, support for high-density data nodes to improve storage and scalability, alert grouping for streamlined management and response, support for virtualization on Amazon Web Services (AWS), and more. https://securityboulevard.com/2020/05/latest-version-of-the-bricata-network… ________________________________ UPCOMING EVENTS (JUNE AND JULY) About Zeek From Home: A weekly webinar presentation series where Zeek users, developers and invited guests can present on Zeek related topics. These presentations are recorded and shared with the community. These webinars ARE recorded. You can find out more about Zeek From Home at: https://zeek.org/2020/03/31/zeek-from-home/ About Ask The Zeeksperts: Is a bi-weekly webinar series where Zeek users, developers and invited guests can answer technical questions about adopting, implementing and using Zeek data. The community is invited to “drop in” to these calls and ask your questions. These webinars are NOT recorded (unless otherwise noted). About Zeek Community CTF (Capture the Flag) Events: Players will compete head-to-head on dozens of security challenges using Zeek data in both Splunk and Elastic. Players can also use open-source Zeek tools on a CLI. Sign up Today! Game winner will take home bragging rights and a $100 Amazon Gift Card. About Monthly Zeek Community Call: These are monthly calls that are open to the community to discuss topics related to the growth, governance and administration of the community. These calls are open to the community and recorded. UPCOMING JUNE EVENTS > 24 June 2020 – ZEEK FROM HOME -11am PDT/2pm EDT – Corelight’s role in the Zeek Project – host Greg Bell – Registration: https://corelight.zoom.us/webinar/register/WN_88w_WCX_TnOen7uUI_YckA > 25 June 2020 – ASK THE ZEEKSPERTS – 12:30pm PDT/3:30pm EDT – Zeek – host Seth Hall (UPDATED LINK) Registration Link: https://corelight.zoom.us/meeting/register/tJcqdeuopz8sGNTaVIuNLcfiuoghJ4Qg… UPCOMING JULY EVENTS (Events will be updated as we get more information.) > 8 July 2020 – ZEEK FROM HOME –11am PDT/2pm EDT - Topic and Presenter TBD Registration Link - https://corelight.zoom.us/webinar/register/WN_88o6MH5zTXargf731ZNSwg > 9 July 2020 – ASK THE ZEEKSPERTS – 12:30pm PDT/3:30pm EDT Registration Link - https://corelight.zoom.us/meeting/register/tJMtdOChqTIoHtM3eOLVs6gq2KwI9-pW… > 10 July 2020 - Monthly Community Call - 3pm EDT - This is a recurring call and you will be able to select all upcoming community calls. Registration Link: https://corelight.zoom.us/meeting/register/tJcldO6qrTMrG9Kwsu6_qHsUeAvdjLmM… > 15 July 2020 – ZEEK FROM HOME –11am PDT/2pm EDT - Topic and Presenter TBD Registration Link - https://corelight.zoom.us/webinar/register/WN_sSTXJPODRSeTGhBrXKZc3Q > 15 July 2020 – ZEEK COMMUNITY CTF –1-3pm PDT/4-6pm EDT Registration Link - https://corelight.zoom.us/meeting/register/tJYqceGgqjwvGNXFYKgLYVQheMs8KhZn… > 22 July 2020 – ZEEK FROM HOME –11am PDT/2pm EDT - Topic and Presenter TBD Registration Link - https://corelight.zoom.us/webinar/register/WN_W_cJVVykQh-jT6ogoPCKTw > 23 July 2020 – ASK THE ZEEKSPERTS – 12:30pm PDT/3:30pm EDT Registration Link - https://corelight.zoom.us/meeting/register/tJAlce6trjIsHtPe4jx4h12JTEzYhSRd… > 29 July 2020 – ZEEK FROM HOME –11am PDT/2pm EDT - JA3 and presented by Jeff Atkinson. Registration Link - https://corelight.zoom.us/webinar/register/WN_Gjh6eHImT56SUHP6XSs7BA PAST WEBINARS - JUNE (LINKS TO RECORDINGS BELOW): > 5 June 2020 – MONTHLY COMMUNITY CALL -Noon PDT/3pm EDT - Link Notes and Recording - http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-May/015306.html > 10 June 2020 – ZEEK FROM HOME –11am PDT/2pm EDT – Zeek Scripts – 101 to 595 – host Aashish Sharma Links to Blog Post and Recording - https://zeek.org/2020/06/17/zeek-from-home-episode-6-zeek-scripting-101-to-… > 11 June 2020 – ASK THE ZEEKSPERTS – 12:30pm PDT/3:30pm EDT – Security Onion – host Doug Burks Link to Video - https://youtu.be/UBqTsQTOv90 > 17 June 2020 – ZEEK FROM HOME -11am PDT/2pm EDT – Spicy – host Robin Sommer – Link to Video: https://youtu.be/FZWVbKQyBmM If you know of any Zeek related events that you would like to share with the community in the monthly newsletter, please email news(a)zeek.org or share on the Zeek mailing list (zeek(a)zeek.org). ________________________________ ZEEK RELATED JOBS > From Brim Front End Engineer - https://www.brimsecurity.com/team/front-end-engineer/ > From LinkedIN Network-Based System Analyst Lead - https://www.linkedin.com/jobs/view/1875715533/ Network-Based System Analyst Lead - https://www.linkedin.com/jobs/view/1883331295/ Sr Cyber DefenseTechnologist I - https://www.linkedin.com/jobs/view/1854283720/ Sr Cyber Defense Technologist I - https://www.linkedin.com/jobs/view/1883301962/ Cyber Defense Technologist II - https://www.linkedin.com/jobs/view/1897092520/ Cyber Defense Technologist II - https://www.linkedin.com/jobs/view/1893187670/ Cyber Network Defense (CND) Architect - https://www.linkedin.com/jobs/view/1854258959/ Cyber Defense Technologist II - https://www.linkedin.com/jobs/view/1893737933/ Cyber Network Defense (CND) Architect - https://www.linkedin.com/jobs/view/1903965203/ ________________________________ GET INVOLVED If you are interested in getting involved with the Zeek Newsletter, please email news(a)zeek.org. Stay up to date by subscribing to the Zeek Mailing List: http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek Follow us on Twitter: https://twitter.com/zeekurity Join our slack channel: http://bit.ly/ZeekOrgSlackInvite

1 year, 1 month

make install fails on Ubuntu

by Monah Baki

Hi all, Running ubuntu 18.04 and I download zeek-3.1.4. Ran ./configure && make no issues, when I ran make install, CMake Error at src/cmake_install.cmake:47 (file): file INSTALL cannot copy file "/home/mbaki/zeek-3.1.4/build/src/zeek" to "/usr/local/zeek/bin/zeek". Call Stack (most recent call first): cmake_install.cmake:138 (include) Makefile:85: recipe for target 'install' failed make[1]: *** [install] Error 1 make[1]: Leaving directory '/home/mbaki/zeek-3.1.4/build' Makefile:18: recipe for target 'install' failed make: *** [install] Error 2 Thanks Monah

1 year, 1 month

Trying https://github.com/WqyJh/zeek-netmap

by Carlos Lopez

Hi all, Has anyone tried installing https://github.com/WqyJh/zeek-netmap under FreeBSD 12.1<https://github.com/WqyJh/zeek-netmap%20under%20FreeBSD%2012.1>? In my installation returns: Scanning dependencies of target bro-plugin-Zeek_Netmap [ 20%] Creating __bro_plugin__ for Zeek::Netmap [ 20%] Built target bro-plugin-Zeek_Netmap Scanning dependencies of target copy-scripts-Zeek_Netmap [ 20%] Built target copy-scripts-Zeek_Netmap Scanning dependencies of target generate_outputs [ 20%] Built target generate_outputs Scanning dependencies of target Zeek-Netmap.freebsd-amd64 [ 40%] Building CXX object CMakeFiles/Zeek-Netmap.freebsd-amd64.dir/src/Plugin.cc.o In file included from /tmp/oo/zeek-netmap/src/Plugin.cc:3: In file included from /tmp/oo/zeek-netmap/src/Netmap.h:10: In file included from /usr/include/net/netmap_user.h:104: In file included from /usr/include/net/netmap.h:816: /usr/include/stdatomic.h:141:21: error: reference to 'memory_order' is ambiguous atomic_thread_fence(memory_order __order __unused) ^ /usr/include/stdatomic.h:134:3: note: candidate found by name lookup is 'memory_order' } memory_order; ^ /usr/include/c++/v1/atomic:628:3: note: candidate found by name lookup is 'std::__1::memory_order' } memory_order; ^ In file included from /tmp/oo/zeek-netmap/src/Plugin.cc:3: In file included from /tmp/oo/zeek-netmap/src/Netmap.h:10: In file included from /usr/include/net/netmap_user.h:104: In file included from /usr/include/net/netmap.h:816: /usr/include/stdatomic.h:154:21: error: reference to 'memory_order' is ambiguous atomic_signal_fence(memory_order __order __unused) ^ /usr/include/stdatomic.h:134:3: note: candidate found by name lookup is 'memory_order' } memory_order; ^ /usr/include/c++/v1/atomic:628:3: note: candidate found by name lookup is 'std::__1::memory_order' } memory_order; ^ In file included from /tmp/oo/zeek-netmap/src/Plugin.cc:3: In file included from /tmp/oo/zeek-netmap/src/Netmap.h:10: In file included from /usr/include/net/netmap_user.h:104: In file included from /usr/include/net/netmap.h:816: /usr/include/stdatomic.h:186:17: error: unknown type name '_Bool' typedef _Atomic(_Bool) atomic_bool; …… Regards, C. L. Martinez

1 year, 1 month

Re: [Zeek] [EXT] Question on Zeek SMB Logs and action "SMB::FILE OPEN"

by Mark I Fernandez

For the “SMB::FILE OPEN” action, I believe you would see this action when viewing a network shared folder. The SMB::FILE OPEN action applies to both files and directories, and I believe there is a flag in one of the SMB headers that specifies if it is a folder. For the “extracted files” issue, that sounds strange, but if the files appear in the “extracted” folder, then those executables are being transferred across the wire. I don’t think Zeek could collect those files otherwise. The only thing I can think of at the moment is that Microsoft Windows has a feature called AutoRun or AutoPlay. Best practice is to disable it, but if it is enabled on your Windows machines, then perhaps it could explain the behavior. Microsoft article on how to disable AutoRun/AutoPlay: https://docs.microsoft.com/en-us/windows/win32/shell/autoplay-reg Mark From: zeek-bounces(a)zeek.org <zeek-bounces(a)zeek.org> On Behalf Of security devops Sent: Tuesday, June 16, 2020 4:28 AM To: zeek(a)zeek.org Subject: [EXT] [Zeek] Question on Zeek SMB Logs and action "SMB::FILE OPEN" Hi I'm running Security Onion with Zeek 3.0.7. I have a client accessing a NAS. Whenever a client accesses a folder containing executables, Zeek will detect a "bro_smb_files" event type for all the executable in the folder, even though the client did not open these executables. There would be an action of "SMB::FILE OPEN" for all these executables and it would be extracted to the "nsm/bro/extracted" folder. Is this the default behaviour as it seems odd that the files are extracted even though they did not cross the wire? I'm also a little confused over "SMB::FILE OPEN" action when I referenced Zeek documentation. Does it mean the file was "open" even though the client only accessed the mapped folder? The follow up question on this would be forensic integrity of the files. Would this weird SMB behavior affect the "access" date of the file (I am referring to MACB dates of file). thank you

1 year, 1 month

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek June 2020