zeek August 2020

zeek@lists.zeek.org

14 participants
25 discussions

Start a nNew thread

Any news about netmap plugin?

by Carlos Lopez

Good morning, Any news about this plugin to test it in FreeBSD/HardenedBSD systems? Regards, C. L. Martinez

11 months

Worker vs Proxy load

by Mauricio Tavares

Using the drawing from https://docs.zeek.org/en/current/cluster/ as reference, I have some workers which are being used for other tasks. As such, I would like to offload as much as I can to the proxies as I can build them to fit my needs instead of just riding on an already running server (the workers). How can I tune the analysis done at worker vs the proxy to fit my need?

11 months

PostgreSQL traffic analyzer script

by Yuval Khalifa

Hi, I'm using Zeek for quite some time now and I must say that it is one of the best IDSs out there today. Thanks a lot for a the hard work!! I know and use Zeek's ability to extract mysql commands, users, rows count and status from the network traffic. Is it possible to do the same for PostgreSQL? If not, how complicated do you think it would be for me to implement it? Thanks in advance, Yuval.

11 months

REMINDER - Call for Presentations - Virtual ZeekWeek 2020

by Amber Graner

Hi all, If you would like to submit a talk for Virtual ZeekWeek 2020 you have until 6pm PDT today, 31 August. NOTE: talks are only 20 mins for the day 2 user track this year - If you've given a talk in the past please consider submitting a talk. More information can be found at: https://zeek.org/2020/08/17/virtual-zeekweek-2020-call-for-presentations-an… Please let me know if you have any questions. Thanks, ~Amber

11 months, 1 week

Virtual ZeekWeek 2020 - Call for Presentations and Registration Now Open

by Amber Graner

Hi all, Virtual ZeekWeek will be held online from 13-15 October. Registration for Virtual ZeekWeek and Call For Presentations is now open. If you are interested in attending or giving a talk please take a look at the blog post - https://zeek.org/2020/08/17/virtual-zeekweek-2020-call-for-presentations-an… If you have any questions please let me know. Thanks, ~Amber

11 months, 1 week

simulation network

by Dr. Mostafa Abdallah. Ammar

Dear All, Kindly I want to create a simulation environment for Zeek detection capability as IDS and calculate detection time. The simulation environment will be on citrix xencenter hypervisor. I want to install 2 virtual machines , one of them is zeek IDS and the other one is the attacker machine. I want to send traffic from attacker machine and the traffic is mirrored to Zeek vm to detect attack. Any help for this setup. Best Regards,

11 months, 1 week

Developer Phase of the Zeek Package Contest (ZPC-3) Now Open.

by Amber Graner

Hi all, Here are the idea submissions we received for the Ideas Phase of ZPC-3 <https://zeek.org/2020/07/15/zeek-package-contest-zpc-3/>: * Package to detect known C2 frameworks such as Empire, Koadic, FactionC2, Covenant, Merlin, etc. based on their unique traffic patterns. * Package to generate a new ARP log, and to detect known attacks such as ARP spoofing, flooding, scanning, etc * Package to generate NFS log, and detect anomalous NFS activity. * Spicy parser for IGMP If you're a developer and you'd like to help with one of the ideas that were submitted then take a look at the following blog post https://zeek.org/2020/08/21/zpc-3-developers-phase-open/ for more information. Thanks, ~Amber

11 months, 2 weeks

PacketFilter::Dropped_packets very large counts

by Darren S.

Hoping to understand the data in PacketFilter::Dropped_packets notices better. What do each of the counts indicate? Wondering because I have a small percentage of notices from a variety of sensors that are logging the following in the notices, and the counts end up being too large of integers for some post-processing utilities to help compute some metrics on. I suspect that these come from Bro 2.6 sensors. Examples: 18446744069482849436 packets dropped after filtering, 18446744069489230937 received, 6381501 on link 18446744069467467531 packets dropped after filtering, 18446744069467980684 received, 513153 on link 18446744069774533196 packets dropped after filtering, 18446744069778234931 received, 3701735 on link 18446744069437332601 packets dropped after filtering, 18446744069462690099 received, 25357498 on link 18446744069540779703 packets dropped after filtering, 18446744069561221983 received, 20442280 on link 18446744069457313223 packets dropped after filtering, 18446744069457748075 received, 434852 on link 18446744069561323156 packets dropped after filtering, 18446744069583649097 received, 22325941 on link I was attempting to track percentage of dropped packets from this notice by dividing the total received (2nd number) by the count dropped after filtering (1st number) based on what seems like the more common types of reports we see, like this one: 1 packets dropped after filtering, 2724370 received, 2724369 on link (1/2724370 => 0.000000367057338). But I can't conceive that the messages above are carrying realistic numbers to calculate on. -- Darren Spruell phatbuckett(a)gmail.com

11 months, 2 weeks

Question about new FAQ and anchors

by Darren S.

A resource I keep going to with 3rd parties is an FAQ at https://zeek.org/faq/. This page, in comparison with the old FAQ (https://old.zeek.org/documentation/faq.html) does not currently support anchors on the page to link directly to a specific entry. Would it be possible to renovate the FAQ to make this possible? (And/or: what about moving the FAQ into the better documentation engine at https://docs.zeek.org/ and linking to it there)? Regards, -- Darren Spruell

11 months, 2 weeks

New Zeek Leadership Team Governance Framework and Elections Process Announced

by Amber Graner

Hi all, In case you didn't see the blog posts, the Zeek LT has announced the Zeek project governance framework and voting process. If you're interested in any being part of the leadership team or taking a more active role, please take a moment to read the following. New Zeek Governance Framework Announced - https://zeek.org/2020/08/12/new-zeek-governance-framework-announced/ Zeek Leadership Team Elections – Nominations Phase Now Open - https://zeek.org/2020/08/12/zeek-leadership-team-elections-nominations-phas… Please let me know if you have any questions. Thanks, ~Amber

11 months, 3 weeks

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek August 2020