zeek September 2020

zeek@lists.zeek.org

14 participants
16 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

5 months

-help for zeek dns cache poisoning detection script

by dsridha＠gmail.com

hi all ; i am new and i don't have experience with zeek i try to test this script to detect dns cache poisoning with zeek : global query_and_id: set[string, int] &write_expire=1min; event dns_query_reply (c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) { if([c$dns$query , c$dns$trans_id] in query_and_id){ print fmt ("Possible DNS cache poisoning attempt --> Source IP: %s, Destination IP: %s, Query: %s", c$id$orig_h, c$id$resp_h, c$dns$query); return; } if(!([c$dns$query, c$dns$trans_id] in query_and_id)){ add query_and_id[c$dns$query, c$dns$trans_id]; } } but when i try this script i face this issue 1462583138.084234 expression error in ././try.zeek, line 5: field value missing (c$dns$query) any help plz

1 year, 9 months

Volunteers for Virtual ZeekWeek 2020

by Amber Graner

Hi all, If any would like to help with Virtual ZeekWeek 2020 please let me know We need: 5 -6 x Volunteers to help co-host 1 x Volunteer to help with Sched to keep the schedule synced 1 x Volunteer to help with Social Media Please let me know if you are interested in helping. Thanks, ~Amber

1 year, 9 months

Zeek Monthly Newsletter! Issue 7

by Amber Graner

Link to this issue - https://zeek.org/2020/09/17/zeek-monthly-newsletter-issue-7-september-2020/ Plain Text Version Below: Welcome to the Zeek Monthly Newsletter! Issue 7 covers July and August 2020, as well as upcoming events. ________________________________ IN THIS ISSUE * TL;DR * Development Updates * Zeek Blog * Zeek In The Community * New Zeek Packages * Zeek in Enterprise * Upcoming Events * Zeek Related Jobs * Volunteer Opportunities * Get Involved _______________________________ TL;DR Zeek releases: 3.2.0 and 3.0.8 / 3.1.5 releases. Notable blog posts topics: Zeek Package Contest (ZPC-3), Zeek Leadership Team (LT) Elections and Virtual ZeekWeek 2020. Related to Zeek: releases from Brim, Security Onion, Corelight and more. Eric Ooi continues his blog series on Zeekurity. Since our last newsletter, we have seen 6 new Zeek Packages added to the Zeek Package Manager. Zeek Events Webinars for September include a special presentation by Alex Kirk, “Open Source Brewing”. If you're a beer-brewing, open source enthusiast... then this webinar is for you! Check out the full description below or on the registration page. Zeek Events for October include Virtual Zeek Week 2020, which will be held online from 9am - 1:20pm PDT on 13-15 October 2020. Registration is open, and the full agenda will be announced later this week. Volunteer Opportunities: Do you have an hour or two a week that you would like to give to the project? We have several areas where your help would be greatly appreciated. ________________________________ DEVELOPMENT UPDATES Zeek 3.2.0 released - https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/QTW6HGVMGOD… Zeek 3.0.8 and 3.1.5 released (security + bug fixes) - https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/RG4GYWS5WZH… Zeek 3.2.0 Release Candidate 1 Now Available - https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/I4UNZMIFNST… More information about project release cadence: https://github.com/zeek/zeek/wiki/Release-Cadence https://github.com/zeek/zeek/wiki/Security-Release-Process ________________________________ ZEEK BLOG ZPC-3 Developers Phase Open - https://zeek.org/2020/08/21/zpc-3-developers-phase-open/ Virtual ZeekWeek 2020 – Call For Presentations, and Registration Now Open - https://zeek.org/2020/08/17/virtual-zeekweek-2020-call-for-presentations-an… Save the Date – Virtual ZeekWeek 2020 – Announced - https://zeek.org/2020/08/14/save-the-date-virtual-zeekweek-2020-announced/ Zeek Leadership Team Elections – Nominations Phase Now Open - https://zeek.org/2020/08/12/zeek-leadership-team-elections-nominations-phas… New Zeek Governance Framework Announced - h ttps://zeek.org/2020/08/12/new-zeek-governance-framework-announced/ Zeek 3.2 Released - https://zeek.org/2020/08/10/zeek-3-2-released/ Zeek Mailing List Migration - https://zeek.org/2020/07/30/zeek-mailing-list-migration/ Zeek 3.2 Release Candidate Available—and Zeek 3.1.5 and Zeek 3.0.8 as well - https://zeek.org/2020/07/27/zeek-3-2-release-candidate-available-and-zeek-3… Zeek Package Contest – ZPC-3 - https://zeek.org/2020/07/15/zeek-package-contest-zpc-3/ ________________________________ ZEEK IN THE COMMUNITY Part VI: Zeek File Analysis Framework - https://www.ericooi.com/zeekurity-zen-part-vi-zeek-file-analysis-framework/ Together is faster: Zeek for vulnerabilities - https://corelight.blog/2020/08/18/together-is-faster-zeek-for-vulnerabiliti… Security Onion 2.1 (RC2), Import Node, and so-import-pcap! - https://blog.securityonion.net/2020/08/security-onion-21-rc2-import-node-an… Security Onion 2.1 (Release Candidate 2) Available for Testing! - https://blog.securityonion.net/2020/08/security-onion-21-release-candidate-… Security Onion 16.04.7.1 ISO image now available featuring Zeek 3.0.8, Snort 2.9.16.1, Elastic 6.8.11, CyberChef 9.21.0, and more! - https://blog.securityonion.net/2020/08/security-onion-160471-iso-image-now.… CyberChef 9.21.0 now available for Security Onion 16.04! - https://blog.securityonion.net/2020/08/cyberchef-9210-now-available-for.html Snort 2.9.16.1 now available for Security Onion 16.04! - https://blog.securityonion.net/2020/08/snort-29161-now-available-for-securi… Security Onion 2.0 RC1: so-import-pcap is back! - https://blog.securityonion.net/2020/08/security-onion-20-rc1-so-import-pcap… Security Onion 2.0.3 RC1 Available for Testing! - https://blog.securityonion.net/2020/07/security-onion-203-rc1-available-for… Zeek 3.0.8 now available for Security Onion 16.04! - https://blog.securityonion.net/2020/07/zeek-308-now-available-for-security.… Elastic Stack 6.8.11 now available for Security Onion 16.04! - https://blog.securityonion.net/2020/07/elastic-stack-6811-now-available-for… Security Onion 2.0 Release Candidate 1 (RC1) Available for Testing! - https://blog.securityonion.net/2020/07/security-onion-20-release-candidate-… New Brim and ZQ releases available (August) - https://twitter.com/brimsecurity/status/1290646543729647623?s=20 https://twitter.com/brimsecurity/status/1295829323421605889?s=20 Brim Overview for Developers - https://youtu.be/CPel0iu1pig (Video) <https://youtu.be/CPel0iu1pig> New Brim and ZQ releases (July) - https://twitter.com/brimsecurity/status/1282364392017780736?s=20 Reducing MTTD with Threat Bus - A User Introduction https://tenzir.com/blog/reducing-mttd-with-threat-bus-a-user-introduction/ ________________________________ NEW ZEEK PACKAGES detect-ransomware-filenames - https://github.com/corelight/detect-ransomware-filenames Ztest - https://github.com/corelight/ztest CVE-2020-5902-F5BigIP - https://github.com/corelight/CVE-2020-5902-F5BigIP Zeek-new-domains - https://github.com/rvictory/zeek-new-domains geoip-conn - https://github.com/brimsec/geoip-conn rdfp - https://github.com/yahoo/rdfp ________________________________ ZEEK IN THE ENTERPRISE Reducing MTTD with Threat Bus - A User Introduction - https://tenzir.com/blog/reducing-mttd-with-threat-bus-a-user-introduction/ Security Onion Hybrid Hunter 1.4.1 Available for Testing! - https://blog.securityonion.net/2020/07/security-onion-hybrid-hunter-141-now… ________________________________ UPCOMING EVENTS Zeek Webinar Series - This is a bi-weekly webinar series that includes Zeek related presentations, Zeek Q&A and more. We are consolidating the webinars previously known as ‘Ask the Zeekperts’ and ‘Zeek from Home’ into a single series, with a diversity of content planned. About Monthly Zeek Community Call: Monthly calls that are open to everyone to discuss topics related to the growth, governance and administration of the community. These calls ARE recorded. September Zeek Webinar Series – 23 September 2020 from 2:00pm – 3:00pm EDT – Open Source Brewing – Presented by Alex Kirk of Corelight. The home brewing and open source communities share many similarities. Established members of both communities actively seek to draw in new adherents to the cause, touting the awesome power of customizability inherent in an open process. Both communities use walkthroughs of known-good recipes to get beginners moving, and have active forums and events where experts in the craft can help troubleshoot the problems that arise as people of all skill levels apply the tools of the trade in the real world, and people of all skill levels can come together to make cool things happen. Taking existing recipes and modifying them to fit new tastes and techniques is encouraged, especially when the successes are contributed back to the community. This session will explore those similarities while walking through a brew of Zeek Porter - with helpful pointers for how to become more involved in the Zeek and Suricata communities along the way. Alex Kirk is an open source security veteran, with over 15 years combined experience working with Snort/Suricata, Nessus, and Zeek. He has presented globally at security conferences on topics from "Malware Mythbusting" to "Is Zeek an IDS?", and currently works as Corelight's Global Principal for Suricata. His brewing style leans towards high-gravity styles, including an almost award-winning Tripel. Register at: https://corelight.zoom.us/webinar/register/WN_2KO0DA5SSqqDMtZpd6w71A October Virtual Zeek Week - 13-15 October Register at: https://www.eventbrite.com/e/virtual-zeek-week-tickets-117288632457 ________________________________ ZEEK RELATED JOBS Front End Engineer Position - https://bricata.com/careers/front-end-engineer-position/ Senior Software Engineer Position - https://bricata.com/careers/senior-software-engineer-position/ NorthEast Sales Engineer - https://www.corelight.com/company/careers/2329648 Cloud Architect - https://www.corelight.com/company/careers/2294603 DACH Regional Sales Director - https://www.corelight.com/company/careers/2315621 Director of Strategic Alliances - https://www.corelight.com/company/careers/2206292 Inside Sales Representative - https://www.corelight.com/company/careers/2317580 Sr. Zeek/Bro Engineer - https://www.linkedin.com/jobs/view/2002831241 ________________________________ VOLUNTEER OPPORTUNITIES * Newsletter - adopt a section, contribute links, help edit, help promote * Blog Content - we are always in search of new Zeek content, how to’s and more * Interviews - we have a list of people we would like to interview....would you like to get to know people in the community, tell their stories and promote their work? * Community Calls - would you like to get involved and help lead these calls? * Webinars - Everything from helping to upload to Youtube, write a summary post and help promote. If you are interested in helping with any of the above, please let me know. We’ll work with you and help keep it light and easy. Thanks in advance! ________________________________ GET INVOLVED If you are interested in getting involved with the Zeek Newsletter, please email news(a)zeek.org. More information about the newsletter can be found at: https://docs.google.com/document/d/1Jo6EBdExKgiYgi6MKIoUougJRJevjuV4wv58fmP… <https://docs.google.com/document/d/1Jo6EBdExKgiYgi6MKIoUougJRJevjuV4wv58fmP…> Stay up to date by subscribing to the Zeek Mailing List at: https://lists.zeek.org/mailman3/lists/zeek.lists.zeek.org/ Join the conversation on Slack at: http://bit.ly/ZeekOrgSlackInvite Follow us on Twitter at: https://twitter.com/zeekurity

1 year, 9 months

UDP long running "connections"

by Gary Huband

I'm using Zeek 3.1.5. I need to monitor long running UDP "connections", some lasting two or three days. If I understand correctly, Zeek only logs UDP connections in conn.log on the connection termination. I would also like to log the start of the connection in conn.log. Any suggestions on how to start with this? Thanks Gary [MSi] : : : : : : : : : : : : : : : : : : : : : : : : : : : Gary Huband Sr. Software and Systems Engineer Office: 434.284.8071 x720 Direct: 434.260.4995 Gary(a)MissionSecure.com : : : : : : : : : : : : : : : : : : : : : : : : : : : This email and any files transmitted with it are confidential and proprietary and intended solely for the use of the individual or entity to whom they are addressed. Any dissemination, distribution or copying of this communication is strictly prohibited without our prior permission. If you received this in error, please contact the sender and delete the material from any computer.

1 year, 9 months

add protocol analyzer to bro

by Charles Dillard

Hello, we run bro 2.5 on 300+ CentOS 7 servers. We want to add https://docs.zeek.org/en/current/script-reference/proto-analyzers.html#zeek… and https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_DCE_RPC.even… base/bif/plugins/Zeek_DCE_RPC.events.bif.zeek — Zeek User Manual v3.2.0<https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_DCE_RPC.even…> Generated for every DCE-RPC alter context request message. Since RPC offers the ability for a client to request connections to multiple endpoints, this event can occur multiple times for a single RPC message. docs.zeek.org Is this possible on our current platform? If not, what are you recommendations? Thank-you.

1 year, 9 months

Re: Error upgrading to Zeek 3.0.10 in RHEL8 host (SOLVED)

by Carlos Lopez

Problem solved. I don’t know the reason but there is another zeek instance running in the same host. I have stopped all zeek processes and all it is ok now. Sorry for the noise. From: Carlos Lopez <clopmz(a)outlook.com> Date: Wednesday, 16 September 2020 at 12:25 To: "zeek(a)lists.zeek.org" <zeek(a)lists.zeek.org> Subject: Error upgrading to Zeek 3.0.10 in RHEL8 host Hi all, After upgrading my Zeek’s cluster and executing “zeekctl deploy” the following error appears: ==== stderr.log error in /opt/zeek/share/zeek/base/frameworks/cluster/./setup-connections.zeek, lines 93-95: Failed to listen on INADDR_ANY:47761 (Broker::listen(Broker::default_listen_address, Cluster::self$p, Broker::d efault_listen_retry)) fatal error: errors occurred while initializing Maybe is AF_PACKET config related? My current config is: [manager] type=manager host=172.22.58.3 [logger] type=logger host=172.22.58.3 [proxy] type=proxy host=172.22.58.3 [idps-prod-dmz] type=worker host=172.22.58.4 interface=af_packet::idsif0 af_packet_buffer_size=192*1024*1024 [idps-mgmt-vpn] type=worker host=172.22.58.5 interface=af_packet::idsif0 af_packet_buffer_size=192*1024*1024 Version 3.0.8 was working perfectly with this config. Regards, C. L. Martinez

1 year, 9 months

Error upgrading to Zeek 3.0.10 in RHEL8 host

by Carlos Lopez

Hi all, After upgrading my Zeek’s cluster and executing “zeekctl deploy” the following error appears: ==== stderr.log error in /opt/zeek/share/zeek/base/frameworks/cluster/./setup-connections.zeek, lines 93-95: Failed to listen on INADDR_ANY:47761 (Broker::listen(Broker::default_listen_address, Cluster::self$p, Broker::d efault_listen_retry)) fatal error: errors occurred while initializing Maybe is AF_PACKET config related? My current config is: [manager] type=manager host=172.22.58.3 [logger] type=logger host=172.22.58.3 [proxy] type=proxy host=172.22.58.3 [idps-prod-dmz] type=worker host=172.22.58.4 interface=af_packet::idsif0 af_packet_buffer_size=192*1024*1024 [idps-mgmt-vpn] type=worker host=172.22.58.5 interface=af_packet::idsif0 af_packet_buffer_size=192*1024*1024 Version 3.0.8 was working perfectly with this config. Regards, C. L. Martinez

1 year, 9 months

Zeek Community Monthly Call - 11 Sep 2020 - 3:00 - 3:30pm EDT

by Amber Graner

Hi all, Below is the agenda and registration link for the monthly community call. Please let me know if you have any questions. Thanks, ~Amber *Registration Link. - * https://corelight.zoom.us/meeting/register/tJcldO6qrTMrG9Kwsu6_qHsUeAvdjLmM… Zeek Community Call - 11 Sep 2020 (30 Minutes) - ZeekWeek (10 mins) - Schedule can be found at: https://zeek.org/2020/08/14/save-the-date-virtual-zeekweek-2020-announced/ - Agenda: Publish end of next week - 18 Sep 2020 - Registration - You can register at: https://www.eventbrite.com/e/virtual-zeek-week-tickets-117288632457 - Zeek Leadership Team (LT) Elections (10 Mins) - Current Phase- https://zeek.org/2020/09/10/testimonial-phase-for-zeek-leadership-team-elec… - Nominees - Aashish Sharma - Fatema Bannat Wala - Jeff Atkinson - Johanna Amann - Keith Lehigh - Nick Turley - Scott Campbell - Seth Hall - Vlad Grigorescu - More information about the election process - https://zeek.org/2020/08/12/zeek-leadership-team-elections-nominations-phas… - Zeek Package Contest (ZPC-3) (10 Mins) - Current Phase - Developer - https://zeek.org/2020/08/21/zpc-3-developers-phase-open/ - More Information - https://zeek.org/2020/07/15/zeek-package-contest-zpc-3/ - Important Upcoming Dates - - 15 September 2020 – Team Notices – We will send out notices to the Developers and Idea submitters and create a list of teams - 29 September 2020 – Open Submission of Packages – Individuals and teams can begin to submit their Zeek Packages via this webform. - 26 October 2020 – Close Submissions – Individuals and teams will have until 12 Oct 2020 at 6pm PDT to submit their Zeek Packages. - 16 November 2020 – Notify Winners – Winners will be notified privately on this date and arrangements for prize distributions finalized. - 30 November 2020 – Announce Winners- On this date we will announce the winners to the public via the Zeek Blog, Mailing List and Twitter account. This announcement will also be updated.

1 year, 9 months

Testimonial Phase for Zeek Leadership Team Elections Now Open

by Amber Graner

Hi all, The Testimonial Phase for Zeek Leadership Team (LT) elections are now open: https://zeek.org/2020/09/10/testimonial-phase-for-zeek-leadership-team-elec… You can find out more about who is running for a seat on the Zeek LT as well as the election process at the above link. Please let me know if you have any questions. Thanks, ~Amber

1 year, 9 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek September 2020