zeek May 2021

zeek@lists.zeek.org

15 participants
13 discussions

by Vlad Grigorescu

We recently purchased some Intel XXV710 NICs for our Zeek systems. However, symmetric hashing does not seem to work on them, at least not completely. There was some discussion here regarding adding some functionality to the driver to make it work, however this never landed: https://sourceforge.net/p/e1000/mailman/message/35199068/ This post discusses how the X710 controller must be configured differently from the 82599 10G controller (used by the X520 cards): https://haryachyy.wordpress.com/2019/01/18/learning-dpdk-symmetric-rss/ The odd part is that following the SEPTun-MarkII guide[1] makes it *mostly* work, but we're consistently finding that ~1-2% of the traffic is not being symmetrically hashed. We're testing with can-i-use-afpacket-fanout[2] and Zeek 3.2. The most damning evidence is an Intel rep telling[3] a customer: > Unfortunately, we have been informed that the only support to setup symmetric RSS is via DPDK. Searching the mailing list archives, I found a couple of posts where people were encouraged to use X710-based cards, so I'm left wondering: Are there people using these? Are they also seeing this 1-2% asymmetry? Or am I missing a configuration tweak? Thanks, --Vlad [1] - < https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rst> [2] - <https://github.com/JustinAzoff/can-i-use-afpacket-fanout> [3] - < https://community.intel.com/t5/Ethernet-Products/X-L-710-supports-symmetric… >

2 months

Adding command line option to configuration file

by zeek＠zaminit.com

Hi everyone, Zeek documentation states one way to ignore bad packet checksums is to add '-C' options to the zeek command. I use zeekctl to start the zeek process. Which configuration file and/or variable should I use to specify this option? Regards,

7 months, 3 weeks

New Ways to Speed Up Zeek Script Execution - Replay now available

by Amber Graner

Hi all, If you missed today's Zeek Webinar on New Ways to Speed Up Zeek Script Execution presented by Vern Paxson, here's the replay link - https://event.webinarjam.com/replay/25/vlq6ytvva69f5qfv1 Thanks, ~Amber

7 months, 3 weeks

Unable to generate Intel log

by Dheeraj Gupta

Hi, I have been reading the Zeek Intel docs ( https://docs.zeek.org/en/master/frameworks/intel.html) and trying to get it to work on my Zeek (4.0.0 on CentOS-7). I have correctly formatted Intel files and a custom script to load them redef Intel::read_files += { "/usr/share/feed/ip.txt", "/usr/share/feed/domain.txt", "/usr/share/feed/email.txt", }; @load frameworks/intel/seen @load frameworks/intel/do_notice On trying to do a DNS query for a known bad domain, nothing gets logged in intel.log or notice.log However, I do get the following entry in reporter.log xxxxxx.xxx Reporter::WARNING failed to convert remote event 'Intel::match_remote' arg #0, got vector, expected record (empty) If anybody has any pointers on how to proceed, I will be grateful. Thanks, Dheeraj

8 months

ThreatBus or Dovehawk for MISP integration

by Carlos Lopez

Good afternoon, Has anyone used threatbus to integrate MISP IOCs into Zeek? Personally I have used DoveHawk in some installations and the result was satisfactory. This time I have to integrate more than one CTI platform with Zeek and I was thinking of using ThreatBus. Any experiences or problems encountered with ThreatBUS? Or is it better to keep Dovehawk? Many thanks.

8 months

Zeek Monthly Newsletter - Issue 10 - May 2021 - Now Available

by Amber Graner

Here's the link to the blog post - https://zeek.org/2021/05/19/zeek-monthly-newsletter-issue-10-may-2021/ In this Issue: * Highlights * Zeek Blog * Zeek In The Community * New Zeek Packages * Upcoming Events * Zeek Related Jobs * Volunteer Opportunities * Get Involved Join <http://bit.ly/ZeekOrgSlackInvite> over 1500+ Zeek users and fans in 21 Zeek related Slack channels <http://bit.ly/ZeekOrgSlackInvite> for real-time Q&A, feedback and discussion. ________________________________ Highlights Two new Zeek Subgroups were announced: Training <https://zeek.org/2021/04/27/announcing-the-zeek-training-subgroup/> and Testing <https://zeek.org/2021/04/21/announcing-the-zeek-testing-subgroup/> ‘Zeek in Action’ is a new series of videos that explain how Zeek can be used in real world situations. The first two contributions (with more coming soon): Introduction and How to Set Up a Windows Workstation Using Brim Security <https://zeek.org/2021/04/06/zeek-in-action-introduction-and-how-to-set-up-a…>and Suspected Malware Compromise <https://zeek.org/2021/04/14/welcome-to-zeek-in-action-video-1-suspected-mal…> Zeek in Enterprise Day <https://zeek.org/2021/04/22/zeek-in-enterprise-day/>is scheduled for 16 June 2021, and ZeekWeek 2021 <https://zeek.org/2021/02/03/save-the-date-zeekweek-2021-hybrid-event/> will take place on 13-15 October 2021 in Austin, Texas. Registration and sponsorship information coming soon. ________________________________ Zeek Blog Zeek Monthly Newsletter – Issue 9 – April 2021 - https://zeek.org/2021/04/30/zeek-monthly-newsletter-issue-9-april-2021/ Announcing the Zeek Training Subgroup - https://zeek.org/2021/04/27/announcing-the-zeek-training-subgroup/ Zeek in Enterprise Day - https://zeek.org/2021/04/22/zeek-in-enterprise-day/ Announcing the Zeek Testing Subgroup - https://zeek.org/2021/04/21/announcing-the-zeek-testing-subgroup/ Zeek’s IPSec Protocol Analyzer - https://zeek.org/2021/04/20/zeeks-ipsec-protocol-analyzer/ Welcome to Zeek in Action, Video 1, Suspected Malware Compromise - https://zeek.org/2021/04/14/welcome-to-zeek-in-action-video-1-suspected-mal… Spicy 1.0 — Robust Parsers for Protocols & File Formats - https://zeek.org/2021/04/13/spicy-1-0-robust-parsers-for-protocols-file-for… ZPC-3 Winners Announced - https://zeek.org/2021/04/08/zpc-3-winners-announced/ A Zeek OpenVPN Protocol Analyzer in Spicy - https://zeek.org/2021/04/08/a-zeek-openvpn-protocol-analyzer-in-spicy/ Zeek in Action: Introduction and How to Set Up a Windows Workstation Using Brim Security - https://zeek.org/2021/04/06/zeek-in-action-introduction-and-how-to-set-up-a… Zeek Blog - https://zeek.org/blog/ Zeek Mailing list - April <https://lists.zeek.org/archives/list/zeek@lists.zeek.org/2021/4/> ________________________________ Zeek in the Community Public funds, public code! By Henrik Kramselund Jereminsen - https://www.version2.dk/blog/offentlige-midler-offentlig-kode-1092626 Detect C2 ‘RedXOR’ with state-based functionality - https://corelight.blog/2021/04/20/detect-c2-redxor-with-state-based-functio… Pingback: ICMP Tunneling Malware - https://corelight.blog/2021/05/07/pingback-icmp-tunneling-malware/ H&R Block seeks out open-source expertise for SOC - https://www.scmagazine.com/home/security-news/network-security/hr-block-see… Malcolm v3.1.0 - https://github.com/idaholab/Malcolm/releases Security Onion Documentation printed book now updated for Security Onion 2.3.50! - https://blog.securityonion.net/2021/05/security-onion-documentation-printed… Security Onion 2.3.50 Hotfix available! - https://blog.securityonion.net/2021/05/security-onion-2350-hotfix-available… Security Onion 2.3.50 now available! - https://blog.securityonion.net/2021/04/security-onion-2350-now-available.ht… Security Onion 16.04 has reached End Of Life - https://blog.securityonion.net/2021/04/security-onion-1604-has-reached-end-… OpenCTI Integration and a Mature VAST Plugin Framework (Release 2021.04.29) - https://tenzir.com/blog/release-2021-04-29/ ________________________________ New Zeek Packages Pingback - https://github.com/corelight/pingback ________________________________ Upcoming Events May 27 May 2021 – Zeek Webinar Series – New Ways to Speed Up Zeek Script Execution - 10am Pacific/1pm Eastern – Join Vern Paxson, Founder of Zeek, as he goes over his latest work around compiling-scripts-to-C++. Zeek’s performance depends in part on how quickly the system executes the user’s scripts, as well as the many predefined scripts Zeek makes available. To date, this execution has used a high-level interpreter, which imposes considerable overhead. This talk will sketch two new experimental features for executing scripts much more quickly: compiling them to a low-level form (“ZAM”), and directly to C++. Register at: https://event.webinarjam.com/register/25/x4kmyhmm June 2 June 2021 - Zeek Monthly Community Call - Join the monthly call to discuss topics related to the growth, governance and administration of the community. Register at: https://corelight.zoom.us/meeting/register/tJAqdu6gqzgvG9LqPt_zpfGex7NtR_HW… 8 June 2021 – Zeek Webinar Series – TBA - 10am Pacific/1pm Eastern - Registration link -TBA 16 June 2021 - Zeek in Enterprise Day - 9am-1pm Pacific/12pm - 4pm Eastern - This is a virtual event. Organizations which offer Zeek as part of its commercial solutions will be able to present to the Zeek Community. If you would like to present at this event please see the announcement. Registration link coming soon. 22 June 2021 – Zeek Webinar Series – TBA - 10am Pacific/1pm Eastern - Registration link -TBA October 13-15 October 2021 – ZeekWeek 2021 – Save the date! We are currently planning for an in-person ZeekWeek event in Austin, Texas. Seating will be limited at this event, and we will also have a remote participation option. More information coming soon. Past Webinars for 2021 (replay links) You can see past webinars here <https://zeek.org/zeek-from-home/>. May Community Call Zeek Monthly Community Call - 5 May 2021 - Notes, Links to the Recording and more can be found at: https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/22TCOR5HLJ2… Zeek Webinar Series - This is a bi-weekly webinar series that includes Zeek related presentations, Zeek Q&A and more. We are consolidating the webinars previously known as ‘Ask the Zeekperts’ and ‘Zeek from Home’ into a single series, with a diversity of content planned. About Monthly Zeek Community Call: Monthly calls that are open to everyone to discuss topics related to the growth, governance and administration of the community. These calls ARE recorded. ________________________________ Zeek Related Jobs SOC Lead - https://www.linkedin.com/jobs/view/2382720691 Sr. Zeek/Bro Engineer - https://www.linkedin.com/jobs/view/2430522106 Principal Software Engineer, Security - https://www.linkedin.com/jobs/view/2484370829 Sr. Zeek/Bro Engineer - https://www.linkedin.com/jobs/view/2294604452 Director, Incident Response (Remote) - https://www.linkedin.com/jobs/view/2404837718 Incident Response Specialist - https://www.linkedin.com/jobs/view/2407692778 FedGov Sr. Consultant, Incident Response - https://www.linkedin.com/jobs/view/2484034544 Escalation Engineer - https://www.linkedin.com/jobs/view/2535097439 Director, Applications - https://www.linkedin.com/jobs/view/2493165163 Principal Software Engineer, Security - https://www.linkedin.com/jobs/view/2398741146 Defensive Cyber Operations Network Sensor SME with Security Clearance - https://www.linkedin.com/jobs/view/2554955722 Security Analyst - https://www.linkedin.com/jobs/view/2523781880 And more - https://www.linkedin.com/jobs/search/?currentJobId=2523781880&keywords=zeek ________________________________ Volunteer Opportunities Newsletter - adopt a section, contribute links, help edit, help promote. Find out more information at: https://github.com/zeek/zeek/wiki/News-Group Blog Content - we are always in search of new Zeek content, how to’s and more Interviews - we have a list of people we would like to interview....would you like to get to know people in the community, tell their stories and promote their work? Community Calls - would you like to get involved and help lead these calls? Webinars - Everything from helping to upload to Youtube, write a summary post and help promote. Zeek in Action - is a series of videos for Zeek users and fans. The purpose of the series is to show how analysts can interpret data in Zeek and related formats to solve various networking challenges. Documentation Subgroup - is the group that is responsible for keeping the Zeek Documentation up to date. If you would like to participate in this group, give feedback etc then this is the group for you. Find out more information at: https://github.com/zeek/zeek/wiki/Documentation-Group Training Subgroup - The Zeek training subgroup that will focus on formulating some preliminary goals for Zeek approved training and tackle broader topics in the area of Zeek training. Frequently, we are asked about where people can find Zeek-related training and whether there is a central place to find Zeek-related training content. Hence to address the needs of the community and in general have some training programs that are approved by the Zeek project, we are creating this subgroup to focus on these goals. Find out more information at: https://github.com/zeek/zeek/wiki/Training-Group Testing Subgroup - The goal of the testing subgroup is to stress-test new versions of Zeek with real live traffic from a variety of environments to identify problems and bugs early, to ensure that new Zeek releases are stable and ready for the Zeek community. Find out more information at: https://github.com/zeek/zeek/wiki/Testing-Group If you are interested in helping with any of the above, please let me know. We’ll work with you and help keep it light and easy. Thanks in advance! ________________________________ Get Involved If you are interested in getting involved with the Zeek Newsletter, please email news(a)zeek.org. More information about the newsletter can be found here <https://github.com/zeek/zeek/wiki/News-Group>. Stay up to date by subscribing to the Zeek Mailing List <http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek>. Join the conversation on Slack <http://bit.ly/ZeekOrgSlackInvite>. Follow us on Twitter <https://twitter.com/Zeekurity>

8 months

Filtering traffic by worker in cluster environments

by Carlos Lopez

Hi all, I have detected a behaviour in my Zeek cluster that I would like to avoid, if it is possible. I am using Zeek 4.0.1 under FreeBSD 13. The problem comes because Zeek detects multiple duplicate packages, as reported to me by bro-doctor: ###################################################################### # Checking if any recent connections have been logged multiple times # ###################################################################### error: 98.80%, 1731 out of 1752 connections appear to be duplicate As you can see, Zeek detects too much duplicated sessions. This is because I have workers monitoring three networks: net1, net2 and net3. On net1,I have services exposed to all my internal networks such as DNS, SMTP, HTTPS ..... These services are consumed from all the networks and I understand that for that reason, Zeek tells me that there are duplicate sessions. My question is: is it possible to filter traffic (using bpf filters) by worker in a cluster environments? Or is it only possible to avoid this situation by deploying Zeek in standalone mode? Best regards, C. L. Martinez

8 months, 1 week

I have some problems with zeek-agent

by 白彧

Hi, everyone. When I use zeek-agent, I have some problems. This is my enviroment: CentOS Linux release 7.8.2003 OSquery 4.2.0 zeek 3.0.12 zeek-agent 1.0.2 zeek-agent-framework 0.4 My work: - installed zeek, OSquery, zeek-agent, zeek-agent-framework successfully - config zeek-agent { "server_address": "127.0.0.1", "server_port": 9999, "log_folder": "/var/log/zeek", "max_queued_row_count": 5000, "osquery_extensions_socket": "/var/osquery/osquery.em", "group_list": [] }-  config /opt/zeek/share/zeek/site/local.zeek , add this at the end: @load zeek-agent- config /opt/zeek/share/zeek/site/zeek-agent/__load__.zeek , add this at the end: @load ./examples/auditd- start auditd service, start osqueryd - start zeek-agent sudo zeek-agent- start zeekctl zeekctl deployzeekctl [ZeekControl] > start Everything is right. I could find logs in /opt/zeek/logs/current: broker.log conn.log dns.log ntp.log stats.log stdout.log zeek-agent.log capture_loss.log dhcp.log loaded_scripts.log packet_filter.log stderr.log weird.logbut I can't see any log name starting with "agent_" , such as: agent_socket_events.log agent_process_events.log (from vZW20 - Day 2 - Zeek Agent: Correlating Host & Network Logs for Better Forensics - Wajih Ul Hassan). My questions: 1. Was there any wrong in my actions? 2. Where are agent_socket_events.log agent_process_events.log? 3. What is the relation between virtual tables and "agent_*.log" ? 4. Virtual tables are stored in sqlite or osquery? Thank you very much!

8 months, 2 weeks

Host field empty in http.log

by craig bowser

Forgot a subject... On Wed, May 5, 2021, 8:25 PM craig bowser <reswob10(a)gmail.com> wrote: > > I'm have a VM running in VMWARE workstation that I've installed Splunk and > zeek. Splunk is not running while I trouble shoot this problem. > The VM has 4 sockets with 2 cores and 8GB ram. There is only one NIC. > And the vm is configured to do NAT > > > I've disabled syslog, ssh, shop, ssl, x509, and weird streams. > > The goal is to build a simple environment for testing and teaching. > So I'm focused on the conn.log, the dns.log, and the http.log > > To test, I'm using curl -L, wget, and python requests. > > The dns.log is capturing queries. And the conn.log is showing connections. > However, the http log is not capturing the host. > > Am I missing something? > Tips for troubleshooting? > > > Thanks >

8 months, 2 weeks

Untraceable zeekygen "warning:" messages

by Brett D. Rasmussen

Hello. I've included a "write-up" of the problem issue in the attached .zip file (see the enclosed "zeek_warning.txt" file) Thanks! Brett Rasmussen Cyber Security Researcher Supporting the CISA Advanced Analytical Lab Phone: (208) 526-5486 Fax: (208) 526-6173 Email: Brett.Rasmussen(a)inl.gov<mailto:Jan.Wright@inl.gov>

8 months, 2 weeks

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek May 2021