zeek February 2022

zeek@lists.zeek.org

11 participants
6 discussions

by Tewodros Ambasa

Good Day I have noticed while viewing the conn.log file, that some of the timestamp fields in the entries are not in chronological order. For example, viewing a section of this file I see: 2022-02-08T21:14:03+0200 2022-02-08T21:14:04+0200 2022-02-08T21:13:14+0200 2022-02-08T21:12:49+0200 2022-02-08T21:14:05+0200 Is this normal?

3 months, 3 weeks

Arista question

by Avila, Kay

Could anyone running an Arista DCS-7280 for tap aggregation please reach out to me off-list to compare notes with an issue we're seeing? Thanks! Kay Avila Senior Security Engineer, Cybersecurity and Networking Division National Center for Supercomputing Applications (NCSA) University of Illinois, Urbana-Champaign P: (217) 300-1754 F: (217) 244-1987

3 months, 4 weeks

OS Fingerprinting

by Charles Dillard

Hello, I was asked by a supervisor if we at my company were logging OS Fingerprinting.? Checked logs for various "operating", "system", "os" "windows", "ATTACK" without luck. I see there is this policy: /opt/bro/share/bro/policy/frameworks/signatures/detect-windows-shells.sig Can you help us answer the question on whether OS Fingerprinting is being logged and which log would I look in? Also, what would I look for? We are running the following: zeek version 4.0.3 bro version 2.5 Also, if not present, how would we enable? Looking to see ANY os hitting our network.

4 months, 1 week

Gathering only DNS Logs

by Blason R

Hi Team, I have zeek installed on my DNS server and I need to collect only dns.log. I am struggling to find that configuration where I could stop monitoring all other protocols and wanted to monitor only the dns protocol. Can someone please help? TIA Blason R

4 months, 1 week

Decode or decapsulation of HP ERM (Encapsulated Remote Mirroring)

by gino.gamba＠gmail.com

Hello all, I apologize if this is a newbie question, but that's it, I am new to this system so I am having a hard time finding out how to add a script snippet to the Zeek configuration files. I had opened an issue on Zeek Github with the same subject: https://github.com/zeek/zeek/issues/1968 And a developer kindly super-quickly replied with the following code snippet: ============================================== export { redef PacketAnalyzer::SKIP::skip_bytes = 8; redef PacketAnalyzer::SKIP::default_analyzer = PacketAnalyzer::ANALYZER_ETHERNET; } event zeek_init() { PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 7932, PacketAnalyzer::ANALYZER_SKIP); } ============================================== which is dedicated to change the Skip packet analyzer behaviour in order to strip the HP ERM encapsulation from the UDP packet leaving the raw ehternet frame that Zeek can then analyze. I have read through all the documentation but I cannot figure out where and how the add the above code. So I kindly ask you to suggest to which file and syntax insert the above definitions. Platform is a debian 11, with the 4.2.0 binary packages installed from the opensuse repositories, single node, and all in all the installation and first operation was a breeze. Thank you in advance GG

4 months, 1 week

Zeek Newsletter - Issue 15 - December 2021-January 2022

by richard＠corelight.com

Welcome to the Zeek Newsletter! In this Issue: TL;DR Development Updates Zeek Blog and Mailing List Zeek in the Community Zeek Package Updates Zeek in the Enterprise Upcoming Events Zeek Related Jobs Get Involved TL;DR We finished a big year for the Zeek community. Log4j vulnerabilities continue to be a challenge, but Zeek was able to help. We hope you had a pleasant holiday and we’re looking forward to 2022. This newsletter includes two items from the first week in January, due to their importance. Development Updates On January 5, Tim Wojtulewicz published the first release candidate of Zeek 4.2.0, and followed with Zeek 4.2.0 on January 22. https://zeek.org/get-zeek https://download.zeek.org/zeek-4.2.0.tar.gz See the release notes for details of the addressed bugs and security issues: https://github.com/zeek/zeek/releases/tag/v4.2.0 Downloads for Zeek 4.0.5 are also available, as of January 25: https://zeek.org/get-zeek https://download.zeek.org/zeek-4.0.5.tar.gz See the release notes for details of the addressed bugs and security issues: https://github.com/zeek/zeek/releases/tag/v4.0.5 Binary packages for the new releases are available: https://github.com/zeek/zeek/wiki/Binary-Packages We encourage readers to report any issues to the project. Thank you. Concerning how the release process works, Tim offered the following. - The LTS releases follow an x.0.y versioning scheme and come out roughly once per year, with patch releases as necessary. The current LTS release is 4.0.4. - Feature releases come out during the interim, and follow a x.a.b versioning, with x being the same as the current LTS. Patch releases happen as necessary. The current feature release is 4.1.1. We released 4.2.0-RC1 this week, and 4.2 will supersede 4.1 once it is fully released. We generally try to follow a 4-month cadence for the feature releases, but schedules slip, etc. We’re currently in the development cycle for the next LTS release, which at this point should be 5.0.0. 5.0.0 will supersede the 4.0 line and become the new LTS release for the following year or so. See these links for more information about project release cadence: https://github.com/zeek/zeek/wiki/Release-Cadence https://github.com/zeek/zeek/wiki/Security-Release-Process Zeek Blog and Mailing List A recent notable blog post featured details and links on all the videos from ZeekWeek21. See this post for details: https://zeek.org/2021/12/10/zeekweek-2021-summary-slides-videos-and-more-no… One of the more interesting exchanges on the Zeek mailing list involved different options for disabling dns.log entries. See this thread for details: https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/FMEIVTBC3NJ… For more, see the blog and mailing list archive: https://zeek.org/blog/ https://lists.zeek.org/archives/list/zeek@lists.zeek.org/ Zeek in the Community On January 5, CISA (the United States’ Cybersecurity and Infrastructure Security Agency) released Malcolm 5.1, following its release of 5.0 in December. https://github.com/cisagov/Malcolm/releases/tag/v5.1.0 According to its description, “Malcolm provides an easily deployable network analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.” Malcolm integrates Arkime (formerly Moloch), “a large scale, open source, indexed packet capture and search tool.” https://github.com/arkime/arkime Richard Bejtlich and Keith Jones published new Zeek in Action videos on YouTube: Zeek in Action, Video 9, Radius Protocol Analyzer with Spicy https://www.youtube.com/watch?v=oJprmlB3eNo Zeek in Action, Video 10, Examining the Four Types of Network Security Monitoring Data https://www.youtube.com/watch?v=PYekUOCBBrY Zeek in Action, Video 11, Using Spicy Driver https://www.youtube.com/watch?v=2q4jZdCUbEg Zeek In Action, Video 12, zeek2es https://www.youtube.com/watch?v=Ahe4jmdB2uQ Zeek in Action, Video 13, Running Brim Inside Windows Sandbox https://www.youtube.com/watch?v=W-dlsDPyBtE Keith’s video 9 is two hours long and is an amazing tutorial on developing an analyzer for the Radius protocol using Spicy. Stay tuned for more from Keith, and check out his new Python application that translates Zeek's ASCII TSV and JSON logs into ElasticSearch's bulk load JSON format. https://github.com/corelight/zeek2es Zeek Package Updates The following packages reported updates recently (as of February 9), via this search: https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed Add cve-2022-21907. #177 by keithjjones was merged 14 days ago Add zeek-packages/zeek-agent-v2. #176 by rsmmr was merged 15 days ago Add ICSNPP-OPCUA-Binary #175 by Kleinspider was merged 22 days ago Add cve-2022-21907. #174 by keithjjones was closed 20 days ago • Draft Log4j detection heuristics #173 by initconf was merged on Dec 22, 2021 Add Corelight Log4j detection package #172 by ynadji was merged on Dec 16, 2021 Add a couple of Spicy-based analyzers #171 by bbannier was merged on Dec 10, 2021 Zeek in the Enterprise Corelight offered several blog posts and a new Zeek package to detect Log4j exploitation. The blog posts are here: https://corelight.com/blog/tag/log4j The Zeek package is here: https://github.com/corelight/cve-2021-44228 Upcoming Events See https://zeek.org/events/ for the latest details. Zeek Related Jobs The following are a sampling of job opportunities that mention Zeek skills. Cyber Security Information Assurance Lead ICF, Arlington, VA https://www.linkedin.com/jobs/search/?currentJobId=2833005761 Threat Intel Investigator, OCI Oracle, Reston, VA https://www.linkedin.com/jobs/view/2840457175 Senior Network Security Researcher Battelle, Chantilly, VA https://www.linkedin.com/jobs/search/?currentJobId=2859106319 For more, see https://www.linkedin.com/jobs/search/?geoId=103644278&keywords=zeek Get Involved If you have any comments or material for the newsletter please email news(a)zeek.org or join the #news Slack channel. https://zeekorg.slack.com Here is an invitation link: https://join.slack.com/t/zeekorg/shared_invite/zt-12z1pjy93-zuVGuT1BF~yUJJv… Stay up to date by subscribing to the Zeek mailing list: http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek Follow us on Twitter: https://twitter.com/Zeekurity Subscribe to our video channel: https://www.youtube.com/channel/UC1K5-MWaM1XZcEFPCMrmNMw See you next time!

4 months, 2 weeks

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek February 2022