zeek

zeek@lists.zeek.org

5574 discussions

Mailing list migration starting May 24th 2022

by Johanna Amann

Hi everyone, as previously announced (https://lists.zeek.org/archives/list/zeek-announce@lists.zeek.org/thread/33…), we will move all our mailing lists to Discourse. All mailing lists will be switched into read-only mode on Tuesday, May 24th 2022. The current state of the mailing lists will then be imported into Discourse. We will expect this to take up to two days. Thus, on or before Thursday, May 26th, the Zeek Discourse server will be available at https://community.zeek.org. We will send one last posting on this mailing list when the Discourse server is operational. Please note that you will have to manually re-subscribe to the lists that you are interested in. If you have any questions or concerns about this, either email me directly, or email the Zeek Leadership team at lt(a)zeek.org. Johanna Amann (for the Zeek LT)

1 month

Scripting for parsing file names from a directory

by zrobinette＠outlook.com

I'm currently using the Seiso/Kafka plugin to stream each unique Zeek log type to a different topic in Kafka and it works great https://github.com/SeisoLLC/zeek-kafka#example-4---send-each-zeek-log-to-a-…. I've been using SSL configurations to specify the directory path + filename for my .crt, .key and .pem files so in the $config variable, my table looks like this: $config = table( ["metadata.broker.ist"] = "broker1:9092", ["ssl.ca.location"] = "/path/to/ca/file.pem", ["ssl.certificate.location"] = "/path/to/certificate/file.crt", ["ssl.key.location"] = "/path/to/key/file.key", ["security.protocol"] = "ssl" Instead of manually entering the "/path/to/certificate/file.crt" along with ca and key, I'd like to use either a bif (but I can't find one specifically for this use case) or create a function to parse the file names. I only need to be able to grab the file names, not the full directory path. Here's what I have so far: @load base/utils/exec redef exit_only_after_terminate=T; global command: string = "ls -A"; function get_certificate(): string { local cmd = Exec::Command($cmd=command); when (local res = Exec::run(cmd)) { local results = res$stdout; for ( i in results ) { if ( ends_with(results[i], ".crt") ) { local match = match_pattern(results[i], /^([^.]+)\.crt/); return match$str; } } } } event zeek_init() { local certificate: string = get_certificate(); print $certificate; } I'm attempting to assign the return of the function (match$str) because that gives me the file name I'm looking for. Once I have the string in a variable, I think I should be able to insert that into the Kafka $config table for ssl.certificate.location. This script currently fails though with this error. warning: non-void function returning without a value: get_certificate expression error in ./get_certs.zeek, line 28: value used but not set (certificate) fatal error: errors occurred while initializing If I change return match$str to print match$str, then just simply call get_certificate() in the zeek_init(), it successfully prints the file name I want. How can I get this function to return match$str so I can save it into a variable for later use? Thanks!

1 month, 3 weeks

zeek-long-connections fails to install with zeek 4.0.6

by Carlos López Martínez

Hi all, I am trying to install zeek-long-connections in a Zeek 4.0.6 under FreeBSD 13 and returns the following errors: root@fbsdmgmt:~ # zpkg install zeek/corelight/zeek-long-connections The following packages will be INSTALLED: zeek/corelight/zeek-long-connections (v1.3.0) Proceed? [Y/n] Running unit tests for "zeek/corelight/zeek-long-connections" error: "zeek/corelight/zeek-long-connections" tests failed, inspect contents of /opt/zeek/var/lib/zkg/testing/zeek-long-connections for details, especially any "zkg.test_command.{stderr,stdout}" files within /opt/zeek/var/lib/zkg/testing/zeek-long-connections/clones/zeek-long-connections Proceed to install anyway? [N/y] Abort. With Zeek 4.0.5 works perfect ... Any idea why fails under Zeek 4.0.6? -- Best regards, C. L. Martinez

1 month, 3 weeks

Subject: Mailing list migration to Discourse

by Johanna Amann

Hi Everyone, You might remember our post about the state of the mailing lists in November 2021 (see https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/VLAAMGVG3NW…), where we proposed to migrate our mailing lists to Discourse. The feedback on this has been universally positive. As a result of this, we are going to migrate all Zeek project mailing lists to Discourse. We expect this migration process to be finished around mid-May. We are going to copy the entire history of all our mailing lists to Discourse – so there will be no loss of information; all posts will still be available. For technical reasons, we are not going to migrate subscription information to discourse. This means that you will have to sign up to our discourse server once it is available, and manually enable notifications for posts if you wish to receive them. We will post an announcement here once the Discourse server is publicly available, and you can sign up to it. At that time we will also put the mailing lists into read-only mode. If you have any questions or concerns about this, either email me directly, or email the Zeek Leadership team at lt(a)zeek.org. Johanna Amann (for the Zeek LT)

2 months

Zeek Newsletter - Issue 17 - April 2022

by richard＠corelight.com

Welcome to the Zeek Newsletter. In this Issue: TL;DR Development Updates Zeek Blog and Mailing List Zeek in the Community Zeek Package Updates Zeek in the Enterprise Upcoming Events Zeek Related Jobs Get Involved TL;DR Please note the security vulnerability in versions of Zeek prior to 4.0.6 and 4.2.1, discussed in Development Updates. Also see the Upcoming Events section for details on free training on May 20. Development Updates On April 21, Tim Wojtulewicz announced the release of Zeek 4.0.6 and Zeek 4.2.1. Both address a security issue. Previous versions of Zeek shipped a vulnerability in the File Transfer Protocol (FTP) analyzer. If an intruder provided specially-crafted input, Zeek might crash due to a buffer overflow condition. Please update to the new versions of Zeek as soon as possible to mitigate this vulnerability. The Zeek Project would like to thank Jason Ish from the Open Information Security Foundation (OISF) for reporting this vulnerability. These new versions of Zeek include other fixes as well. See the release notes for details: https://github.com/zeek/zeek/releases/tag/v4.0.6 https://github.com/zeek/zeek/releases/tag/v4.2.1 Binary packages for the new releases will also be available shortly: https://github.com/zeek/zeek/wiki/Binary-Packages Updated source code is already available: https://zeek.org/get-zeek https://download.zeek.org/zeek-4.0.6.tar.gz https://download.zeek.org/zeek-4.2.1.tar.gz On April 12, Benjamin Bannier published a bug fix for Spicy, version 1.4.1. The code is posted here: https://github.com/zeek/spicy/releases/tag/v1.4.1 Details on the changes are posted here: https://github.com/zeek/spicy/blob/v1.4.1/CHANGES Zeek Blog and Mailing List The mailing list featured several interesting threads. The longest involved how to uninstall Zeek: https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/QTTPW5QYCNO… The blog featured two stories. The first appears in the Upcoming Events section. The second involved Johanna Amann’s notice that ZeekWeek 2022 will be held the week of October 11-14, in Austin, Texas, USA. The project will open a call for presentations soon. For more, see the blog and mailing list archive: https://zeek.org/blog/ https://lists.zeek.org/archives/list/zeek@lists.zeek.org/ Zeek in the Community Richard Bejtlich published two Zeek in Action videos, on March 24 and April 8: Comparing Zeek Connection Logs with NetFlow Records https://www.youtube.com/watch?v=RHAL9tr2gi4 Revisiting NetFlow and Zeek Data https://www.youtube.com/watch?v=BrGHfWkbYlg On April 6, Fatema Bannat Wala hosted a Zeek community call. The recording is here: https://www.youtube.com/watch?v=sFjovzmmrls Keith Jones’ presentation on importing Zeek logs into Elastic is now available: https://www.youtube.com/watch?v=n1x4ShzhAo8 Johanna Amann’s keynote to the 2022 Passive and Active Measurement Conference, titled "Expect the Unexpected: Lessons from a Decade of Passive Network Measurements" is now available: https://youtu.be/CH9Z66EmMdI?t=1706 Zeek Package Updates The following packages recently reported updates (as of April 22), via this search: https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed Update EternalSafety package index file #180 by 0xl3x1 was merged 3 days ago Remove ReservoirLabs packages since their repos have vanished #179 by ckreibich was merged 25 days ago The packages.zeek.org site reported the last 5 updates as of April 22: 4/21/22, 8:34 PM zeek-kafka 4/21/22, 2:50 PM spicy-plugin 4/19/22, 5:18 AM zeek-EternalSafety 4/18/22, 2:27 PM zeek-spicy-openvpn 4/15/22, 5:29 PM zeek-httpattacks Zeek in the Enterprise On April 21 Corelight published a blog post on Detection Windows NFS [Network File System] Portmap Vulnerabilities. https://corelight.com/blog/detecting-windows-nfs-portmap-vulnerabilities Corelight developed and published two Zeek packages to detect attempts to exploit these vulnerabilities: https://github.com/corelight/CVE-2022-24491 https://github.com/corelight/CVE-2022-24497 See the blog post as well for links to packet captures used to test and develop these Zeek packages. Crowdstrike’s Humio Community Edition now features demo data from a Corelight sensor, powered by Zeek. See Ken Greene’s blog post for details: https://www.humio.com/whats-new/blog/corelight-demo-data-now-in-humio-commu… Humio Community Edition is a no-cost, cloud-based offering that accepts up to 16 GB of data ingested per day, with a 7-day retention period. https://www.humio.com/getting-started/community-edition/ Upcoming Events The project is delighted to announce that members of the training team will offer free online training on May 20. The event will consist of two sessions, beginning at 8 am US Pacific Time (3 pm UTC). 8:00 am - 12:00 pm (Pacific Time) Beginner training is aimed at users who have little to no experience with Zeek. Keith Lehigh and Fatema Bannat Wala will introduce basic architecture, show how to run and customize Zeek on the command line, and give guidance on basic log analysis. 1:00pm - 4:30pm (Pacific Time) In this hands-on session, Aashish Sharma will walk attendees through the fundamentals of Zeek scripting and will offer some practical exercises. The training is free but registration is required, on a first-come, first-served basis. If you want to attend both sessions, you must register for both sessions: https://www.eventbrite.com/e/zeek-training-tickets-319863188407 See https://zeek.org/events/ for other events. Zeek Related Jobs The following are a sampling of job opportunities that mention Zeek skills. Sr. Zeek/Bro Engineer Latitude Inc Tysons Corner, VA https://www.linkedin.com/jobs/view/sr-zeek-bro-engineer-at-latitude-inc-298… Lead Engineer - Network Security Target Brooklyn Park, MN https://www.linkedin.com/jobs/view/lead-engineer-network-security-at-target… Senior Consultant, Incident Response (Remote) CrowdStrike Sunnyvale, CA https://www.linkedin.com/jobs/view/senior-consultant-incident-response-remo… For more, see https://www.linkedin.com/jobs/search/?geoId=103644278&keywords=zeek Get Involved If you have any comments or material for the newsletter please email news(a)zeek.org or join the #news Slack channel. https://zeekorg.slack.com The Slack channel has been very active during the past month. Join today! Here is an invitation link: https://join.slack.com/t/zeekorg/shared_invite/zt-12z1pjy93-zuVGuT1BF~yUJJv… Stay up to date by subscribing to the Zeek mailing list: http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek Follow us on Twitter: https://twitter.com/Zeekurity Subscribe to our video channel: https://www.youtube.com/channel/UC1K5-MWaM1XZcEFPCMrmNMw See you next time!

2 months

Zeek bugfix/security releases: 4.0.6 and 4.2.1

by Tim Wojtulewicz

Downloads for Zeek 4.0.6 and Zeek 4.2.1 are available: https://zeek.org/get-zeek https://download.zeek.org/zeek-4.0.6.tar.gz https://download.zeek.org/zeek-4.2.1.tar.gz See the release notes for details of the addressed bugs and security issues: https://github.com/zeek/zeek/releases/tag/v4.0.6 https://github.com/zeek/zeek/releases/tag/v4.2.1 Binary packages for the new releases will also be available shortly: https://github.com/zeek/zeek/wiki/Binary-Packages

2 months, 1 week

spicy plugin , Corelight, and btest

by Jean Luc Couillard

Hi All I need assistance with spicy plugin,the btest failed dad with the error "can't find base/init-bare.zeek" , I did not install zeek because I'm using corelight platform, but should I install zeek, however I did install spicy shortly after the corelight installation. I'm still new in the world of zeeky , I'm ready to create my first plugin but I realized that my environment and btest is not working with the fresh download plugin provide with spicy team. Those 3 projects give the same error: zeek_spicy_openvpn/ zeek-spicy-radius/csv_naive/ those projects compile fine but btest fails , also I had some issue when I installed the plugin : zkg create (failed) zkg test . ( failed) cmake install . ( work) make install . ( work) created .hlto / and copy in corelight modules btest --> [ 0%] analyzer.availability ... failed % 'zeek -NN | grep -qi ANALYZER_SPICY_OpenVPN' failed unexpectedly (exit code 1) % cat .stderr fatal error: can't find base/init-bare.zeek [ 16%] analyzer.openvpn ... failed % 'zeek -C -r ${TRACES}/openvpn.pcap /home/jl/zeek-spicy-openvpn/tests/.tmp/analyzer.openvpn/openvpn.zeek >openvpn.out' failed unexpectedly (exit code 1) % cat .stderr fatal error: can't find base/init-bare.zeek [ 33%] analyzer.openvpnhmac ... failed % 'zeek -C -r ${TRACES}/openvpn_udp_tls-auth.pcap /home/jl/zeek-spicy-openvpn/tests/.tmp/analyzer.openvpnhmac/openvpnhmac.zeek >openvpn.out' failed unexpectedly (exit code 1) % cat .stderr fatal error: can't find base/init-bare.zeek [ 50%] analyzer.openvpnhmac256 ... failed % 'zeek -C -r ${TRACES}/openvpn_udp_hmac_256.pcap /home/jl/zeek-spicy-openvpn/tests/.tmp/analyzer.openvpnhmac256/openvpnhmac256.zeek >openvpn.out' failed unexpectedly (exit code 1) % cat .stderr fatal error: can't find base/init-bare.zeek [ 66%] analyzer.openvpntcp ... failed % 'zeek -C -r ${TRACES}/openvpn_tcp_nontlsauth.pcap /home/jl/zeek-spicy-openvpn/tests/.tmp/analyzer.openvpntcp/openvpntcp.zeek >openvpn.out' failed unexpectedly (exit code 1) % cat .stderr fatal error: can't find base/init-bare.zeek [ 83%] analyzer.openvpntcphmac ... failed % 'zeek -C -r ${TRACES}/openvpn-tcp-tls-auth.pcap /home/jl/zeek-spicy-openvpn/tests/.tmp/analyzer.openvpntcphmac/openvpntcphmac.zeek >openvpn.out' failed unexpectedly (exit code 1) % cat .stderr fatal error: can't find base/init-bare.zeek Thanks *JeanLuc* Software Engineer MedSec +1 305 396 6900 JeanlucCouillard(a)medsec.com <YourEmail(a)medsec.com> -- CONFIDENTIALITY NOTICE: This message (including any attachments) may contain proprietary, business-confidential, and/or privileged material intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

2 months, 1 week

Kafka plugin and Zeek version 4.0.5?

by Kurtis Lawson

Hey Zeekers, I've been running several production instances of Zeek version 3.0.11 with the Kafka library (version 1.4.2) and the older Metreon Kafka Plugin. No problems and it is very stable, but it is time to upgrade to LTS and I've been having serious issues getting a good build of 4.0.5 with a functional Zeek plugin. I have tried the newer (supported?) version of the plugin ( https://github.com/SeisoLLC/zeek-kafka), following the instructions (zkg install seisollc/zeek-kafka --version 1.0.0), and it fails because the 1.0.0 brianch is no longer there. The compile and install works if I leave the version off or specify --main, but it just never tries to send to Kafka. I've tried Kafka library version 1.4.2, which is called out in the docs, and I've even tried the newer stable version 1.6.2. I even tried using the older Metreon plugin on Zeek 4.0.5, which compiles but doesn't pass the zeekctl check. I've tried clean installs from scratch, and upgrades. Does anyone have Zeek 4.0.5 working with the Kafka plugin? My OS is Ubuntu 18.0.4. Kurtis Lawson

2 months, 1 week

Spicy bugfix release 1.4.1

by Benjamin Bannier

The bugfix release spicy-1.4.1 is available[^1]. See the CHANGES file[^2] for a detailed list of changes that went into this release. Thanks to everyone who contributed to making this happen! Cheers, Benjamin [^1]: https://github.com/zeek/spicy/releases/tag/v1.4.1 [^2]: https://github.com/zeek/spicy/blob/v1.4.1/CHANGES

2 months, 2 weeks

uninstalling zeek

by craig bowser

OK, maybe it's cause it's the end of the week and my brain is fried, but I can't find the documentation to uninstall zeek. Basically, I need to remove an old version from one server so I can install a new version somewhere else... a link to the documentation would be great.... thanks zeek version 4.0.1 Craig L Bowser ____________________________ This email is measured by size. Bits and bytes may have settled during transport.

2 months, 2 weeks

Jump to page:

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek