zeek

zeek@lists.zeek.org

4 participants
5475 discussions

by bhavyaraj.chauhan611＠gmail.com

I'm trying to learn zeek signature signature file name: dns.sig signature dns-intel{ ip-proto == udp dst-port == 53 payload /.*life|.*bar/ event "[Suspicious DNS Query]" } Zeek file name: myfirst.zeek event signature_match (state: signature_state, msg: string, data: string) { if (state$sig_id == "dns-intel") { print fmt ("[Suspicious DNS query] %s", state$conn$dns$query) } I'm getting error in line 5 : rule defined twice what's the problem here ?? }

22 hours, 25 minutes

Zeek security/bugfix release: 4.0.2

by Tim Wojtulewicz

Downloads for Zeek 4.0.2 are available: https://zeek.org/get-zeek https://download.zeek.org/zeek-4.0.2.tar.gz See the release notes for details of the addressed bugs and security issues: https://github.com/zeek/zeek/releases/tag/v4.0.2 Binary packages for the new releases will also be available shortly: https://github.com/zeek/zeek/wiki/Binary-Packages

1 week, 3 days

Zeek Stepping Stone analyzer

by Johanna Amann

Hi Everyone, We are considering removing the Stepping Stone analyzer from Zeek. Currently the analyser is deactivated by default (this has been the case since at least release 2.0). It also is basically undocumented, does not work in cluster setups, potentially has a few bugs - and is integrated into the codebase in a bit of an oddball way. We are interested to hear if anyone is actively using the Stepping Stone analyser - and what you are using it for. If you are using it - could you either answer here or to me directly. Thank you, Johanna

1 week, 3 days

REMINDER - ZEEK MONTHLY COMMUNITY CALL - 2 JUNE 2021

by Amber Graner

Hi all, We have our monthly community call tomorrow. It's a quick 30 minute meeting full of updates and opportunities. *2 June 2021 – ZEEK MONTHLY COMMUNITY CALL – 10am Pacific/1pm Eastern *– Join the monthly call to discuss topics related to the growth, governance and administration of the community. *AGENDA:* ======= > Zeek Leadership Team Update > Zeek Technical Update > Zeek Subgroup Update * Documentation * Training * Testing * News > Events * Zeek Webinars * ZeekWeek 2021 *Register at:* https://corelight.zoom.us/meeting/register/tJAqdu6gqzgvG9LqPt_zpfGex7NtR_HW… Please let me know if you have any questions. Thanks, ~Amber

1 week, 4 days

Adding command line option to configuration file

by zeek＠zaminit.com

Hi everyone, Zeek documentation states one way to ignore bad packet checksums is to add '-C' options to the zeek command. I use zeekctl to start the zeek process. Which configuration file and/or variable should I use to specify this option? Regards,

1 week, 5 days

New Ways to Speed Up Zeek Script Execution - Replay now available

by Amber Graner

Hi all, If you missed today's Zeek Webinar on New Ways to Speed Up Zeek Script Execution presented by Vern Paxson, here's the replay link - https://event.webinarjam.com/replay/25/vlq6ytvva69f5qfv1 Thanks, ~Amber

2 weeks, 4 days

Unable to generate Intel log

by Dheeraj Gupta

Hi, I have been reading the Zeek Intel docs ( https://docs.zeek.org/en/master/frameworks/intel.html) and trying to get it to work on my Zeek (4.0.0 on CentOS-7). I have correctly formatted Intel files and a custom script to load them redef Intel::read_files += { "/usr/share/feed/ip.txt", "/usr/share/feed/domain.txt", "/usr/share/feed/email.txt", }; @load frameworks/intel/seen @load frameworks/intel/do_notice On trying to do a DNS query for a known bad domain, nothing gets logged in intel.log or notice.log However, I do get the following entry in reporter.log xxxxxx.xxx Reporter::WARNING failed to convert remote event 'Intel::match_remote' arg #0, got vector, expected record (empty) If anybody has any pointers on how to proceed, I will be grateful. Thanks, Dheeraj

3 weeks, 1 day

ThreatBus or Dovehawk for MISP integration

by Carlos Lopez

Good afternoon, Has anyone used threatbus to integrate MISP IOCs into Zeek? Personally I have used DoveHawk in some installations and the result was satisfactory. This time I have to integrate more than one CTI platform with Zeek and I was thinking of using ThreatBus. Any experiences or problems encountered with ThreatBUS? Or is it better to keep Dovehawk? Many thanks.

3 weeks, 2 days

Zeek Monthly Newsletter - Issue 10 - May 2021 - Now Available

by Amber Graner

Here's the link to the blog post - https://zeek.org/2021/05/19/zeek-monthly-newsletter-issue-10-may-2021/ In this Issue: * Highlights * Zeek Blog * Zeek In The Community * New Zeek Packages * Upcoming Events * Zeek Related Jobs * Volunteer Opportunities * Get Involved Join <http://bit.ly/ZeekOrgSlackInvite> over 1500+ Zeek users and fans in 21 Zeek related Slack channels <http://bit.ly/ZeekOrgSlackInvite> for real-time Q&A, feedback and discussion. ________________________________ Highlights Two new Zeek Subgroups were announced: Training <https://zeek.org/2021/04/27/announcing-the-zeek-training-subgroup/> and Testing <https://zeek.org/2021/04/21/announcing-the-zeek-testing-subgroup/> ‘Zeek in Action’ is a new series of videos that explain how Zeek can be used in real world situations. The first two contributions (with more coming soon): Introduction and How to Set Up a Windows Workstation Using Brim Security <https://zeek.org/2021/04/06/zeek-in-action-introduction-and-how-to-set-up-a…>and Suspected Malware Compromise <https://zeek.org/2021/04/14/welcome-to-zeek-in-action-video-1-suspected-mal…> Zeek in Enterprise Day <https://zeek.org/2021/04/22/zeek-in-enterprise-day/>is scheduled for 16 June 2021, and ZeekWeek 2021 <https://zeek.org/2021/02/03/save-the-date-zeekweek-2021-hybrid-event/> will take place on 13-15 October 2021 in Austin, Texas. Registration and sponsorship information coming soon. ________________________________ Zeek Blog Zeek Monthly Newsletter – Issue 9 – April 2021 - https://zeek.org/2021/04/30/zeek-monthly-newsletter-issue-9-april-2021/ Announcing the Zeek Training Subgroup - https://zeek.org/2021/04/27/announcing-the-zeek-training-subgroup/ Zeek in Enterprise Day - https://zeek.org/2021/04/22/zeek-in-enterprise-day/ Announcing the Zeek Testing Subgroup - https://zeek.org/2021/04/21/announcing-the-zeek-testing-subgroup/ Zeek’s IPSec Protocol Analyzer - https://zeek.org/2021/04/20/zeeks-ipsec-protocol-analyzer/ Welcome to Zeek in Action, Video 1, Suspected Malware Compromise - https://zeek.org/2021/04/14/welcome-to-zeek-in-action-video-1-suspected-mal… Spicy 1.0 — Robust Parsers for Protocols & File Formats - https://zeek.org/2021/04/13/spicy-1-0-robust-parsers-for-protocols-file-for… ZPC-3 Winners Announced - https://zeek.org/2021/04/08/zpc-3-winners-announced/ A Zeek OpenVPN Protocol Analyzer in Spicy - https://zeek.org/2021/04/08/a-zeek-openvpn-protocol-analyzer-in-spicy/ Zeek in Action: Introduction and How to Set Up a Windows Workstation Using Brim Security - https://zeek.org/2021/04/06/zeek-in-action-introduction-and-how-to-set-up-a… Zeek Blog - https://zeek.org/blog/ Zeek Mailing list - April <https://lists.zeek.org/archives/list/zeek@lists.zeek.org/2021/4/> ________________________________ Zeek in the Community Public funds, public code! By Henrik Kramselund Jereminsen - https://www.version2.dk/blog/offentlige-midler-offentlig-kode-1092626 Detect C2 ‘RedXOR’ with state-based functionality - https://corelight.blog/2021/04/20/detect-c2-redxor-with-state-based-functio… Pingback: ICMP Tunneling Malware - https://corelight.blog/2021/05/07/pingback-icmp-tunneling-malware/ H&R Block seeks out open-source expertise for SOC - https://www.scmagazine.com/home/security-news/network-security/hr-block-see… Malcolm v3.1.0 - https://github.com/idaholab/Malcolm/releases Security Onion Documentation printed book now updated for Security Onion 2.3.50! - https://blog.securityonion.net/2021/05/security-onion-documentation-printed… Security Onion 2.3.50 Hotfix available! - https://blog.securityonion.net/2021/05/security-onion-2350-hotfix-available… Security Onion 2.3.50 now available! - https://blog.securityonion.net/2021/04/security-onion-2350-now-available.ht… Security Onion 16.04 has reached End Of Life - https://blog.securityonion.net/2021/04/security-onion-1604-has-reached-end-… OpenCTI Integration and a Mature VAST Plugin Framework (Release 2021.04.29) - https://tenzir.com/blog/release-2021-04-29/ ________________________________ New Zeek Packages Pingback - https://github.com/corelight/pingback ________________________________ Upcoming Events May 27 May 2021 – Zeek Webinar Series – New Ways to Speed Up Zeek Script Execution - 10am Pacific/1pm Eastern – Join Vern Paxson, Founder of Zeek, as he goes over his latest work around compiling-scripts-to-C++. Zeek’s performance depends in part on how quickly the system executes the user’s scripts, as well as the many predefined scripts Zeek makes available. To date, this execution has used a high-level interpreter, which imposes considerable overhead. This talk will sketch two new experimental features for executing scripts much more quickly: compiling them to a low-level form (“ZAM”), and directly to C++. Register at: https://event.webinarjam.com/register/25/x4kmyhmm June 2 June 2021 - Zeek Monthly Community Call - Join the monthly call to discuss topics related to the growth, governance and administration of the community. Register at: https://corelight.zoom.us/meeting/register/tJAqdu6gqzgvG9LqPt_zpfGex7NtR_HW… 8 June 2021 – Zeek Webinar Series – TBA - 10am Pacific/1pm Eastern - Registration link -TBA 16 June 2021 - Zeek in Enterprise Day - 9am-1pm Pacific/12pm - 4pm Eastern - This is a virtual event. Organizations which offer Zeek as part of its commercial solutions will be able to present to the Zeek Community. If you would like to present at this event please see the announcement. Registration link coming soon. 22 June 2021 – Zeek Webinar Series – TBA - 10am Pacific/1pm Eastern - Registration link -TBA October 13-15 October 2021 – ZeekWeek 2021 – Save the date! We are currently planning for an in-person ZeekWeek event in Austin, Texas. Seating will be limited at this event, and we will also have a remote participation option. More information coming soon. Past Webinars for 2021 (replay links) You can see past webinars here <https://zeek.org/zeek-from-home/>. May Community Call Zeek Monthly Community Call - 5 May 2021 - Notes, Links to the Recording and more can be found at: https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/22TCOR5HLJ2… Zeek Webinar Series - This is a bi-weekly webinar series that includes Zeek related presentations, Zeek Q&A and more. We are consolidating the webinars previously known as ‘Ask the Zeekperts’ and ‘Zeek from Home’ into a single series, with a diversity of content planned. About Monthly Zeek Community Call: Monthly calls that are open to everyone to discuss topics related to the growth, governance and administration of the community. These calls ARE recorded. ________________________________ Zeek Related Jobs SOC Lead - https://www.linkedin.com/jobs/view/2382720691 Sr. Zeek/Bro Engineer - https://www.linkedin.com/jobs/view/2430522106 Principal Software Engineer, Security - https://www.linkedin.com/jobs/view/2484370829 Sr. Zeek/Bro Engineer - https://www.linkedin.com/jobs/view/2294604452 Director, Incident Response (Remote) - https://www.linkedin.com/jobs/view/2404837718 Incident Response Specialist - https://www.linkedin.com/jobs/view/2407692778 FedGov Sr. Consultant, Incident Response - https://www.linkedin.com/jobs/view/2484034544 Escalation Engineer - https://www.linkedin.com/jobs/view/2535097439 Director, Applications - https://www.linkedin.com/jobs/view/2493165163 Principal Software Engineer, Security - https://www.linkedin.com/jobs/view/2398741146 Defensive Cyber Operations Network Sensor SME with Security Clearance - https://www.linkedin.com/jobs/view/2554955722 Security Analyst - https://www.linkedin.com/jobs/view/2523781880 And more - https://www.linkedin.com/jobs/search/?currentJobId=2523781880&keywords=zeek ________________________________ Volunteer Opportunities Newsletter - adopt a section, contribute links, help edit, help promote. Find out more information at: https://github.com/zeek/zeek/wiki/News-Group Blog Content - we are always in search of new Zeek content, how to’s and more Interviews - we have a list of people we would like to interview....would you like to get to know people in the community, tell their stories and promote their work? Community Calls - would you like to get involved and help lead these calls? Webinars - Everything from helping to upload to Youtube, write a summary post and help promote. Zeek in Action - is a series of videos for Zeek users and fans. The purpose of the series is to show how analysts can interpret data in Zeek and related formats to solve various networking challenges. Documentation Subgroup - is the group that is responsible for keeping the Zeek Documentation up to date. If you would like to participate in this group, give feedback etc then this is the group for you. Find out more information at: https://github.com/zeek/zeek/wiki/Documentation-Group Training Subgroup - The Zeek training subgroup that will focus on formulating some preliminary goals for Zeek approved training and tackle broader topics in the area of Zeek training. Frequently, we are asked about where people can find Zeek-related training and whether there is a central place to find Zeek-related training content. Hence to address the needs of the community and in general have some training programs that are approved by the Zeek project, we are creating this subgroup to focus on these goals. Find out more information at: https://github.com/zeek/zeek/wiki/Training-Group Testing Subgroup - The goal of the testing subgroup is to stress-test new versions of Zeek with real live traffic from a variety of environments to identify problems and bugs early, to ensure that new Zeek releases are stable and ready for the Zeek community. Find out more information at: https://github.com/zeek/zeek/wiki/Testing-Group If you are interested in helping with any of the above, please let me know. We’ll work with you and help keep it light and easy. Thanks in advance! ________________________________ Get Involved If you are interested in getting involved with the Zeek Newsletter, please email news(a)zeek.org. More information about the newsletter can be found here <https://github.com/zeek/zeek/wiki/News-Group>. Stay up to date by subscribing to the Zeek Mailing List <http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek>. Join the conversation on Slack <http://bit.ly/ZeekOrgSlackInvite>. Follow us on Twitter <https://twitter.com/Zeekurity>

3 weeks, 3 days

Filtering traffic by worker in cluster environments

by Carlos Lopez

Hi all, I have detected a behaviour in my Zeek cluster that I would like to avoid, if it is possible. I am using Zeek 4.0.1 under FreeBSD 13. The problem comes because Zeek detects multiple duplicate packages, as reported to me by bro-doctor: ###################################################################### # Checking if any recent connections have been logged multiple times # ###################################################################### error: 98.80%, 1731 out of 1752 connections appear to be duplicate As you can see, Zeek detects too much duplicated sessions. This is because I have workers monitoring three networks: net1, net2 and net3. On net1,I have services exposed to all my internal networks such as DNS, SMTP, HTTPS ..... These services are consumed from all the networks and I understand that for that reason, Zeek tells me that there are duplicate sessions. My question is: is it possible to filter traffic (using bpf filters) by worker in a cluster environments? Or is it only possible to avoid this situation by deploying Zeek in standalone mode? Best regards, C. L. Martinez

1 month

Jump to page:

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek