From chavez243 at gmail.com Thu Jul 2 08:44:35 2020
From: chavez243 at gmail.com (Rick Chisholm)
Date: Thu, 2 Jul 2020 11:44:35 -0400
Subject: [Zeek] Ripple20
Message-ID:

Zeek seems uniquely positioned to deal with detection of either attack activity or detection of assets with Treck-based IP stacks. Anything like this being done with Zeek as yet?

--
Rick Chisholm
=========================

From vern at corelight.com Thu Jul 2 08:48:54 2020
From: vern at corelight.com (Vern Paxson)
Date: Thu, 02 Jul 2020 08:48:54 -0700
Subject: [Zeek] Ripple20
In-Reply-To:
References:
Message-ID: <3ABB7299-7858-4906-A965-616EFC00E50B@corelight.com>

On 2 Jul 2020, at 8:44, Rick Chisholm wrote:

> Zeek seems uniquely positioned to deal with detection of either attack
> activity or detection of assets with Treck-based IP stacks. Anything like
> this being done with Zeek as yet?

See https://corelight.blog/2020/06/30/ripple20-zeek-package-open-sourced/ !

-- Vern

From daviderobusto at gmail.com Thu Jul 2 08:50:24 2020
From: daviderobusto at gmail.com (Davide Robusto)
Date: Thu, 2 Jul 2020 17:50:24 +0200
Subject: [Zeek] Reporter.log problem with NetControl
Message-ID:

Is it possible to disable the reporter.log of the NetControl framework?

My problem is that when I start a Broker communication with a Python software, I can make the communication work and also actually carry out the command requested in the message. The problem is that reporter.log is created with the following messages:

"
1593701753.778553 Reporter :: WARNING failed to convert remote event 'NetControl :: rule_added' arg # 1, got vector, expected record (empty)
1593701853.778553 Reporter :: WARNING failed to convert remote event 'NetControl :: rule_expire' arg # 1, got vector, expected record (empty)
1593701963.778553 Reporter :: WARNING failed to convert remote event 'NetControl :: rule_timeout' arg # 1, got vector, expected record (empty)
"

repeated hundreds of times for each communication between Zeek and the Broker. For me the warning in reporter.log doesn't mean a real error, but I want to get rid of it; I want to be able to have the reporter free from this error.

Thanks in advance for a future reply.

From chavez243 at gmail.com Thu Jul 2 08:54:21 2020
From: chavez243 at gmail.com (Rick Chisholm)
Date: Thu, 2 Jul 2020 11:54:21 -0400
Subject: [Zeek] Ripple20
In-Reply-To: <3ABB7299-7858-4906-A965-616EFC00E50B@corelight.com>
References: <3ABB7299-7858-4906-A965-616EFC00E50B@corelight.com>
Message-ID:

Fantastic! Thanks.

On Thu, Jul 2, 2020 at 11:48 AM Vern Paxson wrote:

> See https://corelight.blog/2020/06/30/ripple20-zeek-package-open-sourced/ !
>
> -- Vern

--
Rick Chisholm
=========================
From greg.grasmehr at caltech.edu Thu Jul 2 11:09:55 2020
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Thu, 2 Jul 2020 11:09:55 -0700
Subject: [Zeek] Ripple20
In-Reply-To: <3ABB7299-7858-4906-A965-616EFC00E50B@corelight.com>
References: <3ABB7299-7858-4906-A965-616EFC00E50B@corelight.com>
Message-ID: <20200702180955.GG3751@dakine>

This is great, many thanks to the Corelight team for open sourcing this. We're not yet on Zeek in production; happy to report it loaded in Bro 2.6.1.

Greg

On 07/02/20 08:48:54, Vern Paxson wrote:
> See https://corelight.blog/2020/06/30/ripple20-zeek-package-open-sourced/ !
>
> -- Vern
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

From greg at corelight.com Thu Jul 2 17:10:46 2020
From: greg at corelight.com (Gregory Bell)
Date: Thu, 2 Jul 2020 17:10:46 -0700
Subject: [Zeek] Ripple20
In-Reply-To: <20200702180955.GG3751@dakine>
References: <3ABB7299-7858-4906-A965-616EFC00E50B@corelight.com> <20200702180955.GG3751@dakine>
Message-ID:

Glad this is useful. I'm sure Ben - the author - would appreciate feedback, if you have it.

Here are a few other recent packages, all aimed at high-severity CVEs:

Curveball (CVE-2020-0601) - Johanna Amann: https://zeek.org/2020/01/16/detecting-cve-2020-0601-with-zeek/
CallStranger (CVE-2020-12695) - Ryan Victory: https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/
GnuTLS (CVE-2020-13777) - Johanna Amann: https://corelight.blog/2020/06/11/detecting-gnutls-cve-2020-13777-using-zeek/

For those on the community Slack (https://zeek.org/ -> connect -> Slack), note that the #packages channel is another good place to exchange info.

All the best.

- Greg

On Thu, Jul 2, 2020 at 11:12 AM Greg Grasmehr wrote:
> This is great, many thanks to the Corelight team for open sourcing this,
> we're not yet on Zeek in production, happy to report it loaded in Bro 2.6.1
>
> Greg
From akgraner at corelight.com Mon Jul 6 09:31:27 2020
From: akgraner at corelight.com (Amber Graner)
Date: Mon, 6 Jul 2020 12:31:27 -0400
Subject: [Zeek] ASK THE ZEEKSPERTS - Restructuring the Call
Message-ID:

Hi all,

We know everyone's time is valuable and we want everyone to get the most out of our online calls and webinars. ASK THE ZEEKSPERTS is meant to be like Zeek office hours, where you can get help with Zeek in real time. Starting this month we are going to ask for questions in advance. This way we can group similar questions/topics, ensure we have the subject matter experts on the call, and promote what will be answered.

Whether you just learned about Zeek yesterday or have been using it for decades, if you have a question, chances are someone else has the same question. Ask away!

Maybe you're thinking "I have questions, but I'm not sure if this is the right place". Do you have any questions related to any of the following?

- Installing and setting up Zeek
- Getting the most out of the Zeek logs
- Understanding Zeek as a language
- Writing scripts and plugins
- Using Spicy to generate parsers for Zeek
- Getting your Zeek package into the Zeek Package Manager
- Getting the most out of the current Zeek documentation (Where do I find [topic]?)
- Zeek and Sigma
- Zeek Agent
- Zeek and SIEMs
- And anything else you can think of or need help with as it relates to Zeek

So send in those Zeek-related questions and we'll get them scheduled to be answered on one of the ASK THE ZEEKSPERTS calls. We'll let you know in advance what date and time they will be answered, or if any follow-up information is needed (so be sure to give us your name and email address).

You can send your questions to me, drop them in the #webinar channel on Slack, or add them to the following web form: https://forms.gle/z9umcLSvG2s9JK8CA

If we don't get any questions for a particular week then we will cancel the "office hours" for that week. Ideally we'd like to get 8-10 questions for each ASK THE ZEEKSPERTS call.

Thanks,
~Amber

From justin at corelight.com Mon Jul 6 09:44:20 2020
From: justin at corelight.com (Justin Azoff)
Date: Mon, 6 Jul 2020 12:44:20 -0400
Subject: [Zeek] Reporter.log problem with NetControl
In-Reply-To:
References:
Message-ID:

Hmm, that looks like something that needs to be fixed. None of the events that are being sent back from the client are being received properly. You could just ignore those messages, but fixing the events will make all the features work properly and stop the messages.

What version of everything are you using?

On Thu, Jul 2, 2020 at 11:52 AM Davide Robusto wrote:
>
> Is it possible to disable the reporter.log of the NetControl framework?
> My problem is that when I start a Broker communication with a Python software, I can make the communication work and also actually carry out the command requested in the message.
> The problem is that reporter.log is created with the following messages:
> "
>
> 1593701753.778553 Reporter :: WARNING failed to convert remote event 'NetControl :: rule_added' arg # 1, got vector, expected record (empty)
> 1593701853.778553 Reporter :: WARNING failed to convert remote event 'NetControl :: rule_expire' arg # 1, got vector, expected record (empty)
> 1593701963.778553 Reporter :: WARNING failed to convert remote event 'NetControl :: rule_timeout' arg # 1, got vector, expected record (empty)
>
> "
>
> repeated hundreds of times for each communication between Zeek and the Broker.
> For me the warning in reporter.log doesn't mean a real error, but I want to get rid of it; I want to be able to have the reporter free from this error.
>
> Thanks in advance for a future reply.

--
Justin

From daviderobusto at gmail.com Tue Jul 7 00:08:32 2020
From: daviderobusto at gmail.com (Davide Robusto)
Date: Tue, 7 Jul 2020 09:08:32 +0200
Subject: [Zeek] Reporter.log problem with NetControl
In-Reply-To:
References:
Message-ID:

Hi, first of all thanks.

I have Zeek at version 3.0.6, the Broker library at version v1.2.4 (tag), and I compiled and installed the package for Python 3.7.

My communication with Zeek is between a "Broker", which is the Python code on a different machine from where Zeek runs, while Zeek is the client in the communication. The problem is that I can't debug what Zeek wants as a response when it sends the first command, and so on. The reporter is really strange with that sentence because, if I'm not wrong, there isn't a type for record in Python. In the end, when I start the whole system and Zeek and the Python code exchange the messages, all the communication works, so I don't really understand why the reporter goes wild.

On Mon 6 Jul 2020 at 18:44 Justin Azoff wrote:

> Hmm, that looks like something that needs to be fixed. None of the
> events that are being sent back from the client are being received
> properly. You could just ignore those messages, but fixing the events
> will make all the features work properly and stop the messages.
>
> What version of everything are you using?
>
> --
> Justin
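The warnings quoted in this thread are easier to act on once the hundreds of repeated lines are reduced to one entry per broken event argument. The following script is an added example written for this archive page; it is not part of the thread and not code from the zeek-netcontrol project. It parses reporter.log text of the shape quoted above (tolerating the extra spaces around "::" and "#" that the mail archive introduced) and groups the "failed to convert remote event" warnings by event name, argument position and type mismatch. The sample log lines are constructed for the example: the first three copy the thread's lines, the last two are made up to show a repeat and a non-matching reporter line.

```python
"""Summarise 'failed to convert remote event' warnings from a Zeek reporter.log.

Added example (not part of the mailing-list thread or of the zeek-netcontrol
project). It reads reporter.log text and groups the conversion warnings by
event name, argument position and type mismatch, so that a few hundred
repeated lines collapse into one entry per broken event argument.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample. The first three lines copy the shape quoted in the
# thread (including the "Reporter :: WARNING" spacing the mail archive
# introduced); the last two are made up to show a repeat and a non-matching line.
SAMPLE_REPORTER_LOG = """\
1593701753.778553 Reporter :: WARNING failed to convert remote event 'NetControl :: rule_added' arg # 1, got vector, expected record (empty)
1593701853.778553 Reporter :: WARNING failed to convert remote event 'NetControl :: rule_expire' arg # 1, got vector, expected record (empty)
1593701963.778553 Reporter :: WARNING failed to convert remote event 'NetControl :: rule_timeout' arg # 1, got vector, expected record (empty)
1593702053.778553 Reporter::WARNING failed to convert remote event 'NetControl::rule_added' arg #1, got vector, expected record (empty)
1593702100.000000 Reporter::INFO received termination signal (empty)
"""

# Tolerant of the spaces around "::" and "#" that appear in the archived copy.
_CONVERT_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+Reporter\s*::\s*WARNING\s+"
    r"failed to convert remote event\s+'(?P<event>[^']+)'\s+"
    r"arg\s*#\s*(?P<arg>\d+),\s*got\s+(?P<got>\w+),\s*expected\s+(?P<expected>\w+)"
)

Key = Tuple[str, int, str, str]  # (event, arg index, got type, expected type)


def _normalise_event(name: str) -> str:
    """Collapse 'NetControl :: rule_added' to 'NetControl::rule_added'."""
    return re.sub(r"\s*::\s*", "::", name.strip())


def parse_conversion_warnings(text: str) -> List[dict]:
    """Return one dict per conversion warning found in reporter.log text."""
    found = []
    for line in text.splitlines():
        m = _CONVERT_RE.match(line.strip())
        if not m:
            continue  # other reporter levels/messages are not our concern here
        found.append({
            "ts": float(m.group("ts")),
            "event": _normalise_event(m.group("event")),
            "arg": int(m.group("arg")),
            "got": m.group("got"),
            "expected": m.group("expected"),
        })
    return found


def summarize_conversion_warnings(text: str) -> Dict[Key, int]:
    """Count warnings per (event, arg, got, expected) so repeats collapse."""
    counts: Counter = Counter()
    for w in parse_conversion_warnings(text):
        counts[(w["event"], w["arg"], w["got"], w["expected"])] += 1
    return dict(counts)


def render_report(text: str) -> List[str]:
    """Human-readable lines, most frequent mismatch first."""
    summary = summarize_conversion_warnings(text)
    ordered = sorted(summary.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        f"{event} arg #{arg}: {n} warning(s), sender passed {got}, Zeek expects {expected}"
        for (event, arg, got, expected), n in ordered
    ]


if __name__ == "__main__":
    for line in render_report(SAMPLE_REPORTER_LOG):
        print(line)
```

Run it against a real reporter.log by passing the file's contents to `render_report`. Each remaining line names one event and argument position whose encoding on the sending side does not match what Zeek's event declaration expects, which is the list to check against the event signatures rather than something to silence.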
From justin at corelight.com Tue Jul 7 05:26:42 2020
From: justin at corelight.com (Justin Azoff)
Date: Tue, 7 Jul 2020 08:26:42 -0400
Subject: [Zeek] Reporter.log problem with NetControl
In-Reply-To:
References:
Message-ID:

Are you using the zeek-netcontrol package or just broker directly? Looking at how that library does things, sending a message to broker should look something like this:

    args = [broker.Count(pluginid), rawrule, msg]
    ev = broker.zeek.Event("NetControl::broker_rule_added", *args)
    endpoint.publish(queuename, ev)

or just written out as

    ev = broker.zeek.Event("NetControl::broker_rule_added", broker.Count(pluginid), rawrule, msg)
    endpoint.publish(queuename, ev)

On Tue, Jul 7, 2020 at 3:11 AM Davide Robusto wrote:
>
> Hi, first of all thanks.
> I have Zeek at version 3.0.6, the Broker library at version v1.2.4 (tag), and I compiled and installed the package for Python 3.7.
> My communication with Zeek is between a "Broker", which is the Python code on a different machine from where Zeek runs, while Zeek is the client in the communication.
> The problem is that I can't debug what Zeek wants as a response when it sends the first command, and so on. The reporter is really strange with that sentence because, if I'm not wrong, there isn't a type for record in Python. In the end, when I start the whole system and Zeek and the Python code exchange the messages, all the communication works, so I don't really understand why the reporter goes wild.

--
Justin

From daviderobusto at gmail.com Tue Jul 7 05:45:03 2020
From: daviderobusto at gmail.com (Davide Robusto)
Date: Tue, 7 Jul 2020 14:45:03 +0200
Subject: [Zeek] Reporter.log problem with NetControl
In-Reply-To:
References:
Message-ID:

I'm using the netcontrol package, but what I need to send is the "response" to the client that already sent a message to the broker.
Zeek is the client: it sends a message to the broker, and here the broker does the action asked for by Zeek and responds with the status of the command executed. Maybe the problem is in the response that I send from the broker to Zeek in the Python code?

On Tue 7 Jul 2020 at 14:40 Davide Robusto <daviderobusto at gmail.com> wrote:

> I'm using the netcontrol package, but what I need to send is the "response"
> to the client that already sent a message to the broker.
> Zeek is the client: it sends a message to the broker, and here the broker does
> the action asked for by Zeek and responds with the status of the command
> executed.
> Maybe the problem is in the response that I send from the broker to Zeek
> in the Python code?
>
> On Tue 7 Jul 2020, 14:27 Justin Azoff wrote:

From justin at corelight.com Tue Jul 7 05:55:56 2020
From: justin at corelight.com (Justin Azoff)
Date: Tue, 7 Jul 2020 08:55:56 -0400
Subject: [Zeek] Reporter.log problem with NetControl
In-Reply-To:
References:
Message-ID:

On Tue, Jul 7, 2020 at 8:46 AM Davide Robusto wrote:
>
> I'm using the netcontrol package, but what I need to send is the "response" to the client that already sent a message to the broker.
> Zeek is the client: it sends a message to the broker, and here the broker does the action asked for by Zeek and responds with the status of the command executed.
> Maybe the problem is in the response that I send from the broker to Zeek in the Python code?

Sorry, I meant this specifically: https://github.com/zeek/zeek-netcontrol

That project has some Python code for how to receive and respond to the netcontrol events. Not sure if you are using that or if you are using broker directly.

The problem is definitely the response being sent from broker back to Zeek. It's expecting one type of message but getting a different one.

--
Justin

From daviderobusto at gmail.com Tue Jul 7 06:06:41 2020
From: daviderobusto at gmail.com (Davide Robusto)
Date: Tue, 7 Jul 2020 15:06:41 +0200
Subject: [Zeek] Reporter.log problem with NetControl
In-Reply-To:
References:
Message-ID:

Yeah, it's this one that I'm using on the Python side. But how exactly do I tell NetControl that the rule it sent (and is waiting for a response about) was added correctly?

On Tue 7 Jul 2020 at 14:56 Justin Azoff wrote:

> Sorry, I meant this specifically: https://github.com/zeek/zeek-netcontrol
>
> That project has some Python code for how to receive and respond to
> the netcontrol events. Not sure if you are using that or if you are
> using broker directly.
>
> The problem is definitely the response being sent from broker back to
> Zeek. It's expecting one type of message but getting a different one.
>
> --
> Justin

From akgraner at corelight.com Wed Jul 8 07:22:40 2020
From: akgraner at corelight.com (Amber Graner)
Date: Wed, 8 Jul 2020 10:22:40 -0400
Subject: [Zeek] Zeek Monthly Newsletter - Issue 6 - July 2020 - Now Available!
Message-ID:

Zeek Monthly Newsletter - Issue 6 - July 2020 - Now Available!

You can view the blog post at: https://zeek.org/2020/07/08/zeek-monthly-newsletter-issue-6-july-2020/

Below is the plain text version.

++++++++++++++++++++++++++

Issue 6 - July 2020

Welcome to the Zeek Monthly Newsletter! Issue 6 covers June 2020 as well as upcoming events.
_______________________________

In this Issue:
> TL;DR
> Development Updates
> Zeek Blog
> Zeek In The Community
> New Zeek Packages
> Zeek in Enterprise
> Upcoming Events
> Zeek Related Jobs
> Get Involved

______________________________

TL;DR

Three new community packages are now available for detecting CallStranger, GnuTLS CVE-2020-13777, and Ripple20. Notable webinar topics included Security Onion, Brim, Zeek Scripting, Spicy and Corelight's role in the Zeek Community. The Zeek Project, Brim, Security Onion Solutions and Corelight all released software updates in June.

The Zeek LT is soliciting feedback on Zeek governance: https://www.surveymonkey.com/r/zeekgovernancesurvey
More information about upcoming changes to the project governance: http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-June/015382.html

________________________________

Development Updates

Zeek 3.0.7 and 3.1.4 now released (containing security + bug fixes): http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-June/015372.html

More information about project release cadence:
https://github.com/zeek/zeek/wiki/Release-Cadence
https://github.com/zeek/zeek/wiki/Security-Release-Process

________________________________

Zeek Blog

5 June 2020 - Community Call Notes and Recording - Each month we have an open call with the community. This is the summary of the June 2020 call. http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-June/015372.html

7 Dos And Don'ts For Zeek Scripting - In this blog post, Anthony Kasza of Corelight gives an introduction to some of the pitfalls he had to learn about when writing Zeek scripts. Anthony includes code snippets and more. https://zeek.org/2020/06/08/7-dos-and-donts-for-zeek-scripting/

Zeek From Home - Episode 4 - Security Onion (Part 1) - Recording Now Available! - Doug Burks, Founder of Security Onion and CEO of Security Onion Solutions, discussed the history of the project and explained what's new. https://zeek.org/2020/06/09/zeek-from-home-episode-4-security-onion-recording-now-available/

Zeek From Home - Episode 5 - Brim Security - Recording Now Available! - Phil Rzewski, Technical Director, and Steve McCanne, Coding CEO at Brim Security, discussed Brim's open source app and more. https://zeek.org/2020/06/09/zeek-from-home-episode-5-brim-security-recording-now-available/

Zeek Package Contest - ZPC-2 - Winners Announced! - Find out who won ZPC-2 and what packages were submitted. https://zeek.org/2020/06/15/zeek-package-contest-zpc-2-winners-announced/

Zeek From Home - Episode 6 - Zeek Scripting 101 to 495 in 45 Mins. - Recording Now Available! - Aashish Sharma of Berkeley Lab and the Zeek Project Leadership Team made a lively presentation on Zeek Scripting. https://zeek.org/2020/06/17/zeek-from-home-episode-6-zeek-scripting-101-to-495-in-45-mins-recording-now-available/

Zeek From Home - Episode 7 - Spicy - Recording Now Available! - Robin Sommer, CTO of Corelight and the Zeek Project Lead, updated the community on the new Zeek parser generator. https://youtu.be/FZWVbKQyBmM

Zeek From Home - Episode 8 - Corelight's Role in the Zeek Community - Recording Now Available! - Greg Bell, CEO of Corelight, updated the community on Corelight's commitment to support the Zeek Project and its community. https://youtu.be/kgC9nxIqlCc

Zeek Monthly Newsletter - Issue 5 - June 2020 - https://zeek.org/2020/06/18/zeek-monthly-newsletter-issue-5-june-2020/

________________________________

Zeek in the Community

Webcast - On June 25, 2020, John Gamble, Alex Kirk, and Matt Bromiley presented "The Power of Using Network Alerts and Evidence with Open-Source Suricata and Zeek (Bro)". The webcast focused on bringing the power of both FOSS tools together via the Community ID, and shows the power of combining signal + evidence. https://www.sans.org/webcasts/power-fusing-network-alerts-evidence-open-source-suricata-zeek-bro-115855

Webinar - Zeek And Ye Shall Find! -
A Zeek Primer by Fatema Bannat Wala of ESnet - This tutorial was targeted towards the basics of Zeek NSM, helping answer basic questions about architecture, deployment, and value as an open source NSM. https://youtu.be/29SEaMVF7Fg

New versions of Brim (v0.12.0) and zq (v0.16.0) released - JA3 and HASSH fields are now populated in the Zeek logs for encrypted traffic imported into Brim. Several bugs have also been fixed. The Brim downloads page has links for the latest versions for Windows, macOS, and Linux. https://github.com/brimsec/brim/releases and https://github.com/brimsec/zq/releases

Elastic 6.8.10 now available for Security Onion! - https://blog.securityonion.net/2020/06/elastic-6810-now-available-for-security.html

Zeek 3.0.7 now available for Security Onion! - https://blog.securityonion.net/2020/06/zeek-307-now-available-for-security.html

securityonion-sostat - 20120722-0ubuntu0securityonion145 now available for Security Onion! - https://blog.securityonion.net/2020/06/securityonion-sostat-20120722.html

Security Onion Hybrid Hunter Beta 3, Community ID, and Sysmon! - https://blog.securityonion.net/2020/06/security-onion-hybrid-hunter-beta-3.html

Detecting the New CallStranger UPnP Vulnerability With Zeek - Corelight's Ryan Victory explains the motivation behind his new open-source package for detecting the CallStranger exploit. https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/

Detecting GnuTLS CVE-2020-13777 using Zeek - Corelight's Johanna Amann gives a technical description of the GnuTLS CVE-2020-13777 vulnerability, shows how it can be identified in network traffic, and provides a short Zeek script for detection. https://corelight.blog/2020/06/11/detecting-gnutls-cve-2020-13777-using-zeek/

Ripple20 Zeek package open sourced - Corelight's Ben Reardon discusses his new open-source Zeek package that detects the presence of tell-tale signs associated with exploitation of Ripple20. https://corelight.blog/2020/06/30/ripple20-zeek-package-open-sourced/

________________________________

New Zeek Packages
> Detecting the New CallStranger UPnP Vulnerability With Zeek - https://github.com/corelight/callstranger-detector
> Detecting GnuTLS CVE-2020-13777 using Zeek - https://github.com/0xxon/cve-2020-13777
> Ripple20 Zeek package open sourced - https://github.com/corelight/ripple20

________________________________

Zeek In Enterprise

Security Onion Hybrid Hunter 1.4.0 - Beta 3 Available for Testing! - Security Onion Solutions announced the release of "Hybrid Hunter" 1.4.0, AKA Beta 3. In this release, Security Onion Solutions continues to embrace Community ID as a way to correlate different data types. They also sponsored the development of an Elasticsearch Ingest Processor that can automatically generate Community ID values for ANY logs that contain the necessary IP address and port information. https://blog.securityonion.net/2020/06/security-onion-hybrid-hunter-140-beta-3.html

Security Onion Hybrid Hunter 1.4.1 Available for Testing! - https://blog.securityonion.net/2020/07/security-onion-hybrid-hunter-141-now.html

Chocolate and Peanut Butter: Zeek and Suricata - Corelight Chief Product Officer Brian Dye announced a new software release that closely integrates Zeek and Suricata, with three key benefits. https://corelight.blog/2020/06/16/zeek-and-suricata-corelight-v19/

Zeek & Sigma: Fully Compatible for Cross-SIEM Detections - Corelight's Alex Kirk explains how the company teamed up with SOC Prime to integrate Zeek logs with Sigma, a generic signature language that enables cross-SIEM detections from a single toolset. https://corelight.blog/2020/06/25/zeek-sigma-fully-compatible-for-cross-siem-detections/

________________________________

Upcoming Events

July (Events will be updated as we get more information.)

> 9 July 2020 - Brim Webinar - 11am PDT/2pm EDT -
This webinar will cover some of the developer basics (material will be JavaScript-centric as Brim is written with Electron/React). Invite link: https://zoom.us/j/94487542434?pwd=YUh2NDlJVUdJUWRVUWpRU2xrYTIxUT09 > 10 July 2020 ? Monthly Community Call ? Noon PDT/3pm EDT ? This is a recurring call and you will be able to select all upcoming community calls. Registration Link: https://corelight.zoom.us/meeting/register/tJcldO6qrTMrG9Kwsu6_qHsUeAvdjLmMw6-i > 15 July 2020 ? ZEEK FROM HOME ?11am PDT/2pm EDT ? DPD (Dynamic Protocols Detection) and presented by Jan Grashoefer his talk will be based on https://arxiv.org/abs/1912.03962 which is a research paper entitled ?Attacks on Dynamic Protocol Detection of Open Source Network Security Monitoring Tools? Registration Link ? https://corelight.zoom.us/webinar/register/WN_sSTXJPODRSeTGhBrXKZc3Q > 15 July 2020 ? ZEEK COMMUNITY CTF ?1-3pm PDT/4-6pm EDT Registration Link ? https://corelight.zoom.us/meeting/register/tJYqceGgqjwvGNXFYKgLYVQheMs8KhZnCQpu > 22 July 2020 ? ZEEK FROM HOME ?11am PDT/2pm EDT ? Topic and Presenter TBD Registration Link ? https://corelight.zoom.us/webinar/register/WN_W_cJVVykQh-jT6ogoPCKTw > 23 July 2020 ? ASK THE ZEEKSPERTS ? 12:30pm PDT/3:30pm EDT Registration Link ? https://corelight.zoom.us/meeting/register/tJAlce6trjIsHtPe4jx4h12JTEzYhSRdv96w > 29 July 2020 ? ZEEK FROM HOME ?11am PDT/2pm EDT ? JA3 and presented by Jeff Atkinson. Registration Link ? https://corelight.zoom.us/webinar/register/WN_Gjh6eHImT56SUHP6XSs7BA If you know of any Zeek related events that you would like to share with the community in the monthly newsletter, please email news at zeek.org or share on the Zeek mailing list (zeek at zeek.org). About Zeek From Home: A weekly webinar featuring Zeek users, developers and invited guests These presentations ARE recorded and shared with the community. 
https://zeek.org/2020/03/31/zeek-from-home/ About Ask The Zeeksperts: A bi-weekly webinar in which Zeek users, developers and invited guests answer technical questions. The community is invited to ?drop in? to these calls and ask questions. These webinars are NOT recorded (unless otherwise noted). About Zeek Community CTF (Capture the Flag) Events: Players will compete head-to-head on dozens of security challenges using Zeek data using Splunk, Elastic, or CLI tools.. Sign up Today! Game winner will take home bragging rights and a $100 Amazon Gift Card. About Monthly Zeek Community Call: Monthly calls that are open to everyone to discuss topics related to the growth, governance and administration of the community. These calls ARE recorded. ________________________________ Zeek Related Jobs > From Bricata Front End Engineer Position ? https://bricata.com/careers/front-end-engineer-position/ Senior Software Engineer Position ? https://bricata.com/careers/senior-software-engineer-position/ > From Brim Front End Engineer ? https://www.brimsecurity.com/team/front-end-engineer/ >From Corelight Cloud Architect ? https://www.corelight.com/company/careers/2220883 Principal Engineer, CI and Infrastructure ? https://www.corelight.com/company/careers/2220598 > From LinkedIn Sr. Zeek/Bro Engineer ? https://www.linkedin.com/jobs/view/1863997545/ BRO/ZEEK SME Engineer and Programmer with Security Clearance ? https://www.linkedin.com/jobs/view/1935842486/ ZEEK Engineer/ Subject Matter Expert (Active Secret Clearance Desired) ? https://www.linkedin.com/jobs/view/1855505919/ BRO/ZEEK SME Engineer and Programmer with Security Clearance ? https://www.linkedin.com/jobs/view/1903016798/ Cyber Threat Hunter ? Great Benefits & Company Equity (REMOTE) ? https://www.linkedin.com/jobs/view/1898353609/ Cyber Threat Hunter ? Great Benefits & Company Equity (REMOTE) ? https://www.linkedin.com/jobs/view/1898351761/ Senior Cyber Threat Hunter ? Company Equity (REMOTE) ? 
https://www.linkedin.com/jobs/view/1898354628/ Incident Response / Triage Team Lead ? https://www.linkedin.com/jobs/view/1906760359/ Cyber Security Analyst ? https://www.linkedin.com/jobs/view/1926562351/ Strategic Initiatives Lead Analyst ? https://www.linkedin.com/jobs/view/1910034594/ CSIS Cyber Program DevOps Team Lead ? https://www.linkedin.com/jobs/view/1906764185/ ________________________________ Get Involved If you are interested in getting involved with the Zeek Newsletter, please email news at zeek dot org Stay up to date by subscribing to the Zeek Mailing List: http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek Follow us on Twitter: https://twitter.com/zeekurity Join our slack channel: http://bit.ly/ZeekOrgSlackInvite From Joseph.Fischetti at marist.edu Thu Jul 9 06:48:25 2020 From: Joseph.Fischetti at marist.edu (Joseph Fischetti) Date: Thu, 9 Jul 2020 13:48:25 +0000 Subject: [Zeek] Memory usage climbs and never recovers Message-ID: Hi All, Rather than resurrect an old thread that I had I wanted to start a new one. Our cluster has been mostly stable thanks to some suggestions (thanks Justin!). That said, we're still getting out of hand memory consumption and eventual swap usage. The (2) workers are bare metal, fully populated with 24 x 16GB memory modules. Attached is the relevant parts of node.cfg [1] (note, we WERE pinning the CPU's but had a terrible time getting things to start up with them that way, so now we're not. Packet loss and CPU usage is well within the acceptable range) [2]. The memory usage isn't what's confusing so much as the fact that it just never comes back down. Where should we look? 
========================
[1]
-------------
[worker-1]
type=worker
host=HOST_A
lb_method=custom
lb_procs=10
#pin_cpus=1,2,3,4,5,6,7,8,9,10
interface=myricom::eth4
env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
#
[worker-2]
type=worker
host=HOST_B
lb_method=custom
lb_procs=10
#pin_cpus=1,2,3,4,5,6,7,8,9,10
interface=myricom::eth4
env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
[worker-3]
type=worker
host=HOST_A
lb_method=custom
lb_procs=10
#pin_cpus=18,19,20,21,22,23,24,25,26,27
interface=myricom::eth5
env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
#
[worker-4]
type=worker
host=HOST_B
lb_method=custom
lb_procs=10
#pin_cpus=18,19,20,21,22,23,24,25,26,27
interface=myricom::eth5
env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
#
-----------------
[2]
(uptime - since Jul 2)
worker-1 dropped=39637970 rx=12144046412 0.33%
worker-2 dropped=13113250 rx=6088981004 0.22%
worker-3 dropped=0 rx=830605595 0.00%
worker-4 dropped=0 rx=781722953 0.00%

Totals dropped=52751220 rx=19845355964 0.27%

From justin at corelight.com Thu Jul 9 08:07:58 2020
From: justin at corelight.com (Justin Azoff)
Date: Thu, 9 Jul 2020 11:07:58 -0400
Subject: [Zeek] Memory usage climbs and never recovers

Are you building zeek against jemalloc?
This plugin I put together for zeekctl makes it easy to enable jemalloc profiling and really understand the memory usage: https://github.com/JustinAzoff/zeek-jemalloc-profiling

Sometimes the memory just doesn't go down because malloc doesn't necessarily return freed memory to the OS. I think jemalloc will, but might not if swap is enabled on the host.

On Thu, Jul 9, 2020 at 9:51 AM Joseph Fischetti wrote:
> Hi All,
>
> Rather than resurrect an old thread that I had I wanted to start a new one.
>
> Our cluster has been mostly stable thanks to some suggestions (thanks
> Justin!).
>
> That said, we're still getting out of hand memory consumption and eventual
> swap usage. The (2) workers are bare metal, fully populated with 24 x 16GB
> memory modules. Attached are the relevant parts of node.cfg [1] (note, we
> WERE pinning the CPUs but had a terrible time getting things to start up
> with them that way, so now we're not. Packet loss and CPU usage is well
> within the acceptable range) [2].
>
> The memory usage isn't what's confusing so much as the fact that it just
> never comes back down.
>
> Where should we look?
>
> ========================
> [1]
> -------------
> [worker-1]
> type=worker
> host=HOST_A
> lb_method=custom
> lb_procs=10
> #pin_cpus=1,2,3,4,5,6,7,8,9,10
> interface=myricom::eth4
> env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
> #
> [worker-2]
> type=worker
> host=HOST_B
> lb_method=custom
> lb_procs=10
> #pin_cpus=1,2,3,4,5,6,7,8,9,10
> interface=myricom::eth4
> env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
>
> [worker-3]
> type=worker
> host=HOST_A
> lb_method=custom
> lb_procs=10
> #pin_cpus=18,19,20,21,22,23,24,25,26,27
> interface=myricom::eth5
> env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
> #
> [worker-4]
> type=worker
> host=HOST_B
> lb_method=custom
> lb_procs=10
> #pin_cpus=18,19,20,21,22,23,24,25,26,27
> interface=myricom::eth5
> env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
> #
> -----------------
> [2]
> (uptime - since Jul 2)
> worker-1 dropped=39637970 rx=12144046412 0.33%
> worker-2 dropped=13113250 rx=6088981004 0.22%
> worker-3 dropped=0 rx=830605595 0.00%
> worker-4 dropped=0 rx=781722953 0.00%
>
> Totals dropped=52751220 rx=19845355964 0.27%
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

--
Justin
From Joseph.Fischetti at marist.edu Thu Jul 9 08:19:39 2020
From: Joseph.Fischetti at marist.edu (Joseph Fischetti)
Date: Thu, 9 Jul 2020 15:19:39 +0000
Subject: [Zeek] Memory usage climbs and never recovers

Negative, perhaps I should?

bro at bro-master-1:/opt/zeek/etc$ zeekctl jeprof.check
Warning: ZeekControl plugin uses legacy BroControl API. Use 'import ZeekControl.plugin' instead of 'import BroControl.plugin'
Error: unknown command 'jeprof.check'

Wouldn't others experience the same issues if the software just didn't behave as expected? Is it that we're undersized (and still eventually get to the point where the memory is needed)? Should I remove swap (so that it just starts dropping things rather than consuming swap?)

From: Justin Azoff
Sent: Thursday, July 9, 2020 11:08 AM
To: Joseph Fischetti
Cc: zeek at zeek.org
Subject: Re: [Zeek] Memory usage climbs and never recovers

[EXTERNAL EMAIL]

Are you building zeek against jemalloc?

This plugin I put together for zeekctl makes it easy to enable jemalloc profiling and really understand the memory usage: https://github.com/JustinAzoff/zeek-jemalloc-profiling

Sometimes the memory just doesn't go down because malloc doesn't necessarily return freed memory to the OS. I think jemalloc will, but might not if swap is enabled on the host.

On Thu, Jul 9, 2020 at 9:51 AM Joseph Fischetti wrote:

Hi All,

Rather than resurrect an old thread that I had I wanted to start a new one.

Our cluster has been mostly stable thanks to some suggestions (thanks Justin!).

That said, we're still getting out of hand memory consumption and eventual swap usage. The (2) workers are bare metal, fully populated with 24 x 16GB memory modules. Attached are the relevant parts of node.cfg [1] (note, we WERE pinning the CPUs but had a terrible time getting things to start up with them that way, so now we're not. Packet loss and CPU usage is well within the acceptable range) [2].

The memory usage isn't what's confusing so much as the fact that it just never comes back down.

Where should we look?

========================
[1]
-------------
[worker-1]
type=worker
host=HOST_A
lb_method=custom
lb_procs=10
#pin_cpus=1,2,3,4,5,6,7,8,9,10
interface=myricom::eth4
env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
#
[worker-2]
type=worker
host=HOST_B
lb_method=custom
lb_procs=10
#pin_cpus=1,2,3,4,5,6,7,8,9,10
interface=myricom::eth4
env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
[worker-3]
type=worker
host=HOST_A
lb_method=custom
lb_procs=10
#pin_cpus=18,19,20,21,22,23,24,25,26,27
interface=myricom::eth5
env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
#
[worker-4]
type=worker
host=HOST_B
lb_method=custom
lb_procs=10
#pin_cpus=18,19,20,21,22,23,24,25,26,27
interface=myricom::eth5
env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
#
-----------------
[2]
(uptime - since Jul 2)
worker-1 dropped=39637970 rx=12144046412 0.33%
worker-2 dropped=13113250 rx=6088981004 0.22%
worker-3 dropped=0 rx=830605595 0.00%
worker-4 dropped=0 rx=781722953 0.00%

Totals dropped=52751220 rx=19845355964 0.27%

--
Justin
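The netstats figures and the node.cfg excerpt quoted in this thread, re-checked by an added example script (not code from any poster, nor from zeekctl itself): it recomputes the per-worker and total drop rates from the dropped/rx counters, confirms the reported Totals line matches the per-worker sums, flags workers above a drop threshold, and sums lb_procs per host to show how much of the 24 x 16 GB each worker process on a box can claim before the host starts swapping. The sample inputs are constructed from the numbers in the thread (node.cfg trimmed to the keys the script reads); the 0.5% threshold and the even RAM split per process are assumptions for illustration.

```python
"""Re-check zeekctl netstats figures and node.cfg worker layout.

Added example, not code from any poster or from zeekctl.  Sample inputs are
constructed from the numbers quoted in the thread; the 0.5% drop threshold
and the even RAM split per worker process are assumptions for illustration.
"""
import configparser
import re
from collections import defaultdict

# Constructed from the "[2]" netstats output quoted in the thread.
NETSTATS = """\
(uptime - since Jul 2)
worker-1 dropped=39637970 rx=12144046412 0.33%
worker-2 dropped=13113250 rx=6088981004 0.22%
worker-3 dropped=0 rx=830605595 0.00%
worker-4 dropped=0 rx=781722953 0.00%

Totals dropped=52751220 rx=19845355964 0.27%
"""

# Constructed from the "[1]" node.cfg excerpt in the thread, trimmed to the
# keys read here; "#" lines are comments, as in the original file.
NODE_CFG = """\
[worker-1]
type=worker
host=HOST_A
lb_procs=10
#pin_cpus=1,2,3,4,5,6,7,8,9,10
interface=myricom::eth4
#
[worker-2]
type=worker
host=HOST_B
lb_procs=10
interface=myricom::eth4
[worker-3]
type=worker
host=HOST_A
lb_procs=10
#pin_cpus=18,19,20,21,22,23,24,25,26,27
interface=myricom::eth5
#
[worker-4]
type=worker
host=HOST_B
lb_procs=10
interface=myricom::eth5
"""

LINE_RE = re.compile(r"^(?P<node>\S+)\s+dropped=(?P<dropped>\d+)\s+rx=(?P<rx>\d+)")


def parse_netstats(text):
    """Return ({node: (dropped, rx)}, totals) from 'name dropped=N rx=N' lines.
    Non-matching lines (uptime note, blanks) are skipped; the Totals line is
    kept apart so it can be checked against the per-node sums."""
    nodes, totals = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pair = (int(m["dropped"]), int(m["rx"]))
        if m["node"] == "Totals":
            totals = pair
        else:
            nodes[m["node"]] = pair
    return nodes, totals


def drop_pct(dropped, rx):
    """Drop rate in percent; a worker that has seen no packets counts as 0.0."""
    return 100.0 * dropped / rx if rx else 0.0


def summarize(text, threshold_pct=0.5):
    """Per-node and total drop rates, nodes above the (assumed) threshold, and
    whether the reported Totals line agrees with the per-node sums."""
    nodes, totals = parse_netstats(text)
    per_node = {n: drop_pct(d, r) for n, (d, r) in nodes.items()}
    dropped = sum(d for d, _ in nodes.values())
    rx = sum(r for _, r in nodes.values())
    return {
        "per_node": per_node,
        "total_dropped": dropped,
        "total_rx": rx,
        "total_pct": drop_pct(dropped, rx),
        "over_threshold": sorted(n for n, p in per_node.items() if p > threshold_pct),
        "totals_consistent": totals is None or totals == (dropped, rx),
    }


def procs_per_host(cfg_text):
    """Sum lb_procs of every worker section per host: each is one Zeek process."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    procs = defaultdict(int)
    for section in cfg.sections():
        if cfg.get(section, "type", fallback="") == "worker":
            procs[cfg.get(section, "host")] += cfg.getint(section, "lb_procs", fallback=1)
    return dict(procs)


def ram_budget_per_proc_gb(cfg_text, host_ram_gb):
    """Even split of a host's RAM across its worker processes (ignores the OS,
    manager, proxy and logger): the ceiling before the host starts swapping."""
    return {h: host_ram_gb / n for h, n in procs_per_host(cfg_text).items()}


if __name__ == "__main__":
    s = summarize(NETSTATS)
    for node, pct in s["per_node"].items():
        print(f"{node}: {pct:.2f}%")
    print(f"Totals: {s['total_pct']:.2f}% (reported line consistent: {s['totals_consistent']})")
    for host, gb in ram_budget_per_proc_gb(NODE_CFG, 24 * 16).items():
        print(f"{host}: {gb:.1f} GB per worker process")
```

With 20 lb_procs per host and 384 GB, each worker process has roughly 19 GB before swap is touched; the point of the per-host sum is that memory sizing has to be done against the number of Zeek processes on a box, not the number of node.cfg sections.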
From akgraner at corelight.com Thu Jul 9 08:38:01 2020
From: akgraner at corelight.com (akgraner at corelight.com)
Date: Thu, 09 Jul 2020 15:38:01 +0000
Subject: [Zeek] Canceled event with note: Reoccurring Zeek Community Call @ Fri Jul 10, 2020 3pm - 3:45pm (EDT) (zeek@zeek.org)
Message-ID: <0000000000006ffd0605aa0402f2@google.com>

This event has been canceled with this note: "Added Agenda and updated the link."

Title: Reoccurring Zeek Community Call

AGENDA
* ZPC-3 - Launches on 15 July (Show the Challenge Coins)
* Virtual ZeekWeek - Go over proposed schedule and see who is interested in participating and/or attending
* Ask The Zeeksperts - New Structure
* Feedback on Governance Proposal - Go over non-code contributions
* Other - Topic Suggestions from the Community

Registration
The link has been updated: Register in advance for this meeting:
https://corelight.zoom.us/meeting/register/tJcldO6qrTMrG9Kwsu6_qHsUeAvdjLmMw6-i
After registering, you will receive a confirmation email containing information about joining the meeting.

When: Fri Jul 10, 2020 3pm - 3:45pm Eastern Time - New York
Where: https://corelight.zoom.us/webinar/register/WN_lJ9VY2I_RMi_b4VcH4KIhw
Calendar: zeek at zeek.org
Who:
* akgraner at corelight.com - organizer

From akgraner at corelight.com Thu Jul 9 08:49:27 2020
From: akgraner at corelight.com (Amber Graner)
Date: Thu, 9 Jul 2020 11:49:27 -0400
Subject: [Zeek] [Reminder] - Monthly Community Call - July

Hi all,

We have our monthly community call tomorrow, 10 July 2020 - Noon PDT/3pm EDT. If you have a topic suggestion that you would like to see added to the agenda, please let me know.

AGENDA
* ZPC-3 - Launches on 15 July (Show the Challenge Coins)
* Virtual ZeekWeek - Go over the proposed schedule and see who is interested in participating and/or attending.
* Ask The Zeeksperts - New Structure
* Feedback on Governance Proposal - Go over non-code ways to contribute and get involved
* Other - Topic Suggestions from the Community

REGISTRATION
Register in advance for this meeting:
https://corelight.zoom.us/meeting/register/tJcldO6qrTMrG9Kwsu6_qHsUeAvdjLmMw6-i
After registering, you will receive a confirmation email containing information about joining the meeting.
PARTICIPATION
If you would be interested in getting involved and helping out with these calls, please let me know.

Thanks,
~Amber

From cpearson at uidaho.edu Thu Jul 9 09:26:27 2020
From: cpearson at uidaho.edu (Pearson, Carl (cpearson@uidaho.edu))
Date: Thu, 9 Jul 2020 16:26:27 +0000
Subject: [Zeek] Memory usage climbs and never recovers

Hi Joseph,

We had similar memory utilization when we first deployed Zeek; our usage graph was like yours. We ended up disabling the scan detection script in local.zeek and memory usage stabilized afterwards. If you are loading the scan script, it might be worth disabling it and seeing if it makes a difference?

Changing @load misc/scan to #@load misc/scan in //share/zeek/site/local.zeek stops the script from loading when Zeek starts.

Carl Pearson | IT Security Analyst | University of Idaho
(208) 885-0957 | 875 Perimeter Drive MS 3155 | Moscow, ID 83844

From: zeek-bounces at zeek.org On Behalf Of Joseph Fischetti
Sent: Thursday, July 9, 2020 08:20
To: Justin Azoff
Cc: zeek at zeek.org
Subject: Re: [Zeek] Memory usage climbs and never recovers

Negative, perhaps I should?

bro at bro-master-1:/opt/zeek/etc$ zeekctl jeprof.check
Warning: ZeekControl plugin uses legacy BroControl API. Use 'import ZeekControl.plugin' instead of 'import BroControl.plugin'
Error: unknown command 'jeprof.check'

Wouldn't others experience the same issues if the software just didn't behave as expected? Is it that we're undersized (and still eventually get to the point where the memory is needed)? Should I remove swap (so that it just starts dropping things rather than consuming swap?)

From: Justin Azoff
Sent: Thursday, July 9, 2020 11:08 AM
To: Joseph Fischetti
Cc: zeek at zeek.org
Subject: Re: [Zeek] Memory usage climbs and never recovers

[EXTERNAL EMAIL]

Are you building zeek against jemalloc?

This plugin I put together for zeekctl makes it easy to enable jemalloc profiling and really understand the memory usage: https://github.com/JustinAzoff/zeek-jemalloc-profiling

Sometimes the memory just doesn't go down because malloc doesn't necessarily return freed memory to the OS. I think jemalloc will, but might not if swap is enabled on the host.

On Thu, Jul 9, 2020 at 9:51 AM Joseph Fischetti wrote:

Hi All,

Rather than resurrect an old thread that I had I wanted to start a new one.

Our cluster has been mostly stable thanks to some suggestions (thanks Justin!).

That said, we're still getting out of hand memory consumption and eventual swap usage. The (2) workers are bare metal, fully populated with 24 x 16GB memory modules. Attached are the relevant parts of node.cfg [1] (note, we WERE pinning the CPUs but had a terrible time getting things to start up with them that way, so now we're not. Packet loss and CPU usage is well within the acceptable range) [2].

The memory usage isn't what's confusing so much as the fact that it just never comes back down.

Where should we look?

========================
[1]
-------------
[worker-1]
type=worker
host=HOST_A
lb_method=custom
lb_procs=10
#pin_cpus=1,2,3,4,5,6,7,8,9,10
interface=myricom::eth4
env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
#
[worker-2]
type=worker
host=HOST_B
lb_method=custom
lb_procs=10
#pin_cpus=1,2,3,4,5,6,7,8,9,10
interface=myricom::eth4
env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
[worker-3]
type=worker
host=HOST_A
lb_method=custom
lb_procs=10
#pin_cpus=18,19,20,21,22,23,24,25,26,27
interface=myricom::eth5
env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
#
[worker-4]
type=worker
host=HOST_B
lb_method=custom
lb_procs=10
#pin_cpus=18,19,20,21,22,23,24,25,26,27
interface=myricom::eth5
env_vars=SNF_APP_ID=1,SNF_DATARING_SIZE=8192MB,SNF_DESCRING_SIZE=4096MB,SNF_DEBUG_MASK=3
#
-----------------
[2]
(uptime - since Jul 2)
worker-1 dropped=39637970 rx=12144046412 0.33%
worker-2 dropped=13113250 rx=6088981004 0.22%
worker-3 dropped=0 rx=830605595 0.00%
worker-4 dropped=0 rx=781722953 0.00%

Totals dropped=52751220 rx=19845355964 0.27%

--
Justin
From greg.grasmehr at caltech.edu Fri Jul 10 11:01:34 2020
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Fri, 10 Jul 2020 11:01:34 -0700
Subject: [Zeek] Ripple20
Message-ID: <20200710180134.GL3192@dakine>

Hello,

I was wondering if anyone could provide an idea of how prone this is to false positives?

Thanks!

Greg

On 07/02/20 11:44:35, Rick Chisholm wrote:
> Zeek seems uniquely positioned to deal with detection of either attack
> activity or detection of assets with Treck-based IP stacks. Anything like
> this being done with Zeek as yet?
>
> --
> Rick Chisholm
> =========================

From bramiejim at gmail.com Fri Jul 10 11:24:32 2020
From: bramiejim at gmail.com (jamie brim)
Date: Fri, 10 Jul 2020 14:24:32 -0400
Subject: [Zeek] Ripple20
In-Reply-To: <20200710180134.GL3192@dakine>
References: <20200710180134.GL3192@dakine>

hi greg, i was chatting with ben (the author) about this last night.

per ben: there are actually two types of detections, medium fidelity detections (Treck_TCP_observed), and high fidelity detections (the others). medium fidelity means that there could well be FP detected there. however, if a device has more than one medium fidelity notice type, then it is more likely to be a true positive. for this reason, by default all notices are enabled.

if the medium fidelity notices are too noisy you can disable them in scripts/config.zeek with enable_medium_fidelity_notices = F.

hope this helps,
jamie

On Fri, Jul 10, 2020 at 2:04 PM Greg Grasmehr wrote:
>
> Hello,
>
> I was wondering if anyone could provide an idea of how prone this is to
> false positives?
>
> Thanks!
>
> Greg
>
> On 07/02/20 11:44:35, Rick Chisholm wrote:
> > Zeek seems uniquely positioned to deal with detection of either attack
> > activity or detection of assets with Treck-based IP stacks. Anything like
> > this being done with Zeek as yet?
> >
> > --
> > Rick Chisholm
> > =========================

From bramiejim at gmail.com Fri Jul 10 11:29:32 2020
From: bramiejim at gmail.com (jamie brim)
Date: Fri, 10 Jul 2020 14:29:32 -0400
Subject: [Zeek] Ripple20
References: <20200710180134.GL3192@dakine>

sorry, i forgot to mention Treck_IP_in_IP_outer_packet_observed is medium as well

On Fri, Jul 10, 2020 at 2:24 PM jamie brim wrote:
> hi greg, i was chatting with ben (the author) about this last night.
>
> per ben: there are actually two types of detections, medium fidelity
> detections (Treck_TCP_observed), and high fidelity detections (the others).
> medium fidelity means that there could well be FP detected there. however,
> if a device has more than one medium fidelity notice type, then it is more
> likely to be a true positive. for this reason, by default all notices are
> enabled.
>
> if the medium fidelity notices are too noisy you can disable them in
> scripts/config.zeek with enable_medium_fidelity_notices = F.
>
> hope this helps,
> jamie
>
> On Fri, Jul 10, 2020 at 2:04 PM Greg Grasmehr wrote:
> >
> > Hello,
> >
> > I was wondering if anyone could provide an idea of how prone this is to
> > false positives?
> >
> > Thanks!
> >
> > Greg
> >
> > On 07/02/20 11:44:35, Rick Chisholm wrote:
> > > Zeek seems uniquely positioned to deal with detection of either attack
> > > activity or detection of assets with Treck-based IP stacks. Anything like
> > > this being done with Zeek as yet?
> > >
> > > --
> > > Rick Chisholm
> > > =========================

From greg.grasmehr at caltech.edu Fri Jul 10 11:33:24 2020
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Fri, 10 Jul 2020 11:33:24 -0700
Subject: [Zeek] Ripple20
References: <20200710180134.GL3192@dakine>
Message-ID: <20200710183324.GO3192@dakine>

Great, thank you for this info, very helpful indeed.

Greg

On 07/10/20 14:29:32, jamie brim wrote:
> sorry, i forgot to mention Treck_IP_in_IP_outer_packet_observed is medium
> as well
>
> On Fri, Jul 10, 2020 at 2:24 PM jamie brim wrote:
>
> > hi greg, i was chatting with ben (the author) about this last night.
> >
> > per ben: there are actually two types of detections, medium fidelity
> > detections (Treck_TCP_observed), and high fidelity detections (the others).
> > medium fidelity means that there could well be FP detected there. however,
> > if a device has more than one medium fidelity notice type, then it is more
> > likely to be a true positive. for this reason, by default all notices are
> > enabled.
> >
> > if the medium fidelity notices are too noisy you can disable them in
> > scripts/config.zeek with enable_medium_fidelity_notices = F.
> >
> > hope this helps,
> > jamie

From greg.grasmehr at caltech.edu Fri Jul 10 17:30:55 2020
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Fri, 10 Jul 2020 17:30:55 -0700
Subject: [Zeek] pf_ring
Message-ID: <20200711003055.GE30485@dakine>

Hello Zeek Community,

I know there is a penchant for those in this community to recommend af_packet over pf_ring - which is fine. Even so, I just want to say using pf_ring, especially if you are an EDU, makes perfect sense and it is super high performance.

I have set up Zeek monitoring on a single Zeek-in-a-box using Fiberblaze FPGA and pf_ring. Zeek is easily keeping up with bursts of traffic up to 12 Gbps with very minimal packet loss, less than 1% if I am not utilizing Dumbno to shunt traffic; using Dumbno to shunt traffic causes Zeek to report increased packet loss, which makes perfect sense.

I recommend pf_ring for certain, and if you want to utilize a less expensive Intel FPGA, pf_ring ZC.

--
Sincerely,

Greg Grasmehr
Lead Information Security Analyst
California Institute of Technology (Caltech)
GPGMe: 38E2 F9BD A95E 9824 20AB 331A 9E29 D1A1 AAEE 5F42
http://keys.gnupg.net/pks/lookup?search=0x9E29D1A1AAEE5F42

From greg.grasmehr at caltech.edu Fri Jul 10 17:39:00 2020
From: greg.grasmehr at caltech.edu (Greg Grasmehr)
Date: Fri, 10 Jul 2020 17:39:00 -0700
Subject: [Zeek] pf_ring
In-Reply-To: <20200711003055.GE30485@dakine>
References: <20200711003055.GE30485@dakine>
Message-ID: <20200711003900.GF30485@dakine>

I'm sorry, s/12/17/ for the Gbps bursts, my bad!

On 07/10/20 17:30:55, Greg Grasmehr wrote:
> Hello Zeek Community,
>
> I know there is a penchant for those in this community to recommend
> af_packet over pf_ring - which is fine. Even so, I just want to say
> using pf_ring, especially if you are an EDU, makes perfect sense and it
> is super high performance.
>
> I have set up Zeek monitoring on a single Zeek-in-a-box using Fiberblaze
> FPGA and pf_ring. Zeek is easily keeping up with bursts of traffic up
> to 12 Gbps with very minimal packet loss, less than 1% if I am not
> utilizing Dumbno to shunt traffic; using Dumbno to shunt traffic causes
> Zeek to report increased packet loss, which makes perfect sense.
>
> I recommend pf_ring for certain, and if you want to utilize a less
> expensive Intel FPGA, pf_ring ZC.
>
> --
> Sincerely,
>
> Greg Grasmehr
> Lead Information Security Analyst
> California Institute of Technology (Caltech)
> GPGMe: 38E2 F9BD A95E 9824 20AB 331A 9E29 D1A1 AAEE 5F42
> http://keys.gnupg.net/pks/lookup?search=0x9E29D1A1AAEE5F42

From iyuvalk at gmail.com Mon Jul 13 07:28:23 2020
From: iyuvalk at gmail.com (Yuval Khalifa)
Date: Mon, 13 Jul 2020 17:28:23 +0300
Subject: [Zeek] PostgreSQL traffic analyzer script

Hi,

I'm using Zeek for quite some time now and I must say that it is one of the best IDSs out there today. Thanks a lot for all the hard work!!

I know and use Zeek's ability to extract mysql commands, users, row counts and status from the network traffic. Is it possible to do the same for PostgreSQL? If not, how complicated do you think it would be for me to implement it?

Thanks in advance,
Yuval.

From mus3 at lehigh.edu Tue Jul 14 05:25:28 2020
From: mus3 at lehigh.edu (Munroe Sollog)
Date: Tue, 14 Jul 2020 08:25:28 -0400
Subject: [Zeek] Zeek-agent and dns queries

Is it possible to configure the zeek-agent to listen on udp 53 and log/analyze/categorize dns queries to the host (the example host would be a dns server)?
Or I guess more generally, can the zeek-agent listen to a network interface and treat it more like a remote sensor for zeek?

--
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200714/25471bf5/attachment.html

From bramiejim at gmail.com Tue Jul 14 05:46:46 2020
From: bramiejim at gmail.com (jamie brim)
Date: Tue, 14 Jul 2020 08:46:46 -0400
Subject: [Zeek] Zeek-agent and dns queries
In-Reply-To:
References:
Message-ID:

zeek-agent doesn't do this. zeek-agent leverages operating system facilities like mac os's endpoint security framework and linux's audit system to provide host process activity. underway is work to collect file writes and network activity (connections, not full DPI), but a zeek remote sensor is not on the zeek-agent roadmap that i'm aware of. the agent is intended to complement zeek's network vantage point with endpoint specific telemetry, not provide a secondary network collection point.

On Tue, Jul 14, 2020 at 8:27 AM Munroe Sollog wrote:
> Is it possible to configure the zeek-agent to listen on udp 53 and
> log/analyze/categorize dns queries to the host (the example host would be a
> dns server). Or I guess more generally, can the zeek-agent listen to a
> network interface and treat it more like a remote sensor for zeek?
>
>
> --
> Munroe Sollog
> Senior Network Engineer
> munroe at lehigh.edu
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200714/63b638f1/attachment.html

From akgraner at corelight.com Wed Jul 15 06:08:37 2020
From: akgraner at corelight.com (Amber Graner)
Date: Wed, 15 Jul 2020 09:08:37 -0400
Subject: [Zeek] Community Capture the Flag Event TODAY - 15 July 2020
Message-ID:

Hi all,

Just a reminder we have our monthly Community CTF happening today, 15 July 2020, from 1-3pm Pacific/4-6pm Eastern if you'd like to join.

Players will compete head-to-head on dozens of security challenges using Zeek data in both Splunk and Elastic. Players can also use open-source Zeek tools on a CLI. Winner takes home a $100 Amazon gift card.

Sign up today at: https://corelight.zoom.us/meeting/register/tJYqceGgqjwvGNXFYKgLYVQheMs8KhZnCQpu

Please let me know if you have any questions.

Thanks,
~Amber

From akgraner at corelight.com Wed Jul 15 08:06:38 2020
From: akgraner at corelight.com (Amber Graner)
Date: Wed, 15 Jul 2020 11:06:38 -0400
Subject: [Zeek] Zeek Package Contest (ZPC-3) Announced. Call for Ideas phase is now open!!
Message-ID:

Hi all,

We're announcing the next Zeek Package Contest. We took all your ideas and suggestions and hopefully have captured them in this contest.

The ZPC contest series is intended to inspire Zeek users to demonstrate their creativity and ingenuity while winning the admiration of their peers, and giving back to the community. The ZPC-3 contest will be open to all Zeek Packages, including protocol and file analyzers implemented through Spicy. For ZPC-3 we will also add "Ideas" and "Developer" phases to allow for team participation, in addition to individual contributions.

See post details and timeline at: https://zeek.org/2020/07/15/zeek-package-contest-zpc-3/

After reading the post, please let me know if you have any questions.
Thanks,
~Amber

From promero at cenic.org Thu Jul 16 10:45:11 2020
From: promero at cenic.org (Philip Romero)
Date: Thu, 16 Jul 2020 10:45:11 -0700
Subject: [Zeek] CVE-2020-1350 Detection Inquiry
Message-ID: <8745d975-b71d-8510-58c9-4abd5b8efb0e@cenic.org>

I see that there was a recent inquiry about DNS monitoring to the community, but I'm not sure if that was related to the current CVE-2020-1350 being discussed on many security threats and announcements. Is there a way for the Zeek DNS monitoring to detect this, or has anyone built a script to enhance monitoring to detect the types of queries that are called out by the reported vulnerability that needs to be addressed? Thanks in advance for any feedback/input on this topic.

--
Philip Romero, CISSP, CISA
Sr. Enterprise Security Architect
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 445-2529

From caliskanfurkan at gmail.com Thu Jul 16 10:49:20 2020
From: caliskanfurkan at gmail.com (Furkan ÇALIŞKAN)
Date: Thu, 16 Jul 2020 20:49:20 +0300
Subject: [Zeek] CVE-2020-1350 Detection Inquiry
In-Reply-To: <8745d975-b71d-8510-58c9-4abd5b8efb0e@cenic.org>
References: <8745d975-b71d-8510-58c9-4abd5b8efb0e@cenic.org>
Message-ID:

Hi,

There is a Zeek script for this; https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/

Philip Romero, on Thu, 16 Jul 2020 at 20:47, wrote:
> I see that there was a recent inquiry about DNS monitoring to the
> community, but I'm not sure if that was related to the current
> CVE-2020-1350 being discussed on many security threats and
> announcements. Is there a way for the Zeek DNS monitoring to detect
> this, or has anyone built a script to enhance monitoring to detect the
> types of queries that are called out by the reported vulnerability that
> needs to be addressed? Thanks in advance for any feedback/input on this
> topic.
>
> --
> Philip Romero, CISSP, CISA
> Sr. Enterprise Security Architect
> CENIC
> promero at cenic.org
> Phone: (714) 220-3430
> Mobile: (562) 445-2529
>
>
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

--
Furkan Çalışkan, GCFA, GREM, CISM, CISA

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200716/28f2dac6/attachment.html

From patrick.kelley at criticalpathsecurity.com Thu Jul 16 10:59:21 2020
From: patrick.kelley at criticalpathsecurity.com (Patrick Kelley)
Date: Thu, 16 Jul 2020 13:59:21 -0400
Subject: [Zeek] CVE-2020-1350 Detection Inquiry
In-Reply-To:
References: <8745d975-b71d-8510-58c9-4abd5b8efb0e@cenic.org>
Message-ID:

We did something slightly different, but the same approach. Fires a notice with a bit more of a descriptive answer into the notice.log.

##! DNS Detections
##! Developed for Léargas by Patrick Kelley
##! 2020-07-16
##! www.leargassecurity.com
##! Identifier="2020-07-15"
##! Iteration="1.0"
##! Description="Detects CVE-2020-1350"
##! Protocol="DNS"
##! CreationDate="2020-07-15"
##! LastUpdate="2020-07-15"

@load base/frameworks/notice
@load base/protocols/dns

module CVE_2020_1350;

export {
    redef enum Notice::Type += {
        ## A SIG (qtype 24) answer on a connection whose responder has
        ## already sent more than 65000 bytes, the pattern behind CVE-2020-1350.
        CVE_2020_1350
    };
}

# dns_unknown_reply is raised for resource-record types Zeek has no dedicated
# parser for, which includes SIG (type 24). The handler sits outside the
# export block; only the Notice::Type needs to be exported.
event dns_unknown_reply(c: connection, msg: dns_msg, ans: dns_answer)
    {
    if ( c$resp$size > 65000 && ans$qtype == 24 )
        {
        NOTICE([$note=CVE_2020_1350,
                $conn=c,
                $msg=fmt("%s is attempting to exploit %s using CVE-2020-1350. query is %s.",
                         c$id$orig_h, c$id$resp_h, ans),
                $sub="Severity: 9",
                $identifier=cat(c$id$orig_h)]);
        }
    }

On Thu, Jul 16, 2020 at 1:50 PM Furkan ÇALIŞKAN wrote:
>
> Hi,
>
> There is a Zeek script for this; https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/
>
> Philip Romero, on Thu, 16 Jul 2020 at 20:47, wrote:
>>
>> I see that there was a recent inquiry about DNS monitoring to the
>> community, but I'm not sure if that was related to the current
>> CVE-2020-1350 being discussed on many security threats and
>> announcements. Is there a way for the Zeek DNS monitoring to detect
>> this, or has anyone built a script to enhance monitoring to detect the
>> types of queries that are called out by the reported vulnerability that
>> needs to be addressed? Thanks in advance for any feedback/input on this
>> topic.
>>
>> --
>> Philip Romero, CISSP, CISA
>> Sr. Enterprise Security Architect
>> CENIC
>> promero at cenic.org
>> Phone: (714) 220-3430
>> Mobile: (562) 445-2529
>>
>>
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
>
> --
> Furkan Çalışkan, GCFA, GREM, CISM, CISA
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

--
Patrick Kelley, CISSP, C|EH, ITIL
CTO
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482

From smoot at corelight.com Thu Jul 16 11:00:43 2020
From: smoot at corelight.com (Steve Smoot)
Date: Thu, 16 Jul 2020 11:00:43 -0700
Subject: [Zeek] CVE-2020-1350 Detection Inquiry
In-Reply-To:
References: <8745d975-b71d-8510-58c9-4abd5b8efb0e@cenic.org>
Message-ID:

Ben Reardon also posted what may be more complete than the snippet (but still open for improvements): https://github.com/corelight/SIGRed

-s

On Thu, Jul 16, 2020 at 10:50 AM Furkan ÇALIŞKAN wrote:
> Hi,
>
> There is a Zeek script for this;
> https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/
>
> Philip Romero, on Thu, 16 Jul 2020 at 20:47, wrote:
>
>> I see that there was a recent inquiry about DNS monitoring to the
>> community, but I'm not sure if that was related to the current
>> CVE-2020-1350 being discussed on many security threats and
>> announcements. Is there a way for the Zeek DNS monitoring to detect
>> this, or has anyone built a script to enhance monitoring to detect the
>> types of queries that are called out by the reported vulnerability that
>> needs to be addressed? Thanks in advance for any feedback/input on this
>> topic.
>>
>> --
>> Philip Romero, CISSP, CISA
>> Sr. Enterprise Security Architect
>> CENIC
>> promero at cenic.org
>> Phone: (714) 220-3430
>> Mobile: (562) 445-2529
>>
>>
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
>
> --
> Furkan Çalışkan, GCFA, GREM, CISM, CISA
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

--
*Stephen R. Smoot, PhD*
VP, Customer Success
Corelight

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200716/e50f61e9/attachment-0001.html

From don.thomas.cissp at gmail.com Thu Jul 16 16:21:02 2020
From: don.thomas.cissp at gmail.com (Don Thomas)
Date: Thu, 16 Jul 2020 16:21:02 -0700
Subject: [Zeek] What version of Zeek is going to map to ECS ?
Message-ID:

Just curious what version of Zeek is going to have the ECS mapping ?

Thank you,

*Don Thomas, CISSP, CISA*

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200716/68a419a2/attachment.html

From ericooi at gmail.com Thu Jul 16 19:35:37 2020
From: ericooi at gmail.com (Eric Ooi)
Date: Thu, 16 Jul 2020 21:35:37 -0500
Subject: [Zeek] What version of Zeek is going to map to ECS ?
In-Reply-To:
References:
Message-ID:

Hi Don,

Assuming you're using Filebeat's Zeek module, it looks like ECS mapping is supported as of Zeek 2.6.1 (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-zeek.html). This Github PR (https://github.com/elastic/beats/pull/17738) references an update to the Zeek module to support ECS 1.5 (latest).

I have Zeek 3.1.4 sending logs to Elasticsearch 7.8 and can confirm that fields appear to be mapped properly.

Hope that helps!
Eric
ericooi.com

> On Jul 16, 2020, at 6:21 PM, Don Thomas wrote:
>
> Just curious what version of Zeek is going to have the ECS mapping ?
>
> Thank you,
>
> Don Thomas, CISSP, CISA
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200716/4f129f66/attachment.html

From smoot at corelight.com Thu Jul 16 21:17:41 2020
From: smoot at corelight.com (Steve Smoot)
Date: Thu, 16 Jul 2020 21:17:41 -0700
Subject: [Zeek] What version of Zeek is going to map to ECS ?
In-Reply-To:
References:
Message-ID:

If you have other avenues in mind, see also: https://github.com/corelight/ecs-mapping

-s

On Thu, Jul 16, 2020 at 7:38 PM Eric Ooi wrote:
> Hi Don,
>
> Assuming you're using Filebeat's Zeek module, it looks like ECS mapping is
> supported as of Zeek 2.6.1 (
> https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-zeek.html).
> This Github PR (https://github.com/elastic/beats/pull/17738) references
> an update to the Zeek module to support ECS 1.5 (latest).
>
> I have Zeek 3.1.4 sending logs to Elasticsearch 7.8 and can confirm that
> fields appear to be mapped properly.
>
> Hope that helps!
> Eric
> ericooi.com
>
>
> On Jul 16, 2020, at 6:21 PM, Don Thomas
> wrote:
>
> Just curious what version of Zeek is going to have the ECS mapping ?
>
> Thank you,
>
> *Don Thomas, CISSP, CISA*
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek

--
*Stephen R. Smoot, PhD*
VP, Customer Success
Corelight

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200716/36ac4d15/attachment.html

From clopmz at outlook.com Mon Jul 20 23:14:30 2020
From: clopmz at outlook.com (Carlos Lopez)
Date: Tue, 21 Jul 2020 06:14:30 +0000
Subject: [Zeek] Any news about netmap plugin?
Message-ID: <6D828F5F-8EF3-4607-BB96-09582BE21D53@outlook.com>

Good morning,

Any news about this plugin to test it in FreeBSD/HardenedBSD systems?

Regards,
C. L. Martinez

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200721/98995b5f/attachment.html

From akgraner at corelight.com Tue Jul 21 14:54:50 2020
From: akgraner at corelight.com (Amber Graner)
Date: Tue, 21 Jul 2020 17:54:50 -0400
Subject: [Zeek] Reminder - Zeek Webinars This week 22 and 23 July 2020
Message-ID:

Hi all,

This week we have 2 events - Zeek From Home and Ask The Zeeksperts. Below is information on both of these events. Please note for the Ask the Zeeksperts we have included some of the questions we have been asked. You can add more questions for the Zeeksperts at: https://forms.gle/Phx3DydWvSq6a7NC9

________

22 July 2020 - ZEEK FROM HOME - 11am PDT/2pm EDT - SPICY (Part 2) and presented by Robin Sommer

In this Zeek Webinar, Robin continues the conversation about Spicy. If you missed Part 1 you can find out more at: https://zeek.org/2020/06/09/zeek-from-home-episode-4-security-onion-recording-now-available/

REGISTRATION LINK - https://corelight.zoom.us/webinar/register/WN_W_cJVVykQh-jT6ogoPCKTw

________

23 July 2020 - ASK THE ZEEKSPERTS - 12:30pm PDT/3:30pm EDT - Zeeksperts - Seth Hall, Jeff Atkinson, Ryan Victory, Justin Azoff, and Richard Bejtlich

REGISTRATION LINK - https://corelight.zoom.us/meeting/register/tJAlce6trjIsHtPe4jx4h12JTEzYhSRdv96w

Below are the questions we'll be answering on Thursday.

Q1 - Regarding the UID generating function. Is it possible to have a custom function that will not be affected by start time of the process or some random seed? The motivation is to get the same UID when processing the same PCAP file twice. Another option is getting the same UID for the same 5-tuple (id.orig_h, id.resp_h, id.orig_p, id.resp_p) for different sessions on a live traffic capture mode.

Q2. What is the purpose of try.zeek.org? Is it the best way to learn Zeek scripting, when in my learning process should I be using it?

Q3. Could we have an author of one of the 4-5 recent detection packages talk through their process for creating the script? How did they get the idea, what tools & data did they use, how long did it take, etc?

Q4. I've heard that the 'history' field in the CONN log is one of Zeek's coolest features, but I'd like a walk-through please. And could we get some discussion of the new 'logarithmic' features for some of the letters?

Q5. I see that some questions are answered on the mailing list, some on Slack, and there is also Zeek related discussion that happens with github issues. What's the best way for me to communicate a question or comment?

Q6. Are there plans for a virtual Zeek Week this year?

Q7. I'm new to Zeek and not a strong coder, but I really want to contribute to the community. What are 3-4 things I could do that would help Amber and help the community as I learn the ropes?

Q8. I'm interested in contributing to the Zeek Package Contest, but I'm still a beginner. Is it easier to get started with Zeek scripting or with Spicy?

Thanks!
~Amber

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200721/174f4d9c/attachment.html

From johanna at icir.org Wed Jul 22 11:32:00 2020
From: johanna at icir.org (Johanna Amann)
Date: Wed, 22 Jul 2020 11:32:00 -0700
Subject: [Zeek] Zeek mailing list move (zeek.org -> lists.zeek.org)
Message-ID: <0DB62DEF-66AE-4553-820F-14BAED24F084@icir.org>

Hello everyone,

We are going to switch the zeek.org mailing lists to a new provider on Monday the 27th. This change means that the domain-part of all zeek.org mailing lists is going to change from "zeek.org" to "lists.zeek.org".

What changes does this entail / what does this mean for you:

* All zeek.org mailing list domains will switch to lists.zeek.org. So, "zeek at zeek.org" will be "zeek at lists.zeek.org" afterwards. However, you will still be able to send messages to the old list address for the foreseeable future - they will automatically be forwarded to the new address. If you are using mailing list filters to automatically sort Zeek mailing lists into folders, you will probably have to update them.

* The mailing list archives and administrative interface will move to https://lists.zeek.org/. The old interface at http://mailman.icsi.berkeley.edu/mailman/listinfo will no longer be available; archives will also no longer be available at the old address.

* Your subscription will automatically move, you do not have to take any action.

When will this happen:

* This change will happen on Monday the 27th of July, starting at approximately 9am PDT/noon EDT/4pm GMT/5pm BST/6pm CEST. Messages sent to the Zeek mailing lists during this time will be held. We will try to make sure that any messages that happen to be sent during this timeframe will make it over after the migration, but your message will probably make it faster if you wait till we are done.

* The change will take a few hours; I will send another message to the individual lists once migration is done.

Why are we moving the mailing lists:

The current setup that we are using is being retired and we have to switch to a new provider. We are switching to a new domain because this makes our setup easier to maintain.

If you have any questions or concerns, please let me know.

Johanna

From akgraner at corelight.com Thu Jul 23 12:40:26 2020
From: akgraner at corelight.com (Amber Graner)
Date: Thu, 23 Jul 2020 15:40:26 -0400
Subject: [Zeek] Ask The Zeeksperts Starting now -
Message-ID:

Ask The Zeeksperts starting now - https://corelight.zoom.us/meeting/register/tJAlce6trjIsHtPe4jx4h12JTEzYhSRdv96w

In case you missed the link.

~Amber

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200723/42cd0eac/attachment.html
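Returning to the CVE-2020-1350 thread earlier in this archive: the Zeek script Patrick Kelley posted keys on two things, a SIG answer (qtype 24) and a responder that has already sent more than 65000 bytes on the connection. The same heuristic can be re-run offline against the logs Zeek already writes, which is useful for checking historical traffic or for testing a rule before deploying it. The block below is an added example, not code from the mailing list, from Léargas, or from the corelight/SIGRed package: it parses Zeek's tab-separated dns.log and conn.log, joins them on uid, and flags the SIG queries whose connection carried more than the threshold of responder bytes. The column names (uid, qtype, resp_bytes, id.orig_h, id.resp_h) are Zeek's real ones; the log lines themselves are constructed for the example, trimmed to a few columns, and the addresses and uids are made up.

```python
"""Offline re-check of the SIGRed (CVE-2020-1350) heuristic from the thread
against Zeek dns.log / conn.log output. Added example, not list or project code."""
from typing import Dict, List, Optional

SIG_QTYPE = 24          # DNS RR type SIG, the record type the Zeek script keys on
SIZE_THRESHOLD = 65000  # responder bytes, mirrors the script's c$resp$size > 65000


def _tsv(*cols: str) -> str:
    # Zeek's default log separator is a tab; build rows without literal tabs.
    return "\t".join(cols)


# Constructed sample logs (not real traffic), trimmed to a handful of Zeek's
# real column names. CAbcd4 deliberately has no conn.log row.
DNS_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "proto", "query", "qtype", "qtype_name"),
    _tsv("1594920000.000000", "CAbcd1", "192.0.2.10", "51000", "192.0.2.53", "53",
         "tcp", "sig.example.test", "24", "SIG"),
    _tsv("1594920001.000000", "CAbcd2", "192.0.2.11", "51001", "192.0.2.53", "53",
         "udp", "sig.example.test", "24", "SIG"),
    _tsv("1594920002.000000", "CAbcd3", "192.0.2.12", "51002", "192.0.2.53", "53",
         "tcp", "www.example.test", "1", "A"),
    _tsv("1594920003.000000", "CAbcd4", "192.0.2.13", "51003", "192.0.2.53", "53",
         "udp", "noans.example.test", "-", "-"),
    "#close 2020-07-16-19-00-00",
])

CONN_LOG = "\n".join([
    _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "proto", "service", "orig_bytes", "resp_bytes"),
    _tsv("1594920000.000000", "CAbcd1", "192.0.2.10", "51000", "192.0.2.53", "53",
         "tcp", "dns", "120", "70100"),  # large SIG answer over TCP: should fire
    _tsv("1594920001.000000", "CAbcd2", "192.0.2.11", "51001", "192.0.2.53", "53",
         "udp", "dns", "60", "512"),     # ordinary-sized SIG answer: quiet
    _tsv("1594920002.000000", "CAbcd3", "192.0.2.12", "51002", "192.0.2.53", "53",
         "tcp", "dns", "80", "70100"),   # large, but an A record: quiet
])


def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse a Zeek TSV log into a list of dicts keyed by the #fields header.
    Other '#' lines (#separator, #path, #close, ...) are skipped."""
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row seen before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch on row: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def _to_int(value: Optional[str]) -> Optional[int]:
    """Zeek writes '-' for unset fields; treat that (and a missing field) as unknown."""
    if value is None or value == "-":
        return None
    return int(value)


def find_sigred_candidates(dns_rows: List[Dict[str, str]],
                           conn_rows: List[Dict[str, str]],
                           size_threshold: int = SIZE_THRESHOLD) -> List[Dict[str, object]]:
    """Flag dns.log rows with a SIG qtype whose conn.log twin shows the responder
    sent more than size_threshold bytes. Rows with an unset qtype or resp_bytes,
    or with no matching conn.log row, cannot satisfy the rule and are skipped."""
    conn_by_uid = {c["uid"]: c for c in conn_rows}
    hits: List[Dict[str, object]] = []
    for d in dns_rows:
        if _to_int(d.get("qtype")) != SIG_QTYPE:
            continue
        c = conn_by_uid.get(d["uid"])
        resp_bytes = _to_int(c.get("resp_bytes")) if c else None
        if resp_bytes is None or resp_bytes <= size_threshold:
            continue
        hits.append({"uid": d["uid"], "orig_h": d["id.orig_h"], "resp_h": d["id.resp_h"],
                     "query": d["query"], "resp_bytes": resp_bytes})
    return hits


def run_demo(size_threshold: int = SIZE_THRESHOLD) -> List[Dict[str, object]]:
    return find_sigred_candidates(parse_zeek_log(DNS_LOG), parse_zeek_log(CONN_LOG),
                                  size_threshold)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['orig_h']} -> {hit['resp_h']} uid={hit['uid']} "
              f"SIG query {hit['query']} with {hit['resp_bytes']} responder bytes")
```

One difference from the in-line Zeek check is worth keeping in mind when reading results: conn.log's resp_bytes is the total the responder sent over the whole connection, whereas c$resp$size inside the event handler is the count at the moment the SIG record is parsed, so the offline version is slightly more permissive and will also count any later answers on the same flow.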