[Zeek] Brim application for Zeek logs & packet captures

Phil Rzewski phil at brimsecurity.com
Tue Mar 24 17:10:33 PDT 2020


Zeek community,

I'm reaching out to announce another open source project... specifically the Brim <https://www.brimsecurity.com/download/> desktop application.

In its first version, the Brim workflow is tuned for starting from a packet capture (even a big one), which the app turns into Zeek logs for you. Then you've got an intuitive UI experience for querying those Zeek logs using the same ZQL <https://github.com/brimsec/zq/tree/master/zql/docs> language you may already know from zq <https://github.com/brimsec/zq> (see prior announcement below). And should your Zeek explorations lead you to a flow for which you want to see the packets, a single click in the app quickly extracts the flow from the big pcap and opens it immediately in Wireshark.

For more details, here are some links for Brim:
- Download page <https://www.brimsecurity.com/download/> for the application
- GitHub repo <https://github.com/brimsec/brim> for the project
- Brim's YouTube channel <https://www.youtube.com/channel/UC0ju7Esmh13oLS8FTS-B3Eg> with a complete video on how to use Brim
- Join our public Slack workspace <https://join.slack.com/t/brimsec/shared_invite/zt-cy34xoxg-hZiTKUT~1KdGjlaBIuUUdg> for announcements, Q&A, feedback, and to trade ideas
- ...or contact us via email <mailto:info at brimsecurity.com>

There's more coming soon, so keep your eye on the repo for updates.

Happy hunting!

--
The Brim team


> On Feb 11, 2020, at 3:42 PM, Phil Rzewski <phil at brimsecurity.com> wrote:
> 
> Zeek community,
> 
> We’re writing to let you know about zq <https://github.com/brimsec/zq>, an open source command-line processor for structured logs, built for Zeek. (In fact, we’ve been told zq is “like zeek-cut on steroids”.)
> 
> Those of you who were on the “Ask the Zeeksperts” call on January 16th saw Seth Hall and Justin Azoff give an early peek of zq (thanks guys!), so this is just an “official” announcement. Come one, come all!
> 
> You can get involved by:
> 	• Checking out the zq GitHub repo <https://github.com/brimsec/zq> for install info, code, and docs
> 	• Joining our public Slack <https://join.slack.com/t/brimsec/shared_invite/enQtOTMwMDczODg2ODgyLTk1NTdjOTQxNmI0OGYwOThiYzNlNDc5OWI5NjczZDljNDdmZGZjNGI3NTNiOWRiNzJkMzg4OTEwZWM0Y2NiYWQ> workspace for announcements, Q&A, and to trade query ideas
> 	• Contacting us directly via email <mailto:info at brimsecurity.com> to schedule a Zoom videoconference
> 
> All you need is some Zeek logs (and there’s sample logs <https://github.com/brimsec/zq-sample-data> to help you get started). Here’s just a taste of what’s possible:
> 
> - A table of top hosts in a subnet that are experiencing the most SYNs-without-ACK:
>     zq -f table "10.164.94.0/24 conn_state=S0 | count() by id.orig_h | sort -r" *
> 
> - A regex search for certain HTTP methods, with full events output as NDJSON:
>     zq -f ndjson "method=/^(PUT|PATCH|UPDATE)$/" *
> 
> - Connections open a long time with low traffic, printed as a Zeek TSV log:
>     zq -f zeek "duration>1000 orig_bytes<10 resp_bytes<10" *
> 
> Of course, that’s just scratching the surface. Please try it out and let us know what you think on GitHub <https://github.com/brimsec/zq> or Slack <https://join.slack.com/t/brimsec/shared_invite/enQtOTMwMDczODg2ODgyLTk1NTdjOTQxNmI0OGYwOThiYzNlNDc5OWI5NjczZDljNDdmZGZjNGI3NTNiOWRiNzJkMzg4OTEwZWM0Y2NiYWQ>.
> 
> Happy hunting, Zeeking, & zq’ing!
> 
> --
> The Brim team
> 
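To make concrete what the three zq queries quoted above actually compute, here is an added example (not code from the Brim team or the zq project) that parses Zeek TSV logs in plain Python and reimplements each query over constructed sample records. The conn.log and http.log contents below are made up for this example; the field names and the `#fields`/`#types`/`-` unset-marker conventions are the standard Zeek TSV ones, but the decision to treat an unset field as never satisfying a comparison is this example's own assumption, not a statement about zq's semantics.

```python
"""Zeek TSV parsing plus the three zq queries from the announcement, in Python.
Sample logs are constructed for this example; they are not real captures."""
import ipaddress
import re
from collections import Counter

# Constructed conn.log (abbreviated field set; values are made up).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\tcount\tcount\tstring
1584900000.000000\tC1\t10.164.94.10\t51000\t192.0.2.1\t80\ttcp\t0.001\t0\t0\tS0
1584900001.000000\tC2\t10.164.94.10\t51001\t192.0.2.2\t443\ttcp\t0.002\t0\t0\tS0
1584900002.000000\tC3\t10.164.94.10\t51002\t192.0.2.3\t22\ttcp\t-\t-\t-\tS0
1584900003.000000\tC4\t10.164.94.20\t51003\t192.0.2.1\t80\ttcp\t0.500\t100\t2000\tSF
1584900004.000000\tC5\t10.164.94.20\t51004\t192.0.2.4\t25\ttcp\t0.003\t0\t0\tS0
1584900005.000000\tC6\t10.164.95.5\t51005\t192.0.2.1\t80\ttcp\t0.001\t0\t0\tS0
1584900006.000000\tC7\t10.164.94.30\t51006\t192.0.2.9\t4444\ttcp\t3600.5\t8\t4\tS1
1584900007.000000\tC8\t10.164.94.31\t51007\t192.0.2.1\t443\ttcp\t1200.0\t500\t9\tSF
#close\t2020-03-24-17-10-33
"""

# Constructed http.log; the '-' method on the last row is an unset field.
SAMPLE_HTTP_LOG = """#separator \\x09
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tstatus_code
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tcount
1584900010.000000\tC4\t10.164.94.20\t192.0.2.1\tGET\texample.test\t/index.html\t200
1584900011.000000\tC4\t10.164.94.20\t192.0.2.1\tPUT\texample.test\t/api/item/1\t204
1584900012.000000\tC8\t10.164.94.31\t192.0.2.1\tPATCH\texample.test\t/api/item/2\t200
1584900013.000000\tC8\t10.164.94.31\t192.0.2.1\t-\texample.test\t/\t400
"""


def parse_zeek_tsv(text):
    """Parse Zeek TSV into a list of dicts using the #fields/#types headers.
    '-' (unset) becomes None; count/port/interval/time fields become numbers."""
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#types"):
            types = line.split("\t")[1:]
        elif line.startswith("#"):
            continue  # other header/footer lines (#separator, #path, #close, ...)
        else:
            rec = {}
            for name, typ, val in zip(fields, types, line.split("\t")):
                if val == "-":
                    rec[name] = None
                elif typ in ("count", "int", "port"):
                    rec[name] = int(val)
                elif typ in ("interval", "double", "time"):
                    rec[name] = float(val)
                else:
                    rec[name] = val
            records.append(rec)
    return records


def top_syn_without_ack(conn, cidr):
    """zq: '<cidr> conn_state=S0 | count() by id.orig_h | sort -r'.
    Returns (host, count) pairs, most frequent first."""
    net = ipaddress.ip_network(cidr)
    counts = Counter(
        r["id.orig_h"] for r in conn
        if r["conn_state"] == "S0" and ipaddress.ip_address(r["id.orig_h"]) in net
    )
    return counts.most_common()


def match_method(http, pattern):
    """zq: 'method=/<pattern>/'. Unset methods are skipped (assumption)."""
    rx = re.compile(pattern)
    return [r for r in http if r["method"] is not None and rx.search(r["method"])]


def long_quiet_connections(conn, min_duration=1000, max_bytes=10):
    """zq: 'duration>1000 orig_bytes<10 resp_bytes<10'. Returns matching uids.
    A record with any of the three fields unset never matches (assumption)."""
    out = []
    for r in conn:
        d, ob, rb = r["duration"], r["orig_bytes"], r["resp_bytes"]
        if None in (d, ob, rb):
            continue
        if d > min_duration and ob < max_bytes and rb < max_bytes:
            out.append(r["uid"])
    return out


if __name__ == "__main__":
    conn = parse_zeek_tsv(SAMPLE_CONN_LOG)
    http = parse_zeek_tsv(SAMPLE_HTTP_LOG)
    for host, n in top_syn_without_ack(conn, "10.164.94.0/24"):
        print(f"{host}\t{n}")
    for r in match_method(http, r"^(PUT|PATCH|UPDATE)$"):
        print(r["uid"], r["method"], r["uri"])
    print(long_quiet_connections(conn))
```

Running it prints the S0 counts for 10.164.94.10 and 10.164.94.20 (the 10.164.95.5 record falls outside the /24), the two PUT/PATCH HTTP events, and the single long-lived, near-silent connection C7; C8 is excluded because its orig_bytes is well above the threshold even though its duration qualifies.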
