[Zeek] 1 May 2020 - Community Call Notes and Recording

Amber Graner akgraner at corelight.com
Wed May 6 07:04:30 PDT 2020

Hi all,

Thank you so much for all those who attended the Community Call on Friday 1

Below are the links to the recordings of the call:

Video Recording -
Audio only -

These monthly calls occur on the 1st Friday of each month and are open to
anyone in the community. On these calls we look at ways to help the
community get the most out of Zeek Project. This call is for discussion
around non-code contributions, participation, suggestions, problems and

If you have questions, ideas, suggestion, feedback or would like to help
with any of the below listed topics/ideas please let me know.


******* Notes and links from call below *******

We had 14 people on the call Friday.  The agenda was an open agenda with a
goal of how to get the most out of these monthly calls.  What would make
the calls better and what would the community like to see more of? The
following is a summary of the discussion and do not always follow the order
of the conversation:

  - That the call is a great place to bring up Issues, Problems,
Suggestions, Ideas as well as the areas below:
    * the mailing list [0] and slack [1] are good places to start
    * Issue tracker on GitHub is also a good place to file tickets against
the Zeek Release

 - Zeek Package Contest
    * ZPC-2  [2] - Reminder that it is still underway and that everyone can
still participate and have the opportunity to win prizes.
    * Idea brought up by the community have a contest that matches people
with package ideas but may not know how to write the packages with
developers who know how.  (Think Google's Summer of Code [3] and Season of
Doc's [4] style events, but around Zeek Packages) - An idea registry to
start - have someone keep it organized by skill level and classification of
ideas.  Build in some incentives.

- Spicy[5] has been released and there seems to be a lot of activity on
Slack around using Spicy to write parsers. Check out this and more on

 - Information Sharing
   * Encouraging people and organizations to share the cool stuff they are
doing with Zeek.  What are some ways the community can encourage one
another to do that.  Some folks volunteered to talk more about what they
were doing.  We do have the SIEM slack Channel where people are sharing
queries, but is that enough?  Should we have a "use cases" channel or
should the SIEM channel be repurposed for "use cases".

  * Sigma [6] discussion and explanation - (Sigma is a generic and open
signature format that allows you to describe relevant log events in a
straightforward manner.) Nick also mention the uncoder.io[7] site by SOC

  * Add a space and encourage discussion about threat hunting principles,
threat modeling, best practices. (Documentation and Training Sessions)

  * Folks on the call were asking about getting more information and
tutorials around scripting at all levels.

  * Encourage organizations who are using Zeek and have written packages to
open source those packages[9] and share with the community.

  * Easily searchable Knowledge Base for those getting started is needed. -
this would be in addition to Read The Docs [10] and try.zeek.org [11] -
things like a list of Packages that people would like to see written,
Howtos, List of PCAPs people can use to test Packages, HowTo webinars etc.

   * Best Practice/guides to analyzing the Zeek Logs with Elastic[12] and
Kibana [13] to start.

  * Feedback - It was brought up that someone had filed a ticket [14] and
hadn't gotten an answer or a response in a couple days.  We told them we'd
look into it, but it is an open source project, most everyone working on
the Zeek Project is a volunteer and to also try bringing it up on the
mailing list and the slack channel.

  * Corelight's Support of the Zeek Project - Greg Bell, CEO of Corelight
volunteered to give a report to the community on how Corelight [15]
allocates resources in support of the Zeek Project.  (We'll get this
scheduled for a later date and give plenty of notice to the community as it
is a topic that comes up often)

[0] - Zeek Mailing lists - https://zeek.org/mailing-lists
[1] - Zeek Slack Space -
[2} - ZPC-2 - https://zeek.org/2020/04/06/zeek-package-contest-zpc-2/
[3]  - Google Summer of Code - https://summerofcode.withgoogle.com/
[4] - Google Season of Docs - https://developers.google.com/season-of-docs
[5] - Spicy - https://docs.zeek.org/projects/spicy/en/latest/
[6] - Sigma - https://github.com/Neo23x0/sigma
[7] - uncoder.io - https://uncoder.io/
[8] - SOC Prime - https://socprime.com/en/
[9] - Open Source Zeek Packages - https://packages.zeek.org/
[10] - Read the Docs - https://packages.zeek.org/
[11] - Try.zeek.org - https://try.zeek.org/#/?example=hello
[12] - Elastic - https://www.elastic.co/
[13] - Kibana - https://www.elastic.co/guide/en/kibana/current/index.html
[14] - Issue tracker - https://github.com/zeek/zeek/issues
[15] - Corelight - https://www.corelight.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200506/07312d06/attachment-0001.html 

More information about the Zeek mailing list