[Zeek] Brim application for Zeek logs & packet captures (update)

Phil Rzewski phil at brimsecurity.com
Wed May 6 12:22:55 PDT 2020


Zeek community,

It's been a while since we first notified folks here when we initially released our Brim desktop app. Here's an update that we expect will interest the Zeek community.

Whereas the first version of Brim was all about starting from packet captures and turning those into Zeek logs, the new version v0.9.1 we just released introduces direct import of Zeek logs (default TSV format or JSON <https://github.com/brimsec/brim/wiki/Zeek-JSON-Import>). So you can now have all the querying, workflows, etc. for working with your Zeek data in Brim even if you don't have pcaps.

For more details, here are some links for Brim:
Download page <https://www.brimsecurity.com/download/> for the application
GitHub repo <https://github.com/brimsec/brim> for the project
Brim's YouTube channel <https://www.youtube.com/channel/UC0ju7Esmh13oLS8FTS-B3Eg> with a complete video on how to use Brim (which covers the pcap-centric workflow, but includes plenty of coverage for working with Zeek data)
Join our public Slack workspace <https://join.slack.com/t/brimsec/shared_invite/zt-cy34xoxg-hZiTKUT~1KdGjlaBIuUUdg> for announcements, Q&A, feedback, and to trade ideas
...or contact us via email <mailto:info at brimsecurity.com> 

On a separate-but-related topic, while it's not visible in the Brim app yet, our related project zq <https://github.com/brimsec/zq> includes an experimental prototype for working with archived Zeek logs called "zar" that's referenced in a new README <https://github.com/brimsec/zq/blob/master/cmd/zar/README.md>. If this topic interests you, check it out and come talk to us on our Slack <https://join.slack.com/t/brimsec/shared_invite/zt-cy34xoxg-hZiTKUT~1KdGjlaBIuUUdg> in the #zar channel.

Happy hunting!

--
The Brim team


> On Mar 24, 2020, at 5:10 PM, Phil Rzewski <phil at brimsecurity.com> wrote:
> 
> Zeek community,
> 
> I'm reaching out to announce another open source project... specifically the Brim <https://www.brimsecurity.com/download/> desktop application.
> 
> In its first version, the Brim workflow is tuned for starting from a packet capture (even a big one), which the app turns into Zeek logs for you. Then you've got an intuitive UI experience for querying those Zeek logs using the same ZQL <https://github.com/brimsec/zq/tree/master/zql/docs> language you may already know from zq <https://github.com/brimsec/zq> (see prior announcement below). And should your Zeek explorations lead you to a flow for which you want to see the packets, a single click in the app quickly extracts the flow from the big pcap and opens it immediately in Wireshark.
> 
> For more details, here are some links for Brim:
> Download page <https://www.brimsecurity.com/download/> for the application
> GitHub repo <https://github.com/brimsec/brim> for the project
> Brim's YouTube channel <https://www.youtube.com/channel/UC0ju7Esmh13oLS8FTS-B3Eg> with a complete video on how to use Brim
> Join our public Slack workspace <https://join.slack.com/t/brimsec/shared_invite/zt-cy34xoxg-hZiTKUT~1KdGjlaBIuUUdg> for announcements, Q&A, feedback, and to trade ideas
> ...or contact us via email <mailto:info at brimsecurity.com> 
> 
> There's more coming soon, so keep your eye on the repo for updates.
> 
> Happy hunting!
> 
> --
> The Brim team
> 
> 
>> On Feb 11, 2020, at 3:42 PM, Phil Rzewski <phil at brimsecurity.com <mailto:phil at brimsecurity.com>> wrote:
>> 
>> Zeek community,
>> 
>> We’re writing to let you know about zq <https://github.com/brimsec/zq>, an open source command-line processor for structured logs, built for Zeek. (In fact, we’ve been told zq is “like zeek-cut on steroids”.)
>> 
>> Those of you who were on the “Ask the Zeeksperts” call on January 16th saw Seth Hall and Justin Azoff give an early peek of zq (thanks guys!), so this is just an “official” announcement. Come one, come all!
>> 
>> You can get involved by:
>> 	• Checking out the zq GitHub repo <https://github.com/brimsec/zq> for install info, code, and docs
>> 	• Joining our public Slack <https://join.slack.com/t/brimsec/shared_invite/enQtOTMwMDczODg2ODgyLTk1NTdjOTQxNmI0OGYwOThiYzNlNDc5OWI5NjczZDljNDdmZGZjNGI3NTNiOWRiNzJkMzg4OTEwZWM0Y2NiYWQ> workspace for announcements, Q&A, and to trade query ideas
>> 	• Contacting us directly via email <mailto:info at brimsecurity.com> to schedule a Zoom videoconference
>> 
>> All you need is some Zeek logs (and there’s sample logs <https://github.com/brimsec/zq-sample-data> to help you get started). Here’s just a taste of what’s possible:
>> 
>> - A table of top hosts in a subnet that are experiencing the most SYNs-without-ACK:
>>    zq -f table "10.164.94.0/24 conn_state=S0 | count() by id.orig_h | sort -r" *
>> 
>> - A regex search for certain HTTP methods, with full events output as NDJSON:
>>     zq -f ndjson "method=/^(PUT|PATCH|UPDATE)$/" *
>> 
>> - Connections open a long time with low traffic, printed as a Zeek TSV log:
>>    zq -f zeek "duration>1000 orig_bytes<10 resp_bytes<10" *
>> 
>> Of course, that’s just scratching the surface. Please try it out and let us know what you think on GitHub <https://github.com/brimsec/zq> or Slack <https://join.slack.com/t/brimsec/shared_invite/enQtOTMwMDczODg2ODgyLTk1NTdjOTQxNmI0OGYwOThiYzNlNDc5OWI5NjczZDljNDdmZGZjNGI3NTNiOWRiNzJkMzg4OTEwZWM0Y2NiYWQ>.
>> 
>> Happy hunting, Zeeking, & zq’ing!
>> 
>> --
>> The Brim team
>> 
> 
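As an added illustration that is not part of this thread and not code from the zq or Brim projects: the three zq queries quoted in the Feb 11 announcement, reimplemented in plain Python over constructed Zeek TSV conn and http logs, so the reader can see what each query does to the data without zq installed. It parses the Zeek TSV header (#separator, #fields, #types, #unset_field), then runs the S0-by-host count, the long-quiet-connection filter, and the anchored-regex method search, and writes results back out as Zeek TSV or NDJSON. Every record and value is made up; the bare-CIDR search (which in zq matches any address field) is applied to the two conn endpoints, and the function names and sample logs are this example's own.

```python
import ipaddress
import json
import re
from collections import Counter

# Constructed sample logs in Zeek's default TSV format: '#' header directives, then one record per line.
CONN_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\tcount\tcount\tstring
1588792975.100000\tCabc1\t10.164.94.10\t51000\t192.168.1.5\t445\ttcp\t-\t-\t-\tS0
1588792975.200000\tCabc2\t10.164.94.10\t51001\t192.168.1.6\t445\ttcp\t-\t-\t-\tS0
1588792975.300000\tCabc3\t10.164.94.11\t51002\t192.168.1.7\t22\ttcp\t-\t-\t-\tS0
1588792976.000000\tCabc4\t10.164.94.10\t51003\t192.168.1.8\t80\ttcp\t0.500000\t300\t1200\tSF
1588792977.000000\tCabc5\t172.16.0.9\t40000\t10.0.0.1\t443\ttcp\t-\t-\t-\tS0
1588792978.000000\tCabc6\t10.164.94.12\t40001\t10.0.0.2\t4444\ttcp\t3600.200000\t4\t6\tS1
#close\t2020-05-06-12-22-59
"""
HTTP_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tmethod\thost\turi\tstatus_code
#types\ttime\tstring\taddr\tstring\tstring\tstring\tcount
1588792980.000000\tChttp1\t10.164.94.10\tGET\texample.test\t/\t200
1588792981.000000\tChttp2\t10.164.94.11\tPUT\texample.test\t/upload\t201
1588792982.000000\tChttp3\t10.164.94.12\tPATCH\texample.test\t/api/item\t204
1588792983.000000\tChttp4\t10.164.94.10\tPOST\texample.test\t/login\t302
"""

def _coerce(typ, raw, unset):
    """Type one TSV cell from its #types declaration; the unset marker ('-') becomes None."""
    if raw == unset:
        return None
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    return ipaddress.ip_address(raw) if typ == "addr" else raw  # strings/enums kept verbatim

def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into (fields, types, records); each record is a dict."""
    sep, unset, fields, types, records = "\t", "-", [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # the separator is written escaped (e.g. '\x09'), so decode it before use
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, rest = line[1:].partition(sep)
            if key == "fields":
                fields = rest.split(sep)
            elif key == "types":
                types = rest.split(sep)
            elif key == "unset_field":
                unset = rest  # #open, #close, #path etc. carry no column data
        else:
            cols = line.split(sep)
            records.append({f: _coerce(t, c, unset) for f, t, c in zip(fields, types, cols)})
    return fields, types, records

def syn_without_ack_by_host(records, cidr):
    """'<cidr> conn_state=S0 | count() by id.orig_h | sort -r': S0 is a SYN with no reply.
    A bare CIDR in zq matches any address field, so both conn endpoints are tested."""
    net = ipaddress.ip_network(cidr)
    counts = Counter()
    for r in records:
        in_net = any(r.get(f) is not None and r[f] in net for f in ("id.orig_h", "id.resp_h"))
        if in_net and r.get("conn_state") == "S0":
            counts[str(r["id.orig_h"])] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def long_quiet_connections(records):
    """'duration>1000 orig_bytes<10 resp_bytes<10': an unset field never satisfies a
    comparison, so records with '-' in any of the three columns are skipped, not errors."""
    hits = []
    for r in records:
        d, ob, rb = r.get("duration"), r.get("orig_bytes"), r.get("resp_bytes")
        if None not in (d, ob, rb) and d > 1000 and ob < 10 and rb < 10:
            hits.append(r)
    return hits

def search_method(records, pattern):
    """'method=/^(PUT|PATCH|UPDATE)$/': anchored regex on one field, full records as NDJSON."""
    rx = re.compile(pattern)
    return [json.dumps(r, default=str, sort_keys=True)  # default=str renders addr values
            for r in records if isinstance(r.get("method"), str) and rx.search(r["method"])]

def to_zeek_tsv(fields, types, records, unset="-"):
    """Write records back out as a Zeek TSV log, as 'zq -f zeek' would."""
    lines = ["#separator \\x09", "#unset_field\t" + unset,
             "#fields\t" + "\t".join(fields), "#types\t" + "\t".join(types)]
    for r in records:
        cols = []
        for f, t in zip(fields, types):
            v = r.get(f)
            cols.append(unset if v is None else f"{v:.6f}" if t in ("time", "interval") else str(v))
        lines.append("\t".join(cols))
    return "\n".join(lines) + "\n"
```

Running `parse_zeek_tsv(CONN_LOG)` and passing the records to the three query functions reproduces the quoted one-liners: two S0 hosts in 10.164.94.0/24, one long-lived low-traffic connection (uid Cabc6), and two PUT/PATCH requests. The one detail worth keeping in mind when writing your own Zeek TSV readers is that the unset marker is a value of its own, not zero, which is why the duration/bytes filter skips those rows rather than comparing against 0.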
