Hi all,
Thank you so much to all those who attended the Community Call on Friday 1 May.
Below are the links to the recordings of the call:
Video Recording - https://www.dropbox.com/s/lsitmuhgfrbauai/1May20_ZeekCommunityCall_Video.mp4?dl=0
Audio only - https://www.dropbox.com/s/bpndd9f1foymnph/1May20_ZeekCommunityCall_Audio.m4a?dl=0
These monthly calls occur on the 1st Friday of each month and are open to anyone in the community. On these calls we look at ways to help the community get the most out of the Zeek Project. This call is for discussion around non-code contributions, participation, suggestions, problems and feedback.
If you have questions, ideas, suggestions, feedback or would like to help with any of the below listed topics/ideas please let me know.
******* Notes and links from call below *******
We had 14 people on the call Friday. The agenda was an open agenda with a goal of how to get the most out of these monthly calls. What would make the calls better and what would the community like to see more of? The following is a summary of the discussion and does not always follow the order of the conversation:
- That the call is a great place to bring up Issues, Problems, Suggestions, Ideas as well as the areas below:
- the mailing list [0] and slack [1] are good places to start
- Issue tracker on GitHub is also a good place to file tickets against the Zeek Release
- Zeek Package Contest
- ZPC-2 [2] - Reminder that it is still underway and that everyone can still participate and have the opportunity to win prizes.
- Idea brought up by the community: have a contest that matches people who have package ideas but may not know how to write the packages with developers who do. (Think Google's Summer of Code [3] and Season of Docs [4] style events, but around Zeek packages.) An idea registry to start; have someone keep it organized by skill level and classification of ideas. Build in some incentives.
Spicy [5] has been released and there seems to be a lot of activity on Slack around using Spicy to write parsers. Check out this and more on Slack.
Information Sharing
Encouraging people and organizations to share the cool stuff they are doing with Zeek. What are some ways the community can encourage one another to do that? Some folks volunteered to talk more about what they were doing. We do have the SIEM Slack channel where people are sharing queries, but is that enough? Should we have a "use cases" channel, or should the SIEM channel be repurposed for "use cases"?
Sigma [6] discussion and explanation. (Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner.) Nick also mentioned the uncoder.io [7] site by SOC Prime [8].
Add a space and encourage discussion about threat hunting principles, threat modeling, best practices. (Documentation and Training Sessions)
Folks on the call were asking about getting more information and tutorials around scripting at all levels.
Encourage organizations who are using Zeek and have written packages to open source those packages [9] and share them with the community.
An easily searchable Knowledge Base for those getting started is needed; this would be in addition to Read the Docs [10] and try.zeek.org [11]. Things like a list of packages that people would like to see written, HowTos, a list of PCAPs people can use to test packages, HowTo webinars, etc.
Best practices/guides to analyzing the Zeek logs with Elastic [12] and Kibana [13] to start.
Feedback - It was brought up that someone had filed a ticket [14] and hadn't gotten an answer or a response in a couple of days. We told them we'd look into it, but it is an open source project, most everyone working on the Zeek Project is a volunteer, and they should also try bringing it up on the mailing list and the Slack channel.
Corelight’s Support of the Zeek Project - Greg Bell, CEO of Corelight volunteered to give a report to the community on how Corelight [15] allocates resources in support of the Zeek Project. (We’ll get this scheduled for a later date and give plenty of notice to the community as it is a topic that comes up often)
[0] - Zeek Mailing lists - https://zeek.org/mailing-lists
[1] - Zeek Slack Space - https://join.slack.com/t/zeekorg/shared_invite/enQtOTc3MzMxNDI1NDYxLTA1NzhhMTgxNWI1OTk2NjlkMTdjNzY1Nzk5NDk2ZDY1MDBkYWIxOWNjNDE2NDc2MGI5OWM3ZDllYzBmZmNhNDM
[2] - ZPC-2 - https://zeek.org/2020/04/06/zeek-package-contest-zpc-2/
[3] - Google Summer of Code - https://summerofcode.withgoogle.com/
[4] - Google Season of Docs - https://developers.google.com/season-of-docs
[5] - Spicy - https://docs.zeek.org/projects/spicy/en/latest/
[6] - Sigma - https://github.com/Neo23x0/sigma
[7] - uncoder.io - https://uncoder.io/
[8] - SOC Prime - https://socprime.com/en/
[9] - Open Source Zeek Packages - https://packages.zeek.org/
[10] - Read the Docs - https://docs.zeek.org/
[11] - Try.zeek.org - https://try.zeek.org/#/?example=hello
[12] - Elastic - https://www.elastic.co/
[13] - Kibana - https://www.elastic.co/guide/en/kibana/current/index.html
[14] - Issue tracker - https://github.com/zeek/zeek/issues
[15] - Corelight - https://www.corelight.com/