Ripple20

Zeek seems uniquely positioned to deal with detection of either attack activity or detection of assets with Treck-based IP stacks. Anything like this being done with Zeek as yet?

See https://corelight.blog/2020/06/30/ripple20-zeek-package-open-sourced/ !

-- Vern

Fantastic! Thanks.

This is great, many thanks to the Corelight team for open sourcing this.
We're not yet on Zeek in production; happy to report it loaded in Bro 2.6.1.

Greg

Glad this is useful. I'm sure Ben - the author - would appreciate feedback, if you have it.

Here are a few other recent packages, all aimed at high-severity CVEs:

Curveball (CVE-2020-0601) - Johanna Amann: https://zeek.org/2020/01/16/detecting-cve-2020-0601-with-zeek/
CallStranger (CVE-2020-12695) - Ryan Victory: https://corelight.blog/2020/06/10/detecting-the-new-callstranger-upnp-vulnerability-with-zeek/
GnuTLS (CVE-2020-13777) - Johanna Amann: https://corelight.blog/2020/06/11/detecting-gnutls-cve-2020-13777-using-zeek/

For those on the community Slack (https://zeek.org/ → connect → Slack), note that the #packages channel is another good place to exchange info.

All the best.

- Greg

Hello,

I was wondering if anyone could provide an idea of how prone this is to
false positives?

Thanks!

Greg

hi greg, i was chatting with ben (the author) about this last night.

per ben: there are actually two types of detections, medium fidelity detections (Treck_TCP_observed), and high fidelity detections (the others). medium fidelity means that there could well be FP detected there. however, if a device has more than one medium fidelity notice type, then it is more likely to be a true positive. for this reason, by default all notices are enabled.

if the medium fidelity notices are too noisy you can disable them in scripts/config.zeek with enable_medium_fidelity_notices = F.

hope this helps,
jamie

sorry, i forgot to mention Treck_IP_in_IP_outer_packet_observed is medium as well
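
The triage rule relayed above (one medium-fidelity notice type may be a false positive, several types on one device are more likely real, anything else from the package is high fidelity), as an added example that is not part of the thread or of the Corelight package. Assumptions: the `Ripple20` module prefix on notice names, grouping on the `src` field of `notice.log`, and the constructed sample log with its placeholder high-fidelity notice name.

```python
# Medium-fidelity names as given in the thread; other package notices count as high.
MEDIUM = {"Treck_TCP_observed", "Treck_IP_in_IP_outer_packet_observed"}
MODULE = "Ripple20"  # assumption: module prefix of the package's notice names

def read_zeek_tsv(lines):
    """Yield one dict per record of a Zeek TSV log, keyed by its #fields header."""
    fields = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def triage(lines):
    """Map each host (notice 'src', an assumption) to 'high', 'likely' or 'review'."""
    seen = {}
    for rec in read_zeek_tsv(lines):
        module, _, name = rec.get("note", "").rpartition("::")
        if module == MODULE and rec.get("src", "-") != "-":
            seen.setdefault(rec["src"], set()).add(name)
    verdicts = {}
    for host, names in seen.items():
        if names - MEDIUM:
            verdicts[host] = "high"    # at least one high-fidelity notice
        elif len(names) > 1:
            verdicts[host] = "likely"  # more than one medium-fidelity notice type
        else:
            verdicts[host] = "review"  # a single medium type: possible false positive
    return verdicts

# Constructed sample, not real traffic. Example_high_fidelity_notice is a placeholder.
SAMPLE = "\n".join([
    "#separator \\x09",
    "#fields\tts\tsrc\tdst\tnote",
    "1593561600.0\t192.0.2.10\t192.0.2.1\tRipple20::Treck_TCP_observed",
    "1593561660.0\t192.0.2.10\t192.0.2.1\tRipple20::Treck_TCP_observed",
    "1593561700.0\t192.0.2.20\t192.0.2.1\tRipple20::Treck_TCP_observed",
    "1593561720.0\t192.0.2.20\t192.0.2.1\tRipple20::Treck_IP_in_IP_outer_packet_observed",
    "1593561800.0\t192.0.2.30\t192.0.2.1\tRipple20::Example_high_fidelity_notice",
    "1593561900.0\t192.0.2.40\t192.0.2.1\tSSL::Invalid_Server_Cert",
])

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE.splitlines()).items()):
        print(host, verdict)
```

Against a real log, pass the open file instead of the sample: `triage(open("notice.log"))`.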

Great, thank you for this info, very helpful indeed.

Greg