Zeek Monthly Newsletter – Issue 4 – May 2020

Below is Issue 4 of the Zeek Monthly Newsletter. You can also find it at: https://zeek.org/2020/05/11/zeek-monthly-newsletter-issue-4-may-2020/

==Issue 4 - May 2020==

Welcome to the Zeek Monthly Newsletter, Issue 4 covers April 2020 as well as upcoming events.

===In this Issue:===

• General Community News/Updates
• Development Updates
• Zeek in the News
• Zeek In, Near and Around then Community
• Interviews/Blog Posts
• Threat of the Month
• Upcoming Events
• New Zeek Related Packages
• Publication Schedule
• Get Involved

===General Community News/Updates===

• The Zeek Package Contest Is Still OPEN - ZPC-2 - The ZPC contest series is intended to inspire Zeek users to demonstrate their creativity and ingenuity while winning the admiration of their peers, and giving back to the community. The ZPC-2 contest will focus on the MITRE ATT&CK™ Framework, more specifically packages that help detect C2 Techniques. Find out more about how you can participate in ZPC-2 at: https://zeek.org/2020/04/06/zeek-package-contest-zpc-2/

• Check out the Virtual Events this month!! - We have a full line up of events in May. Presentations for Zeek From Home include Looking Deeper into the Zeek 3.0 - Major Changes, Point Releases and more; Suricate and Security Onion. Ask the Zeeksperts will be hosted by Suricate and Brim and new for this month is a virtual Zeek community CTF (Capture the Flag) event. You can find out more about how to register for these events below in the events section.

===Development Updates===

• Zeek 3.0.4 and 3.1.2 release (security + bug fixes) - These releases fix several bugs, including one potential security issue due to a stack overflow in the POP3 analyzer (thanks to Matteo Rizzo for the report). - http://mailman.icsi.berkeley.edu/pipermail/zeek/2020-April/015262.html

• The New IO Loop in Zeek 3.1 - This blog post describes the new architecture for the IO loop and changes made to IO sources to support the new architecture. - https://zeek.org/2020/04/03/the-new-io-loop-in-zeek-3-1/

• Issue Tracker: If you would like to see the issues currently being tracked, help resolve a few or file an issue you can do so at: : https://github.com/zeek/zeek/issues

===Zeek In, Near and Around The Community===

• Zeek 3.0.5 now available for Security Onion! - More details, documentation and release notes can be found at: https://blog.securityonion.net/2020/04/zeek-305-now-available-for-security.html

• Brim’s Open Source Desktop application which was first announced in March, but still being seen in Twitter feeds and mailing lists around the community. You can find out more about it at: https://github.com/brimsec/brim

• New Research: Open Source Tools! - By Augusto Barros - In this Gartner blog post, author Augusto’s Barros is looking for some input on some research that he is doing. “The intent is to look at the most popular open source tools used by security operations teams out there. Things like the ELK stack, Osquery, MISP and Zeek.” If you’d like to learn more what he’s looking for or event lend a hand, check out: https://blogs.gartner.com/augusto-barros/2020/04/17/new-research-open-source-tools/

• Four Key Elements for Comprehensive Network Threat Detection - This article by Bricata looks at the following key elements for a better understanding of network threat detection: Deep Packet Inspection (Signature-Based) Detection, Behavioral Anomaly-Based (Stateful) Detection, File Hashing and Detection, Artificial Intelligence and Machine Learning Detection and more. https://securityboulevard.com/2020/04/four-key-elements-for-comprehensive-network-threat-detection/

• COVID-19 CTI LEAGUE and CRITICAL PATH SECURITY Intel feed - CTI League and Critical Path Security has shared an updated COVID-19 threat feed for Zeek. It includes COVID-19 CTI public data, Critical Path Security data collection from dns.log, as well as data from PREDICT. Find out more at: https://github.com/CriticalPathSecurity/COVID-THREAT-INTEL-PUBLIC-ZEEK/blob/master/README.md

===Interviews/Blog Posts===

• Zeek From Home – Episode 1 – Zeek-Agent – Recording Now Available - Zeek-Agent is an endpoint monitoring agent that provides host activity to Zeek. More information about Zeek-Agent can be found on the Zeek blog and Github

These webinars are recorded and if you were unable to attend the Zeek-Agent Zeek From Home episode we have made the following available: video, audio only and slides.
Many thanks to all those who participated!! Keep those questions and feedback coming!!
Find out more at: https://zeek.org/2020/04/17/zeek-from-home-episode-1-zeek-agent-recording-now-available/

• Writing My First Protocol Analyzer - Anthony Kasza from Corelight walks you through his experience with writing his first protocol analyzer for Zeek. - https://zeek.org/2020/04/16/writing-my-first-protocol-analyzer/

• Got Zoom? - This may be helpful for some out there. It’s a simple package that works on Zoom TLS traffic. - https://zeek.org/2020/04/14/got-zoom/

• Zeek Package Contest – ZPC-2 - Announcing a new Zeek Package Contest (ZPC-2). This contest will focus on the MITRE ATT&CK™ Framework, more specifically packages that help detect C2 Techniques. $2500.00 USD to the first prize winner. (Some restrictions apply) See Blog post for more details. - https://zeek.org/2020/04/06/zeek-package-contest-zpc-2/

• 2019 Zeek Package Contest Summary & Winners - In case you weren’t at ZeekWeek last year, here’s the list of winning submissions and a summary of each Package contributed to the first Zeek Package Contest (ZPC-1) Many thanks to all those who made it a success! -
  https://zeek.org/2020/04/06/2019-zeek-package-contest-summary-and-winners-zpc-1/

===Threat of the Month===

Do you have a threat you’d like to share with the community and how using Zeek in your security stack helped you identify that threat? Please email news@zeek.org and we’ll work with you to get it written up and shared in the next newsletter.

===Upcoming Events===

The following is a list of Zeek Related online/virtual events for May 2020.

====Ask the Zeeksperts====

Ask the Zeeksperts is a one hour bi-weekly call that is hosted by various “Zeeksperts” in the community. This is where you can drop by and ask your Zeek Related questions. The webinars are free to attend, but registration is required.

• 14 May 2020 - 12:30pm PST/3:30pm EST - Suricata - Jason Ish, Suricata Senior Developer and Peter Manev, Lead QA for Suricata - Bring those Suricate related questions and ask the experts!
  Registration: https://corelight.zoom.us/webinar/register/WN_KN8qo9ZDTfKL1nKl1inmQA

• 28 May 2020 - 12:30pm PST/3:30pm EST - Brim Security - Phil Rzewski - 3:30 - Brim experts will be on hand to answer all your questions about their latest open source desktop application release.
  Registration: https://corelight.zoom.us/webinar/register/WN_lXJb4F5WTRSQ1BQasln9HA

====Zeek From Home====

This is a new weekly webinar series, where the community can share their Zeek Related presentations (scripts, use cases, how to’s, unique usages, lessons learned etc). These will be recorded.

• 12 May 2020 - 2pm EST/11am PST - Looking Deeper into the Zeek 3.0 - Major Changes, Point Releases and more with Tim Wojtulewicz. If you have questions about the Zeek 3.0 release then this is the presentation for you.
  Registration: https://corelight.zoom.us/webinar/register/WN_Hbp2Xm-mSbSRTgbwRMqtPA

• 20 May 2020 - 2pm EST/11am PST - Suricata - Victor Julien, OISF Founder and Suricata’s Lead Developer and Josh Stroschein, Ph.D., Director of Training and Academic Initiatives
  Registration: https://corelight.zoom.us/webinar/register/WN_9haXhmcKR7aSEhKyzT9ICA

• 27 May 2020 - 2pm EST/11am PST - Security Onion - Doug Burks
  Registration: https://corelight.zoom.us/webinar/register/WN_5t5TdekCQYSkYp_b2K5Ngw

====Capture the Flag Events====

These events are free but registration is required. See links below for more information.

• 15 May 2020 4-6pm Eastern - Zeek Community CTF (Capture the Flag) - Players will compete head-to-head on dozens of security challenges using Zeek data in both Splunk and Elastic. Players can also use open-source Zeek tools on a CLI.
  Registration: https://www.eventbrite.com/e/zeek-community-ctf-capture-the-flag-tickets-10477636894

• Corelight Virtual Hunt from Home (Every Tuesday and Thursday) - A free, 2-hour Virtual Capture the Flag event hosted by Corelight, where players compete to answer security challenges using Zeek data in Splunk and Elastic. The security challenges model realistic IR and hunting queries and can help you uplevel your Zeek log proficiency. Corelight experts will be on hand during the game to guide players of all skill levels through two exciting hunt scenarios. Sign up for one of eight virtual CTF spots in May. Game winners will take home bragging rights and a $100 Amazon Gift Card. https://www3.corelight.com/ctf/hunt-from-home

If you know of any Zeek related events that you would like to share with the community in the monthly newsletter, please email news@zeek.org or share on the Zeek mailing list (zeek@zeek.org).

====Zeek Related Packages/New Packages Added to packages.zeek.org====

• SPL-SPT - Sequence of Payload Lengths/Sequence of Payload Times -
  https://packages.zeek.org/packages/view/6b874e00-7ece-11ea-9321-0a645a3f3086

• Got Zoom ? - https://packages.zeek.org/packages/view/bb1d635f-8060-11ea-9321-0a645a3f3086

====Publication Schedule (Updated)====

Issue 1 - January 2020 (Covers December 2019) - 14 January 2020 - https://zeek.org/2020/01/14/zeek-monthly-newsletter-issue-1-january-2020/
Issue 2 - March 2020 (Covers January and February 2020) - 2 March 2020 - https://zeek.org/2020/03/02/zeek-monthly-newsletter-issue-2-march-2020/
Issue 3 - April 2020 (Covers March 2020) - 7 April 2020 - https://zeek.org/2020/04/07/zeek-monthly-newsletter-issue-3-april-2020/
Issue 4 - May 2020 (Covers April 2020) - 8 May 2020 - https://zeek.org/2020/05/11/zeek-monthly-newsletter-issue-4-may-2020/
Issue 5 - June 2020 (Covers May 2020) - 1 June 2020
Issue 6 - July 2020 (Covers June 2020) - 6 July 2020
Issue 7 - August 2020 (Covers July 2020) - 3 August 2020
Issue 8 - September 2020 (Covers August 2020) - 7 September 2020
Issue 9 - October 2020 (Covers September 2020) - 5 October 2020
Issue 10 - November 2020 (Covers October 2020) - 2 November 2020
Issue 11 - December 2020 (Covers November 2020) - 7 December 2020
Issue 12 - Special Issue - (Year End Review) - 21 December 2020

====Get Involved====

If you are interested in getting involved with the Zeek Newsletter, please email news@zeek.org.

Join the News Slack Channel at: https://join.slack.com/t/zeekorg/shared_invite/enQtOTc3MzMxNDI1NDYxLTA1NzhhMTgxNWI1OTk2NjlkMTdjNzY1Nzk5NDk2ZDY1MDBkYWIxOWNjNDE2NDc2MGI5OWM3ZDllYzBmZmNhNDM

Follow us on Twitter at: https://twitter.com/Zeekurity