Welcome to the Zeek Newsletter!
In this Issue:
TL;DR
Development Updates
Zeek Blog and Mailing List
Zeek in the Community
Zeek Package Updates
Zeek in the Enterprise
Upcoming Events
Zeek Related Jobs
Get Involved
TL;DR
We finished a big year for the Zeek community. Log4j vulnerabilities continue to be a challenge, but Zeek was able to help. We hope you had a pleasant holiday and we’re looking forward to 2022. This newsletter includes two items from the first week in January, due to their importance.
Development Updates
On January 5, Tim Wojtulewicz published the first release candidate of Zeek 4.2.0, and followed with Zeek 4.2.0 on January 22.
https://download.zeek.org/zeek-4.2.0.tar.gz
See the release notes for details of the addressed bugs and security issues:
https://github.com/zeek/zeek/releases/tag/v4.2.0
Downloads for Zeek 4.0.5 are also available, as of January 25:
https://download.zeek.org/zeek-4.0.5.tar.gz
See the release notes for details of the addressed bugs and security issues:
https://github.com/zeek/zeek/releases/tag/v4.0.5
Binary packages for the new releases are available:
https://github.com/zeek/zeek/wiki/Binary-Packages
We encourage readers to report any issues to the project. Thank you.
Concerning how the release process works, Tim offered the following.
- The LTS releases follow an x.0.y versioning scheme and come out roughly once per year, with patch releases as necessary. The current LTS release is 4.0.4.
- Feature releases come out during the interim, and follow an x.a.b versioning scheme, with x being the same as the current LTS. Patch releases happen as necessary. The current feature release is 4.1.1. We released 4.2.0-RC1 this week, and 4.2 will supersede 4.1 once it is fully released. We generally try to follow a 4-month cadence for the feature releases, but schedules slip, etc.
We’re currently in the development cycle for the next LTS release, which at this point should be 5.0.0. 5.0.0 will supersede the 4.0 line and become the new LTS release for the following year or so.
See these links for more information about project release cadence:
https://github.com/zeek/zeek/wiki/Release-Cadence
https://github.com/zeek/zeek/wiki/Security-Release-Process
Zeek Blog and Mailing List
A recent notable blog post featured details and links on all the videos from ZeekWeek21. See this post for details:
https://zeek.org/2021/12/10/zeekweek-2021-summary-slides-videos-and-more-now-available/
One of the more interesting exchanges on the Zeek mailing list involved different options for disabling dns.log entries. See this thread for details:
https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/FMEIVTBC3NJTTW5C72SJ3YAXMOHPOU3H/
For more, see the blog and mailing list archive:
https://lists.zeek.org/archives/list/zeek@lists.zeek.org/
Zeek in the Community
On January 5, CISA (the United States’ Cybersecurity and Infrastructure Security Agency) released Malcolm 5.1, following its release of 5.0 in December.
https://github.com/cisagov/Malcolm/releases/tag/v5.1.0
According to its description, “Malcolm provides an easily deployable network analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.” Malcolm integrates Arkime (formerly Moloch), “a large scale, open source, indexed packet capture and search tool.”
https://github.com/arkime/arkime
Richard Bejtlich and Keith Jones published new Zeek in Action videos on YouTube:
Zeek in Action, Video 9, Radius Protocol Analyzer with Spicy
https://www.youtube.com/watch?v=oJprmlB3eNo
Zeek in Action, Video 10, Examining the Four Types of Network Security Monitoring Data
https://www.youtube.com/watch?v=PYekUOCBBrY
Zeek in Action, Video 11, Using Spicy Driver
https://www.youtube.com/watch?v=2q4jZdCUbEg
Zeek in Action, Video 12, zeek2es
https://www.youtube.com/watch?v=Ahe4jmdB2uQ
Zeek in Action, Video 13, Running Brim Inside Windows Sandbox
https://www.youtube.com/watch?v=W-dlsDPyBtE
Keith’s video 9 is two hours long and is an amazing tutorial on developing an analyzer for the Radius protocol using Spicy. Stay tuned for more from Keith, and check out his new Python application, zeek2es, which translates Zeek’s ASCII TSV and JSON logs into Elasticsearch’s bulk load JSON format.
https://github.com/corelight/zeek2es
Zeek Package Updates
The following packages reported updates recently (as of February 9), via this search:
https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed
- Add cve-2022-21907. (#177 by keithjjones, merged 14 days ago)
- Add zeek-packages/zeek-agent-v2. (#176 by rsmmr, merged 15 days ago)
- Add ICSNPP-OPCUA-Binary (#175 by Kleinspider, merged 22 days ago)
- Add cve-2022-21907. (#174 by keithjjones, draft, closed 20 days ago)
- Log4j detection heuristics (#173 by initconf, merged on Dec 22, 2021)
- Add Corelight Log4j detection package (#172 by ynadji, merged on Dec 16, 2021)
- Add a couple of Spicy-based analyzers (#171 by bbannier, merged on Dec 10, 2021)
Zeek in the Enterprise
Corelight offered several blog posts and a new Zeek package to detect Log4j exploitation.
The blog posts are here:
https://corelight.com/blog/tag/log4j
The Zeek package is here:
https://github.com/corelight/cve-2021-44228
Upcoming Events
See https://zeek.org/events/ for the latest details.
Zeek Related Jobs
The following is a sampling of job opportunities that mention Zeek skills.
Cyber Security Information Assurance Lead
ICF, Arlington, VA
https://www.linkedin.com/jobs/search/?currentJobId=2833005761
Threat Intel Investigator, OCI
Oracle, Reston, VA
https://www.linkedin.com/jobs/view/2840457175
Senior Network Security Researcher
Battelle, Chantilly, VA
https://www.linkedin.com/jobs/search/?currentJobId=2859106319
For more, see https://www.linkedin.com/jobs/search/?geoId=103644278&keywords=zeek
Get Involved
If you have any comments or material for the newsletter please email news@zeek.org or join the #news Slack channel.
Here is an invitation link:
https://join.slack.com/t/zeekorg/shared_invite/zt-12z1pjy93-zuVGuT1BF~yUJJvERxhp7g
Stay up to date by subscribing to the Zeek mailing list:
http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek
Follow us on Twitter:
Subscribe to our video channel:
https://www.youtube.com/channel/UC1K5-MWaM1XZcEFPCMrmNMw
See you next time!