Zeek Newsletter - Issue 15 - December 2021-January 2022

Welcome to the Zeek Newsletter!

In this Issue:
TL;DR
Development Updates
Zeek Blog and Mailing List
Zeek in the Community
Zeek Package Updates
Zeek in the Enterprise
Upcoming Events
Zeek Related Jobs
Get Involved

TL;DR

We finished a big year for the Zeek community. Log4j vulnerabilities continue to be a challenge, but Zeek was able to help. We hope you had a pleasant holiday and we’re looking forward to 2022. This newsletter includes two items from the first week in January, due to their importance.

Development Updates

On January 5, Tim Wojtulewicz published the first release candidate of Zeek 4.2.0, and followed with Zeek 4.2.0 on January 22.

https://zeek.org/get-zeek

https://download.zeek.org/zeek-4.2.0.tar.gz

See the release notes for details of the addressed bugs and security issues:

https://github.com/zeek/zeek/releases/tag/v4.2.0

Downloads for Zeek 4.0.5 are also available, as of January 25:

https://zeek.org/get-zeek

https://download.zeek.org/zeek-4.0.5.tar.gz

See the release notes for details of the addressed bugs and security issues:

https://github.com/zeek/zeek/releases/tag/v4.0.5

Binary packages for the new releases are available:

https://github.com/zeek/zeek/wiki/Binary-Packages

We encourage readers to report any issues to the project. Thank you.

Concerning how the release process works, Tim offered the following.

- The LTS releases follow an x.0.y versioning scheme and come out roughly once per year, with patch releases as necessary. The current LTS release is 4.0.4.

- Feature releases come out during the interim, and follow an x.a.b versioning scheme, with x being the same as the current LTS. Patch releases happen as necessary. The current feature release is 4.1.1. We released 4.2.0-RC1 this week, and 4.2 will supersede 4.1 once it is fully released. We generally try to follow a 4-month cadence for the feature releases, but schedules slip, etc.

We’re currently in the development cycle for the next LTS release, which at this point should be 5.0.0. 5.0.0 will supersede the 4.0 line and become the new LTS release for the following year or so.

See these links for more information about project release cadence:

https://github.com/zeek/zeek/wiki/Release-Cadence
https://github.com/zeek/zeek/wiki/Security-Release-Process

Zeek Blog and Mailing List

A recent notable blog post featured details and links on all the videos from ZeekWeek21. See this post for details:

https://zeek.org/2021/12/10/zeekweek-2021-summary-slides-videos-and-more-now-available/

One of the more interesting exchanges on the Zeek mailing list involved different options for disabling dns.log entries. See this thread for details:

https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/FMEIVTBC3NJTTW5C72SJ3YAXMOHPOU3H/

For more, see the blog and mailing list archive:

https://zeek.org/blog/

https://lists.zeek.org/archives/list/zeek@lists.zeek.org/

Zeek in the Community

On January 5, CISA (the United States’ Cybersecurity and Infrastructure Security Agency) released Malcolm 5.1, following its release of 5.0 in December.

https://github.com/cisagov/Malcolm/releases/tag/v5.1.0

According to its description, “Malcolm provides an easily deployable network analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.” Malcolm integrates Arkime (formerly Moloch), “a large scale, open source, indexed packet capture and search tool.”

https://github.com/arkime/arkime

Richard Bejtlich and Keith Jones published new Zeek in Action videos on YouTube:

Zeek in Action, Video 9, Radius Protocol Analyzer with Spicy

https://www.youtube.com/watch?v=oJprmlB3eNo

Zeek in Action, Video 10, Examining the Four Types of Network Security Monitoring Data

https://www.youtube.com/watch?v=PYekUOCBBrY

Zeek in Action, Video 11, Using Spicy Driver

https://www.youtube.com/watch?v=2q4jZdCUbEg

Zeek in Action, Video 12, zeek2es

https://www.youtube.com/watch?v=Ahe4jmdB2uQ

Zeek in Action, Video 13, Running Brim Inside Windows Sandbox

https://www.youtube.com/watch?v=W-dlsDPyBtE

Keith’s video 9 is two hours long and is an amazing tutorial on developing an analyzer for the Radius protocol using Spicy. Stay tuned for more from Keith, and check out his new Python application that translates Zeek's ASCII TSV and JSON logs into Elasticsearch's bulk load JSON format.

https://github.com/corelight/zeek2es

Zeek Package Updates

The following packages reported updates recently (as of February 9), via this search:

https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed

Add cve-2022-21907.
#177 by keithjjones was merged 14 days ago

Add zeek-packages/zeek-agent-v2.
#176 by rsmmr was merged 15 days ago

Add ICSNPP-OPCUA-Binary
#175 by Kleinspider was merged 22 days ago

Add cve-2022-21907.
#174 by keithjjones was closed 20 days ago • Draft

Log4j detection heuristics
#173 by initconf was merged on Dec 22, 2021

Add Corelight Log4j detection package
#172 by ynadji was merged on Dec 16, 2021

Add a couple of Spicy-based analyzers
#171 by bbannier was merged on Dec 10, 2021

Zeek in the Enterprise

Corelight offered several blog posts and a new Zeek package to detect Log4j exploitation.

The blog posts are here:

https://corelight.com/blog/tag/log4j

The Zeek package is here:

https://github.com/corelight/cve-2021-44228

Upcoming Events

See https://zeek.org/events/ for the latest details.

Zeek Related Jobs

The following are a sampling of job opportunities that mention Zeek skills.

Cyber Security Information Assurance Lead
ICF, Arlington, VA
https://www.linkedin.com/jobs/search/?currentJobId=2833005761

Threat Intel Investigator, OCI
Oracle, Reston, VA
https://www.linkedin.com/jobs/view/2840457175

Senior Network Security Researcher
Battelle, Chantilly, VA
https://www.linkedin.com/jobs/search/?currentJobId=2859106319

For more, see https://www.linkedin.com/jobs/search/?geoId=103644278&keywords=zeek

Get Involved

If you have any comments or material for the newsletter please email news@zeek.org or join the #news Slack channel.

https://zeekorg.slack.com

Here is an invitation link:

https://join.slack.com/t/zeekorg/shared_invite/zt-12z1pjy93-zuVGuT1BF~yUJJvERxhp7g

Stay up to date by subscribing to the Zeek mailing list:

http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek

Follow us on Twitter:

https://twitter.com/Zeekurity

Subscribe to our video channel:

https://www.youtube.com/channel/UC1K5-MWaM1XZcEFPCMrmNMw

See you next time!