Welcome to the Zeek Newsletter!
In this Issue:
TL;DR
Development Updates
Zeek Blog and Mailing List
Zeek in the Community
Zeek Package Updates
Zeek in the Enterprise
Upcoming Events
Zeek Related Jobs
Get Involved
TL;DR
A lot has happened since issue 15, so this newsletter captures as much of that development as possible. The biggest news involves a vulnerability in OpenSSL, discussed next.
Development Updates
On March 16, Johanna Amann noted that Zeek was affected by CVE-2022-0778, a vulnerability in OpenSSL.
The OpenSSL advisory is here:
https://www.openssl.org/news/secadv/20220315.txt
Johanna notes:
“A Zeek process will hang when parsing traffic that contains a malicious certificate that is aimed to exploit this vulnerability. Updating to patched versions of OpenSSL, and restarting Zeek, will fix this issue.”
In a Twitter thread, Johanna noted that Zeek “can detect exploitation attempts using this script that was originally written for a different exploit in 2020 that had a similar-ish mechanic:”
https://github.com/0xxon/cve-2020-0601
For more information, see Johanna’s Twitter thread:
https://twitter.com/0xxon/status/1504188199731671040
On March 11, Benjamin Bannier released Spicy 1.4.0. Developers can leverage Spicy to more easily create new protocol parsers.
See the NEWS file for a high-level summary:
https://github.com/zeek/spicy/blob/v1.4.0/NEWS.rst#version-14
See the CHANGES file for a detailed list of changes that went into this release.
https://github.com/zeek/spicy/blob/v1.4.0/CHANGES
To take full advantage of the new features in this release, spicy-plugin-1.3.8 is required:
https://packages.zeek.org/packages/view/cfa999bc-9348-11eb-81e7-0a598146b5c6
Zeek Blog and Mailing List
In addition to discussions of the OpenSSL vulnerability and the Spicy release, the mailing list was fairly active since the last newsletter.
This discussion offered thoughts on how Zeek creates timestamps in the connection log:
https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/7KT2H7WY222SJJDZ56LZUWFOQA32GIIN/
This thread talked about ways to only create the DNS log:
https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/PNIYGLJKL2MQPKQLE5PZRFXT6YQXGN62/
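As an added illustration of the kind of approach that thread is about (this script is not from the thread, the newsletter, or the Zeek project, and it assumes a Zeek 4.x or 5.x installation with the default logging framework loaded), one way to keep only dns.log is to disable every other active log stream once all streams have been registered:

```zeek
# Added example: keep dns.log and disable every other log stream.
# Assumes Zeek 4.x/5.x; Log::active_streams and Log::disable_stream are
# part of the base logging framework.

# Streams are created in zeek_init at the default priority, so run this
# handler late (negative priority) to see every stream that was registered.
event zeek_init() &priority=-10
	{
	# Collect first, then disable, so the active_streams table is not
	# modified while it is being iterated.
	local to_disable: set[Log::ID];

	for ( id in Log::active_streams )
		{
		if ( id != DNS::LOG )
			add to_disable[id];
		}

	for ( id in to_disable )
		Log::disable_stream(id);
	}
```

Load it as a local site script (for example from local.zeek). Streams that a package registers from a zeek_init handler with an even lower priority would not be caught, so check the resulting log directory after a restart.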
For now, the project is not updating the blog.
For more, see the blog and mailing list archive:
https://lists.zeek.org/archives/list/zeek@lists.zeek.org/
Zeek in the Community
On February 10, Dynamite Analytics released NSM 1.1, which includes Zeek (along with Suricata and other capabilities):
https://github.com/DynamiteAI/dynamite-nsm
On March 2, Fatema Bannat Wala hosted a Zeek community call. The recording is here:
https://www.youtube.com/watch?v=2RAJjiX8HY4
Fatema highlighted the progress made by the Zeek training group on the Zeek Project Approved Training Framework. See this page for details:
On March 9, Security Onion Solutions released Security Onion 2.3.110, which includes an intrusion detection honeypot:
https://blog.securityonion.net/2022/03/security-onion-23110-now-available.html
Finally, Patrick Kelley continues to release updated threat intelligence feeds formatted for use by Zeek:
https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds
Zeek Package Updates
The following packages reported updates recently (as of March 17), via this search:
https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed
Added mvlnetdev and the zkg.index file (#178 by mvlnetdev, merged 17 days ago)
The packages.zeek.org site reported the following updates as of March 17:
3/15/22, 2:06 PM spicy-plugin
3/15/22, 1:22 PM zeek-agent-v2
3/14/22, 2:51 PM zeek-long-connections
3/9/22, 10:59 AM bzar
3/8/22, 5:34 PM zeek-xor-exe-plugin
Zeek in the Enterprise
On February 28, Alex Kirk described how to use Zeek and Suricata to detect nation-state digital attacks:
https://corelight.com/blog/acting-on-cisas-advice-for-detecting-russian-cyberattacks
The post highlighted the feed of IP addresses that GreyNoise had observed attacking its honeypot infrastructure in Ukraine. This Twitter thread has details:
https://twitter.com/Andrew___Morris/status/1496986196874043392