Welcome to the Zeek Newsletter.
In this Issue:
TL;DR
Development Updates
Zeek Blog and Mailing List
Zeek in the Community
Zeek Package Updates
Zeek in the Enterprise
Upcoming Events
Zeek Related Jobs
Get Involved
TL;DR
Please note the security vulnerability in versions of Zeek prior to 4.0.6 and 4.2.1, discussed in Development Updates. Also see the Upcoming Events section for details on free training on May 20.
Development Updates
On April 21, Tim Wojtulewicz announced the release of Zeek 4.0.6 and Zeek 4.2.1. Both address a security issue. Previous versions of Zeek shipped a vulnerability in the File Transfer Protocol (FTP) analyzer. If an intruder provided specially-crafted input, Zeek might crash due to a buffer overflow condition. Please update to the new versions of Zeek as soon as possible to mitigate this vulnerability.
The Zeek Project would like to thank Jason Ish from the Open Information Security Foundation (OISF) for reporting this vulnerability.
These new versions of Zeek include other fixes as well. See the release notes for details:
https://github.com/zeek/zeek/releases/tag/v4.0.6
https://github.com/zeek/zeek/releases/tag/v4.2.1
Binary packages for the new releases will also be available shortly:
https://github.com/zeek/zeek/wiki/Binary-Packages
Updated source code is already available:
https://download.zeek.org/zeek-4.0.6.tar.gz
https://download.zeek.org/zeek-4.2.1.tar.gz
On April 12, Benjamin Bannier published a bug fix for Spicy, version 1.4.1.
The code is posted here:
https://github.com/zeek/spicy/releases/tag/v1.4.1
Details on the changes are posted here:
https://github.com/zeek/spicy/blob/v1.4.1/CHANGES
Zeek Blog and Mailing List
The mailing list featured several interesting threads. The longest involved how to uninstall Zeek:
https://lists.zeek.org/archives/list/zeek@lists.zeek.org/thread/QTTPW5QYCNO7MAJGPE6GZAVZAZMWTQNM/
The blog featured two stories. The first appears in the Upcoming Events section. The second involved Johanna Amann’s notice that ZeekWeek 2022 will be held the week of October 11-14, in Austin, Texas, USA. The project will open a call for presentations soon.
For more, see the blog and mailing list archive:
https://lists.zeek.org/archives/list/zeek@lists.zeek.org/
Zeek in the Community
Richard Bejtlich published two Zeek in Action videos, on March 24 and April 8:
Comparing Zeek Connection Logs with NetFlow Records
https://www.youtube.com/watch?v=RHAL9tr2gi4
Revisiting NetFlow and Zeek Data
https://www.youtube.com/watch?v=BrGHfWkbYlg
On April 6, Fatema Bannat Wala hosted a Zeek community call. The recording is here:
https://www.youtube.com/watch?v=sFjovzmmrls
Keith Jones’ presentation on importing Zeek logs into Elastic is now available:
https://www.youtube.com/watch?v=n1x4ShzhAo8
Johanna Amann’s keynote to the 2022 Passive and Active Measurement Conference, titled "Expect the Unexpected: Lessons from a Decade of Passive Network Measurements" is now available:
https://youtu.be/CH9Z66EmMdI?t=1706
Zeek Package Updates
The following packages recently reported updates (as of April 22), via this search:
https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed
Update EternalSafety package index file
#180 by 0xl3x1 was merged 3 days ago
Remove ReservoirLabs packages since their repos have vanished
#179 by ckreibich was merged 25 days ago
The packages.zeek.org site reported the last 5 updates as of April 22:
4/21/22, 8:34 PM zeek-kafka
4/21/22, 2:50 PM spicy-plugin
4/19/22, 5:18 AM zeek-EternalSafety
4/18/22, 2:27 PM zeek-spicy-openvpn
4/15/22, 5:29 PM zeek-httpattacks
Zeek in the Enterprise
On April 21, Corelight published a blog post on Detecting Windows NFS [Network File System] Portmap Vulnerabilities.
https://corelight.com/blog/detecting-windows-nfs-portmap-vulnerabilities
Corelight developed and published two Zeek packages to detect attempts to exploit these vulnerabilities:
https://github.com/corelight/CVE-2022-24491
https://github.com/corelight/CVE-2022-24497
See the blog post as well for links to packet captures used to test and develop these Zeek packages.
CrowdStrike’s Humio Community Edition now features demo data from a Corelight sensor, powered by Zeek. See Ken Greene’s blog post for details:
https://www.humio.com/whats-new/blog/corelight-demo-data-now-in-humio-community-edition/
Humio Community Edition is a no-cost, cloud-based offering that accepts up to 16 GB of data ingested per day, with a 7-day retention period.
https://www.humio.com/getting-started/community-edition/
Upcoming Events
The project is delighted to announce that members of the training team will offer free online training on May 20. The event will consist of two sessions, beginning at 8 am US Pacific Time (3 pm UTC).
8:00 am - 12:00 pm (Pacific Time)
Beginner training is aimed at users who have little to no experience with Zeek. Keith Lehigh and Fatema Bannat Wala will introduce basic architecture, show how to run and customize Zeek on the command line, and give guidance on basic log analysis.
1:00 pm - 4:30 pm (Pacific Time)
In this hands-on session, Aashish Sharma will walk attendees through the fundamentals of Zeek scripting and will offer some practical exercises.
The training is free but registration is required, on a first-come, first-served basis. If you want to attend both sessions, you must register for both sessions:
https://www.eventbrite.com/e/zeek-training-tickets-319863188407
See https://zeek.org/events/ for other events.
Zeek Related Jobs
The following is a sampling of job opportunities that mention Zeek skills.
Sr. Zeek/Bro Engineer
Latitude Inc Tysons Corner, VA
https://www.linkedin.com/jobs/view/sr-zeek-bro-engineer-at-latitude-inc-2987609780
Lead Engineer - Network Security
Target Brooklyn Park, MN
https://www.linkedin.com/jobs/view/lead-engineer-network-security-at-target-3014101774
Senior Consultant, Incident Response (Remote)
CrowdStrike Sunnyvale, CA
https://www.linkedin.com/jobs/view/senior-consultant-incident-response-remote-at-crowdstrike-2938197212
For more, see https://www.linkedin.com/jobs/search/?geoId=103644278&keywords=zeek
Get Involved
If you have any comments or material for the newsletter please email news@zeek.org or join the #news Slack channel.
The Slack channel has been very active during the past month. Join today! Here is an invitation link:
https://join.slack.com/t/zeekorg/shared_invite/zt-12z1pjy93-zuVGuT1BF~yUJJvERxhp7g
Stay up to date by subscribing to the Zeek mailing list:
http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek
Follow us on Twitter:
Subscribe to our video channel:
https://www.youtube.com/channel/UC1K5-MWaM1XZcEFPCMrmNMw
See you next time!