Welcome to the Zeek Newsletter.
In this Issue:
- TL;DR
- Development Updates
- Zeek Blog and Mailing List
- Zeek in the Community
- Zeek Package Updates
- Zeek in the Enterprise
- Upcoming Events
- Zeek Related Jobs
- Get Involved
TL;DR
There’s a lot of news in this issue, particularly regarding new code. A release candidate for Zeek 5.0 is here, as well as a security and bug fix release for the current branches. Please update your sensors and consider testing the 5.0 RC.
Development Updates
On June 3, Tim Wojtulewicz announced the release of Zeek 4.0.7 and 4.2.2. Both address a potential denial of service vulnerability in the DNS analyzer. Thank you to Google’s OSS-Fuzz project for reporting this vulnerability. Please update Zeek as soon as possible.
These new versions may include other fixes as well. See the release notes for details:
https://github.com/zeek/zeek/releases/tag/v4.0.7
https://github.com/zeek/zeek/releases/tag/v4.2.2
Binary packages for the new releases are available:
https://github.com/zeek/zeek/wiki/Binary-Packages
Updated source code is available:
https://download.zeek.org/zeek-4.0.7.tar.gz
https://download.zeek.org/zeek-4.2.2.tar.gz
On June 3, Tim also published the first release candidate for Zeek 5.0.0. Zeek now includes support for building Spicy and spicy-plugin as part of Zeek. This feature is enabled by default, and can be turned off by passing the --disable-spicy flag to ./configure. Spicy is the new and easier way to build protocol parsers for Zeek.
See the release notes for details:
https://github.com/zeek/zeek/releases/tag/v5.0.0-rc1
Updated source code is available:
https://download.zeek.org/zeek-5.0.0-rc1.tar.gz
Along with the Zeek 5.0.0 release candidate, there is also a new Broker release:
https://github.com/zeek/broker/releases/tag/v2.3.0
Finally, a new version of zkg, version 2.13.0, is available. Details on the minor updates are here:
https://github.com/zeek/package-manager/blob/master/CHANGES#L1-L54
Users can work with the version bundled with Zeek or install zkg using PyPI.
Zeek Blog and Mailing List
Johanna Amann migrated the mailing list to a Discourse platform in late May. The site is available here:
If you create a new account with the same email address that you used with the previous mailing list, all your old posts will be assigned to you. Please let us know if you encounter any issues, either by Slack, email, or the site-feedback category on Discourse.
For now the old mailing list archives are still available at the previous site:
https://lists.zeek.org/archives/list/zeek@lists.zeek.org/
Zeek in the Community
Richard Bejtlich published one new Zeek in Action video, on May 13:
Zeek in Action, Video 16, Interpreting Cyber Threat Intelligence Reports
https://www.youtube.com/watch?v=dCbwEProKxg
On May 4, Fatema Bannat Wala hosted a Zeek community call. The recording is here:
https://www.youtube.com/watch?v=7Bgo_Jlv0zs
On June 1, Fatema Bannat Wala hosted another Zeek community call. The recording is here:
https://www.youtube.com/watch?v=J6QH9369f84
The Zeek training team conducted a free community training session on May 20. Thank you to everyone who taught and participated, especially instructors Keith Lehigh, Fatema Bannat Wala, and Aashish Sharma.
Zeek Package Updates
The following packages recently reported updates (as of June 6), via this search:
https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed
- Added two new detection packages for recent MS disclosure. (#185 by keithjjones, merged 6 days ago)
- Add CVE-2022-22954 detector (#184 by ynadji, merged 17 days ago)
- Add CVE-2022-26809 detector (#183 by ynadji, merged 20 days ago)
- Added parser for Genisys to CISA ICSNPP package index (#182 by mmguero, merged on May 3)
- Add two CVE detection packages. (#181 by keithjjones, merged on Apr 25)
The packages.zeek.org site reported the last 5 updates as of June 6:
6/3/22, 2:30 PM zeek-netmap
6/3/22, 9:04 AM spicy-http
6/3/22, 9:01 AM spicy-dns
6/2/22, 2:59 PM icsnpp-opcua-binary
6/2/22, 1:51 PM spicy-plugin
Zeek in the Enterprise
In May, Corelight published several blog posts showing how to use Zeek to detect exploitation of the following vulnerabilities:
- CVE-2022-26809 (Windows)
- CVE-2022-22954 (VMware)
- CVE-2022-26937 (Windows NFS)
- CVE-2022-23270 (PPTP)
See the Corelight blog for details:
On May 16, Seth Grover announced the version 6.0.0 release of Malcolm, with Suricata version 6.0.0, Arkime version 3.4.2, and Zeek version 4.2.1 as network traffic metadata providers. Check out the release page on GitHub:
https://github.com/idaholab/Malcolm/releases
Upcoming Events
Stay tuned for word on the call for papers for ZeekWeek 2022. The project will hold the conference the week of October 11-14, in Austin, Texas, USA.
See https://zeek.org/events/ for other events.
Zeek Related Jobs
The following is a sampling of job opportunities that mention Zeek skills.
Cyber Threat Hunter, Senior
Booz Allen Hamilton
Washington, DC
Remote
https://www.linkedin.com/jobs/view/3028110754/
National Space Program Blue Force Support
MITRE
Chantilly, VA
On-site
https://www.linkedin.com/jobs/view/3060803187/
Manager, Compromise Assessments (East, Remote)
CrowdStrike
Baltimore, MD
Remote
https://www.linkedin.com/jobs/view/3050273170/
For more, see https://www.linkedin.com/jobs/search/?geoId=103644278&keywords=zeek
Get Involved
If you have any comments or material for the newsletter please email news@zeek.org or join the #news Slack channel.
The Slack channel has been very active during the past month. Here is an invitation link:
https://join.slack.com/t/zeekorg/shared_invite/zt-12z1pjy93-zuVGuT1BF~yUJJvERxhp7g
Stay up to date by subscribing to the Zeek mailing list:
Follow us on Twitter:
Subscribe to our video channel:
https://www.youtube.com/channel/UC1K5-MWaM1XZcEFPCMrmNMw
See you next time!