Zeek Newsletter - Issue 43 - September 2024

Welcome to the Zeek Newsletter.


In this Issue:

  • TL;DR
  • Development Updates
  • Zeek in the Community
  • Zeek in the Enterprise
  • Friends of Zeek
  • Upcoming Events
  • Zeek Package Updates
  • Get Involved

TL;DR

Updates for Zeek and Spicy continue. See Development Updates for details.

Zeek webinars return on 16 October. See Upcoming Events for details.


Development Updates

Tim released Zeek versions 6.0.7 and 7.0.2. These are bugfix and security releases.

https://zeek.org/get-zeek

https://download.zeek.org/zeek-6.0.7.tar.gz

https://download.zeek.org/zeek-7.0.2.tar.gz

See the release notes for details of the addressed bugs and security issues:

https://github.com/zeek/zeek/releases/tag/v6.0.7

https://github.com/zeek/zeek/releases/tag/v7.0.2

Binary packages for the new releases will also be available shortly:

https://github.com/zeek/zeek/wiki/Binary-Packages

Benjamin released Spicy 1.11.2 and 1.11.3. These are bugfix releases. Use the latest.

https://github.com/zeek/spicy/releases/tag/v1.11.3

See the NEWS file for a high-level summary, or the CHANGES file for a detailed list of changes which went into this release.

With the arrival of 7.0, the 6.2 feature release series is now unmaintained. There will be no other 6.2 releases. The 6.0 long term support (LTS) series will continue to get patches until 7.1 is released in a few months. Users running 6.2 should upgrade to 7.0.

For more information on release cadence, see:

https://github.com/zeek/zeek/wiki/Release-Cadence


Zeek in the Community

Seth published a new version of Malcolm. Please see the project site for details:

https://malcolm.fyi/


Zeek in the Enterprise

The Corelight Labs Team published a blog post titled Detecting Abuse of NetSupport Manager. It features Zeek, and includes using the Zeek signature capability.

https://corelight.com/blog/detecting-netsupport-manager-abuse

The recording of the 25 September webinar, How to visualize OT/ICS networks for security measures, by Jiajian Zheng and Jia Wang from NTT Communications, is live here:

https://www.youtube.com/watch?v=rsx1jl284aI


Friends of Zeek

The Suricata project released version 7.0.7. Visit their site for details:

https://suricata.io/download/


Upcoming Events

Join Robin Sommer and Corelight Open Source on 22 October at 10 am GMT and 10 am PT to learn more about Spicy, a new parser generator—now integrated into Zeek—that makes it much easier to create robust analyzers for network protocols, file formats, and more.
This webcast will explain:

  • Why parsing is a key component of any network monitor like Zeek, yet remains challenging to implement correctly and efficiently with traditional approaches.

  • We will present Spicy’s novel take on the task, which enables developers to extend Zeek with new protocol and file analyzers without writing a single line of C++ code.

  • We’ll go through Spicy’s design, see examples of its capabilities, and recap the project’s history and current state.

This will be a technical presentation—we’ll be looking at code!

Register now!

https://go.corelight.com/os-getting-started-with-spicy

The next Training Group Call is 11 October at 12 noon ET. Here is the Zoom link:

https://ESnet.zoom.us/j/6445948648

Meeting ID: 644 594 8648

Passcode: Rockon!

On Wednesday 16 October at 1 pm ET, Hamza Motiwalla will present the next Zeek webinar, titled Zeek@Meta: Scale, Log Enrichment and Detections.

The ever-evolving threat landscape has made network security monitoring (NSM) imperative for Meta to safeguard assets and provide crucial network forensics. To address this need, we deploy Zeek and Suricata using commodity hardware across our network infrastructure. This presentation will dive into tap deployments at scale for our enterprise network (logging 15 billion connections daily), establish the need for downstream conn.log enrichment (IP->Hostname attribution) and give an overview of the active network detections across our network boundaries.

Register here:

https://us06web.zoom.us/webinar/register/WN_5ROOBD2OSOCzVlfgLriAQg

The next Zeek Community Call is 4 December at 1 pm ET. There is no need to register. Here is the Zoom link:

https://us06web.zoom.us/j/99882457331?pwd=WVZLRGtpbmx1V2FqSnlRT1FLRC9lQT09

We are sorry that BSides Augusta and the Security Onion conference were canceled due to Hurricane Helene. We wish our colleagues in the affected region a speedy recovery.


Zeek Package Updates

Changes to packages are available via this search:

https://github.com/zeek/packages/pulls?q=is%3Apr+is%3Aclosed

The https://packages.zeek.org site reported the last 5 updates as of 2 June:

10/3/24, 4:14 AM shodan-zeek

10/2/24, 4:32 PM icsnpp-genisys

10/2/24, 3:48 PM ja4

10/1/24, 4:34 PM 2024-09-cups-linux-rce

9/30/24, 1:58 PM ssl-extensions


Get Involved

If you have any comments or material for the newsletter please email news@zeek.org or join the #news Slack channel.

https://zeekorg.slack.com

Here is an invitation to the Slack channel:

https://join.slack.com/t/zeekorg/shared_invite/zt-12z1pjy93-zuVGuT1BF~yUJJvERxhp7g

Stay up to date by joining the Zeek Discourse:

https://community.zeek.org

Subscribe to our YouTube channel:

https://youtube.com/c/Zeekurity

Follow us on Mastodon:

https://infosec.exchange/@zeek

The old mailing list archives now redirect to this site:

https://community.zeek.org/archives/list/zeek@lists.zeek.org/

If you’d like to read the Leadership Team meeting notes, they are here:

https://github.com/zeek/zeek/wiki/LT-Meeting-Notes

Follow us on LinkedIn:

https://www.linkedin.com/company/zeekurity

To search LinkedIn for jobs mentioning Zeek skills, use this query:

https://www.linkedin.com/jobs/search/?&keywords=zeek

See you next time!
