You MUST register through Eventbrite to gain access to this session (Day 3).
In this talk, we will introduce two new file analyzers for Zeek: a ZIP analyzer and a PDF analyzer. The ZIP analyzer was developed from scratch and identifies and decompresses, in real time, every file that carries a ZIP signature. The analyzer triggers Zeek events that let security analysts examine the compressed files and apply analytics to them. Of special interest is its ability to perform recursive file analysis of ZIP files nested inside other ZIP files, up to an arbitrary number of levels, and to dynamically attach other Zeek file analyzers to the extracted files. Maximum memory usage and nesting depth can be tuned from a Zeek script, which protects a Zeek sensor against decompression bombs. Furthermore, the ZIP analyzer accepts pairs of regular expressions and analyzer tags that recursively forward decompressed files into any other file analyzer supported by Zeek. The PDF analyzer extends the work in [1] with new capabilities to extract the body text, embedded URLs, and embedded files from a PDF document. This additional information is captured in the PDF info record, which can be accessed through the analyzer's events. The talk will include a live demonstration of the ZIP analyzer recursively extracting files, discovering a PDF inside a ZIP, and activating the PDF and SHA256 analyzers to trigger PDF events on it. We plan to open source both analyzers during ZeekWeek via the Zeek Package Manager.

References
[1] https://github.com/lilyinstarlight/bro-pdf-analyzer
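The bounded recursive walk the abstract describes (a depth cap and a cumulative decompressed-size cap against decompression bombs, nested ZIPs recognised by signature and descended into, leaf files hashed with SHA256) is modelled below as an added Python example; it is not the Zeek analyzer's code, and the cap values, the `walk_zip`, `build_zip` and `is_rejected` names, and the sample inputs are constructed here.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 3                # constructed tunables standing in for the talk's depth cap ...
MAX_TOTAL_BYTES = 1_000_000  # ... and memory cap (cumulative decompressed bytes per input)
ZIP_MAGIC = b"PK\x03\x04"    # local file header signature, used here to spot a nested ZIP

class LimitExceeded(Exception):
    pass  # raised when nesting depth or cumulative decompressed size exceeds a cap

def walk_zip(data, depth=0, budget=None, path=""):
    """Return (path, size, sha256) for each non-ZIP leaf, descending into nested ZIPs."""
    if budget is None:
        budget = {"bytes": 0}  # shared across levels: the cap is per input, not per ZIP
    if depth > MAX_DEPTH:
        raise LimitExceeded(f"nesting depth {depth} exceeds {MAX_DEPTH} at {path!r}")
    leaves = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = f"{path}/{info.filename}" if path else info.filename
            # Declared sizes in the central directory cannot be trusted, so read at most
            # one byte past the remaining budget and enforce the cap on actual bytes.
            with zf.open(info) as fh:
                member = fh.read(MAX_TOTAL_BYTES - budget["bytes"] + 1)
            budget["bytes"] += len(member)
            if budget["bytes"] > MAX_TOTAL_BYTES:
                raise LimitExceeded(f"decompressed size exceeds {MAX_TOTAL_BYTES} bytes at {name!r}")
            if member.startswith(ZIP_MAGIC):
                leaves.extend(walk_zip(member, depth + 1, budget, name))
            else:
                leaves.append((name, len(member), hashlib.sha256(member).hexdigest()))
    return leaves

def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def is_rejected(data):  # True when walk_zip refuses the input because a cap was hit
    try:
        walk_zip(data)
        return False
    except LimitExceeded:
        return True
```

A real sensor would additionally hand each leaf to the analyzer matching its signature (the PDF analyzer for `%PDF` content, for instance) instead of only hashing it.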
Slack channel for this session: #vzw-day3-talk5-recursive-file-analysis
If you haven't joined the Zeek Slack workspace yet, you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ
Link to session survey: https://forms.gle/aFCTXniakuJGi7YN9