Virtual ZeekWeek 2020 is free to attend, but registration is required. 
Back To Schedule
Thursday, October 15 • 1:20pm - 1:40pm
Day 3 - Recursive File Analysis in Zeek LIMITED

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.

Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

In this talk, we will introduce two new file analyzers for Zeek: ZIP and PDF analyzers. The ZIP analyzer was developed from scratch and is capable of identifying and decompressing all files with ZIP signatures in real time. The analyzer triggers Zeek events that allow security analysts to examine compressed files and apply analytics on them. Of special interest is its capability to perform recursive file analysis of ZIP files contained within ZIP files up to an arbitrary number of levels and to dynamically attach other Zeek file analyzers onto the extracted files. Maximum memory usage and depth can be tuned from a Zeek script, which protects a Zeek sensor against decompression bombs. Furthermore, the ZIP analyzer can take regular expressions and analyzer tag pairs to recursively forward decompressed files into any other file analyzer supported by Zeek. The PDF analyzer extends the work in [1] by adding new capabilities to extract the body text, embedded URLs, and embedded files from the PDF document. This additional information is captured in the PDF info record which can be accessed through the analyzer’s events. This talk will include a live demonstration of the ZIP analyzer, recursively extracting files, discovering a PDF inside of a ZIP and activating the PDF and the SHA256 analyzers to trigger PDF events on it. We plan to open source both analyzers during ZeekWeek using the Zeek Package Manager. References [1] https://github.com/lilyinstarlight/bro-pdf-analyzer

Slack Channel for this session - #vzw-day3-talk5-recursive-file-analysis
Haven't joined the Zeek Slack space yet you can do so at:

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

avatar for Kazi Alom

Kazi Alom

Intern, Reservoir Labs
Kazi is an undergraduate majoring in computer science and electrical engineering at the Massachusetts Institute of Technology (MIT).  Since 2018, Kazi has been actively engaged in embedded systems security research at MIT Lincoln Laboratory.  Throughout 2020, Kazi has been an intern... Read More →

Thursday October 15, 2020 1:20pm - 1:40pm PDT
Online - Zoom Meeting Room