Virtual ZeekWeek 2020 is free to attend, but registration is required. 


Tuesday, October 13
 

9:00am PDT

Virtual ZeekWeek 2020 - Day 1 Training Session 1 - Hands on Introduction to setting up and running Zeek
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 1 Session 1). Seating is limited.

After this training you should be able to:
- Install and configure Zeek
- Understand basic functions of Zeek
- Be familiar with the filesystem layout
- Run Zeek on the CLI
- Be familiar with cluster config
- Process logs
- Perform basic customization

Slack Channel (Private invite sent to registered attendees) - #vzw-training-intro-to-zeek

Speakers

Fatema Bannat Wala

ESNet
I am a big fan of Zeek and a security enthusiast, working in the industry as a Security Engineer for the past 5 years. Recently I joined ESnet's security team, where I work on the centralized SIEM solution, making IDS/NSM monitoring better and doing IR and threat hunting.

Keith Lehigh

University Information Security Officer, Indiana University
I lead a team of security engineers at Indiana University as my day job.  I've been involved in the Zeek community for 10+ years in a variety of ways.  When I'm not working, I'm probably cooking or grilling.


Tuesday October 13, 2020 9:00am - 1:20pm PDT
Online - Zoom Meeting Room

9:00am PDT

Virtual ZeekWeek 2020 - Day 1 Training Session 2 - Hands on Zeek Scripting
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 1 Session 2). Seating is limited.


Slack Channel (Private invite sent to registered attendees) - #vzw-training-zeek-scripting

Speakers

Aashish Sharma

Lawrence Berkeley National Laboratory (Berkeley Lab)


Tuesday October 13, 2020 9:00am - 1:20pm PDT
Online - Zoom Meeting Room 2

11:00am PDT

Break
Limited Capacity seats available

Tuesday October 13, 2020 11:00am - 11:20am PDT
Break
 
Wednesday, October 14
 

9:00am PDT

Day 2 - Welcome /LT Introductions and Governance Update - Keith Lehigh
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 2).


Slack Channel for this session - #vzw-day2-talk1-welcome-lt-introductions-and-governance
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Keith Lehigh

University Information Security Officer, Indiana University
I lead a team of security engineers at Indiana University as my day job.  I've been involved in the Zeek community for 10+ years in a variety of ways.  When I'm not working, I'm probably cooking or grilling.



Wednesday October 14, 2020 9:00am - 9:20am PDT
Online - Zoom Meeting Room

9:20am PDT

Day 2 - An Overview of Zeek Performance - Vern Paxson
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 2).

Achieving high performance has been a central goal for Zeek’s operation since its original design. We’ll discuss the different elements that go into Zeek’s overall performance, how its architecture has evolved over the years to support faster processing, and a new approach I’ve developed for optimizing Zeek script execution.


Slack Channel for this session - #vzw-day2-talk2-zeek-performance
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9



Speakers

Vern Paxson

Professor of Computer Science at UC Berkeley and Zeek (fka Bro), Co-founder and Chief Scientist at Corelight, Inc.
Vern is co-founder and Chief Scientist at Corelight, and Professor of Computer Science at UC Berkeley. A prolific and internationally-recognized researcher, Vern also leads the Networking and Security Group at the International Computer Science Institute and for decades held a position...



Wednesday October 14, 2020 9:20am - 9:40am PDT
Online - Zoom Meeting Room

9:40am PDT

Day 2 - I have an IT inventory! Now what? - Nick Turley
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 2).

I have an IT inventory! Now what? - Nick Turley

Summary: Zeek is not only a powerful platform for network security analysis, but Zeek can also play an important role in identifying, classifying, and inventorying your systems. Learn about the importance of contextual enrichment and correlation in Zeek for security and IT operations.

Abstract: Zeek is not only a powerful platform for network security analysis, but Zeek can also play an important role in your overall IT enterprise and operations strategy. Many organizations struggle with the ability to build and maintain inventory, apply real-time contextual enrichment, and understand the "hidden issues" that can lead to larger operational problems down the road. Using Zeek's powerful Input Framework, you can provide real-time data enrichment that can help bridge gaps with your inventory/CMDB platforms and help you find answers to important security and operational questions about your environment.

Slack Channel for this session - #vzw-day2-talk3-it-inventory
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Nick Turley

BYU
Nick Turley is an IT Enterprise Architect at Brigham Young University where he is responsible for directing technology-related architectural efforts, including security and SecOps architecture. Nick has held prior roles as a software engineer, penetration tester, security manager...



Wednesday October 14, 2020 9:40am - 10:00am PDT
Online - Zoom Meeting Room

10:00am PDT

Day 2 - Is Weird still weird? Take-2 @ESnet - Fatema Bannat Wala
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 2).

Is Weird still weird? Take-2 @ESnet - Fatema Bannat Wala

Summary: This presentation is going to be about the findings and resolutions done to mitigate some of the heavily triggered weirds on the ESnet network. It is similar to the analysis done in an earlier version of this talk back in 2018 (Is weird really weird?); however, this time it's new findings on a different network.

Abstract: The weird log file is one of the most interesting log files that Zeek generates to analyze. It reveals information about network activity that is not categorized as normal according to the TCP/IP and other protocol standards. I started to pay more attention to the weird.log file over the last few years, and there was a talk related to the same in 2018, which talked about the network misconfigurations found and how they were fixed, based on the weird.log file analysis. Similarly, this time as well, the talk is going to present findings and results from ESnet's network traffic, and whether they are really ‘weird’, or just a misconfigured application or misconfigured firewall rules causing the weird patterns in the traffic.

Slack Channel for this session - #vzw-day2-talk4-is-weird-still-weird
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Fatema Bannat Wala

ESNet
I am a big fan of Zeek and a security enthusiast, working in the industry as a Security Engineer for the past 5 years. Recently I joined ESnet's security team, where I work on the centralized SIEM solution, making IDS/NSM monitoring better and doing IR and threat hunting.



Wednesday October 14, 2020 10:00am - 10:20am PDT
Online - Zoom Meeting Room

10:20am PDT

Day 2 - Zeek Agent: Correlating Host and Network Logs for Better Forensics - Wajih Ul Hassan
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 2).

Zeek Agent: Correlating Host and Network Logs for Better Forensics

Summary: I'll present Zeek Agent, an open source endpoint monitoring framework that seamlessly correlates endpoint activity with Zeek network logs. I'll talk about Zeek Agent architecture, implementation, and its use-cases.

Abstract: There's a potentially great power for security analysis in having both endpoint and network visibility, but one big challenge is how to tie the two together in a meaningful way. In this talk, I’ll present Zeek Agent, an endpoint monitoring tool that provides deeper visibility into organization-wide activities through transparently observing endpoint activity and correlating it with Zeek network logs. I’ll describe the design and implementation of the Zeek Agent framework and the techniques that we employ to derive correlations between host and network logs. Later in this talk, I’ll explain how we use the notion of causal analysis on the correlated host and network logs to accelerate the threat investigation process. Causal analysis can generate contextual history around the alert through automatically reconstructing the chain of events that lead to the alert event. Using such analysis, security analysts can better understand alerts without needing to write long ad-hoc queries to chain together context during threat investigation. Finally, I’ll present an attack case study to show the effectiveness of the causal analysis technique during attack investigation.

Slack Channel for this session - #vzw-day2-talk5-zeek-agent
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Wajih Ul Hassan

Research Intern, Corelight, Inc.
Wajih Ul Hassan is a Ph.D. candidate in the CS Department of the University of Illinois at Urbana Champaign, where he is advised by Adam Bates. His research interests are in system and network security, with an emphasis on intrusion detection, forensic analysis, and data provenance...



Wednesday October 14, 2020 10:20am - 10:40am PDT
Online - Zoom Meeting Room

10:40am PDT

Day 2 - BSD Honeypots with Zeek - Of course it runs on BSD - Michael Shirk
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 2).

BSD Honeypots with Zeek - Of course it runs on BSD

Summary: I did a talk at BSDCan 2020 highlighting the use of BSD as a platform for honeypots. Central to this talk was the use of Zeek and the intel framework to correlate all of this data together while utilizing FreeBSD jails to separate the honeypot from Zeek. I emulated services using a honeypot Python framework in one jail, while using Zeek to monitor all of the traffic going towards the jail. I intend to update this talk to be more focused on the setup of Zeek.

Abstract: In the past, there was some interest in the setting up of honeypots on BSD operating systems with tools like honeyd. Honeypots attempt to capture malicious code, network worms and attackers by emulating vulnerable services using a variety of methods. An opportunity came up for me to try to capture some malicious code using a simple setup with Zeek and FreeBSD jails. The setup was simple and easy to replicate as a way to perform security research on current attacks across the Internet and correlate with other threat sources for analysis.

Slack Channel for this session - #vzw-day2-talk6-bsd-honeypots
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Michael Shirk

Daemon Security
Michael Shirk is a BSD zealot who has worked with OpenBSD and FreeBSD for over 15 years. He works in the security community and supports open source security products that run on BSD operating systems (Snort, Suricata, Zeek, AIDE).



Wednesday October 14, 2020 10:40am - 11:00am PDT
Online - Zoom Meeting Room

11:00am PDT

Break
Limited Capacity seats available

Wednesday October 14, 2020 11:00am - 11:20am PDT
Break

11:20am PDT

Day 2 - Using Zeek in ESnet6 management network security monitoring - Scott Campbell
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 2).

Summary: ESnet is building a greenfield implementation for its next generation network. This presentation describes how we are using Zeek as an integral part of our monitoring and security strategy, focusing on architecting traffic patterns to maximize intruder visibility as well as providing critical feedback on device misconfiguration.

Abstract: ESnet is building a greenfield implementation for its next generation network. In it the Management plane represents the command and control infrastructure of our network, so security has to be a significant component of its design and operation. This presentation describes how we are using Zeek as part of our monitoring and security strategy, focusing on architecting traffic patterns to maximize intruder visibility as well as providing critical feedback on device misconfiguration.

Slack Channel for this session - #vzw-day2-talk7-zeek-in-esnet6
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Scott Campbell

ESNet
I have been at Lawrence Berkeley National Lab since 2001 working in the security groups for high performance computing (NERSC) as well as scientific networking (ESnet). This whole time I have been using Zeek for a variety of interesting things, and have done quite a bit of research...



Wednesday October 14, 2020 11:20am - 11:40am PDT
Online - Zoom Meeting Room

11:40am PDT

Day 2 - A Structural Approach to Modeling Encrypted Connections - Anthony Kasza
Limited Capacity seats available

A Structural Approach to Modeling Encrypted Connections - Anthony Kasza

Summary: Attendees will gain insights into a proven and scalable method for analyzing encrypted flows without breaking and inspecting their contents. This talk is meant to expand the audience's understanding of techniques for summarizing network connections and approaches to encrypted traffic analysis. The mechanism of the SSH, SSL, and RDP protocols will be explored using both techniques.

Abstract: To weary network users, encryption provides privacy for data in transit. To network operators and security analysts, encryption hinders visibility. Breaking encryption and inspecting content can be costly and error prone. By analyzing the lengths and ordering of encrypted data exchanged throughout a connection (i.e., signals that don't require breaking encryption), network monitoring systems can infer protocol state without parsing the content of the connection. By modeling a protocol's state transitions and overlaying that model on a connection's sequence of lengths (SOL), inferences can be made about how the protocol is being used. This provides a sort of compromise between privacy and visibility. Attendees will gain insights into a proven and scalable method for analyzing encrypted flows without breaking and inspecting their contents. This talk is meant to expand the audience's understanding of techniques for summarizing network connections and approaches to encrypted traffic analysis. The mechanism of the SSH, SSL, and RDP protocols will be explored using both techniques.

Slack Channel for this session - #vzw-day2-talk8-modeling-encrypted-connections
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Anthony K

Technical Director, Corelight, Inc.
Anthony Kasza is a Technical Director for Corelight. At Corelight, Anthony is responsible for developing prototypes that provide insights into network activity. Prior to working at Corelight, Anthony was responsible for discovering new and tracking known threats, creating scalable...



Wednesday October 14, 2020 11:40am - 12:00pm PDT
Online - Zoom Meeting Room

12:00pm PDT

Day 2 - Zeek, and Splunk, and Alertus, oh My - Brian Allen
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 2).

Zeek, and Splunk, and Alertus, oh My - Brian Allen

Summary: Learn how to find useful information at the intersection of Zeek, Splunk, and Alertus logs

Abstract: WashU has a communication tool called Alertus which is used to share info with every user on campus during an emergency. The Alertus clients are very chatty and include a lot of useful information when they phone home. Zeek sees this, so we looked for ways to use that data in Splunk. We'll look at some ways we added Alertus user data to Splunk searches to track down machines on campus.

Slack Channel for this session - #vzw-day2-talk9-zeek-splunk-and-alertus
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Brian Allen

Information Security Manager, Washington University in St. Louis
Brian Allen started in IT as a Unix admin in 2000, and has been working in information security at Washington University for 14 years.



Wednesday October 14, 2020 12:00pm - 12:20pm PDT
Online - Zoom Meeting Room

12:20pm PDT

Day 2 - How to set your logs on fire with Emoji-🔥 - Benjamin Berens & Jan Grashöfer
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 2).

How to set your logs on fire with Emoji-🔥 - Benjamin Berens & Jan Grashöfer

Summary: First Jan will present the idea of the Emojifier, explain how we implemented it and how the Emojifier can be extended (~10min). Then Benjamin will give a brief introduction to our plans to investigate potential benefits of applying the Emojifier in production or education (~2min). Finally we would like to discuss the Emojifier's practical relevance with the audience (using polls, if possible).

Abstract: The Emojifier is a small Zeek script that saw the light of day in the first Zeek contest. The script extends Zeek's connection log with emojis that visualize special properties of a connection. In our talk we will describe how we brought color into Zeek logs and present our plan to investigate possible real-world applications. Finally, we would like to learn: What do you think about emojis in your logs?

Slack Channel for this session - #vzw-day2-talk10-how-to-set-your-logs-on-fire-with-emojji
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Jan Grashöfer

KIT - Karlsruher Institute for Technology
Jan is a PhD student at Karlsruhe Institute of Technology (KIT). In his research he focuses on performance aspects of network monitoring. Jan started to work with Zeek in 2015. Among his contributions are the AF_Packet plugin and a rework of the intelligence framework.

Benjamin Berens

KIT - Karlsruher Institute for Technology
Benjamin is a PhD candidate at Karlsruhe Institute of Technology (KIT). In his research he focuses on various security aspects in conjunction with human factors. Benjamin tries to help users get more familiar with and enjoy using IT security.



Wednesday October 14, 2020 12:20pm - 12:40pm PDT
Online - Zoom Meeting Room

12:40pm PDT

Day 2 - Gamification of Zeek: Demonstrating the Power of Zeek through CTFs - Aaron Soto
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 2).

Gamification of Zeek: Demonstrating the Power of Zeek through CTFs - Aaron Soto

Abstract: If you're at ZeekWeek 2020, I'll bet it's because you love Zeek. You try to show it off to your peers. You might even talk about it at parties. (That's ill-advised -- doubly so in 2020.) But how can you really show off Zeek? Capture The Flag (CTF) exercises are popular in Information Security because they give participants the chance to see attacks, tools, and techniques in practice. So, I (along with Matt Bromiley and members of Corelight) created a CTF at ZeekWeek 2019, aiming to show off the pure usefulness of open-source Zeek. Over the past year, it has exploded in popularity and has introduced hundreds of people to Zeek data. In this talk, I'll discuss how we created the event, what we've learned along the way, and what we'd do differently. My hope is that this talk inspires you to participate in CTFs and also to change the way you show off your love of Zeek.

Slack Channel for this session - #vzw-day2-talk11-gamification-of-zeek
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Aaron Soto

Director of Learning, Corelight, Inc.
Aaron Soto is at Corelight, training users on the Zeek (formerly Bro) network monitoring platform. He was recently on Rapid7's Metasploit team. In his off-time, he enjoys endurance automotive racing.



Wednesday October 14, 2020 12:40pm - 1:00pm PDT
Online - Zoom Meeting Room

1:00pm PDT

Day 2 - Community/2021 Strategic Plan Update
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 2).

In this talk, Amber will go over the high-level strategic Zeek Community goals for 2021. She'll also go over stats from the past year to highlight the amazing work being done by you, the Zeek Community, and the various ways that you can get involved and help shape the future of the Zeek Project.

Slack Channel for this session - #vzw-day2-talk12-community-strategic-plan-update
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Amber Graner

Director of Community, Corelight, Inc.
Amber’s open source journey started in 2009 when she started blogging about Ubuntu. Since then she’s written for Ubuntu User Magazine, co-authored The Official Ubuntu Book (6th & 7th edit.) and served as a technical reviewer for Jono Bacon’s Art of Community. She was the first...



Wednesday October 14, 2020 1:00pm - 1:20pm PDT
Online - Zoom Meeting Room

1:20pm PDT

Day 2 -Going Beyond Alerts - Maximizing Network Defense with Suricata 6.0
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 2).

Securing a network often begins with the ability to generate alerts when malicious or non-standard network traffic is observed. This is routinely accomplished through intrusion detection and prevention systems (IDPS) such as Suricata, as well as other open-source tools. Unfortunately, an alert only provides a narrow view into a possible incident. Data surrounding an alert also needs to be available to help an analyst build context before and after an alert. In this talk, we’ll introduce the latest features available in the newly released Suricata 6.0 and discuss how protocol-specific logs, full-packet capture and other features of Suricata and Zeek can be used to build a more comprehensive view into an organization’s network. This context allows for an organization to understand the threats they face and gives them the ability to respond to incidents quickly and more accurately.


Slack Channel for this session -
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9


Wednesday October 14, 2020 1:20pm - 1:40pm PDT
Online - Zoom Meeting Room
 
Thursday, October 15
 

9:00am PDT

Day 3 - Zeek 4.0 and beyond: High-level Roadmap
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

We'll begin the day with a high-level take on Zeek's development roadmap: what's in the works for the next couple of versions, where are we headed longer term, and how can you help? Subsequent presentations will then dive into specific areas in more detail.

Slack Channel for this session - #vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

Speakers

Robin Sommer

Co-Founder and CTO, Corelight, Inc.
Robin is co-founder and CTO at Corelight, a prominent computer science researcher, and long-time open-source lead for the Zeek project. Robin received his doctorate from the Technical University Munich, completed his postdoc at the International Computer Science Institute, and subsequently...



Thursday October 15, 2020 9:00am - 9:30am PDT
Online - Zoom Meeting Room

9:30am PDT

Day 3 - Packet Analyzers
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

The new packet analysis plugin architecture handles parsing of packet headers at layers below Zeek's existing session analysis. In particular, this allows adding new link- and network-layer protocols to Zeek. In our talk, we will discuss the recently merged changes and provide an outlook on the roadmap for packet analysis.

Slack Channel for this session - #vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

Speakers

Jan Grashöfer

KIT - Karlsruher Institute for Technology
Jan is a PhD student at Karlsruhe Institute of Technology (KIT). In his research he focuses on performance aspects of network monitoring. Jan started to work with Zeek in 2015. Among his contributions are the AF_Packet plugin and a rework of the intelligence framework.

Tim Wojtulewicz

Corelight, Inc.
Tim is a software engineer at Corelight. He works on the core of Zeek, focusing mostly on code modernization and architecture improvements. Tim started working on Zeek in 2019.



Thursday October 15, 2020 9:30am - 10:00am PDT
Online - Zoom Meeting Room

10:00am PDT

Day 3 - Introducing Spicy
Limited Capacity seats available

Spicy is a C++ parser generator that makes it easy to create robust parsers for network protocols, file formats, and more. Developers describe data grammars once in a declarative, neutral format from which Spicy generates C++ parsers for consumption by downstream projects. Spicy provides mechanisms to extend the behavior of parsers via attributes and hooks to allow adapting them to different use cases. Spicy seamlessly integrates with Zeek and enables developers to rapidly go from high-level protocol descriptions to Zeek package analyzers. This talk gives an introduction to Spicy.

Slack Channel for this session - #vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Benjamin Bannier

Corelight, Inc.
Benjamin works on the Spicy parser generator at Corelight. Before that he worked on large distributed systems as an Apache Mesos committer at D2iQ and on columnar databases at ParStream after a life in high-energy nuclear physics.


slides pdf

Thursday October 15, 2020 10:00am - 10:30am PDT
Online - Zoom Meeting Room

10:30am PDT

Day 3 - Compiling Zeek Scripts
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

Zeek executes scripts by compiling them into Abstract Syntax Trees (ASTs) and then, for each instance of a function call or event handler, recursively evaluating the nodes in the AST. This approach provides flexibility and ease-of-implementation, but comes with some performance costs. We'll discuss those costs and give an overview of an experimental new approach based on further compiling the ASTs down to a low-level abstract machine.

Slack Channel for this session - #vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

Speakers

Vern Paxson

Professor of Computer Science at UC Berkeley and Zeek (fka Bro), Co-founder and Chief Scientist at Corelight, Inc.
Vern is co-founder and Chief Scientist at Corelight, and Professor of Computer Science at UC Berkeley. A prolific and internationally-recognized researcher, Vern also leads the Networking and Security Group at the International Computer Science Institute and for decades held a position...



Thursday October 15, 2020 10:30am - 11:00am PDT
Online - Zoom Meeting Room

11:00am PDT

Day 3 - Packaging Zeek's policy scripts with better zkg templating
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

Out of the box, Zeek comes with scripts for identifying malicious or suspicious traffic. These scripts are designed to be customizable to your environment, as "malicious" and "suspicious" are highly subjective. In this talk, we'll report on an emerging effort to migrate these to zkg packages. This provides a number of benefits, including faster iteration, a more community-driven feature set, explicit dependencies, and a more manageable codebase. To streamline this migration with consistent, maintainable, CI-enabled packages, we will also present a new open-source zkg package template authored by ESnet that lets script authors hit the ground running and avoid several potential pitfalls during package creation.

Slack Channel for this session - #vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

Speakers

Vlad Grigorescu

ESnet
Vlad Grigorescu has been working in information security since 2005, with a focus on open-source tool development, especially with Bro/Zeek. Most of this work has been in the academic and high-performance computing and networking space, as a security engineer at the University of...

Christian Kreibich

Corelight, Inc.
Christian works at Corelight, where he's currently dedicating all his time to open-source Zeek. Prior to Corelight, he built and led the networking team at Lastline, served on the OISF advisory board, and was a staff researcher at the International Computer Science Institute. He holds...



Thursday October 15, 2020 11:00am - 11:30am PDT
Online - Zoom Meeting Room

11:30am PDT

Day 3 - Towards a New Management Framework for Zeek Clusters
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

This talk will present an overview of Zeek's future cluster controller. Designed to eventually replace the aging ZeekControl, the cluster controller targets both single- and multi-system deployments, layering a high-level management abstraction on top of the maturing lower-level Supervisor API. A new front-end client, zeekc, provides command-line management. We will provide an overview of the emerging architecture and present common cluster management use cases.

Slack Channel for this session - #vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

Speakers

Robin Sommer

Co-Founder and CTO, Corelight, Inc.
Robin is co-founder and CTO at Corelight, a prominent computer science researcher, and long-time open-source lead for the Zeek project. Robin received his doctorate from the Technical University Munich, completed his postdoc at the International Computer Science Institute, and subsequently...



Thursday October 15, 2020 11:30am - 12:00pm PDT
Online - Zoom Meeting Room

12:00pm PDT

Break
Limited Capacity seats available

Thursday October 15, 2020 12:00pm - 12:20pm PDT
Break

12:20pm PDT

Day 3 - Starting to Zeek
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

Watch my mistakes as I write a Zeek script. A way to see how one person approaches Zeek scripting, see the progress including watching me make a fool of myself as I write a Zeek Package Contest entry. The hope is that watching this will help newer Zeek programmers avoid the errors, or pick up how to resolve them. Much less expert than Seth!

Slack Channel for this session - #vzw-day3-talk2-starting-to-zeek
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Steve Smoot

VP, Corelight, Inc.
Dr. Smoot is a graduate of MIT and holds a PhD in Computer Science from the University of California at Berkeley. He is currently Corelight's VP of Customer Success. He played a catalytic role at Riverbed, scaling from 10 to 2600 people, and before that brought the FastForward Networks...



Thursday October 15, 2020 12:20pm - 12:40pm PDT
Online - Zoom Meeting Room

12:40pm PDT

Day 3 - Test before Production: Introducing ZTest, a Unit Testing Framework for Zeek
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

Unit Testing is a core concept in software construction. As more and more people write Zeek Scripts, it became apparent that a pragmatic Unit Testing library that provides test suites, test cases, and assertions with a rich test result output was needed. I wrote the ZTest library to provide just that! In this talk, I will discuss what ZTest is, show why it's useful, give some examples to demonstrate how it works, and also discuss what I think is a good way forward to improve the Unit Testing process when writing Zeek Scripts (both in packages/plugins and in the core Zeek code). The ZTest framework is open source and currently lives at https://github.com/corelight/ztest.

Slack Channel for this session - #vzw-day3-talk3-test-before-production
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Ryan Victory

Corelight, Inc.
Ryan Victory is a Cyber Security nerd with a strong love for data. He has built large scale distributed security and anti-fraud systems and used Zeek as a critical data source in defending networks against miscreant activity in many ways. He is an avid programmer and currently manages...



Thursday October 15, 2020 12:40pm - 1:00pm PDT
Online - Zoom Meeting Room

1:00pm PDT

Day 3 - Spicy-parser Best-practices
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

While writing Spicy parsers for a few theretofore unsupported protocols, I learned much. Reflecting on the similarities, and the progressively better implementations, I realized others could benefit from my experience. I'll draw attention to the perhaps elusive value of a few of Spicy's more esoteric features. I'll cover general parser best practices, and some which are simply good defensive practices. But in this talk, the overall theme is presenting ideas in context, to see how they are effectively utilized.

Slack Channel for this session - #vzw-day3-talk4-spicy-parser-best-practices
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Duffy O'Craven




Thursday October 15, 2020 1:00pm - 1:20pm PDT
Online - Zoom Meeting Room

1:20pm PDT

Day 3 - Recursive File Analysis in Zeek
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

In this talk, we will introduce two new file analyzers for Zeek: ZIP and PDF analyzers. The ZIP analyzer was developed from scratch and is capable of identifying and decompressing all files with ZIP signatures in real time. The analyzer triggers Zeek events that allow security analysts to examine compressed files and apply analytics on them. Of special interest is its capability to perform recursive file analysis of ZIP files contained within ZIP files up to an arbitrary number of levels and to dynamically attach other Zeek file analyzers onto the extracted files. Maximum memory usage and depth can be tuned from a Zeek script, which protects a Zeek sensor against decompression bombs. Furthermore, the ZIP analyzer can take regular expressions and analyzer tag pairs to recursively forward decompressed files into any other file analyzer supported by Zeek. The PDF analyzer extends the work in [1] by adding new capabilities to extract the body text, embedded URLs, and embedded files from the PDF document. This additional information is captured in the PDF info record which can be accessed through the analyzer's events. This talk will include a live demonstration of the ZIP analyzer, recursively extracting files, discovering a PDF inside of a ZIP and activating the PDF and the SHA256 analyzers to trigger PDF events on it. We plan to open source both analyzers during ZeekWeek using the Zeek Package Manager.

References
[1] https://github.com/lilyinstarlight/bro-pdf-analyzer

Slack Channel for this session - #vzw-day3-talk5-recursive-file-analysis
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers

Kazi Alom

Intern, Reservoir Labs
Kazi is an undergraduate majoring in computer science and electrical engineering at the Massachusetts Institute of Technology (MIT). Since 2018, Kazi has been actively engaged in embedded systems security research at MIT Lincoln Laboratory. Throughout 2020, Kazi has been an intern...



Thursday October 15, 2020 1:20pm - 1:40pm PDT
Online - Zoom Meeting Room