Virtual ZeekWeek 2020

You MUST register through eventbrite to gain access to this session (Day 3).

We'll begin the day with a high-level take on Zeek's development roadmap: what's in the works for the next couple of versions, where are we headed longer term, and how can you help? Subsequent presentations will then dive into specific areas in more detail.

Slack Channel for this session -#vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

You MUST register through eventbrite to gain access to this session (Day 3).

The new packet analysis plugin architecture handles parsing of packet headers at layers below Zeek's existing Session analysis. In particular, this allows to add new link and network layer protocols to Zeek. In our talk, we will discuss the recently merged changes and provide an outlook on the roadmap for packet analysis.

Slack Channel for this session -#vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

Spicy is a C++ parser generator that makes it easy to create robust parsers for network protocols, file formats, and more. Developers describe data grammars once in a declarative, neutral format from which Spicy generates C++ parsers for consumption by downstream projects. Spicy provides mechanisms to extend the behavior of parsers via attributes and hooks to allow adapting them to different use cases. Spicy seamlessly integrates with Zeek and enables developers to rapidly go from high-level protocol descriptions to Zeek package analyzers. This talk gives an introduction of Spicy.

Slack Channel for this session - vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

You MUST register through eventbrite to gain access to this session (Day 3).

Zeek executes scripts by compiling them into Abstract Syntax Trees (ASTs) and then, for each instance of a function call or event handler, recursively evaluating the nodes in the AST. This approach provides flexibility and ease-of-implementation, but comes with some performance costs. We'll discuss those costs and give an overview of an experimental new approach based on further compiling the ASTs down to a low-level abstract machine.

Slack Channel for this session -#vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

You MUST register through eventbrite to gain access to this session (Day 3)

Out of the box, Zeek comes with scripts for identifying malicious or suspicious traffic. These scripts are designed to be customizable to your environment, as "malicious" and "suspicious" are highly subjective. In this talk, we'll report on an emerging effort to migrate these to zkg packages. This provides a number of benefits, including faster iteration, a more community-driven feature set, explicit dependencies, and a more manageable codebase. To streamline this migration with consistent, maintainable, CI-enabled packages, we will also present a new open-source zkg package template authored by ESnet that lets script authors hit the ground running and avoid several potential pitfalls during package creation.

Slack Channel for this session -#vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

You MUST register through eventbrite to gain access to this session (Day 3).

This talk will present an overview of Zeek's future cluster controller. Designed to eventually replace the aging ZeekControl, the cluster controller targets both single- and multi-system deployments, layering a high-level management abstraction on top of the maturing lower-level Supervisor API. A new front-end client, zeekc, provides command-line management. We will provide an overview of the emerging architecture and present common cluster management use cases.

Slack Channel for this session -#vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

You MUST register through eventbrite to gain access to this session (Day 3).

Watch my mistakes as I write a Zeek script. A way to see how one person approaches Zeek scripting, see the progress including watching me make a fool of myself as I write a Zeek Package Contest entry. The hope is that watching this will help newer Zeek programmers avoid the errors, or pick up how to resolve them. Much less expert than Seth!

Slack Channel for this session - #vzw-day3-talk2-starting-to-zeek
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

You MUST register through eventbrite to gain access to this session (Day 3).

Unit Testing is a core concept in software construction. As more and more people write Zeek Scripts, it became apparent that a pragmatic Unit Testing library that provides test suites, test cases, and assertions with a rich test result output was needed. I wrote the ZTest library to provide just that! In this talk, I will discuss what ZTest is, show why it's useful, give some examples to demonstrate how it works, and also discuss what I think is a good way forward to improve the Unit Testing process when writing Zeek Scripts (both in packages/plugins and in the core Zeek code). The ZTest framework is open source and currently lives at https://github.com/corelight/ztest.

Slack Channel for this session - #vzw-day3-talk3-test-before-production
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

You MUST register through eventbrite to gain access to this session (Day 3).

While writing Spicy-parsers for a few theretofore unsupported protocols, I learned much. Reflecting on the similarities, and the progressively better implementations, I realized others could benefit from my experience. I'll draw attention to the perhaps elusive value of a few of Spicy's more esoteric features. I'll cover general parser best-practices, and some which are simply good defensive-practices. But in this talk, the Overall theme is presenting ideas in context, to see how they are effectively utilized.

Slack Channel for this session - #vzw-day3-talk4-spicy-parser-best-practices
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

You MUST register through eventbrite to gain access to this session (Day 3).

In this talk, we will introduce two new file analyzers for Zeek: ZIP and PDF analyzers. The ZIP analyzer was developed from scratch and is capable of identifying and decompressing all files with ZIP signatures in real time. The analyzer triggers Zeek events that allow security analysts to examine compressed files and apply analytics on them. Of special interest is its capability to perform recursive file analysis of ZIP files contained within ZIP files up to an arbitrary number of levels and to dynamically attach other Zeek file analyzers onto the extracted files. Maximum memory usage and depth can be tuned from a Zeek script, which protects a Zeek sensor against decompression bombs. Furthermore, the ZIP analyzer can take regular expressions and analyzer tag pairs to recursively forward decompressed files into any other file analyzer supported by Zeek. The PDF analyzer extends the work in [1] by adding new capabilities to extract the body text, embedded URLs, and embedded files from the PDF document. This additional information is captured in the PDF info record which can be accessed through the analyzer’s events. This talk will include a live demonstration of the ZIP analyzer, recursively extracting files, discovering a PDF inside of a ZIP and activating the PDF and the SHA256 analyzers to trigger PDF events on it. We plan to open source both analyzers during ZeekWeek using the Zeek Package Manager. References [1] https://github.com/lilyinstarlight/bro-pdf-analyzer

Slack Channel for this session - #vzw-day3-talk5-recursive-file-analysis
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9