Loading…
Virtual ZeekWeek 2020 is free to attend, but registration is required. 

Sign up or log in to bookmark your favorites and sync them to your phone or calendar.

Day 3 - Developer Track [clear filter]
Thursday, October 15
 

9:00am PDT

Day 3 - Zeek 4.0 and beyond: High-level Roadmap
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

We'll begin the day with a high-level take on Zeek's development roadmap: what's in the works for the next couple of versions, where are we headed longer term, and how can you help? Subsequent presentations will then dive into specific areas in more detail.

Slack Channel for this session -#vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

Speakers
avatar for Robin Sommer

Robin Sommer

Co-Founder and CTO, Corelight, Inc.
Robin is co-founder and CTO at Corelight, a prominent computer science researcher, and long-time open-source lead for the Zeek project. Robin received his doctorate from the Technical University Munich, completed his postdoc at the International Computer Science Institute, and subsequently... Read More →



Thursday October 15, 2020 9:00am - 9:30am PDT
Online - Zoom Meeting Room

9:30am PDT

Day 3 - Packet Analyzers
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

The new packet analysis plugin architecture handles parsing of packet headers at layers below Zeek's existing Session analysis. In particular, this allows to add new link and network layer protocols to Zeek. In our talk, we will discuss the recently merged changes and provide an outlook on the roadmap for packet analysis.

Slack Channel for this session -#vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

Speakers
avatar for Jan Grashöfer

Jan Grashöfer

KIT - Karlsruher Institute for Technology
Jan is a PhD student at Karlsruhe Institute of Technology (KIT). In his research he focuses on performance aspects of network monitoring. Jan started to work with Zeek in 2015. Among his contributions are the AF_Packet plugin and a rework of the intelligence framework.
TW

Tim Wojtulewicz

Corelight, Imc.
Tim is a software engineer at Corelight. He works on the core of Zeek, focusing mostly on code modernization and architecture improvements. Tim started working on Zeek in 2019.



Thursday October 15, 2020 9:30am - 10:00am PDT
Online - Zoom Meeting Room

10:00am PDT

Day 3 - Introducing Spicy
Limited Capacity seats available

Spicy is a C++ parser generator that makes it easy to create robust parsers for network protocols, file formats, and more. Developers describe data grammars once in a declarative, neutral format from which Spicy generates C++ parsers for consumption by downstream projects. Spicy provides mechanisms to extend the behavior of parsers via attributes and hooks to allow adapting them to different use cases. Spicy seamlessly integrates with Zeek and enables developers to rapidly go from high-level protocol descriptions to Zeek package analyzers. This talk gives an introduction of Spicy.

Slack Channel for this session - vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers
avatar for Benjamin Bannier

Benjamin Bannier

Corelight, Inc.
Benjamin works on the Spicy parser generator at Corelight. Before that he worked on large distributed systems as an Apache Mesos committer at D2iQ and on columnar databases at ParStream after a live in High-energy nuclear physics.


slides pdf

Thursday October 15, 2020 10:00am - 10:30am PDT
Online - Zoom Meeting Room

10:30am PDT

Day 3 - Compiling Zeek Scripts
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

Zeek executes scripts by compiling them into Abstract Syntax Trees (ASTs) and then, for each instance of a function call or event handler, recursively evaluating the nodes in the AST. This approach provides flexibility and ease-of-implementation, but comes with some performance costs. We'll discuss those costs and give an overview of an experimental new approach based on further compiling the ASTs down to a low-level abstract machine.

Slack Channel for this session -#vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

Speakers
avatar for Vern Paxson

Vern Paxson

Professor of Computer Science at UC Berkeley and Zeek (fka Bro), Co-founder and Chief Scientist at Corelight, Inc.
Vern is co-founder and Chief Scientist at Corelight, and Professor of Computer Science at UC Berkeley.  A prolific and internationally-recognized researcher, Vern also leads the Networking and Security Group at the International Computer Science Institute and for decades held a position... Read More →



Thursday October 15, 2020 10:30am - 11:00am PDT
Online - Zoom Meeting Room

11:00am PDT

Day 3 - Packaging Zeek's policy scripts with better zkg templating
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3)

Out of the box, Zeek comes with scripts for identifying malicious or suspicious traffic. These scripts are designed to be customizable to your environment, as "malicious" and "suspicious" are highly subjective. In this talk, we'll report on an emerging effort to migrate these to zkg packages. This provides a number of benefits, including faster iteration, a more community-driven feature set, explicit dependencies, and a more manageable codebase. To streamline this migration with consistent, maintainable, CI-enabled packages, we will also present a new open-source zkg package template authored by ESnet that lets script authors hit the ground running and avoid several potential pitfalls during package creation.

Slack Channel for this session -#vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

Speakers
avatar for Vlad Grigorescu

Vlad Grigorescu

ESnet
Vlad Grigorescu has been working in information security since 2005, with a focus on open-source tool development, especially with Bro/Zeek. Most of this work has been in the academic and high-performance computing and networking space, as a security engineer at the University of... Read More →
avatar for Christian Kreibich

Christian Kreibich

Corelight, Inc.
Christian works at Corelight, where he's currently dedicating all his time to open-source Zeek. Prior to Corelight, he built and led the networking team at Lastline, served on the OISF advisory board, and was a staff researcher at the International Computer Science Institute. He holds... Read More →



Thursday October 15, 2020 11:00am - 11:30am PDT
Online - Zoom Meeting Room

11:30am PDT

Day 3 - Towards a New Management Framework for Zeek Clusters
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

This talk will present an overview of Zeek's future cluster controller. Designed to eventually replace the aging ZeekControl, the cluster controller targets both single- and multi-system deployments, layering a high-level management abstraction on top of the maturing lower-level Supervisor API. A new front-end client, zeekc, provides command-line management. We will provide an overview of the emerging architecture and present common cluster management use cases.

Slack Channel for this session -#vzw-day3-talk1-roadmap
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9 (this is part of the roadmap session number 15 on the survey)

Speakers
avatar for Robin Sommer

Robin Sommer

Co-Founder and CTO, Corelight, Inc.
Robin is co-founder and CTO at Corelight, a prominent computer science researcher, and long-time open-source lead for the Zeek project. Robin received his doctorate from the Technical University Munich, completed his postdoc at the International Computer Science Institute, and subsequently... Read More →



Thursday October 15, 2020 11:30am - 12:00pm PDT
Online - Zoom Meeting Room

12:00pm PDT

Break
Limited Capacity seats available

Thursday October 15, 2020 12:00pm - 12:20pm PDT
Break

12:20pm PDT

Day - 3 - Starting to Zeek
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

Watch my mistakes as I write a Zeek script. A way to see how one person approaches Zeek scripting, see the progress including watching me make a fool of myself as I write a Zeek Package Contest entry. The hope is that watching this will help newer Zeek programmers avoid the errors, or pick up how to resolve them. Much less expert than Seth!

Slack Channel for this session - #vzw-day3-talk2-starting-to-zeek
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers
avatar for Steve Smoot

Steve Smoot

VP, Corelight, Inc.
Dr. Smoot is a graduate of MIT and holds a PhD in Computer Science from the University of California at Berkeley. He is currently Corelight's VP of Customer Success.  He played a catalytic role at Riverbed, scaling from 10 to 2600 people, and before that brought the FastForward Networks... Read More →



Thursday October 15, 2020 12:20pm - 12:40pm PDT
Online - Zoom Meeting Room

12:40pm PDT

Day 3 - Test before Production: Introducing ZTest, a Unit Testing Framework for Zeek
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

Unit Testing is a core concept in software construction. As more and more people write Zeek Scripts, it became apparent that a pragmatic Unit Testing library that provides test suites, test cases, and assertions with a rich test result output was needed. I wrote the ZTest library to provide just that! In this talk, I will discuss what ZTest is, show why it's useful, give some examples to demonstrate how it works, and also discuss what I think is a good way forward to improve the Unit Testing process when writing Zeek Scripts (both in packages/plugins and in the core Zeek code). The ZTest framework is open source and currently lives at https://github.com/corelight/ztest.

Slack Channel for this session - #vzw-day3-talk3-test-before-production
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers
avatar for Ryan Victory

Ryan Victory

Corelight, Inc.
Ryan Victory is a Cyber Security nerd with a strong love for data. He has built large scale distributed security and anti-fraud systems and used Zeek as a critical data source in defending networks against miscreant activity in many ways. He is an avid programmer and currently manages... Read More →



Thursday October 15, 2020 12:40pm - 1:00pm PDT
Online - Zoom Meeting Room

1:00pm PDT

Day 3 - Spicy-parser Best-practices
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

While writing Spicy-parsers for a few theretofore unsupported protocols, I learned much. Reflecting on the similarities, and the progressively better implementations, I realized others could benefit from my experience. I'll draw attention to the perhaps elusive value of a few of Spicy's more esoteric features. I'll cover general parser best-practices, and some which are simply good defensive-practices. But in this talk, the Overall theme is presenting ideas in context, to see how they are effectively utilized.

Slack Channel for this session - #vzw-day3-talk4-spicy-parser-best-practices
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers
avatar for Duffy O'Craven

Duffy O'Craven

While writing Spicy-parsers for a few theretofore unsupported protocols, I learned much. Reflecting on the similarities, and the progressively better implementations, I realized others could benefit from my experience. I'll draw attention to the perhaps elusive value of a few of Spicy's... Read More →



Thursday October 15, 2020 1:00pm - 1:20pm PDT
Online - Zoom Meeting Room

1:20pm PDT

Day 3 - Recursive File Analysis in Zeek
Limited Capacity seats available

You MUST register through eventbrite to gain access to this session (Day 3).

In this talk, we will introduce two new file analyzers for Zeek: ZIP and PDF analyzers. The ZIP analyzer was developed from scratch and is capable of identifying and decompressing all files with ZIP signatures in real time. The analyzer triggers Zeek events that allow security analysts to examine compressed files and apply analytics on them. Of special interest is its capability to perform recursive file analysis of ZIP files contained within ZIP files up to an arbitrary number of levels and to dynamically attach other Zeek file analyzers onto the extracted files. Maximum memory usage and depth can be tuned from a Zeek script, which protects a Zeek sensor against decompression bombs. Furthermore, the ZIP analyzer can take regular expressions and analyzer tag pairs to recursively forward decompressed files into any other file analyzer supported by Zeek. The PDF analyzer extends the work in [1] by adding new capabilities to extract the body text, embedded URLs, and embedded files from the PDF document. This additional information is captured in the PDF info record which can be accessed through the analyzer’s events. This talk will include a live demonstration of the ZIP analyzer, recursively extracting files, discovering a PDF inside of a ZIP and activating the PDF and the SHA256 analyzers to trigger PDF events on it. We plan to open source both analyzers during ZeekWeek using the Zeek Package Manager. References [1] https://github.com/lilyinstarlight/bro-pdf-analyzer

Slack Channel for this session - #vzw-day3-talk5-recursive-file-analysis
Haven't joined the Zeek Slack space yet you can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers
avatar for Kazi Alom

Kazi Alom

Intern, Reservoir Labs
Kazi is an undergraduate majoring in computer science and electrical engineering at the Massachusetts Institute of Technology (MIT).  Since 2018, Kazi has been actively engaged in embedded systems security research at MIT Lincoln Laboratory.  Throughout 2020, Kazi has been an intern... Read More →



Thursday October 15, 2020 1:20pm - 1:40pm PDT
Online - Zoom Meeting Room
 
  • Timezone
  • Filter By Date Virtual ZeekWeek 2020 Oct 13 -15, 2020
  • Filter By Venue online
  • Filter By Type
  • Day 1 Training
  • Day 2 - User Track
  • Day 3 - Developer Track