zeek 3 0 0 and beyond
play

Zeek 3.0.0 and beyond Robin Sommer robin@corelight.com Just - PowerPoint PPT Presentation

Jul 15, 2023 •768 likes •907 views

Zeek 3.0.0 and beyond Robin Sommer robin@corelight.com Just released: Zeek 3.0.0 bro -> zeek broctl -> zeekctl bro-cut -> zeek-cut bro-pkg -> zkg /usr/local/bro -> /usr/local/zeek *.bro -> *.zeek bro_{init,done} ->

  1. Zeek 3.0.0 — and beyond Robin Sommer robin@corelight.com

  2. Just released: Zeek 3.0.0 bro -> zeek broctl -> zeekctl bro-cut -> zeek-cut bro-pkg -> zkg /usr/local/bro -> /usr/local/zeek *.bro -> *.zeek bro_{init,done} -> zeek_{init_done} 2

  3. We got some new functionality, too New analyzers for MQTT and NTP Extended analyzers for DNS, RDP , SMB, and TLS Support for decapsulating VXLAN tunnels Support for logging in UTF-8 Language extensions: Iteration over tables through for(key,value in t)… Vector slicing through v[2:4] Case-insensitive regular expressions: /foo/i Anonymous functions now capture their closures Efficient matching of a string against a large list of globs (paraglob) 3

  4. New Release Schedule: Stability vs Features 3.0.0 is our first long-term stable release Support with critical fixes for one year (3.0.x) Feature releases will be 3.x.0 About every 4 months, plus bugfixes (3.x.y) Next stable long-term stable release will be 4.0.0 About one year after 3.0.0 We aim to provide backwards compatibility between subsequent stable release Typically, we will deprecate old functionality for one stable cycle Will discuss on mailing list in cases that’s not possible 4

  5. Alright, what’s on the radar for 3.1.0? 5

  6. Process Supervision ZeekControl Persistent Zeek Supervisor Process Manager Logger Worker 1 Worker 2 Worker 3 6

  7. Cluster State Sharing We used to have &synchronize to shares tables across cluster nodes: global my_state[addr] of string &synchronized; We now have Broker data stores, but their API remains cumbersome. Goal: Get the best of both worlds (+ persistence) by mapping tables to a data store: global my_state[addr] of string &backend=Broker::SQLITE; 7

  8. I/O Loop Modernization 8

  9. Performance Baselining Corelight-hosted testbed with traffic generator • Cluster communication benchmark • 9

  10. Code Modernization Move to standard containers Switch to C++17 Apply clang-tidy (and perhaps clang-format) Introduce automatic reference counting, maybe? 10

  11. Osquery integration event bro_init() { local query = [ $ev=host_process_events, $query=" SELECT pid,path,cmdline,cwd,uid,gid,time,parent FROM process_events ” ]; osquery::subscribe(query); } event host_process_events(resultInfo: osquery::ResultInfo, pid: int, path: string, cmdline: string, cwd: string, uid: int, gid: int, start_time: int, parent: int ) { print fmt(“UID %d executed %s”, uid, path); } https://github.com/zeek/osquery-{extension,framework} 11

  12. How to become involved GitHub Follow activity in https://github.com/zeek/zeek File issues & PRs Look for starter tickets Propose ideas, and ask questions, on the development mailing list [1] Watch out for emerging developer’s manual First piece: Style guide on coding conventions [2] [1] https://mailman.icsi.berkeley.edu/mailman/listinfo/zeek-dev [2] https://docs.zeek.org/en/latest/devel/style_guide.html 12

  13. Thanks! Robin Sommer robin@corelight.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How FAST can Zeek RUN? ZeekWeek 2019 Jim Mellander Seattle WA Cybersecurity Engineer October

How FAST can Zeek RUN? ZeekWeek 2019 Jim Mellander Seattle WA Cybersecurity Engineer October

Run, Zeek, RUN! How FAST can Zeek RUN? ZeekWeek 2019 Jim Mellander Seattle WA Cybersecurity Engineer October 11, 2019 ESNet Goals for this presentation The Quest for Efficiency started Long Ago Can Zeek run faster without code

791 views • 25 slides
Realtime Communication of MISP , Zeek, and SIEMs Matthias Vallentin Liviu Vlsan Tenzir

Realtime Communication of MISP , Zeek, and SIEMs Matthias Vallentin Liviu Vlsan Tenzir

Realtime Communication of MISP , Zeek, and SIEMs Matthias Vallentin Liviu Vlsan Tenzir CERN Intelligence in Zeek Architecture Intel::Item represents intelligence Intel::Type one of ADDR, SUBNET, URL, SOFTWARE, EMAIL, DOMAIN,

520 views • 20 slides
Thank you to our Sponsors Zeek Package Contest Winners First Prize EternalSafety Package - Lexi

Thank you to our Sponsors Zeek Package Contest Winners First Prize EternalSafety Package - Lexi

Thank you to our Sponsors Zeek Package Contest Winners First Prize EternalSafety Package - Lexi Brent Second Prize Intel-Limiter Package - Jan GrasHoefer Third Prize zeek-sniffpass Package - Andrew Klaus Fourth Prize Known-hosts-with-dns -

177 views • 7 slides
Contributing to Zeek Tim Wojtulewicz, Corelight PROPRIETARY AND CONFIDENTIAL Thats

Contributing to Zeek Tim Wojtulewicz, Corelight PROPRIETARY AND CONFIDENTIAL Thats

Contributing to Zeek Tim Wojtulewicz, Corelight PROPRIETARY AND CONFIDENTIAL Thats Woah-2-la-wits If you were confused by all of the consonants jammed together PROPRIETARY AND CONFIDENTIAL Talking today about how to open pull requests

574 views • 18 slides
Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader

Zeek (Bro) Network Security Monitor Sareena K P RISE Lab What is Bro? Facilitates broader spectrum of very different approaches to find malicious activity semantic misuse detection anomaly detection behavioral analysis.

617 views • 23 slides
Visualizing, Analyzing and Filtering Zeek Events using a graphical frontend and OpenGL Nick

Visualizing, Analyzing and Filtering Zeek Events using a graphical frontend and OpenGL Nick

Visualizing, Analyzing and Filtering Zeek Events using a graphical frontend and OpenGL Nick Skelsey ZeekWeek 2019 Seattle, WA 11 October, 2019 AGENDA Motivation 1. State of the art 2. Monopticon 3. Related research 4. 2 CONNECTIVITY

505 views • 24 slides
GradientGraph Analytics: Identifying Small Yet High Impact Flows Using Zeek to Optimize Network

GradientGraph Analytics: Identifying Small Yet High Impact Flows Using Zeek to Optimize Network

GradientGraph Analytics: Identifying Small Yet High Impact Flows Using Zeek to Optimize Network Performance ZeekWeek 2019 Reservoir Labs Jordi Ros-Giralt, Sruthi Yellamraju, Peter Cullen, Troy Hanson, James Ezick, Alison Ryan, Erik Mogus,

424 views • 29 slides
eZeeKonfigurator eZeeKonfigurator Vlad Grigorescu Vlad Grigorescu vlad@es.net Zeek Week 2019

eZeeKonfigurator eZeeKonfigurator Vlad Grigorescu Vlad Grigorescu vlad@es.net Zeek Week 2019

eZeeKonfigurator eZeeKonfigurator Vlad Grigorescu Vlad Grigorescu vlad@es.net Zeek Week 2019 Outline Outline 1. Background & Motivation 2. Demo 3. Design & Architecture 4. Roadmap & Future Plans 5. How To Try It (...and

365 views • 21 slides
Zeek - Incident Response and Beyond Aashish Sharma LBNL ZeekWeek-2019 UNIVERSITY OF CALIFORNIA

Zeek - Incident Response and Beyond Aashish Sharma LBNL ZeekWeek-2019 UNIVERSITY OF CALIFORNIA

Zeek - Incident Response and Beyond Aashish Sharma LBNL ZeekWeek-2019 UNIVERSITY OF CALIFORNIA "Bringing Science Solutions to the World" Hundreds of University staff also LBNL staff Rich history of scientific discovery

697 views • 65 slides
Without U there is No CommUnity: Growing and Nurturing an Active and Contributing Community

Without U there is No CommUnity: Growing and Nurturing an Active and Contributing Community

Without U there is No CommUnity: Growing and Nurturing an Active and Contributing Community Amber Graner @akgraner ZeekWeek 2019 - Seattle, WA Amber Graner Who Am I? @akgraner akgraner@zeek.org What do I do? Zeek Director of Community,

444 views • 20 slides
Bro scripts - 101 to 595 in 45 mins Aashish Sharma UNIVERSITY OF CALIFORNIA Zeek scripts - 101

Bro scripts - 101 to 595 in 45 mins Aashish Sharma UNIVERSITY OF CALIFORNIA Zeek scripts - 101

Bro scripts - 101 to 595 in 45 mins Aashish Sharma UNIVERSITY OF CALIFORNIA Zeek scripts - 101 to 595 in 45 mins Aashish Sharma UNIVERSITY OF CALIFORNIA "Bringing Science Solutions to the World" Hundreds of University

873 views • 66 slides
Dynamite-NSM Open-source project for network traffic analysis with Zeek, Suricata, Flow Data and

Dynamite-NSM Open-source project for network traffic analysis with Zeek, Suricata, Flow Data and

Oleg Sinitsin | Dynamite.AI Dynamite-NSM Open-source project for network traffic analysis with Zeek, Suricata, Flow Data and ELK Dynamite Analytics | Dynamite.AI Dynamite Analytics | Dynamite.AI 2 Dynamite Analytics | Dynamite.AI 3

559 views • 20 slides
Using Zeek for SSL Research Hochschule Darmstadt FH Neu-Ulm CA - G01 Beuth Hochschule Berlin CA

Using Zeek for SSL Research Hochschule Darmstadt FH Neu-Ulm CA - G01 Beuth Hochschule Berlin CA

TU Dortmund CA - G01 UNI-FFM CA BVB-CA IASS Potsdam CA Uni Witten/Herdecke CA - G01 Ruhr-Universitaet Bochum CA Hochschule fuer Film und Fernsehen Konrad Wolf CA Musikhochschule Luebeck CA - G01 BfR CA SRH Hochschule Heidelberg CA-G01 UHH

515 views • 34 slides
Some Companies/Insts. Using Zeek SOC operations overview (Microsoft) HTTPS Connection (SSL / TLS)

Some Companies/Insts. Using Zeek SOC operations overview (Microsoft) HTTPS Connection (SSL / TLS)

http.log | HTTP request/reply details conn.log | IP, TCP, UDP, ICMP connection details FIELD TYPE DESCRIPTION FIELD TYPE DESCRIPTION ts time Timestamp of the HTTP request ts time Timestamp of the fjrst packet uid & id Underlying

428 views • 8 slides
Profiling (in production) Justin Azoff - Sr. Support Engineer justin@corelight.com What do I

Profiling (in production) Justin Azoff - Sr. Support Engineer justin@corelight.com What do I

Profiling (in production) Justin Azoff - Sr. Support Engineer justin@corelight.com What do I meen by in production? There are a lot of things you can do to profile a program to figure out what it is doing. With zeek you can process a pcap

993 views • 67 slides
Interactive Mktg. Mgr. Creative KPIs & Heads in Beds | Passenger Count | ROAS Budget

Interactive Mktg. Mgr. Creative KPIs & Heads in Beds | Passenger Count | ROAS Budget

Zeek Coleman Interactive Mktg. Mgr. Creative KPIs & Heads in Beds | Passenger Count | ROAS Budget Budget: $175,000 Goal: Late Summer, Early Fall & All Winter Bookings Run Dates: August 2016 January 2017 Result:

408 views • 21 slides
File Transfer Protocol (FTP) Chuan-Ming Liu Computer Science and Information Engineering

File Transfer Protocol (FTP) Chuan-Ming Liu Computer Science and Information Engineering

File Transfer Protocol (FTP) Chuan-Ming Liu Computer Science and Information Engineering National Taipei University of Technology Fall 2007 , TAIWAN 1 Contents CONNECTIONS COMMUNICATION COMMAND PROCESSING FILE TRANSFER SIMPLE FTP LAB

666 views • 55 slides
FS Facilities Naming, APIs, and Caching OS Lecture 17 UdS/TUKL WS 2015 MPI-SWS 1 Naming Files

FS Facilities Naming, APIs, and Caching OS Lecture 17 UdS/TUKL WS 2015 MPI-SWS 1 Naming Files

FS Facilities Naming, APIs, and Caching OS Lecture 17 UdS/TUKL WS 2015 MPI-SWS 1 Naming Files MPI-SWS 2 Recall: inodes What is an inode ? the data structure of a filesystem representing a byte stream (= a file) on stable storage How are

878 views • 58 slides
OpenAFS Native Mountpoints on Linux Andrew Deason June 2019 OpenAFS Workshop 2019 1 Background

OpenAFS Native Mountpoints on Linux Andrew Deason June 2019 OpenAFS Workshop 2019 1 Background

OpenAFS Native Mountpoints on Linux Andrew Deason June 2019 OpenAFS Workshop 2019 1 Background Single mountpoints are pretty simple: 2 Background What about multiple mountpoints? What is ..? 3 Dentries and Inodes Inodes:

744 views • 15 slides
Understanding Filenames in the Samba File Server World Opening Windows to a Wider Jeremy

Understanding Filenames in the Samba File Server World Opening Windows to a Wider Jeremy

Understanding Filenames in the Samba File Server World Opening Windows to a Wider Jeremy Allison Samba Team jra@samba.org jra@google.com What is a filename ? Not as simple a question as it seems (streams..). World Opening Windows to a

523 views • 20 slides
Beyond Bash Shell scripting in a typed, OO language Scala by the Bay, 15 August 2015 Slides:

Beyond Bash Shell scripting in a typed, OO language Scala by the Bay, 15 August 2015 Slides:

Beyond Bash Shell scripting in a typed, OO language Scala by the Bay, 15 August 2015 Slides: http://tinyurl.com/beyondbash 0.1 Who am i Li Haoyi Paid $ to work on dev tools @ Dropbox Not paid $ to work on Scala.js Using Scala professionally

809 views • 69 slides
File Systems: Fundamentals Don Porter Portions courtesy Emmett Witchel 1 COMP 530: Operating

File Systems: Fundamentals Don Porter Portions courtesy Emmett Witchel 1 COMP 530: Operating

COMP 530: Operating Systems File Systems: Fundamentals Don Porter Portions courtesy Emmett Witchel 1 COMP 530: Operating Systems Files What is a file? A named collection of related information recorded on secondary storage (e.g.,

824 views • 36 slides
Taming Metadata Storms in Parallel Filesystems with MetaFS Tim Shaffer Motivation A

Taming Metadata Storms in Parallel Filesystems with MetaFS Tim Shaffer Motivation A

Taming Metadata Storms in Parallel Filesystems with MetaFS Tim Shaffer Motivation A (well-meaning) user tried to run a bioinformatics pipeline to analyze a batch of genomic data. MAKER 2 Motivation Shared filesystem performance became

507 views • 35 slides
Day 16: Script Development Suggested Reading: The Story of Mel (slide 5) A good book (not about

Day 16: Script Development Suggested Reading: The Story of Mel (slide 5) A good book (not about

Computer Sciences 368 Introduction to Perl Day 16: Script Development Suggested Reading: The Story of Mel (slide 5) A good book (not about Perl) 2012 Summer Cartwright 1 Computer Sciences 368 Introduction to Perl Homework Review 2012

205 views • 17 slides

More recommend