Friday, July 19, 2019

Zeke on Zeek: Working With Open-Source Zeek: Adding a Key-value For-Loop

By Zach Medley

Getting started working on Zeek can be daunting because of the sheer size of the repository. While designed reasonably, Zeek is big and a lot of reasonable design can still be a lot to handle. This blog post walks through how I added Zeek’s key-value for loop in the hope that it might make it easier for future Zeek developers to get started.

Zeek, formerly Bro, is an open-source network security monitoring tool that transforms raw traffic into rich logs, extracted files, and custom insights via a Turing-complete Zeek programming language. It’s all open source, and developed on GitHub with its community.

Defining the Problem


Before the addition of a key-value for loop in Zeek you can iterate over the items in a container with a standard range based for loop:



However, looping over tables where there are both keys and values requires a separate lookup:



This is less than ideal for both ergonomic and efficiency reasons. At its core, when Zeek does a lookup in a table, it retrieves the corresponding value as well as makes the second lookup unnecessary as Zeek user Jon points out below:




As for the syntax, Zeek’s tables can be indexed by tuples. The existing for loop supported iteration over tables with tuples by wrapping the keys in brackets and unpacking the tuple.



Christian suggested that we extend this tuple unpacking for use with key-value for loops.


Writing Tests


The testing framework Zeek uses is called btest and tests written using it are commonly called “btests.” Zeek's btests live in the testing/btest/ directory. Once you get the hang of them, they are pretty straightforward, but at first glance they can be a little confusing.

A btest usually consists of a test and a baseline. Btest works by running your test and comparing its output to a known baseline. A difference between the output and the baseline results in a failed test. In addition to cloning Zeek, you’ll need to install btest separately, as follows:

To get btest we suggest installing the development version. This will give you access to a more up-to-date btest version that the master version of Zeek may depend on. After cloning Zeek, move to the directory that it’s installed in and run:

     pip install -e aux/btest/

With btest installed, we can begin to write our tests. Zeek already has tests that cover for-loops in testing/btest/language/for.bro, so modifying that file is fine, but I chose to add a separate test file called key-value-for.bro. I wrote a couple tests for key-value for-loops and added one for iterating over tables with more than one index value because there wasn’t a test for that yet. My tests for the key-value look like this:




Note: It's important that your test has the # @TEST-EXEC … line on the top. If you don’t, btest won't know what command to use to run the test. In this case, our btest involves running Zeek on the following content, and a subsequent diff compares to our baseline of expected output.

With the test written, you’ll now have to add a baseline so that btest knows what the desired output should be. The best way to create a btest is fairly nebulous as there are many ways that will work well. Ultimately though, once you find a way you like, and as long as in the end you’re left with a working test, it’s likely fine.

The easiest way to create a simple btest is to replace the test script with some ad-hoc script that produces the same output. For the above we might replace it with some print statements that produce the desired output. Then you can go ahead and run the test with the -U parameter, which will prompt you to make a baseline. Once that’s done, don't forget to go back and change the script back to the one you want to test.

For more complicated tests, though, this ad-hoc method can get troublesome. Here, Christian suggests running the real test, letting it fail, then copying the “out” file it creates over to the baseline directory.

More or less in line with Christian’s suggestion, I created my btests by moving to the /btest/Baseline/ directory. Here I created a new folder with the name <the btest folder your test is in>.<the name of your test file>. For example, my tests were named key-value-for.bro and in the btest/language folder, so I added a folder to the btest/Baseline folder called language.key-value-for. Inside of your new folder add a file called out, and write whatever the expected output of your test is. My out file looks like this:



Now we can run our test and see if it fails. To run the test, first build and install Zeek by running

     ./configure

     make

     make install


Then, change back to the ./btest directory and run:

     btest -d language/key-value-for.bro

Writing Code


Adding new language functionality in Zeek can be done in a couple of simple steps:

Modify parse.y so that the new syntax is recognized and handled properly;

Write the underlying C++ code to make it all work. We’ll start by writing the code to parse the new for-loop.

Parsing


Zeek uses lex and yacc to generate its parser. The part that we’re concerned with can be found in src/parse.y. Specifically, we’re interested in the part that parses the for statement, underneath for_head:



I’ll walk through this code to give an overview of how it works, and then show the new parsing rules for a key-value for-loop.

TOK_FOR ‘(‘ TOK_ID TOK_IN expr ‘)’

Indicates the type of syntax that the following code deals with. Each of the tokens is represented below as a positional number, with TOK_FOR corresponding to the number 1 and ‘)’ corresponding to the number 6.

set_location(@1, @6);

When Zeek is parsed, objects can be associated with a location. For more information on the utility of this, see Bison’s page here. For a little more on how a location is represented, see src/Obj.h.

ID* loop_var = lookup_ID($3, current_module.c_str());

In this case, $3 refers to TOK_ID. Here we get loop_var’s previous definition if it already exists in the current module.





This is the meat of the parse phase. Here, if loop_var already has a definition, we make sure that it is not a global variable. Otherwise, we initialize it.

$$ = new ForStmt(loop_vars, $5);

Finally, we build a new for-statement, and $5, which refers to the thing we’re iterating through.

My implementation follows the basic for-loop’s parsing procedure very closely and calls an alternate version of the constructor that I’ll discuss next.




Core Functionality


In order to preserve as much of the original for-loop’s functionality as possible, I opted to write an alternate constructor for the for-loop that included a variable for values to be stored in as the loop moves through the table. The constructor first calls the regular for-loop constructor on the loop variables and expression, and then runs some additional code to verify the type of the value variable.

The most interesting part of the for-loop is the actual looping. This is done in the DoExec part of the for-loop in src/Stmt.cc.




We’re only interested in the part of the for-loop that deals with looping over tables because they are the only data type supported by key value for-loops. This code is mostly self explanatory with the exception of the usage of Ref() and Unref().

Zeek uses reference counting under the hood to clean up objects when they’re done being used. If you’re familiar with modern C++, this is the same way that shared_ptr works. Each object keeps track of how many references it has, if that number drops to zero, Zeek will clean it up. Whenever we’re setting an element in a frame we need to call Ref() on it. This increases the reference count in the frame, indicating that something needs to use that value until some time in the future when Unref() is called on it.

Keeping track of reference counting in Zeek can be quite difficult to get the hang of and lead to hard to track down bugs. Take care when using a value after passing it elsewhere and if you get a segfault, this is often the cause. Debuggers like gdb and tools like valgrind can be useful to help track down what it was that got deleted.

Conclusion


The addition of key-value for loops to Zeek make the process of iterating over a table simpler and more performant:



When possible, key-value for loops should be preferred to regular loops over tables.

If you’re interested in contributing to Zeek there is no bar to entry. For C and C++ people, the Zeek core is a great place to get your feet wet developing a scripting language. You can also get involved just writing Zeek. Much of Zeek is written in Zeek. Even if you don’t program much, I wrote the README so I’m sure it's got a couple spelling and grammar errors.
No matter how you do it, working on Zeek can be an incredibly rewarding experience. It's fun, challenging, educational, and keeps the world’s networks safe.


Helpful Links and information:

Getting Involved: If you would like to be part of the Open Source Zeek Community and contribute to the success of the project please sign up for our mailing lists, join our IRC Channel, come to our events, follow the blog and/or Twitter feed. If you’re writing scripts or plugins for Zeek we would love to hear from you! Can’t figure out what your next step should be, just reach out. Together we can find a place for you to actively contribute and be a part of this growing community.

About Zeek (formerly Bro): Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. https://www.zeek.org/

Thursday, July 18, 2019

People of Zeek Interview Series - Introducing Fatema Bannat Wala

As we gear up for ZeekWeek 2019, I wanted to introduce you to Fatema Bannat Wala an active Zeek community member, who I had the chance to meet earlier this year at the 2019 Open Source Zeek European Workshop that was held in Geneva, Switzerland at CERN. Fatema is a frequent speaker at Zeek events including BroCon(now ZeekWeek) and multiple Zeek workshops. She recently presented a talk about the weird.zeek log file at CERN and she was a panelist in a discussion about how Zeek is being used to secure university networks. Her excitement about sharing what she learns about Zeek is so contagious that I asked if she’d do a blog post series about weird.log--the weird.log file comes from the weird.bro script which helps users detect unexpected network level activity. To kick off that series, I spoke with her about her work with Zeek and the “Weirds” log and I am pleased to introduce her to the Zeek Community in today’s Q&A blog post.

Amber Graner (AG): Fatema, thank you so much for taking the time to answer my questions and let the community know who you are and what it is about Zeek and the weird.log files that interest you. Can you take a moment to tell the community a little about yourself and what a typical day is like for you?

Fatema Bannat Wala (FW): Firstly, thanks Amber for giving me this opportunity and platform to share my ideas and knowledge with the community. I truly appreciate your efforts! I currently work as a security engineer at the University of Delaware’s Security Operations team, where I got introduced to then Bro, now Zeek. It has been a terrific journey so far working with the team and learning new stuff every day at my job. That’s what keeps me motivated and going throughout the day. My daily activities vary as per the need of the hour, working with the Security Information and Event Management (SIEM) team primarily, firewalls, monitoring and enhancing the intrusion detection in the network traffic using Zeek Network Security Monitor (NSM), and other security tools.

AG: What drew you to Zeek and how did you get involved with the project?

FW: Zeek is different was my first impression when I started playing around with it. Unlike other tools which look for the patterns in the known traffic and records them, Zeek records and scraps everything interesting and useful that passes by for you to later look at. There is a lot of information flowing around on the network, unknown to the user, and Zeek keeps records of everything it sees on the network, which you can later take a look at to draw interesting statistical analysis of the overall network traffic and what transpires on your network. It gives binocular vision to the analysts who are otherwise blind to their network traffic. There are so many use cases of Zeek that I can’t enumerate them all, but whenever I think of an issue to solve, I think: can I use Zeek to solve it? 

That thought process drew me into asking a lot of questions of the awesome Zeek community and eventually getting involved with solving some interesting use cases and sharing it with others in the form of Zeek scripts and contributions to the source code repository.

AG: What was it about the Weird logging that made you want to write documentation, give talks on it and share your knowledge?

FW: What’s weird is, as analysts we are more interested to know what unconventional activity is going on in our network apart from normal protocols traffic, and honestly the name “Weird” for one of the log files that Zeek generates attracted me towards looking into it. I asked myself, ‘what is weird in the eyes of Zeek?’ As I read through the documentation about the weird.log file, I became even more interested in looking at it because it stated that ‘unusual or exceptional activity that can indicate malformed connections, traffic that doesn’t conform to a particular protocol, malfunctioning or misconfigured hardware, or even an attacker attempting to avoid/confuse a sensor.’ This is what you should look for in the network traffic as security analysts, isn’t it?

As I researched through various weird types in our environment I was amazed and excited by the network enhancements we made just based on weird activity logged by Zeek. Those enhancements motivated me to share my research and knowledge with the community, so that if similar conditions are occurring at different networks they don’t have to reinvent the wheel, or start from scratch to find the solution.

AG: In addition to the Weird logs, what’s the most interesting thing you’ve learned about Zeek so far?

FW: Other than Weird logs, the most interesting thing about Zeek is its ability to record enough information that can be used for fingerprinting the devices or unconstrained endpoints in a university network which is practically impossible, or hard to collect via any host/client based agent. As with every semester, comes a flood of all new devices and end points that we don’t manage centrally, and to keep an eye on them (what OS is running, what kind of software fingerprint it has) we use Zeek as our passive scanner. I have bragged enough in detail about this use case of Zeek at UD and in my 2017 BroCon talk UEPtSS - Unconstrained End-Point Security System, if people are interested to learn more about it. Apart from the users’ perspective, Zeek’s Scripting and logging frameworks are among the strongest features available to customize Zeek to achieve any use case that we come up with.

AG: Can you tell the community about the “Weird” blog series we’ll be starting soon and what they can expect to learn from the series?

FW: When I started to research Weird logs, there was very limited information available online. By digging up some of the source code and looking around on the internet in various mailing lists or personal blog posts, I found the answers I was looking for. I am hoping that by sharing the analysis I have done, information I found and some basics about the Weird logs with the community will make it easily available and accessible to the community in one central location.

The series will cover some basics of Weird, where to find them and what to do with some of the noisy ones after finding them. I plan to keep the community up to date regarding the new information I find with my continued research with Weird. If people have any questions or issues about or with the Weird logs they can ask and I will be more than happy to answer those, either via this blog or on the Zeek mailing lists.

AG: For those who want to get involved in the Zeek community, what advice would you give them and where would you tell them to start?

FW: Ask questions, no matter how silly you think they are, ask them any way. This way you will get expert advice and opinions for the things you are struggling with in your Zeek playground. After that you are just going to get better with Zeek. If you have any ideas for Zeek or any use cases that you would love to have Zeek solve, then don’t hesitate to share them on Zeek mailing list/IRC channel or Zeek dev mailing lists. These are the places that are regularly watched by the awesome core team, who is the biggest factor in my success with Zeek. When I started I joined the Zeek mailing list and tried to participate in as many Zeek events like BroCons (now known as ZeekWeek) and Zeek workshops as possible. This participation gives me opportunity to meet the developers face to face, which is a chance you definitely do not want to miss.

AG: Is there anything that you’d like to share about yourself or Zeek that I haven’t asked you about?

FW: Zeek is an outcome of tremendous efforts and time dedicated by some of the brilliant minds of the industry. Making a small effort towards contributing to this amazing open source free project is very satisfying and rewarding. Thanks for giving me the opportunity to be able to be a part of this community and to contribute back. Community involvement and contributing back to the project are key factors for any open source community project that keeps it growing and flourishing. As a part of the community, I would like to say, ‘stay involved and stay connected,’ the rewards are beyond imagination!

Helpful Links and information:
Getting Involved: If you would like to be part of the Open Source Zeek Community and contribute to the success of the project please sign up for our mailing lists, join our IRC Channel, come to our events, follow the blog and/or Twitter feed. If you’re writing scripts or plugins for Zeek we would love to hear from you! Can’t figure out what your next step should be, just reach out. Together we can find a place for you to actively contribute and be a part of this growing community.

About Zeek (formerly Bro): Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. https://www.zeek.org/

Thursday, June 20, 2019

Open Source Zeek - Strategic Community Goals

“Coming together is a beginning, staying together is progress, and working together is success.” 
~ Henry Ford

To all members of the Zeek community: today I’m excited to share the strategic goals I’ll be pursuing over the next year. As a reminder, I joined Corelight as Director of Community for the Zeek project a few months ago. I developed the following list after learning about the community and evaluating where it is, talking to many of you, and gathering feedback from the Zeek Leadership Team and the Corelight Founders.

Please understand, this is only a beginning. I’ll be working on other goals in the future, and would like to get your input on what you most need. But based on my prior experience supporting community efforts in the Ubuntu and Open Compute Projects, it’s often helpful to get started with infrastructure, awareness, engagement, and governance. As we work on these items, I am sure other actionable goals will move onto my plate.

If you or your organization would like to help with any of these goals or if you have questions, comments, feedback of any kind please feel free to reach out and let me know.

I look forward to collaborating with you all. Here’s to stronger communities, safer networks and many successes as we work together!

Community Goals


1. Increase Zeek Awareness - We need to drive greater awareness of Zeek in the cybersecurity / threat hunting / detection ecosystems, while also targeting adjacent open source technologies. To this end, we will:
  • Deliver a monthly newsletter (Including Zeek news/tutorials, other security news, notable CVEs, etc.)
  • Produce an editorial calendar for 2019, to include:
    • Monthly content cadence (tutorials and articles)
    • Information about new releases (including notes/demos)
    • Document editorial process  (for soliciting external contributions)
    • Rewards and incentives (for contributors)

2. Increase Engagement with the Zeek Community - We need more online and in-person engagement opportunities for the Zeek community, because there are many ways to contribute and get involved. To accomplish this, we will seek to have the following:
  • A predictable cadence of in-person meetups, training opportunities, and other events to meet and engage with the community.
  • Engagements and partnerships with adjacent technology communities.
  • Updated / reorganized documentation, tutorials as well as support channels.
  • A calendar of events for the community.
  • Definition for each major type of contribution (what tasks, what skills, what is success and how to reward and retain contributors).

3. Update Zeek Infrastructure - Last year the project was renamed Zeek (formerly Bro). Once a new logo is finalized, we need to rebrand, update, and reorganize the website - with the aim of creating a clean, easy to navigate and intuitive home where Zeek users and developers of all skill levels can go to gain knowledge and know-how. This will help us:
  • Increase brand credibility (making the website convey the same high quality of Zeek project code)
  • Gain community contributors and users (participation is a cornerstone to all successful communities)
  • Encourage contributions and project innovation

4. Design Governance Structure
- While we already have a Zeek Leadership Team (LT) and core committers, we don’t have a system that defines how people can move into either of those roles. This work will be broken down into two phases.
  • Phase 1
    • Shed more light onto the decision making process and publish notes after each LT and Zeek community meeting
    • Solicit input from the Zeek community.
  • Phase 2
    • Define processes for how to become part of the leadership and decision making bodies.

Again, thank you so much for being part of the Zeek Community!! 


Helpful Links and information:

Getting Involved: If you would like to be part of the Open Source Zeek Community and contribute to the success of the project please sign up for our mailing lists, join our IRC Channel, come to our events, follow the blog and/or Twitter feed. If you’re writing scripts or plugins for Zeek we would love to hear from you! Can’t figure out what your next step should be, just reach out. Together we can find a place for you to actively contribute and be a part of this growing community.

About Zeek (formerly Bro): Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. https://www.zeek.org/

Zeke on Zeek: Paraglob

Paraglob is a data structure for quick string matching against a large set of patterns. It was originally designed by Robin Sommer, but an early, experimental implementation was slowed significantly by an internal set data structure that ran in linear time for most of its operations. As a result of a couple of these linear time operations being called together, building a paraglob took O(N2) and other operations took O(Nlog(N) time where N is the number of patterns in data structure. In this Zeke on Zeek post I’ll walk through moving paraglob to C++, and using different data structures to reduce its compile time to linear time and other operations to log(N) time.

But first, a cool looking graph summarizing some benchmarks I ran and a look ahead at the performance characteristics of a paraglob. “Queries” refers to how many strings are being matched and “patterns” refers to the number of patterns those queries are being matched against. I chose to have about 20% of the patterns match in this case. The small spikes aren’t consistent across runs, and are likely just my computer doing something else in the background. Notice how small the time increase is from running 1,000 to 20,000 queries. At the upper right paraglob is compiling a set of 10,000 patterns and running 20,000 queries on them in under 2 seconds.



The Algorithm


At its core paraglob is actually built around a relatively straightforward algorithm. For any pattern, there exists a set of words that an input must contain in order to have any hope of matching against it. For example, consider the pattern “do*”. Anything that matches against “do*” must at the very least contain the substring “do”. This can be easily extended to more complicated patterns by just breaking up the pattern on special glob syntax. For example, “dog*fish*cat” contains the substrings [“dog”, “fish”, “cat”]. We call these substrings “meta words”.

We can then reframe our problem as finding any of the meta words inside an input string and checking the patterns associated with those meta words against it. The Aho-Corasick string-searching algorithm coupled with a map from meta words to patterns solves our problem. We can summarize how paraglob works as follows:

CONSTRUCTION:
    for every input pattern:
         extract the meta words
         map them to their respective patterns
         store the meta words in the Aho-Corasick data structure

QUERYING:
    for every input string:
         get all the meta words it contains with the Aho-Corasick structure
         get candidate patterns with the map
         check those patterns against the string
         return the matches

Implementation


With the algorithm designed, paraglob’s actual implementation is fairly straightforward, but with a couple important nuances. The first lies in the fact that for a given set of patterns there is a non-zero chance that one meta word will be associated with multiple patterns. Consider for example a small pattern set [*mischiev[!o]us*, *mischevous*, *.us*, *.gov*] which might flag mischievous typosquatting and government related urls. Already this pattern set has one meta word (us) mapping to two quite different patterns.

As a result, paraglob can’t use a standard map structure which only allows for a single value for every key. The obvious solution to this is to use some sort of multimap, but in practice this proved to be unacceptably slow. Using a multimap slowed down paraglob by as much as a factor of 10 as opposed to an implementation with a standard map structure that ignores the above issue.

In order to achieve the performance offered by the latter, and still handle the association of multiple patterns with one meta word, paraglob uses a custom “ParaglobNode” class that can store a list of patterns and that is then associated with a meta word in a map. paraglobNodes also contain functionality to quickly merge patterns that they contain matching a string with an input vector. This greatly increases the speed at which paraglob is able to find patterns for an input string.

The second important nuance lies in how paraglob handles duplicate patterns. Using the same example pattern set as above, a query for “mischievious-url.uk” contains the meta words us, and mischiev. Mapping those to their respective pattern words, we get [*mischiev[!o]us*, *.us*] from us and [*mischiev[!o]us*] from mischiev. Initially it seems like we should keep these in a set so as to prevent checking the same pattern twice. As it turns out though, maintaining a set internally is much more expensive that just checking duplicate patterns and using vectors internally. The result of this is that a paraglob doesn’t remove any duplicates until the last step when the vector of matching patterns is at its smallest.

Inside Zeek


Paraglob is integrated with Zeek & provides a simple API inside of its scripting language. In Zeek, paraglob is implemented as an OpaqueType and its syntax closely follows other similar constructs inside Zeek. A paraglob can only be instantiated once from a vector of patterns and then only supports get operations which return a vector of all patterns matching an input string. The syntax is as follows:

local v = vector("*", "d?g", "*og", "d?", "d[!wl]g");
local p = paraglob_init(v);
print paraglob_get(p1, "dog");

Out:

[*, *og, d?g, d[!wl]g]

Paraglob also supports serialization, copy, and unserialization operations inside Zeek. This means that a paraglob can be sent to separate processes using Broker. Keep in mind though that copying a paraglob requires that it be recompiled and for very large paraglobs this can be an expensive operation.

While the absence of an add operation might seem strange, it stems from constraints that emerge in paraglob’s implementation. Adding a pattern to a paraglob that is already compiled requires that the paraglob be re-compiled because the Aho-Corasick tree has to be rebuilt. As a result, adding a pattern to a compiled paraglob takes the same amount of time as building a new paraglob from a vector of patterns.

While it seems reasonable that paraglob support both add and compile operations to get around this, I thought this was more likely to confuse than to provide much real benefit. People using paraglob without knowing about its performance characteristics might attempt to add to the paraglob in a loop or forget to compile it resulting in unexpectedly slow performance or errors.

With that said though, I certainly see an argument for extending the paraglob API to include add and compile operations. For use cases where there is an updating pattern set it would remove the need to keep track of a vector of patterns and a paraglob because the paraglob would maintain the vector of patterns itself. Under the hood paraglob already supports add and compile operations so adding those to Zeek would be as simple as extending ParaglobVal slightly and adding two functions to bro.bif.


Next Steps


A paraglob’s state is defined completely by the patterns inside of it. Paraglobs hold no internal state between calls, nor do they make any updates to their internal Aho-Corasick structure unless a new pattern is added. Presently, their serialization function takes advantage of this and only serializes the vector of patterns contained inside a paraglob. For unserializing, a new paraglob is built from that serialized vector of patterns, and its Aho-Corasick structure is recompiled. This recompilation is expensive though, and can take as long as 10 seconds for very long pattern sets.

Ideally, a paraglob could be serialized in such a way that the recompilation step is not needed. There exists some serialization code inside of the Boost C++ Libraries that might be useful in doing this, but due to how complicated the Aho-Corasick trie becomes when it contains a fair amount of patterns, serializing this would likely take a significant effort. Working out a clean way to serialize a Paraglob properly though would potentially result in a serious increase in its usefulness for distributing frequently changing pattern sets


Finally…


A huge thank you to Kamiar Kanani for his excellent Multifast Aho-Corasick implementation, which he allowed us to use under the BSD license for the Zeek project. Without such a well done string searching algorithm underpinning everything this would have been a much more difficult data structure to implement.


Contributed by: Zeke Medley - Website

Helpful Links and information:

Getting Involved: If you would like to be part of the Open Source Zeek Community and contribute to the success of the project please sign up for our mailing lists, join our IRC Channel, come to our events, follow the blog and/or Twitter feed. If you’re writing scripts or plugins for Zeek we would love to hear from you! Can’t figure out what your next step should be, just reach out. Together we can find a place for you to actively contribute and be a part of this growing community.

About Zeek (formerly Bro): Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. https://www.zeek.org/

Tuesday, June 11, 2019

Open Source Zeek Leadership Team Meeting Minutes - 31 May 2019



The open source Zeek project Leadership Team (LT) is made up of contributors from multiple organizations throughout the community. The LT acts as both a technical steering committee and governance body. You can find out more about the LT on the team page of the website.

Below are the notes from the LT meeting held on 31 May 2019.


Zeek.org Leadership Team Members (Bold indicates attendance)

  • Keith Lehigh (Chair), Indiana University
  • Johanna Amann, International Computer Science Institute/Corelight/Lawrence Berkeley National Laboratory
  • Seth Hall, Corelight
  • Vern Paxson, Corelight & University of California at Berkeley
  • Michal Purzynski, Mozilla Foundation
  • Aashish Sharma, Lawrence Berkeley Lab
  • Adam Slagell, ESnet
  • Robin Sommer, Corelight

  • Amber Graner*, Corelight, Director of Community for the Open Source Zeek Community
         *not a member

Agenda

  • Trademark Discussion  (Amber)
  • Keynotes  (Keith)
  • Zeek Package Contest (Amber)
  • Analytics Discussion Scheduling (Keith)

Minutes

  • Trademark Discussion - The LT Discussed the current Name and Logo Usage Statement - https://www.zeek.org/documentation/marks.html Out of the discussion came the following action items to look into:
    • Create a Reciprocal Logo Usage Agreement
    • Update the Marks Usage Documentation
    • Create a standard Cease and Desist letter
  • Keynotes - LT Members will continue reaching out to potential keynote speakers for ZeekWeek 2019.
  • Zeek Package Contest - Amber brought up the Zeek Package Contest that Corelight would like to host leading up to ZeekWeek 2019. Amber to take LT feedback to the Corelight team and present the details of the program at the next LT meeting.
  • Analytics Discussion Scheduling - Keith to scheduling an additional LT meeting to discuss analytics tools for the website.

Helpful Links and information:


Getting Involved: If you would like to be part of the Open Source Zeek Community and contribute to the success of the project please sign up for our mailing lists, join our IRC Channel, come to our events, follow the blog and/or Twitter feed. If you’re writing scripts or plugins for Zeek we would love to hear from you! Can’t figure out what your next step should be, just reach out. Together we can find a place for you to actively contribute and be a part of this growing community.
About Zeek (formerly Bro): Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. https://www.zeek.org/

Wednesday, June 5, 2019

People of Zeek Interview Series - Introducing Zeke Medley and Zeke on Zeek

Amber Graner (AG): Hi Zeke. Thank you so much for taking the time to answer my questions and let the community know who you are and what Zeek related items you’re working on.

Zeke Medley (ZM): Hi Amber :-)

AG: Zeke can you take a moment to tell people a little about yourself and what you’re doing for the Open Source Zeek Project?


ZM: I started getting interested in programming in 7th grade when I wrote a tiny rock-paper-scissors program over the summer. Since then, I’ve remained fairly interested in rock-paper-scissors, but have branched out a little bit. My first introduction to network security was probably freshman year of high school when one of my friends figured out that he could remotely open disk drives in our schools computer labs with the command line and I wrote him a little script to do it for all the computers in a lab. These days I’m a freshman studying Electrical Engineering and Computer Sciences at Berkeley and also working in a makerspace on campus called the Invention Lab.

On the Zeek side I’m wrapping up work on a data structure to match a string against a large set of patterns that Robin started a while ago and I just finished adding key-value for loops to the Zeek scripting language. Moving forward I hope to stay involved in the open source project, and we’ll see what projects I end up working on.

AG: What drew you to Zeek and how did you get involved with the project?

ZM: My name being Zeke definitely made it stand out to me, but I was actually first introduced to it when I met Christian at a career fair. He seemed like a really nice guy and the whole project was right in line with my interests. I made my first pull request adding some basic string functions to the language and the rest is recent history.

AG: What’s the most interesting thing you’ve learned about Zeek so far?

ZM: At first I was pretty intimidated by just how big Zeek is. There is a lot going on and it's a fairly complex program. The more I’ve learned about it though the better I think it's designed. Zeek is very extensible. Once you get the hang of it .bif files make adding new functionality to the language pretty fun and straightforward.

AG: Can you tell the community about the “Zeke on Zeek” series we’ll be starting soon and what they can expect to read about?

ZM: “Zeke on Zeek” is a series of blog posts we’ve been talking about pretty much since I got started that I hope will offer some sort of roadmap for people getting started working on Zeek. Zeek is a big project and putting together how it all works can be pretty challenging at times, so I’ll be laying out my experience in the hope that it can help other people interested in contributing to the project.

AG: For those who are thinking about interning for the first time, can you share some things you’ve learned or are learning about how to balance your time between school, your internship, and personal projects?

ZM: I know it sounds silly, but I genuinely enjoy the vast majority of what I do. School can be really challenging at times and making anything, be it a data structure or drone, seems to be more of a process of learning from repeated failure than actually creating anything that works, but I think there is something profound about that. In my (albeit rather limited) experience the more comfortable I become with failure the easier things get.

AG: Is there anything that you’d like to share about yourself of Zeek that I haven’t asked you about?

ZM: I’ve been really floored by Zeek and its community because insofar as I can tell they seems to be genuinely out to do good for the world. Not only is the whole project open source, it's also out to help solve pressing problems we have with network security these days.


Helpful Links and information:

Getting Involved: If you would like to be part of the Open Source Zeek Community and contribute to the success of the project please sign up for our mailing lists, join our IRC Channel, come to our events, follow the blog and/or Twitter feed. If you’re writing scripts or plugins for Zeek we would love to hear from you! Can’t figure out what your next step should be, just reach out. Together we can find a place for you to actively contribute and be a part of this growing community.

About Zeek (formerly Bro): Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. https://www.zeek.org/

Friday, May 31, 2019

Open Source Leadership Team Meeting Minutes - 17 May 2019



The open source Zeek project Leadership Team (LT) is made up of contributors from multiple organizations throughout the community. The LT acts as both a technical steering committee and governance body. You can find out more about the LT on the team page of the website.

Below are the notes from the LT meeting held on 17 May 2019.


Zeek.org Leadership Team Members (Bold indicates attendance)
  • Keith Lehigh (Chair), Indiana University
  • Johanna Amann, International Computer Science Institute/Corelight/Lawrence Berkeley National Laboratory
  • Seth Hall, Corelight
  • Vern Paxson, Corelight & University of California at Berkeley
  • Michal Purzynski, Mozilla Foundation
  • Aashish Sharma, Lawrence Berkeley Lab
  • Adam Slagell, ESnet
  • Robin Sommer, Corelight
Other Attendees (Non-Member)
  • Amber Graner, Corelight, Director of Community for the Open Source Zeek Community
  • Tamara Crawford*, Creative Director, Corelight
    • Helping with the LT with Logo Redesign

Agenda

  • Logo Discussion
  • Web Analytics next steps - will be discussed at the next LT Meeting
  • ZeekWeek Site (Amber)
  • Sponsor Prospectus (Amber)
  • Keynote update (Keith)
  • Trademark issue (Keith)

Minutes

  • Logo Discussion - Discussion continues, narrowed down designs. Agreed to separate mascot from logo. Mascot will be another discussion. Nicole Fisher who is doing the logo design couldn’t make it to the LT meeting so Tamara Crawford attended for Nicole. Nicole to present new mockups to the LT for discussion before next meeting. Amber to draft a blog post on why we are changing the logo. Logo to be finished by Mid August so that we can have it and all giveaways ready with the new logo for ZeekWeek. Please note: Corelight is working with the LT and funding the logo redesign.
    • Amber will help liaison between Corelight and LT and be a back up to Adam
    • Better understanding on need to accelerate decision pace
      • SWAG is important
      • Takes 6 Weeks prior to an event to get Mugs laser etched
      • Stickers
      • Tshirts
    • Logo to be finalized by Mid-August
    • Animal Mascot will be separate from Logo allows for more branding and marketing options
    • Other Ideas
      • Networking Type “Z” that is incorporated with the “eek” of “Zeek” or that can stand alone
      • Schedule follow-up call with Nicole, Adam and Tam once we have all the feedback from the LT
  • Web Analytics next steps - will be discussed at the next LT Meeting as we ran out of time at this meeting to discuss.
  • Keynote update (Keith) - Continues to reach out to prospective keynote speakers.
  • Trademark issue (Keith) - Keith continues to reach out to those in violation on a case by case basis.

Other Topics

  • ZeekWeek Steering Committee (SC) vs ZeekWeek Program Committee (PC) - The LT will continue to function as the SC but this year will have a PC will be different from the LT. The PC will decide on what talks/presentations will get selected for ZeekWeek 2019. Keith will chair the PC and will be inviting people to join the PC. Invitees will be chosen from past ZeekWeek (BroCon speakers). Talks will be submitted through the ZeekWeek website.


Helpful Links and information:

Getting Involved: If you would like to be part of the Open Source Zeek Community and contribute to the success of the project please sign up for our mailing lists, join our IRC Channel, come to our events, follow the blog and/or Twitter feed. If you’re writing scripts or plugins for Zeek we would love to hear from you! Can’t figure out what your next step should be, just reach out. Together we can find a place for you to actively contribute and be a part of this growing community.

About Zeek (formerly Bro): Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. https://www.zeek.org/