Recap of eZeeKonfigurator Notice Configuration and Zeek Week Oct 2019

Slide Note
Embed
Share

A summary of events involving a talk at Zeek Week, issues with notice configuration, experiences with Zeek/Bro, and the introduction of eZeeKonfigurator for configuring Zeek clusters. The content includes descriptions of individuals involved, challenges faced, support for cluster configurations, and the importance of notice configuration in Zeek.

kyn_haz
kyn_haz Follow

Uploaded on Oct 07, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. eZeeKonfigurator - notice config ZeekWeek Oct 2019

  2. This guy... Gave a talk yesterday Had small hiccup with notice config options That may be my fault (unconfirmed) May also be PG&E's fault Has a photo that looks like a school picture Doesn't use the ESnet standard slide template

  3. Me... Jack of all Security Trades Master of none Been using Zeek/Bro since ~2007 Thanks Aashish! Tried to get a major bank to use Zeek before commercial support existed Lulz Loves his job at ESnet usually* Uses appropriate slide template * hates PG&E

  4. PG&E Recap

  5. eZeeKonfigurator Recap Web UI for configuring all of your Zeek cluster options Supports multiple clusters No cluster restarts with changes in real-time When you have multiple clusters, configs in git aren't good enough. @ifdef(environment == "WAN")... x 50 (oh no!) Free!

  6. EZK UI

  7. Notice Configuration I did a lot of messy things early on... Created alert_types Things we get alerts for, but aren't necessarily notice_alarm worthy, but also aren't paging us page_types, bhr_types Script logic to process different notice types All at the bottom of local.zeek Based off redefs that need to be updated every time a script is added or removed.

  8. zeek-notice-config package: Actions Notices will write to notice.log by default IGNORE overrides that. BHR adds an Action::BHR that you can handle later Zeek & Destroy! PAGE and BHR may need additional scripts for your own situation (examples will be provided) There is not and will not be support for Action::EMAIL Talk to Sam

  9. zeek-notice-config: config format Being a vector is important Notice config options are processed in order Much like firewall policies First match wins pseudo: 1) whitelist addresses, Scan::Address_Scan, IGNORE 2) Scan::Address_Scan, LOG,BHR

  10. zeek-notice-config: record details

  11. zeek-notice-config: config format, not pseudo

  12. zeek-notice-config: Just add more to the set!

  13. zeek-notice-config: logic There is still script logic to process these notices But we no longer need to read it and understand it to make a change in how notices are processed It can work standalone as shown BUT.. with eZeekConfigurator you can just manipulate the options from the UI.

  14. Plans to release as a package: DELAYED

  15. That's it

  16. Except...

  17. For a bad joke.

  18. Was this talk ZeekWeak?

  19. Video of the power being shut off at the lab: https://twitter.com/BerkeleyLab/status/1182317173034741763

Related


Understanding Zeek: A Comprehensive Workshop Overview

Understanding Zeek: A Comprehensive Workshop Overview

obsidian
Understanding Weird Logs in Zeek for Network Security Analysis

Understanding Weird Logs in Zeek for Network Security Analysis

musa
NOTICE WRITING

NOTICE WRITING

aahil
Understanding Residential Lease Violations and Required Notices

Understanding Residential Lease Violations and Required Notices

asiya
Guide to Writing Effective Notices for Schools and Organizations

Guide to Writing Effective Notices for Schools and Organizations

obsidian
COBRA Notice Guidelines and Procedures for Employers

COBRA Notice Guidelines and Procedures for Employers

muriel
Detecting Eye Diseases Early with OCT Eye Scan

Detecting Eye Diseases Early with OCT Eye Scan

othello
OCTIVUS Randomized Clinical Trial: OCT-Guided vs IVUS-Guided PCI

OCTIVUS Randomized Clinical Trial: OCT-Guided vs IVUS-Guided PCI

thoren
WHONET Training Course: Laboratory Configuration and Setup

WHONET Training Course: Laboratory Configuration and Setup

aaron
Updates on iKAGRA Installation and Configuration Changes

Updates on iKAGRA Installation and Configuration Changes

lyke_ari
Enhancing EPS Authorization and Configuration Options in 5G Networks

Enhancing EPS Authorization and Configuration Options in 5G Networks

eliel
Effective Notice Writing Guidelines for Clear Communication

Effective Notice Writing Guidelines for Clear Communication

esmee
Guide to Writing an Ideal Notice for Students of Class 9, 10, SSC, HSC, and Hons

Guide to Writing an Ideal Notice for Students of Class 9, 10, SSC, HSC, and Hons

rio
Evolution of Configuration Management in Software Engineering

Evolution of Configuration Management in Software Engineering

zeniy
Insights into Operating Experience and Configuration Management in Nuclear Power Plants

Insights into Operating Experience and Configuration Management in Nuclear Power Plants

aflem
Understanding the Notice of Adverse Benefit Determination (NOABD)

Understanding the Notice of Adverse Benefit Determination (NOABD)

riaan
Advanced Neutronics Parameters for Fusion Chamber Configuration with Magnetic Intervention

Advanced Neutronics Parameters for Fusion Chamber Configuration with Magnetic Intervention

mwols
Indiana Election Division: ABS-24 Application Defect or Denial Notice Update

Indiana Election Division: ABS-24 Application Defect or Denial Notice Update

gwendolen
Fellowship Directors Meeting Recap May 15, 2019

Fellowship Directors Meeting Recap May 15, 2019

vandamme_k
LArDPS to eFEX Test Configuration for FOX Demonstrator

LArDPS to eFEX Test Configuration for FOX Demonstrator

hfio
Lasallian Heritage Week 2014 Event Recap

Lasallian Heritage Week 2014 Event Recap

ros_hag
Virtual Labs and Cybersecurity Overview at 2021 Winter ICT Educators Conference

Virtual Labs and Cybersecurity Overview at 2021 Winter ICT Educators Conference

ellierose
Network Monitoring and Vulnerability Scanning Overview

Network Monitoring and Vulnerability Scanning Overview

hadiya
Network Monitoring Workshop - Incident Response Overview

Network Monitoring Workshop - Incident Response Overview

adalaid

More Related Content

Comprehensive Overview of Hematopoiesis and Immune Response in Human Disease and Treatment
Comprehensive Overview of Hematopoiesis and Immune Response in Human Disease and Treatment
Youth Work Week 2022 - Wellbeing Celebration and Activities
Youth Work Week 2022 - Wellbeing Celebration and Activities
Juvenile Justice Advisory Group: Raise the Age Case Outcomes December 2022
Juvenile Justice Advisory Group: Raise the Age Case Outcomes December 2022
North Houston Space Society Weekly Recap and Plans - Dec 21-27, 2020
North Houston Space Society Weekly Recap and Plans - Dec 21-27, 2020
Proposed Changes to School Week: Asymmetric Week Implementation
Proposed Changes to School Week: Asymmetric Week Implementation
Impact Analysis of New Horizons Project: Oct 16 - Sep 19
Impact Analysis of New Horizons Project: Oct 16 - Sep 19
Assessment of Schlemm's Canal in Acute Primary Angle Closure: AS-OCT Study
Assessment of Schlemm's Canal in Acute Primary Angle Closure: AS-OCT Study
Staffordshire CUES Virtual Training Event Overview
Staffordshire CUES Virtual Training Event Overview
OSCAR Project Proposal for OPNFV
OSCAR Project Proposal for OPNFV
African Monsoon Recent Evolution & Outlooks Update Oct 2021
African Monsoon Recent Evolution & Outlooks Update Oct 2021
Changes in Tenancy and Possession Regulations: Latest Updates
Changes in Tenancy and Possession Regulations: Latest Updates
Understanding the Role of Collecting Bankers in Cheque Collection Process
Understanding the Role of Collecting Bankers in Cheque Collection Process
UITF MPS System Requirements and Protection Details
UITF MPS System Requirements and Protection Details
Enhancing Visit Settings and Configuration for 2024 Annual Redrock Conference
Enhancing Visit Settings and Configuration for 2024 Annual Redrock Conference
Notice of Employment Guidelines for Adjunct and Overload Faculty
Notice of Employment Guidelines for Adjunct and Overload Faculty
Protecting, Leading, Uniting Since 1893 - FSA Overview and Guidelines
Protecting, Leading, Uniting Since 1893 - FSA Overview and Guidelines
Overview of Computational Complexity Theory: Savitch's Theorem, PSPACE, and NL-Completeness
Overview of Computational Complexity Theory: Savitch's Theorem, PSPACE, and NL-Completeness
Data Testing Methodology and Analysis Guidelines for Mobile Networks - A Case Study
Data Testing Methodology and Analysis Guidelines for Mobile Networks - A Case Study
Software Quality and Source Code Management Best Practices
Software Quality and Source Code Management Best Practices
Overview of Hydrogen: Properties, Isotopes, and Characteristics
Overview of Hydrogen: Properties, Isotopes, and Characteristics
Understanding Trigger Data Analysis in Physics: ATLAS Software Tutorial
Understanding Trigger Data Analysis in Physics: ATLAS Software Tutorial
-
- "Temperature Sensor Devices Specifications and Register Configuration
ChannelFinder Setup and Deployment Diagrams with RecSync Components
ChannelFinder Setup and Deployment Diagrams with RecSync Components
Understanding the Notice of Award in Research Grants Management
Understanding the Notice of Award in Research Grants Management