Tools

Zeek Network Security Monitor v2.6.3 release: powerful network analysis framework

Zeek Network Security Monitor

Zeek is a powerful framework for network analysis and security monitoring. It is a powerful system that on top of the functionality it provides out of the box, also offers the flexibility to customize analysis pretty much arbitrarily

Feature

  • AdaptableZeek’s domain-specific scripting language enables site-specific monitoring policies.
  • EfficientZeek targets high-performance networks and is used operationally at a variety of large sites.
  • FlexibleZeek is not restricted to any particular detection approach and does not rely on traditional signatures.
  • ForensicsZeek comprehensively logs what it sees and provides a high-level archive of a network’s activity.
  • In-depth AnalysisZeek comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer.
  • Highly StatefulZeek keeps extensive application-layer state about the network it monitors.
  • Open InterfacesZeek interfaces with other applications for real-time exchange of information.
  • Open SourceZeek comes with a BSD license, allowing for free use with virtually no restrictions.

While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally by both major companies and numerous many educational and scientific institutions for securing their cyberinfrastructure.

Zeek was originally developed by Vern Paxson. Robin Sommer now leads the project, jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL.

Zeek v2.6.3 releases.

Changelog

This is a security patch release to address potential Denial of Service
vulnerabilities:

  • Null pointer dereference in the RPC analysis code. RPC analyzers (e.g. MOUNT or NFS) are not enabled in the default configuration.
  • Signed integer overflow in BinPAC-generated parser code. The result of this is Undefined Behavior with respect to the array bounds checking conditions that BinPAC generates, so it’s unpredictable what an optimizing compiler may actually do under the assumption that signed integer overlows should never happen. The specific symptom which leads to finding this issue was with the PE analyzer causing out-of-memory crashes due to large allocations that were otherwise prevented when the array bounds checking logic was changed to prevent any possible signed integer overlow.

Download

Install

Tutorial

Copyright (c) 1995-2016, The Regents of the University of California through the Lawrence Berkeley National Laboratory and the International Computer Science Institute. All rights reserved.

Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Malware analyst || Malware Investigator || Reverse Engineering