Zeek Network Security Monitor v5.2.2 releases: powerful network analysis framework
Zeek Network Security Monitor
Zeek is a powerful framework for network analysis and security monitoring. On top of the functionality it provides out of the box, it also offers the flexibility to customize analysis almost arbitrarily.
Features
- Adaptable: Zeek’s domain-specific scripting language enables site-specific monitoring policies.
- Efficient: Zeek targets high-performance networks and is used operationally at a variety of large sites.
- Flexible: Zeek is not restricted to any particular detection approach and does not rely on traditional signatures.
- Forensics: Zeek comprehensively logs what it sees and provides a high-level archive of a network’s activity.
- In-depth Analysis: Zeek comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer.
- Highly Stateful: Zeek keeps extensive application-layer state about the network it monitors.
- Open Interfaces: Zeek interfaces with other applications for real-time exchange of information.
- Open Source: Zeek comes with a BSD license, allowing for free use with virtually no restrictions.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well-grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
Zeek was originally developed by Vern Paxson. Robin Sommer now leads the project, jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL.
Changelog v5.2.2
This release fixes the following security issues:
- A specially-crafted series of FTP packets with a CMD command with a large path followed by a very large number of replies could cause Zeek to spend a long time processing the data. Due to the possibility of receiving these packets from remote hosts, this is a DoS risk. The fix included prevents Zeek from reusing the CMD command if it was already consumed by path-traversal logic.
- A specially-crafted packet with a truncated header can cause Zeek to overflow memory and potentially crash. Due to the possibility of receiving these packets from remote hosts, this is a DoS risk. This overflow requires implementing the raw_packet event handler, which isn’t implemented by default, which makes the risk of this issue low. The fix included adds additional length checking during handling of raw_packet events.
- A specially-crafted series of SMTP packets can cause Zeek to generate a very large number of events and take a long time to process them. Zeek correctly disables the SMTP analyzer while processing these packets but continues to feed packets to it, generating more events. Due to the possibility of receiving these packets from remote hosts, this is a DoS risk. The fix included prevents an analyzer from calling another analyzer that has already been disabled for a connection.
- A specially-crafted series of POP3 packets containing MIME data can cause Zeek to spend a long time dealing with each individual file ID. Due to the possibility of receiving these packets from remote hosts, this is a DoS risk. The fix included attempts to reuse an existing file ID for a connection instead of recreating it each pass through the MIME analyzer.
This release fixes the following bugs:
- The config parser implements handling of commas at the end of input files in a safer way now, avoiding some crashes on Linux systems during parsing.
- The AF_Packet plugin wasn’t properly masking the tp_vlan_tci values received from the kernel, and so could return invalid values for the VLAN ID reported to Zeek. The value is now correctly masked.
- The AF_Packet plugin now checks whether the interface is up during setup, ensuring that a more useful error message is reported.
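The tp_vlan_tci masking fix above comes down to the layout of the 802.1Q tag control information that AF_PACKET hands back. The C snippet below is an added illustration, not code from Zeek's AF_Packet plugin: it decodes a constructed tp_vlan_tci value into its PCP, DEI and VID fields and shows why the raw value cannot be reported as a VLAN ID without masking (the sample value and helper names are assumptions).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* 802.1Q TCI layout (16 bits): PCP[15:13] DEI[12] VID[11:0].
 * AF_PACKET returns the whole TCI in tp_vlan_tci; the VLAN ID is only the low 12 bits. */
#define TCI_VID_MASK  0x0FFFu
#define TCI_DEI_MASK  0x1000u
#define TCI_PCP_SHIFT 13

struct vlan_fields {
    uint8_t  pcp;   /* priority code point, 0-7 */
    bool     dei;   /* drop eligible indicator */
    uint16_t vid;   /* VLAN identifier, 0-4095 */
};

/* Decode a tp_vlan_tci value the way a capture plugin should: mask each field. */
struct vlan_fields decode_tci(uint32_t tp_vlan_tci)
{
    struct vlan_fields f;
    f.pcp = (uint8_t)((tp_vlan_tci >> TCI_PCP_SHIFT) & 0x7u);
    f.dei = (tp_vlan_tci & TCI_DEI_MASK) != 0;
    f.vid = (uint16_t)(tp_vlan_tci & TCI_VID_MASK);
    return f;
}

/* A VID identifies a VLAN only in 1..4094: 0 means "priority-tagged, no VLAN"
 * and 4095 is reserved by 802.1Q. */
bool vid_is_valid(uint16_t vid)
{
    return vid >= 1 && vid <= 4094;
}

/* The unmasked behaviour: passing tp_vlan_tci through as if it were the VLAN ID. */
uint32_t vlan_id_unmasked(uint32_t tp_vlan_tci)
{
    return tp_vlan_tci;
}

int main(void)
{
    /* Constructed sample frame tag: PCP=5, DEI=1, VID=100 -> tp_vlan_tci 0xB064 */
    uint32_t tci = (5u << TCI_PCP_SHIFT) | TCI_DEI_MASK | 100u;
    struct vlan_fields f = decode_tci(tci);
    printf("unmasked: %u (out of VLAN ID range: %s)\n", vlan_id_unmasked(tci),
           vlan_id_unmasked(tci) > 4095u ? "yes" : "no");
    printf("masked:   vid=%u pcp=%u dei=%d valid=%d\n", f.vid, f.pcp, f.dei, vid_is_valid(f.vid));
    return 0;
}
```

Any tag with a non-zero priority or DEI bit set produces an unmasked value above 4095, which is exactly the kind of invalid VLAN ID the changelog describes.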
Copyright (c) 1995-2016, The Regents of the University of California through the Lawrence Berkeley National Laboratory and the International Computer Science Institute. All rights reserved.