WEBVTT

00:00:00.000 --> 00:00:04.000
Welcome back to the course.

00:00:04.000 --> 00:00:10.000
We've covered a lot of information so far, and we still have a lot to cover.

00:00:10.000 --> 00:00:13.857
This module is all about the Zeek language and how to

00:00:13.857 --> 00:00:17.142
utilize the signature framework to make Zeek work for you

00:00:17.142 --> 00:00:20.000
in the ways that you want it to.

00:00:20.000 --> 00:00:25.000
We're going to cover a lot of information in this one, so get ready.

00:00:25.000 --> 00:00:26.333
In this module,

00:00:26.333 --> 00:00:29.857
we'll talk about the Zeek language and how it works with the

00:00:29.857 --> 00:00:33.999
tool to help get what you need out of it.

00:00:34.000 --> 00:00:38.166
We're going to start by talking about the signature framework in detail and

00:00:38.166 --> 00:00:42.444
learn about how it interacts with the different analyzers and other tools to

00:00:42.444 --> 00:00:45.999
get specific information from the traffic that's seen.

00:00:46.000 --> 00:00:46.375
Then,

00:00:46.375 --> 00:00:50.571
we'll detail the default scripts that come with the Zeek application and hop

00:00:50.571 --> 00:00:55.000
into the lab to look at how some of them are structured.

00:00:55.000 --> 00:00:55.888
After that,

00:00:55.888 --> 00:01:00.714
we'll need to talk about what information you want to see in your

00:01:00.714 --> 00:01:04.999
environment and how you can utilize Zeek to see that.

00:01:05.000 --> 00:01:05.444
Then,

00:01:05.444 --> 00:01:10.000
we'll briefly cover the customization of Zeek scripts and the

00:01:10.000 --> 00:01:13.000
capabilities that this ability provides us.

00:01:13.000 --> 00:01:19.000
We'll wrap up the learning after that and get into the next module.

00:01:19.000 --> 00:01:21.000
When talking about Zeek's language,

00:01:21.000 --> 00:01:25.222
it's important to understand that it's fairly similar to Python and Perl.

00:01:25.222 --> 00:01:29.818
Its ability to be customizable and extensible enables users to

00:01:29.818 --> 00:01:34.571
use Zeek how they see fit and is fairly non-restrictive with the

00:01:34.571 --> 00:01:37.000
capabilities that Zeek provides.

00:01:37.000 --> 00:01:41.666
The language is a Turing-complete scripting language that works in

00:01:41.666 --> 00:01:45.000
conjunction with analyzers to complete tasks.

00:01:45.000 --> 00:01:47.999
What's cool about Zeek is that all of the analysis

00:01:48.000 --> 00:01:51.999
is not hard-coded into the tool.

00:01:52.000 --> 00:01:55.333
You can add or remove analyzers and scripts as you want to

00:01:55.333 --> 00:01:59.333
ensure that you have a fully customizable tool for network

00:01:59.333 --> 00:02:02.000
monitoring and security tasks.

00:02:02.000 --> 00:02:06.500
The nice thing about Zeek is that it uses a combination of

00:02:06.500 --> 00:02:09.000
signature analysis and behavior analysis,

00:02:09.000 --> 00:02:12.000
as well as a few other unique detection models,

00:02:12.000 --> 00:02:15.000
to find malicious or questionable activity.

00:02:15.000 --> 00:02:18.333
This is great because it can directly compete with

00:02:18.333 --> 00:02:20.000
some of its higher-cost competitors,

00:02:20.000 --> 00:02:25.000
most of which use hard-coded scripts to detect threats.

00:02:25.000 --> 00:02:29.000
The fact that you can add or remove capabilities in a modular

00:02:29.000 --> 00:02:32.142
way because of the scripting capabilities gives many

00:02:32.142 --> 00:02:35.000
organizations a great detection tool.

00:02:35.000 --> 00:02:39.636
This tool can have a few different inputs, as mentioned, and can be used to

00:02:39.636 --> 00:02:45.000
simply sniff the network traffic too, using its interfaces.

00:02:45.000 --> 00:02:46.333
As I mentioned before,

00:02:46.333 --> 00:02:50.999
the language that Zeek uses is a Turing-complete scripting model.

00:02:51.000 --> 00:02:54.000
This is based on an event-driven model.

00:02:54.000 --> 00:02:59.000
What this means is that the events that Zeek detects are neither good nor bad,

00:02:59.000 --> 00:03:03.000
until the scripts that we apply to the tool tell us.

00:03:03.000 --> 00:03:06.666
A good example of this would be a device in our network that reaches

00:03:06.666 --> 00:03:10.000
out to a DNS server that's not in our network.

00:03:10.000 --> 00:03:11.999
Depending on how we write the script,

00:03:12.000 --> 00:03:16.500
that particular event could be bad and generate a logger alert,

00:03:16.500 --> 00:03:20.999
or it could be ignored because we think it's okay.

00:03:21.000 --> 00:03:24.000
This gives us the ability to really flag what we want

00:03:24.000 --> 00:03:27.000
and not just what the box tells us to.

00:03:27.000 --> 00:03:32.000
Let's talk about the signature framework so that we

00:03:32.000 --> 00:03:38.000
can learn how these scripts work.
