WEBVTT

00:00:00.000 --> 00:00:03.000
We're back.

00:00:03.000 --> 00:00:05.699
We've learned a lot about the network monitoring tool,

00:00:05.699 --> 00:00:10.000
Zeek, throughout this course, but we still have a little bit to go.

00:00:10.000 --> 00:00:11.000
In this module,

00:00:11.000 --> 00:00:14.200
we'll be reviewing the previous modules and discussing some

00:00:14.200 --> 00:00:18.000
output options that we have available within Zeek.

00:00:18.000 --> 00:00:21.000
Let's get started.

00:00:21.000 --> 00:00:21.300
Here,

00:00:21.300 --> 00:00:25.142
we are going to start out by talking about some of the important

00:00:25.142 --> 00:00:28.000
points to remember from our previous modules.

00:00:28.000 --> 00:00:28.285
Then,

00:00:28.285 --> 00:00:31.999
we'll get into the output discussion and learn about some of the

00:00:31.999 --> 00:00:35.000
logging and alerting that we can do with Zeek.

00:00:35.000 --> 00:00:35.333
Finally,

00:00:35.333 --> 00:00:40.000
we'll wrap up the course and send you off to continue practicing with Zeek

00:00:40.000 --> 00:00:45.000
and learning more about its functionality and capabilities.

00:00:45.000 --> 00:00:46.999
To learn any new technology or tool,

00:00:47.000 --> 00:00:52.000
you must first learn the basics about what it is and what it does.

00:00:52.000 --> 00:00:55.500
Zeek is a network monitoring tool that can be used for many

00:00:55.500 --> 00:00:59.250
different purposes and uses an event-driven approach to detecting

00:00:59.250 --> 00:01:03.000
anomalies or threats within the network.

00:01:03.000 --> 00:01:06.500
It's also very good at monitoring network statistics to give the

00:01:06.500 --> 00:01:10.999
ability to troubleshoot portions of the network too.

00:01:11.000 --> 00:01:13.818
Zeek's primary means of detection and analysis is through the

00:01:13.818 --> 00:01:17.714
use of scripts that can be either predefined or customized to

00:01:17.714 --> 00:01:19.999
fit your environment's needs.

00:01:20.000 --> 00:01:24.666
The way the engine works is that you have it analyze the network traffic,

00:01:24.666 --> 00:01:29.999
generate events, and use scripts to interpret those events.

00:01:30.000 --> 00:01:33.571
Some sort of action is then taken on those events based

00:01:33.571 --> 00:01:36.999
on what's defined in the scripts.

00:01:37.000 --> 00:01:39.750
We also talked a lot about deploying Zeek in the

00:01:39.750 --> 00:01:42.000
enterprise environments and in our labs.

00:01:42.000 --> 00:01:45.500
We learned a lot about the standalone and cluster deployments and

00:01:45.500 --> 00:01:49.000
discussed the benefits and deficiencies of each.

00:01:49.000 --> 00:01:50.125
During this module,

00:01:50.125 --> 00:01:54.500
I showed you the installation and initial configuration of Zeek and

00:01:54.500 --> 00:01:58.428
demonstrated the component called ZeekControl that allows us to manage

00:01:58.428 --> 00:02:01.000
the deployment through an interactive shell.

00:02:01.000 --> 00:02:06.000
It's a really handy way to manage clusters especially.

00:02:06.000 --> 00:02:10.000
We then went into detail about the various components within Zeek

00:02:10.000 --> 00:02:11.999
and learned all about the various frameworks,

00:02:12.000 --> 00:02:17.000
subcomponents, and plugin capabilities that Zeek provides.

00:02:17.000 --> 00:02:21.454
We detailed a few of these specifically in the module and learned about how

00:02:21.454 --> 00:02:26.000
they all fit into the Zeek ecosystem to allow it to function.

00:02:26.000 --> 00:02:29.000
There are a lot of frameworks and components to Zeek,

00:02:29.000 --> 00:02:34.000
so digging into them a little more would benefit you quite a bit.

00:02:34.000 --> 00:02:38.500
Each framework allows us to add some sort of functionality into the tool,

00:02:38.500 --> 00:02:42.000
from signature analysis to the logging capabilities.

00:02:42.000 --> 00:02:47.600
Plugins also allow us to expand the Zeek capabilities through APIs and custom

00:02:47.600 --> 00:02:52.000
code so that we can add to it without changing the base code.

00:02:52.000 --> 00:02:56.000
Finally, we learned all about Zeek's language and scripting,

00:02:56.000 --> 00:02:58.000
detailing how it works.

00:02:58.000 --> 00:03:02.000
We also discussed some signature rules and demonstrated the

00:03:02.000 --> 00:03:05.000
functionality of those by analyzing a pcap.

00:03:05.000 --> 00:03:07.999
Within this learning objective, we talked about the scripts,

00:03:08.000 --> 00:03:11.000
about what you would like to see in your environment,

00:03:11.000 --> 00:03:15.999
as well as having a discussion on the custom scripting that we can do with the tool.

00:03:16.000 --> 00:03:20.000
This allows us to use Zeek in unique ways on a per-deployment basis,

00:03:20.000 --> 00:03:24.000
and also helps us expand its functionality.

00:03:24.000 --> 00:03:24.857
Coming up next,

00:03:24.857 --> 00:03:34.000
we're going to discuss the various outputs that we have with Zeek.
