Today started with a great session on containerizing Bro, something that I happen to know a fair amount about. A team had worked on a similar project, interested in building a cluster with the complete DevOps lifecycle. Their specific requirements were similar but also different than ours and so their design had some interesting differences. I will definitely be looking into what they are doing a little further, including checking out their containerized Bro docker build.
The second talk of the morning was some quick updates on Bro 2.6, which includes enabling a Broker feature that could possibly make our cluster setup in containers easier. There was some updates on the various package updates that have happened, including the JA3, JA3S and HASSH packages that I had mentioned yesterday. Then there was one more thing. Bro is getting a new name. This apparently has been in the works for a while now, but they finally settled on a new name - Zeek. The origin of the name actually comes from Far Side cartoons, but the phrase Zeek and you shall find is going to likely be a slogan. What are you zeeking? This is not the data you Zeek. I don't know that I love it yet, but it is growing on me.
The rest of the afternoon was a flurry of different topics, including some lightning talks by folks that volunteered to do really short 5 minute talks. One example of a lightning talk was a simple idea to combine common info from a packet - IP, port, etc - into a single id that could be used to correlate records from different analysis tools like
Bro Zeek and Suricatta. A really simple id that has clear application.
Later sessions continued to explore various solutions that folks had developed with Zeek. I'd like to say that I clearly understood it all, but a lot of it was in the realm of networking stacks and some of it was simply a blur - folks like to quickly show off code and say "look at how easy this is" but as someone who has written code for years, I can tell you that people won't understand your code unless they have time to study it up close. Once I get a chance to look through slides, I should have more to say on them.
Today was a blur of sessions on various topics, and tomorrow is the final day with a lot of questions that will get addressed to a panel. Should be interesting to see what questions folks have.