{"id":441,"date":"2023-03-23T06:00:00","date_gmt":"2023-03-23T10:00:00","guid":{"rendered":"https:\/\/drkeithjones.com\/?p=441"},"modified":"2023-03-24T11:30:25","modified_gmt":"2023-03-24T15:30:25","slug":"using-zeek-signatures-to-detect-cves","status":"publish","type":"post","link":"https:\/\/drkeithjones.com\/index.php\/2023\/03\/23\/using-zeek-signatures-to-detect-cves\/","title":{"rendered":"Using Zeek Signatures To Detect CVEs"},"content":{"rendered":"\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Using Zeek Signatures To Detect CVEs\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/PcXjkUt3rZA?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>I put a video together (<a href=\"https:\/\/www.youtube.com\/watch?v=PcXjkUt3rZA\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/www.youtube.com\/watch?v=PcXjkUt3rZA<\/a>) discussing a method I have used to detect CVEs using just Zeek signatures:<\/p>\n\n\n\n<p><a href=\"https:\/\/docs.zeek.org\/en\/master\/frameworks\/signatures.html\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/docs.zeek.org\/en\/master\/frameworks\/signatures.html<\/a><\/p>\n\n\n\n<p>This method is useful when trying to detect a CVE exploit in a protocol that is not fully parsed by Zeek. In this video we discuss a CVE for portmapper, which is a protocol not natively supported by Zeek.<\/p>\n\n\n\n<p>In this video we are not teaching you about detecting specific CVEs as much as I am trying to teach you the method of CVE detection using only Zeek signatures when Zeek can&#8217;t fully parse the connection.<\/p>\n\n\n\n<p>My slides (all the links are clickable): <a href=\"https:\/\/docs.google.com\/presentation\/d\/1lJGNphy6bGwtEBOGGDgQQpLe-kOCpJk5LEX881OUzkc\/edit?usp=sharing\" target=\"_blank\" rel=\"noopener\" title=\"\">https:\/\/docs.google.com\/presentation\/d\/1lJGNphy6bGwtEBOGGDgQQpLe-kOCpJk5LEX881OUzkc\/edit?usp=sharing<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I put a video together (https:\/\/www.youtube.com\/watch?v=PcXjkUt3rZA) discussing a method I have used to detect CVEs using just Zeek signatures: https:\/\/docs.zeek.org\/en\/master\/frameworks\/signatures.html This method is useful when trying to detect a CVE exploit in a protocol that is not fully parsed by Zeek. In this video we discuss a CVE for portmapper, which is a protocol not [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[101,74,91,61,4],"tags":[102,44,100,27],"class_list":["post-441","post","type-post","status-publish","format-standard","hentry","category-cve","category-how-to","category-open-source","category-tools","category-zeek","tag-cve","tag-howto","tag-opensource","tag-zeek"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts\/441","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/comments?post=441"}],"version-history":[{"count":0,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts\/441\/revisions"}],"wp:attachment":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/media?parent=441"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/categories?post=441"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/tags?post=441"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}