TechEX 2019 Sneak Peek: Parsing Weird.log Files to Build a Healthier Network
By Fatema Bannat Wala, University of Delaware
Last year at the University of Delaware we did some deep analysis of the log files produced by one of our network monitoring systems, Zeek (formerly known as Bro). It revealed some very interesting aspects of the network's health that weren't readily visible through normal traffic analysis.
Our team quickly realized that some very crucial network misconfigurations were revealed just by analyzing one of the most underrated log files of Zeek, weird.log. This work also resulted in the addition of DNSSEC protocol parser support, created by UD's security engineers to parse the new fields introduced by DNSSEC protocol traffic.
The Zeek network security monitor is unique in the way it analyzes network traffic. One of its key features is that it parses the various protocols traversing the wire and logs them, while simultaneously logging information whenever traffic does not conform to (or breaks) the protocol specifications.
This unique feature makes Zeek more than just a network traffic monitoring tool. The research conducted and the enhancements made by our team improved the overall health of the network and allowed for better traffic monitoring with less noise being logged afterward.
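As an added illustration (not code from the UD team or from the Zeek project), here is a small Python parser for Zeek's tab-separated weird.log that tallies each weird name and the origin host producing most of it; the log records below are constructed samples, and the analysis is the kind of aggregation that surfaces a single misconfigured host behind many "weird" events.

```python
"""Parse a Zeek weird.log (ASCII/TSV writer format) and summarize which
weird names occur most and which hosts generate them."""
from collections import Counter, defaultdict

# Constructed sample in Zeek's TSV log layout (not real campus data).
SAMPLE_WEIRD_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tweird
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer
1571923201.123\tCx1\t10.0.0.5\t51234\t10.0.0.53\t53\tdns_unmatched_msg\t-\tF\tzeek
1571923202.456\tCx2\t10.0.0.5\t51235\t10.0.0.53\t53\tdns_unmatched_msg\t-\tF\tzeek
1571923203.789\tCx3\t10.0.0.9\t443\t10.0.0.7\t60001\tdata_before_established\t-\tF\tzeek
1571923204.001\tCx4\t10.0.0.5\t51236\t10.0.0.53\t53\tdns_unmatched_msg\t-\tF\tzeek
#close\t2019-10-24-12-00-05
"""


def parse_zeek_tsv(text):
    """Yield one dict per record, keyed by the names in the #fields header.
    Header lines start with '#'; the unset marker (default '-') becomes None."""
    sep, fields, unset = "\t", None, "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):  # value is an escape like \x09
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            continue
        values = line.split(sep)
        if fields is None or len(values) != len(fields):
            raise ValueError("record does not match #fields header: " + line)
        yield {f: (None if v == unset else v) for f, v in zip(fields, values)}


def summarize_weird(text, top=5):
    """Return [(name, count, (top_orig_host, host_count)), ...] sorted by count.
    A weird name dominated by one host usually points at one misconfigured system."""
    by_name, hosts = Counter(), defaultdict(Counter)
    for rec in parse_zeek_tsv(text):
        by_name[rec["name"]] += 1
        hosts[rec["name"]][rec["id.orig_h"]] += 1
    return [(name, n, hosts[name].most_common(1)[0]) for name, n in by_name.most_common(top)]


if __name__ == "__main__":
    for name, n, (host, host_n) in summarize_weird(SAMPLE_WEIRD_LOG):
        print(f"{name}: {n} events, {host_n} of them from {host}")
```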
We are excited to share with you our team’s experience in running Zeek to analyze network traffic on our campus at the upcoming 2019 Internet2 Technology Exchange in New Orleans. We hope you will join us on Thursday, December 12 at 10:40 a.m. for what should prove to be an engaging discussion!