ZEEK
NSM & ZEEK
What is the installed Zeek instance version number?
root@thm:~$ which zeek
/opt/zeek/bin/zeek
root@thm:~$ zeek -v
zeek version 4.2.1
What is the version of the ZeekControl module?
root@thm:~$ which zeekctl
/opt/zeek/bin/zeekctl
root@thm:~$ zeekctl
Warning: new zeek version detected (run the zeekctl "deploy" command)
Welcome to ZeekControl 2.4.0
Type "help" for help.
[ZeekControl] >
Investigate the "sample.pcap" file. What is the number of generated alert files?
root@thm:~$ cd Desktop/Exercise-Files
root@thm:~$ ls
TASK-2 TASK-3 TASK-5 TASK-6 TASK-7 TASK-8 TASK-9 clear-logs.sh
root@thm:~$ cd Desktop/Exercise-Files/TASK-2
root@thm:~$ ls
clear-logs.sh sample.pcap
root@thm:~$ zeek -C -r sample.pcap
* -C ignores bad checksums (common in pcaps from offloading NICs); zeek writes its logs to the current directory and prints nothing on success
root@thm:~$ ls
clear-logs.sh dhcp.log ntp.log sample.pcap ssh.log
conn.log dns.log packet_filter.log snmp.log syslog.log
* the generated alert files are: conn.log, dhcp.log, dns.log, ntp.log, packet_filter.log, snmp.log, ssh.log, syslog.log
ZEEK LOGS
Investigate the sample.pcap file. Investigate the dhcp.log file. What is the available hostname?
root@thm:~$ cd Desktop/Exercise-Files
root@thm:~$ ls
TASK-2 TASK-3 TASK-5 TASK-6 TASK-7 TASK-8 TASK-9 clear-logs.sh
root@thm:~$ cd Desktop/Exercise-Files/TASK-3
root@thm:~$ ls
clear-logs.sh sample.pcap
root@thm:~$ zeek -C -r sample.pcap
* -C ignores bad checksums; zeek writes its logs to the current directory and prints nothing on success
root@thm:~$ ls
clear-logs.sh dhcp.log ntp.log sample.pcap ssh.log
conn.log dns.log packet_filter.log snmp.log syslog.log
* the generated alert files are: conn.log, dhcp.log, dns.log, ntp.log, packet_filter.log, snmp.log, ssh.log, syslog.log
root@thm:~$ grep -lE "\bhost_name\b" *.log
* lists the log files whose #fields header carries a host_name column; for this question that is the column to cut from dhcp.log
root@thm:~$ cat dhcp.log | zeek-cut host_name | sort -u
* host_name is the hostname the client supplied in DHCP option 12; "-" marks messages that carried none
Investigate the sample.pcap file. Investigate the dns.log file. What is the number of unique DNS queries?
root@thm:~$ cd Desktop/Exercise-Files
root@thm:~$ ls
TASK-2 TASK-3 TASK-5 TASK-6 TASK-7 TASK-8 TASK-9 clear-logs.sh
root@thm:~$ cd Desktop/Exercise-Files/TASK-3
root@thm:~$ ls
clear-logs.sh sample.pcap
root@thm:~$ zeek -C -r sample.pcap
* -C ignores bad checksums; zeek writes its logs to the current directory and prints nothing on success
root@thm:~$ ls
clear-logs.sh dhcp.log ntp.log sample.pcap ssh.log
conn.log dns.log packet_filter.log snmp.log syslog.log
* the generated alert files are: conn.log, dhcp.log, dns.log, ntp.log, packet_filter.log, snmp.log, ssh.log, syslog.log
root@thm:~$ grep -lE "\bquery\b" *.log
* lists the log files whose #fields header carries a query column; here that is dns.log
root@thm:~$ cat dns.log | zeek-cut query | sort | uniq
blog.webernetz.net
ip.webernetz.net
* uniq only collapses adjacent duplicates, so sort first; sort -u does both in one step
root@thm:~$ cat dns.log | zeek-cut query | sort -u | wc -l
2
Investigate the sample.pcap file. Investigate the conn.log file. What is the longest connection duration?
root@thm:~$ cd Desktop/Exercise-Files
root@thm:~$ ls
TASK-2 TASK-3 TASK-5 TASK-6 TASK-7 TASK-8 TASK-9 clear-logs.sh
root@thm:~$ cd Desktop/Exercise-Files/TASK-3
root@thm:~$ ls
clear-logs.sh sample.pcap
root@thm:~$ zeek -C -r sample.pcap
* -C ignores bad checksums; zeek writes its logs to the current directory and prints nothing on success
root@thm:~$ ls
clear-logs.sh dhcp.log ntp.log sample.pcap ssh.log
conn.log dns.log packet_filter.log snmp.log syslog.log
* the generated alert files are: conn.log, dhcp.log, dns.log, ntp.log, packet_filter.log, snmp.log, ssh.log, syslog.log
root@thm:~$ grep -E "\bduration\b" ./conn.log
* confirms that the #fields header of conn.log carries a "duration" column
root@thm:~$ cat conn.log | zeek-cut duration
59.206449
307.422751
305.791751
-
325.924370
304.539681
...
root@thm:~$ cat conn.log | zeek-cut duration | sort -n | tail -n 1
332.319364
* sort -n orders numerically ("-" for unset durations sorts to the top) and tail -n 1 keeps the largest value
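The two conn.log/dns.log questions above are answered by post-processing the logs with zeek-cut. The same values can be produced by Zeek itself while it reads the pcap, which is how a detection would normally be built. The script below is an added example, not one of the room's exercise files; the file name log-stats.zeek is assumed, and the event signatures are those of Zeek 4.x (the version shown at the top of the page):

```zeek
# Added example (not part of the TASK-3 files): find the longest connection
# and the set of unique DNS queries in-stream, instead of with zeek-cut.
module LogStats;

global longest: interval = 0 sec;
global longest_uid: string = "";
global queries: set[string] = set();

# connection_state_remove fires when a connection is flushed, which is also
# when its conn.log line is written. c$duration is an &optional field: the
# "-" entries in conn.log are connections where it was never set, so the
# field must be tested with ?$ before it is read.
event connection_state_remove(c: connection)
    {
    if ( c?$duration && c$duration > longest )
        {
        longest = c$duration;
        longest_uid = c$uid;
        }
    }

# One dns_request event per question asked; the set de-duplicates repeats.
# (Zeek 4.x signature; Zeek 6 adds a trailing original_query parameter.)
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    add queries[query];
    }

# zeek_done fires after the whole pcap has been processed
event zeek_done()
    {
    print fmt("longest connection: %.6f s (uid %s)", interval_to_double(longest), longest_uid);
    print fmt("%d unique DNS queries", |queries|);
    for ( q in queries )
        print fmt("  %s", q);
    }
```

Run it as `zeek -C -r sample.pcap log-stats.zeek`; the usual conn.log, dns.log and friends are still written alongside the printed summary, so the result can be cross-checked against the zeek-cut pipeline.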
ZEEK SIGNATURES
Investigate the http.pcap file. Create the HTTP signature shown in the task and investigate the pcap. What is the source IP of the first event?
root@thm:~$ cd Desktop/Exercise-Files/TASK-5
root@thm:~$ ls
ftp http
root@thm:~$ cd http/
root@thm:~$ ls
clear-logs.sh http-password.sig http.pcap
root@thm:~$ cat http-password.sig
signature http-password {
ip-proto == tcp
dst-port == 80
payload /??????????????/
event "???????????????????????"
}
* copy the payload & event contents of the http-password.sig rule
root@thm:~$ nano http-password.sig
signature http-password {
ip-proto == tcp
dst-port == 80
payload /.*password.*/
event "Cleartext Password Found!"
}
root@thm:~$ zeek -C -r http.pcap -s http-password.sig
root@thm:~$ ls
clear-logs.sh files.log http.log notice.log signatures.log
conn.log http-password.sig http.pcap packet_filter.log
#identify the pertinent fields
root@thm:~$ cat signatures.log
#fields ts uid src_addr src_port dst_addr dst_port note sig_id
...
root@thm:~$ cat signatures.log | zeek-cut src_addr src_port dst_addr dst_port event_msg
10.10.57.178 38706 44.228.249.3 80 10.10.57.178: Cleartext Password Found!
10.10.57.178 38712 44.228.249.3 80 10.10.57.178: Cleartext Password Found!
* event_msg is the source address followed by the event string from the signature
Investigate the http.pcap file. Create the HTTP signature shown in the task and investigate the pcap. What is the source port of the second event?
root@thm:~$ cd Desktop/Exercise-Files/TASK-5
root@thm:~$ ls
ftp http
root@thm:~$ cd http/
root@thm:~$ ls
clear-logs.sh http-password.sig http.pcap
root@thm:~$ cat http-password.sig
signature http-password {
ip-proto == tcp
dst-port == 80
payload /??????????????/
event "???????????????????????"
}
* copy the payload & event contents of the http-password.sig rule
root@thm:~$ nano http-password.sig
signature http-password {
ip-proto == tcp
dst-port == 80
payload /.*password.*/
event "Cleartext Password Found!"
}
root@thm:~$ zeek -C -r http.pcap -s http-password.sig
root@thm:~$ ls
clear-logs.sh files.log http.log notice.log signatures.log
conn.log http-password.sig http.pcap packet_filter.log
#identify the pertinent fields
root@thm:~$ cat signatures.log
#fields ts uid src_addr src_port dst_addr dst_port note sig_id
...
root@thm:~$ cat signatures.log | zeek-cut src_addr src_port dst_addr dst_port event_msg
10.10.57.178 38706 44.228.249.3 80 10.10.57.178: Cleartext Password Found!
10.10.57.178 38712 44.228.249.3 80 10.10.57.178: Cleartext Password Found!
* event_msg is the source address followed by the event string from the signature
Investigate the conn.log. What is the total number of the sent and received packets from source port 38706?
root@thm:~$ cd Desktop/Exercise-Files/TASK-5
root@thm:~$ ls
ftp http
root@thm:~$ cd http/
root@thm:~$ ls
clear-logs.sh http-password.sig http.pcap
root@thm:~$ cat http-password.sig
signature http-password {
ip-proto == tcp
dst-port == 80
payload /??????????????/
event "???????????????????????"
}
* copy the payload & event contents of the http-password.sig rule
root@thm:~$ nano http-password.sig
signature http-password {
ip-proto == tcp
dst-port == 80
payload /.*password.*/
event "Cleartext Password Found!"
}
root@thm:~$ zeek -C -r http.pcap -s http-password.sig
root@thm:~$ ls
clear-logs.sh files.log http.log notice.log signatures.log
conn.log http-password.sig http.pcap packet_filter.log
#identify the pertinent fields
root@thm:~$ cat conn.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
root@thm:~$ cat conn.log | zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p orig_pkts resp_pkts
10.10.57.178 38704 44.228.249.3 80 4 2
10.10.57.178 38706 44.228.249.3 80 11 9
10.10.57.178 38708 44.228.249.3 80 4 2
10.10.57.178 38710 44.228.249.3 80 4 2
10.10.57.178 38712 44.228.249.3 80 6 5
* source port 38706: orig_pkts 11 + resp_pkts 9 = 20 packets in total
Create the global rule shown in the task and investigate the ftp.pcap file. Investigate the notice.log. What is the number of unique events?
root@thm:~$ cd Desktop/Exercise-Files/TASK-5
root@thm:~$ ls
ftp http
root@thm:~$ cd ftp
root@thm:~$ ls
clear-logs.sh ftp-bruteforce.sig ftp.pcap
root@thm:~$ cat ftp-bruteforce.sig
signature ftp-username {
ip-proto == tcp
ftp /???????????????????????????????/
event "FTP Username Input Found!"
}
signature ftp-brute {
ip-proto == tcp
payload /?????????????????????????/
event "FTP Brute-force Attempt!"
}
* copy the payload & event contents of the ftp-bruteforce.sig rule
root@thm:~$ BROWSER > https://datatracker.ietf.org/doc/html/rfc765
530 Not logged in
* 530 is the FTP reply code for a rejected login (RFC 765 is the older spec; RFC 959 is the current one and keeps the same code); many FTP daemons send it as "530 Login incorrect.", which is what the ftp-brute payload pattern below keys on
root@thm:~$ nano ftp-bruteforce.sig
signature ftp-username {
ip-proto == tcp
ftp /.*USER.*/
event "FTP Username Input Found!"
}
signature ftp-brute {
ip-proto == tcp
payload /.*530.*Login.*incorrect.*/
event "FTP Brute-force Attempt!"
}
root@thm:~$ zeek -C -r ftp.pcap -s ftp-bruteforce.sig
root@thm:~$ ls
clear-logs.sh conn.log ftp-bruteforce.sig ftp.pcap notice.log packet_filter.log signatures.log weird.log
#identify the pertinent fields
root@thm:~$ cat notice.log | more
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
...
root@thm:~$ cat notice.log | zeek-cut uid | sort | uniq
CzqT1E0kp0OjPPFDf
CztIYiOrGdJ91JOr4
Czx9DAxZCgUlefn32
Czxu2n1OLi3rc5VqCi
CzyfuO3aVGNxeGbK09
CzywjFUzrWmHf3xMg
...
root@thm:~$ cat notice.log | zeek-cut uid | sort | uniq | wc -l
1413
* each notice carries the uid of the connection it was raised on, so distinct uids = distinct connections that produced a notice
Create the global rule shown in the task and investigate the ftp.pcap file. Investigate the notice.log. What is the number of ftp-brute signature matches?
root@thm:~$ cd Desktop/Exercise-Files/TASK-5
root@thm:~$ ls
ftp http
root@thm:~$ cd ftp
root@thm:~$ ls
clear-logs.sh ftp-bruteforce.sig ftp.pcap
root@thm:~$ cat ftp-bruteforce.sig
signature ftp-username {
ip-proto == tcp
ftp /???????????????????????????????/
event "FTP Username Input Found!"
}
signature ftp-brute {
ip-proto == tcp
payload /?????????????????????????/
event "FTP Brute-force Attempt!"
}
* copy the payload & event contents of the ftp-bruteforce.sig rule
root@thm:~$ BROWSER > https://datatracker.ietf.org/doc/html/rfc765
530 Not logged in
* 530 is the FTP reply code for a rejected login; the "530 Login incorrect." text is what the ftp-brute payload pattern keys on
root@thm:~$ nano ftp-bruteforce.sig
signature ftp-username {
ip-proto == tcp
ftp /.*USER.*/
event "FTP Username Input Found!"
}
signature ftp-brute {
ip-proto == tcp
payload /.*530.*Login.*incorrect.*/
event "FTP Brute-force Attempt!"
}
root@thm:~$ zeek -C -r ftp.pcap -s ftp-bruteforce.sig
root@thm:~$ ls
clear-logs.sh conn.log ftp-bruteforce.sig ftp.pcap notice.log packet_filter.log signatures.log weird.log
#identify the pertinent fields
root@thm:~$ cat signatures.log | more
#fields ts uid src_addr src_port dst_addr dst_port note sig_id event_msg sub_msg sig_count host_count
root@thm:~$ cat signatures.log | zeek-cut sig_id event_msg
ftp-username 10.234.125.254: FTP Username Input Found!
ftp-brute 10.121.70.151: FTP Brute-force Attempt!
ftp-brute 10.121.70.151: FTP Brute-force Attempt!
ftp-brute 10.121.70.151: FTP Brute-force Attempt!
ftp-brute 10.121.70.151: FTP Brute-force Attempt!
ftp-brute 10.121.70.151: FTP Brute-force Attempt!
ftp-brute 10.121.70.151: FTP Brute-force Attempt!
...
root@thm:~$ cat signatures.log | zeek-cut sig_id | grep "ftp-brute" | wc -l
1410
ZEEK SCRIPTS: FUNDAMENTALS
Investigate the smallFlows.pcap file. Investigate the dhcp.log file. What is the domain value of the "vinlap01" host?
root@thm:~$ cd Desktop/Exercise-Files/TASK-6
root@thm:~$ ls
bigflow smallflow
root@thm:~$ cd smallflow
root@thm:~$ ls
clear-logs.sh dhcp-hostname.zeek smallFlows.pcap
root@thm:~$ cat dhcp-hostname.zeek
event dhcp_message (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
{
print options$host_name;
}
* the first, second and fourth lines (event declaration, opening and closing braces) are the fixed structure of a Zeek event handler; the analyst-written part is line 3, which prints the host_name option of every DHCP message
* options$host_name is an &optional field, so a DHCP message that carries no hostname option (e.g. a server ACK) raises the "field value missing" expression error shown in the output below; testing presence first with the ?$ operator (options?$host_name) avoids it
root@thm:~$ zeek -C -r smallFlows.pcap dhcp-hostname.zeek
student01-PC
vinlap01
1295981640.291600 expression error in ./dhcp-hostname.zeek, line 3: field value missing (options$host_name)
root@thm:~$ ls
clear-logs.sh dhcp.log files.log reporter.log ssl.log
conn.log dns.log http.log smallFlows.pcap weird.log
dhcp-hostname.zeek dpd.log packet_filter.log snmp.log x509.log
#identify pertinent fields
root@thm:~$ cat dhcp.log
#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration
#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval
1295981573.013593 Ck1jSY3fMuPQPSnhQk 192.168.3.131 - 40:61:86:9a:f1:f5 student01-PC - - - - - - - INFORM 0.000000
1295981640.291009 ClTGlbGLPORFS6Pt7,C0lazw1EB6ujoJwrjb 172.16.255.1 - 00:1e:68:51:4f:a9 vinlap01 - astaro_vineyard - - - - - INFORM,ACK 0.000591
root@thm:~$ cat dhcp.log | zeek-cut domain
astaro_vineyard
Investigate the bigFlows.pcap file. Investigate the dhcp.log file. What is the number of identified unique hostnames?
root@thm:~$ cd Desktop/Exercise-Files/TASK-6
root@thm:~$ ls
bigflow smallflow
root@thm:~$ cd bigflow
root@thm:~$ ls
bigFlows.pcap clear-logs.sh dhcp-hostname.zeek
root@thm:~$ cat dhcp-hostname.zeek
event dhcp_message (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
{
print options$host_name;
}
* the first, second and fourth lines (event declaration, opening and closing braces) are the fixed structure of a Zeek event handler; the analyst-written part is line 3, which prints the host_name option of every DHCP message
* options$host_name is an &optional field, so a DHCP message that carries no hostname option (e.g. a server ACK) raises the "field value missing" expression error shown in the output below; testing presence first with the ?$ operator (options?$host_name) avoids it
root@thm:~$ zeek -C -r bigFlows.pcap dhcp-hostname.zeek
JDT115
1361916156.616130 expression error in ./dhcp-hostname.zeek, line 3: field value missing (options$host_name)
JDT91
m30-sqdesk
...
root@thm:~$ ls
bigFlows.pcap dhcp.log kerberos.log reporter.log ssh.log
clear-logs.sh dns.log ntlm.log sip.log ssl.log
conn.log dpd.log ntp.log smb_files.log syslog.log
dce_rpc.log files.log ocsp.log smb_mapping.log weird.log
dhcp-hostname.zeek http.log packet_filter.log snmp.log x509.log
#identify pertinent fields
root@thm:~$ cat dhcp.log
#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration
#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval
1361916156.615988 CAjLva3eNPcVKtRZXc,CGOhdf144CRNFGjkPd 172.16.133.24 - 00:21:70:67:69:d3 JDT115 - jaalam.net - - - - - INFORM,ACK 0.000142
1361916159.858464 CxYUOyWRPqWGR27Ui 172.16.133.38 - 00:90:fb:38:0c:da m30-sqdesk - - - - - - - REQUEST,REQUEST 11.007566
...
root@thm:~$ cat dhcp.log | zeek-cut host_name
JDT115
m30-sqdesk
JDT91
JDT100
JDT094
JDT096
m30-sqdesk
...
root@thm:~$ cat dhcp.log | zeek-cut host_name | sort -r | uniq
m30-sqdesk
JLT108
JDT95
JDT91
JDT80
JDT168
JDT153
JDT134
JDT131
JDT123
JDT120
JDT115
JDT107
JDT100
JDT096
JDT094
JDT081
-
root@thm:~$ cat dhcp.log | zeek-cut host_name | grep -v "^-$" | sort -u | wc -l
17
* "-" is Zeek's marker for an unset field, so it is filtered out before counting (18 lines including it)
Investigate the bigFlows.pcap file. Investigate the dhcp.log file. What is the identified domain value?
root@thm:~$ cd Desktop/Exercise-Files/TASK-6
root@thm:~$ ls
bigflow smallflow
root@thm:~$ cd bigflow
root@thm:~$ ls
bigFlows.pcap clear-logs.sh dhcp-hostname.zeek
root@thm:~$ cat dhcp-hostname.zeek
event dhcp_message (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
{
print options$host_name;
}
* the first, second and fourth lines (event declaration, opening and closing braces) are the fixed structure of a Zeek event handler; the analyst-written part is line 3, which prints the host_name option of every DHCP message
* options$host_name is an &optional field, so a DHCP message that carries no hostname option (e.g. a server ACK) raises the "field value missing" expression error shown in the output below; testing presence first with the ?$ operator (options?$host_name) avoids it
root@thm:~$ zeek -C -r bigFlows.pcap dhcp-hostname.zeek
JDT115
1361916156.616130 expression error in ./dhcp-hostname.zeek, line 3: field value missing (options$host_name)
JDT91
m30-sqdesk
...
root@thm:~$ ls
bigFlows.pcap dhcp.log kerberos.log reporter.log ssh.log
clear-logs.sh dns.log ntlm.log sip.log ssl.log
conn.log dpd.log ntp.log smb_files.log syslog.log
dce_rpc.log files.log ocsp.log smb_mapping.log weird.log
dhcp-hostname.zeek http.log packet_filter.log snmp.log x509.log
#identify pertinent fields
root@thm:~$ cat dhcp.log
#fields ts uids client_addr server_addr mac host_name client_fqdn domain requested_addr assigned_addr lease_time client_message server_message msg_types duration
#types time set[string] addr addr string string string string addr addr interval string string vector[string] interval
1361916156.615988 CAjLva3eNPcVKtRZXc,CGOhdf144CRNFGjkPd 172.16.133.24 - 00:21:70:67:69:d3 JDT115 - jaalam.net - - - - - INFORM,ACK 0.000142
1361916159.858464 CxYUOyWRPqWGR27Ui 172.16.133.38 - 00:90:fb:38:0c:da m30-sqdesk - - - - - - - REQUEST,REQUEST 11.007566
...
root@thm:~$ cat dhcp.log | zeek-cut domain
jaalam.net
...
root@thm:~$ cat dhcp.log | zeek-cut domain | grep -v "^-$" | sort -u
jaalam.net
* the grep drops the "-" rows (messages without a domain option) so only real domain values remain
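All three TASK-6 questions (the hostname and domain in smallFlows, the unique hostnames and domain in bigFlows) can be answered by the script itself, without the expression error and without filtering "-" out of dhcp.log afterwards. The following is an added example, not one of the room's exercise files; the file name dhcp-inventory.zeek is assumed:

```zeek
# Added example, not part of the TASK-6 exercise files.
# Collects unique DHCP hostnames and domains without tripping the
# "field value missing" error that the room's dhcp-hostname.zeek prints.
module DHCPInventory;

global hostnames: set[string] = set();
global domains: set[string] = set();
global skipped: count = 0;   # DHCP messages that carried no hostname option

event dhcp_message(c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
    {
    # host_name (option 12) and domain_name (option 15) are &optional fields:
    # test presence with ?$ before dereferencing with $
    if ( options?$host_name )
        add hostnames[options$host_name];
    else
        ++skipped;

    if ( options?$domain_name )
        add domains[options$domain_name];
    }

# zeek_done fires once the pcap has been fully read
event zeek_done()
    {
    print fmt("%d unique hostnames (%d messages without option 12)", |hostnames|, skipped);
    for ( h in hostnames )
        print fmt("  host_name: %s", h);

    print fmt("%d unique domains", |domains|);
    for ( d in domains )
        print fmt("  domain: %s", d);
    }
```

Run it as `zeek -C -r bigFlows.pcap dhcp-inventory.zeek`. Because the sets are keyed on the option value, the counts are already de-duplicated and never include the "-" placeholder that dhcp.log writes for an unset field.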
ZEEK SCRIPTS: SIGNATURES
Investigate the sample.pcap file with 103.zeek script. Investigate the terminal output. What is the number of the detected new connections?
root@thm:~$ cd Desktop/Exercise-Files/TASK-7
root@thm:~$ ls
101 201 202
root@thm:~$ cd 101
root@thm:~$ ls
101.zeek 102.zeek 103.zeek clear-logs.sh sample.pcap
root@thm:~$ cat 103.zeek
event new_connection(c: connection)
{
print ("###########################################################");
print ("");
print ("New Connection Found!");
print ("");
print fmt ("Source Host: %s # %s --->", c$id$orig_h, c$id$orig_p);
print fmt ("Destination Host: resp: %s # %s <---", c$id$resp_h, c$id$resp_p);
print ("");
}
root@thm:~$ zeek -C -r sample.pcap 103.zeek > newConn
* ">" overwrites newConn; appending with ">>" would inflate the count on a second run
root@thm:~$ cat newConn
###########################################################
New Connection Found!
Source Host: 192.168.121.2 # 54445/udp --->
Destination Host: resp: 192.168.110.10 # 69/udp <---
###########################################################
New Connection Found!
Source Host: 192.168.110.10 # 1556/udp --->
Destination Host: resp: 192.168.121.2 # 54445/udp <---
###########################################################
New Connection Found!
Source Host: 192.168.121.40 # 123/udp --->
Destination Host: resp: 212.227.54.68 # 123/udp <---
root@thm:~$ cat newConn | grep "New Connection Found!" | wc -l
87
Investigate the ftp.pcap file with ftp-admin.sig signature and 201.zeek script. Investigate the signatures.log file. What is the number of signature hits?
root@thm:~$ cd Desktop/Exercise-Files/TASK-7
root@thm:~$ ls
101 201 202
root@thm:~$ cd 201
root@thm:~$ ls
201.zeek clear-logs.sh ftp-admin.sig ftp.pcap
root@thm:~$ cat 201.zeek
event signature_match (state: signature_state, msg: string, data: string)
{
if (state$sig_id == "ftp-admin")
{
print ("Signature hit! --> #FTP-Admin ");
}
}
root@thm:~$ cat ftp-admin.sig
signature ftp-admin {
ip-proto == tcp
ftp /.*USER.*admin.*/
event "FTP Username Input Found!"
}
root@thm:~$ zeek -C -r ftp.pcap -s ftp-admin.sig 201.zeek
Signature hit! --> #FTP-Admin
Signature hit! --> #FTP-Admin
...
root@thm:~$ ls
201.zeek conn.log ftp.pcap packet_filter.log weird.log
clear-logs.sh ftp-admin.sig notice.log signatures.log
root@thm:~$ head signatures.log
#fields ts uid src_addr src_port dst_addr dst_port note sig_id event_msg sub_msg sig_count host_count
#types time string addr port addr port enum string string string count count
1024380731.210890 C9x2tG2ib3mDnZwjxd 10.234.125.254 2228 10.121.70.151 21 Signatures::Sensitive_Signature ftp-admin 10.234.125.254: FTP Username Input Found! USER admin - -
1024380731.267148 CasjJv2h3bXRnC2si9 10.234.125.254 2225 10.121.70.151 21 Signatures::Sensitive_Signature ftp-admin 10.234.125.254: FTP Username Input Found! USER admin - -
root@thm:~$ cat signatures.log | grep ftp-admin | wc -l
1401
Investigate the signatures.log file. What is the total number of "administrator" username detections?
root@thm:~$ cd Desktop/Exercise-Files/TASK-7
root@thm:~$ ls
101 201 202
root@thm:~$ cd 201
root@thm:~$ ls
201.zeek clear-logs.sh ftp-admin.sig ftp.pcap
root@thm:~$ cat 201.zeek
event signature_match (state: signature_state, msg: string, data: string)
{
if (state$sig_id == "ftp-admin")
{
print ("Signature hit! --> #FTP-Admin ");
}
}
root@thm:~$ cat ftp-admin.sig
signature ftp-admin {
ip-proto == tcp
ftp /.*USER.*admin.*/
event "FTP Username Input Found!"
}
root@thm:~$ zeek -C -r ftp.pcap -s ftp-admin.sig 201.zeek
Signature hit! --> #FTP-Admin
Signature hit! --> #FTP-Admin
...
root@thm:~$ ls
201.zeek conn.log ftp.pcap packet_filter.log weird.log
clear-logs.sh ftp-admin.sig notice.log signatures.log
root@thm:~$ head signatures.log
#fields ts uid src_addr src_port dst_addr dst_port note sig_id event_msg sub_msg sig_count host_count
#types time string addr port addr port enum string string string count count
1024380731.210890 C9x2tG2ib3mDnZwjxd 10.234.125.254 2228 10.121.70.151 21 Signatures::Sensitive_Signature ftp-admin 10.234.125.254: FTP Username Input Found! USER admin - -
1024380731.267148 CasjJv2h3bXRnC2si9 10.234.125.254 2225 10.121.70.151 21 Signatures::Sensitive_Signature ftp-admin 10.234.125.254: FTP Username Input Found! USER admin - -
root@thm:~$ cat signatures.log | grep administrator | wc -l
731
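The walkthrough counts events after the fact with grep and wc -l: new connections in TASK-7/101, signature hits and "administrator" usernames in TASK-7/201, and the ftp-brute matches in TASK-5. Zeek can produce the same totals while it reads the pcap. The script below is an added example, not one of the room's scripts; the file name sigstats.zeek is assumed, as is that the ftp-admin signature from ftp-admin.sig is loaded with -s:

```zeek
# Added example (not one of the TASK-7 scripts): count in-stream what the
# walkthrough counts with grep | wc -l, so the totals come out of Zeek itself.
module SigStats;

global new_conns: count = 0;
global hits: table[string] of count &default = 0;
global hits_by_host: table[string, addr] of count &default = 0;
global administrator_attempts: count = 0;

# Same event 103.zeek prints on; here it is only counted
event new_connection(c: connection)
    {
    ++new_conns;
    }

# Raised once per signature match, i.e. once per signatures.log row.
# state$sig_id is the signature name, state$conn the flow it fired on.
event signature_match(state: signature_state, msg: string, data: string)
    {
    ++hits[state$sig_id];
    ++hits_by_host[state$sig_id, state$conn$id$orig_h];

    # data is the chunk that matched, e.g. "USER administrator" for the ftp
    # condition (signatures.log shows it as sub_msg). The signature name
    # "ftp-admin" is assumed from the room's ftp-admin.sig.
    if ( state$sig_id == "ftp-admin" && /administrator/ in data )
        ++administrator_attempts;
    }

event zeek_done()
    {
    print fmt("new connections: %d", new_conns);
    for ( sig in hits )
        print fmt("%s: %d matches", sig, hits[sig]);
    for ( [sig, h] in hits_by_host )
        print fmt("%s from %s: %d", sig, h, hits_by_host[sig, h]);
    print fmt("ftp-admin matches with username administrator: %d", administrator_attempts);
    }
```

Run it as `zeek -C -r ftp.pcap -s ftp-admin.sig sigstats.zeek`. The per-signature totals equal the grep counts because signature_match and the signatures.log writer are driven by the same event; the per-host table adds what grep does not give directly, which source produced the matches.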
Investigate the ftp.pcap file with all local scripts, and investigate the loaded_scripts.log file. What is the total number of loaded scripts?
root@thm:~$ cd Desktop/Exercise-Files/TASK-7
root@thm:~$ ls
101 201 202
root@thm:~$ cd 201
root@thm:~$ ls
201.zeek clear-logs.sh ftp-admin.sig ftp.pcap
root@thm:~$ zeek -C -r ftp.pcap local
WARNING: No Site::local_nets have been defined. It's usually a good idea to define your local networks.
root@thm:~$ ls
clear-logs.sh ftp-admin.sig loaded_scripts.log stats.log
capture_loss.log conn.log ftp.pcap packet_filter.log weird.log
root@thm:~$ head loaded_scripts.log
#fields name
#types string
/opt/zeek/share/zeek/base/init-bare.zeek
/opt/zeek/share/zeek/base/bif/const.bif.zeek
root@thm:~$ cat loaded_scripts.log | grep -v "^#"
/opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp.zeek
/opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp-url-extraction.zeek
/opt/zeek/share/zeek/policy/frameworks/intel/seen/x509.zeek
...
root@thm:~$ cat loaded_scripts.log | grep -v "^#" | wc -l
498
* the ^# filter drops the header and footer lines (#separator, #fields, #close, ...) so only script paths are counted
Investigate the ftp-brute.pcap file with "/opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek" script. Investigate the notice.log file. What is the total number of brute-force detections?
root@thm:~$ cd Desktop/Exercise-Files/TASK-7
root@thm:~$ ls
101 201 202
root@thm:~$ cd 202
root@thm:~$ ls
clear-logs.sh ftp-brute.pcap ftp.pcap
root@thm:~$ cat /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek
##! FTP brute-forcing detector, triggering when too many rejected usernames or
##! failed passwords have occurred from a single address.
@load base/protocols/ftp
@load base/frameworks/sumstats
@load base/utils/time
module FTP;
export {
redef enum Notice::Type += {
## Indicates a host bruteforcing FTP logins by watching for too
## many rejected usernames or failed passwords.
Bruteforcing
};
## How many rejected usernames or passwords are required before being
## considered to be bruteforcing.
...
root@thm:~$ zeek -C -r ftp-brute.pcap /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek
root@thm:~$ ls
clear-logs.sh conn.log ftp-brute.pcap ftp.pcap notice.log packet_filter.log weird.log
root@thm:~$ head notice.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1024380732.223481 - - - - - - - - - FTP::Bruteforcing 10.234.125.254 had 20 failed logins on 1 FTP server in 0m1s - 10.234.125.254 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
root@thm:~$ cat notice.log | grep "FTP::Bruteforcing"
1024380732.223481 - - - - - - - - - FTP::Bruteforcing 10.234.125.254 had 20 failed logins on 1 FTP server in 0m1s - 10.234.125.254 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
1389721084.522861 - - - - - - - - - FTP::Bruteforcing 192.168.56.1 had 20 failed logins on 1 FTP server in 0m37s - 192.168.56.1 - - - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
root@thm:~$ cat notice.log | grep "FTP::Bruteforcing" | wc -l
2
ZEEK SCRIPTS: FRAMEWORKS
Investigate the case1.pcap file with intelligence-demo.zeek script. Investigate the intel.log file. Look at the second finding, where was the intel info found?
root@thm:~$ cd Desktop/Exercise-Files/TASK-8
root@thm:~$ ls
case1.pcap clear-logs.sh file-extract-demo.zeek hash-demo.zeek intelligence-demo.zeek
root@thm:~$ cat intelligence-demo.zeek
# Load intelligence framework!
@load /opt/zeek/share/zeek/policy/frameworks/intel/seen
@load /opt/zeek/share/zeek/policy/frameworks/intel/do_notice.zeek
redef Intel::read_files += { "/opt/zeek/intel/zeek_intel.txt" };
root@thm:~$ zeek -C -r case1.pcap intelligence-demo.zeek
root@thm:~$ ls
case1.pcap dhcp.log files.log intel.log pe.log
clear-logs.sh dns.log hash-demo.zeek intelligence-demo.zeek
conn.log file-extract-demo.zeek http.log packet_filter.log
root@thm:~$ cat intel.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p seen.indicator seen.indicator_type seen.where seen.node matched sources fuid file_mime_type file_desc
#types time string addr port addr port string enum enum string set[enum] set[string] string string string
1561667898.779213 C2CbcG26BMyZCrXnmh 10.6.27.102 53770 10.6.27.1 53 smart-fax.com Intel::DOMAIN DNS::IN_REQUEST zeek Intel::DOMAIN TASK-8-Demo - - -
1561667898.911759 CfQQgQTipHqVBnvSh 10.6.27.102 49162 107.180.50.162 80 smart-fax.com Intel::DOMAIN HTTP::IN_HOST_HEADER zeek Intel::DOMAIN TASK-8-Demo - - -
root@thm:~$ cat intel.log | zeek-cut seen.where
DNS::IN_REQUEST
HTTP::IN_HOST_HEADER
Investigate the case1.pcap file with intelligence-demo.zeek script. Investigate the http.log file. What is the name of the downloaded .exe file?
root@thm:~$ cd Desktop/Exercise-Files/TASK-8
root@thm:~$ ls
case1.pcap clear-logs.sh file-extract-demo.zeek hash-demo.zeek intelligence-demo.zeek
root@thm:~$ cat intelligence-demo.zeek
# Load intelligence framework!
@load /opt/zeek/share/zeek/policy/frameworks/intel/seen
@load /opt/zeek/share/zeek/policy/frameworks/intel/do_notice.zeek
redef Intel::read_files += { "/opt/zeek/intel/zeek_intel.txt" };
root@thm:~$ zeek -C -r case1.pcap intelligence-demo.zeek
root@thm:~$ ls
case1.pcap dhcp.log files.log intel.log pe.log
clear-logs.sh dns.log hash-demo.zeek intelligence-demo.zeek
conn.log file-extract-demo.zeek http.log packet_filter.log
root@thm:~$ cat http.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
1561667874.713411 CBeR9d3RW63znDZY62 10.6.27.102 49157 23.63.254.163 80 1 GET www.msftncsi.com /ncsi.txt - 1.1 Microsoft NCSI - 0 14 200 OK - - (empty) - - - - - - Fpgan59p6uvNzLFja - text/plain
1561667889.643717 CrQiLZ1aWt2zkKmHB1 10.6.27.102 49159 107.180.50.162 80 1 GET smart-fax.com /Documents/Invoice&MSO-Request.doc - 1.1 Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko - 0 323072 200 OK - - (empty) - - - - - - FB5o2Hcauv7vpQ8y3 - application/msword
1561667898.911759 CfQQgQTipHqVBnvSh 10.6.27.102 49162 107.180.50.162 80 1 GET smart-fax.com /knr.exe - 1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) - 0 2437120 200 OK - - (empty) - - - - - - FOghls3WpIjKpvXaEl - application/x-dosexec
root@thm:~$ cat http.log | zeek-cut uri
/ncsi.txt
/Documents/Invoice&MSO-Request.doc
/knr.exe
Investigate the case1.pcap file with hash-demo.zeek script. Investigate the files.log file. What is the MD5 hash of the downloaded .exe file?
root@thm:~$ cd Desktop/Exercise-Files/TASK-8
root@thm:~$ ls
case1.pcap clear-logs.sh file-extract-demo.zeek hash-demo.zeek intelligence-demo.zeek
root@thm:~$ cat hash-demo.zeek
# Enable MD5 and SHA1 hashing for all files (the policy script adds only those two analyzers, so sha256 stays "-" in files.log).
@load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
root@thm:~$ zeek -C -r case1.pcap hash-demo.zeek
root@thm:~$ ls
case1.pcap clear-logs.sh conn.log dhcp.log dns.log file-extract-demo.zeek files.log hash-demo.zeek http.log intelligence-demo.zeek packet_filter.log pe.log
root@thm:~$ cat files.log
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted extracted_cutoff extracted_size
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string bool count
1561667874.743959 Fpgan59p6uvNzLFja 23.63.254.163 10.6.27.102 CQP7Mi4HUOPGcPM9lb HTTP 0 SHA1,MD5 text/plain - 0.000000 - F 14 14 0 0 F - cd5a4d3fdd5bffc16bf959ef75cf37bc 33bf88d5b82df3723d5863c7d23445e345828904 - - - -
1561667889.703239 FB5o2Hcauv7vpQ8y3 107.180.50.162 10.6.27.102 C0d8Sz2HCrBEXNcEf HTTP 0 SHA1,MD5 application/msword - 4.386569 - F 323072 - 0 0 F - b5243ec1df7d1d5304189e7db2744128 a66bd2557016377dfb95a87c21180e52b23d2e4e - - - -
1561667899.060086 FOghls3WpIjKpvXaEl 107.180.50.162 10.6.27.102 CHwAij1Q2bSTESk3ad HTTP 0 SHA1,MD5,PE application/x-dosexec - 0.498764 - F 2437120 - 0 0 F - cc28e40b46237ab6d5282199ef78c464 0d5c820002cf93384016bd4a2628dcc5101211f4 - - - -
root@thm:~$ cat files.log | zeek-cut mime_type md5 sha1 sha256
text/plain cd5a4d3fdd5bffc16bf959ef75cf37bc 33bf88d5b82df3723d5863c7d23445e345828904 -
application/msword b5243ec1df7d1d5304189e7db2744128 a66bd2557016377dfb95a87c21180e52b23d2e4e -
application/x-dosexec cc28e40b46237ab6d5282199ef78c464 0d5c820002cf93384016bd4a2628dcc5101211f4 -
Investigate the case1.pcap file with file-extract-demo.zeek script. Investigate the "extract_files" folder. Review the contents of the text file. What is written in the file?
root@thm:~$ cd Desktop/Exercise-Files/TASK-8
root@thm:~$ ls
case1.pcap clear-logs.sh file-extract-demo.zeek hash-demo.zeek intelligence-demo.zeek
root@thm:~$ cat file-extract-demo.zeek
# Load file extract framework!
@load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
root@thm:~$ zeek -C -r case1.pcap file-extract-demo.zeek
root@thm:~$ ls
case1.pcap clear-logs.sh conn.log dhcp.log dns.log extract_files file-extract-demo.zeek files.log hash-demo.zeek http.log intelligence-demo.zeek packet_filter.log pe.log
root@thm:~$ cd extract_files
root@thm:~$ ls
extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja extract-1561667889.703239-HTTP-FB5o2Hcauv7vpQ8y3 extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl
root@thm:~$ file * | nl
1 extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja: ASCII text, with no line terminators
2 extract-1561667889.703239-HTTP-FB5o2Hcauv7vpQ8y3: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Template: Normal.dotm, Last Saved By: Administrator, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jun 27 18:24:00 2019, Last Saved Time/Date: Thu Jun 27 18:24:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
3 extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl: PE32 executable (GUI) Intel 80386, for MS Windows
root@thm:~$ cat extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja
Microsoft NCSI
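hash-all-files.zeek and extract-all-files.zeek hash or write to disk every file Zeek sees, which on a busy sensor is mostly text/plain and image data. The script below is an added example, not one of the TASK-8 demo scripts: it restricts hashing and extraction to files whose sniffed MIME type is application/x-dosexec (the knr.exe download above) and prints each Intel framework hit together with where the indicator was seen, the value intel.log records in seen.where. The file name files-intel.zeek is assumed; the intel file path is the one the room's intelligence-demo.zeek uses:

```zeek
# Added example (not part of the TASK-8 demo scripts): hash and extract only
# Windows executables, and report where each intel indicator was observed.
@load base/files/hash
@load base/files/extract
@load base/frameworks/intel
@load policy/frameworks/intel/seen

# Same intel file the room's intelligence-demo.zeek reads
redef Intel::read_files += { "/opt/zeek/intel/zeek_intel.txt" };
# Default output directory, stated explicitly
redef FileExtract::prefix = "./extract_files/";

# file_sniff fires once the MIME type has been inferred from the first bytes,
# so the decision to hash/extract can depend on the detected type. Analyzers
# added here still see the whole file, including the bytes already buffered.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # mime_type is &optional: unknown content would trip "field value missing"
    if ( ! ( meta?$mime_type ) || meta$mime_type != "application/x-dosexec" )
        return;

    Files::add_analyzer(f, Files::ANALYZER_MD5);
    Files::add_analyzer(f, Files::ANALYZER_SHA256);

    # Same naming scheme as extract-all-files.zeek, so the output looks like
    # extract-<last_active>-<source>-<fuid> (see the extract_files listing above)
    local fname = fmt("extract-%s-%s-%s", f$last_active, f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }

# One event per hash kind ("md5", "sha256") per file
event file_hash(f: fa_file, kind: string, hash: string)
    {
    print fmt("%s %s %s", kind, hash, f$id);
    }

# Raised for every indicator hit; s$where is the Intel::Where enum that
# intel.log records in seen.where (e.g. DNS::IN_REQUEST, HTTP::IN_HOST_HEADER)
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    local ind = s?$indicator ? s$indicator : "<no indicator>";
    print fmt("intel hit: %s seen in %s", ind, s$where);
    }
```

Run it as `zeek -C -r case1.pcap files-intel.zeek`. With this policy the ncsi.txt and .doc downloads are neither hashed nor extracted, while the PE file gets its MD5 and SHA256 recorded in files.log and is written under extract_files, which is the subset an analyst usually wants to detonate or look up.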
ZEEK SCRIPTS: PACKAGES
Investigate the http.pcap file with the zeek-sniffpass module. Investigate the notice.log file. Which username has more module hits?
root@thm:~$ cd Desktop/Exercise-Files/TASK-9
root@thm:~$ ls
cleartext-pass geoip-conn
root@thm:~$ cd cleartext-pass
root@thm:~$ ls
clear-logs.sh http.pcap
root@dco:~$ find / -iname "zeek-sniffpass" 2>/dev/null
/opt/zeek/share/zeek/site/packages/zeek-sniffpass
root@dco:~$ ls /opt/zeek/share/zeek/site/packages/zeek-sniffpass
__load__.zeek main.zeek
root@dco:~$ cat /opt/zeek/share/zeek/site/packages/zeek-sniffpass/main.zeek
@load base/protocols/http
@load base/frameworks/notice
module SNIFFPASS;
...
#call the package by name
root@thm:~$ zeek -C -r http.pcap zeek-sniffpass
root@thm:~$ ls
clear-logs.sh conn.log files.log http.log http.pcap notice.log packet_filter.log
root@thm:~$ cat notice.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1647504684.298943 Cw0VgS29N0gBieUiVa 10.10.57.178 38706 44.228.249.3 80 - - - tcp SNIFFPASS::HTTP_POST_Password_Seen Password found for user BroZeek - 10.10.57.178 44.228.249.3 80 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
root@thm:~$ cat notice.log | zeek-cut msg
Password found for user BroZeek
Password found for user BroZeek
Password found for user BroZeek
Password found for user ZeekBro
Password found for user ZeekBro
* BroZeek appears three times and ZeekBro twice, so BroZeek is the username with more module hits
Investigate the case2.pcap file with geoip-conn module. Investigate the conn.log file. What is the name of the identified City?
root@thm:~$ cd Desktop/Exercise-Files/TASK-9
root@thm:~$ ls
cleartext-pass geoip-conn
root@thm:~$ cd geoip-conn
root@thm:~$ ls
case1.pcap case2.pcap clear-logs.sh sumstats-counttable.zeek
root@dco:~$ find / -iname "geoip*" 2>/dev/null
/opt/zeek/share/zeek/site/packages/geoip-conn
root@dco:~$ ls /opt/zeek/share/zeek/site/packages/geoip-conn
GeoLite2-ASN.mmdb GeoLite2-City.mmdb GeoLite2-Country.mmdb __load__.zeek geoip-conn.zeek
root@dco:~$ cat /opt/zeek/share/zeek/site/packages/geoip-conn/geoip-conn.zeek
##! Populate geolocation fields in the connection logs.
##! This package includes GeoLite2 data created by MaxMind, available from
##! https://www.maxmind.com
module Conn;
# The following redef ensuers the .mmdb included with this package is used
# out-of-the-box. If you delete that file, Zeek will fall back to looking in
# default locations. See this link for paths:
#
# https://github.com/zeek/zeek/blob/09483619ef0839cad189f22c4d5be3d66cedcf55/src/zeek.bif#L3964-L3971
redef mmdb_dir = @DIR;
...
#call the package by name
root@thm:~$ zeek -C -r case2.pcap geoip-conn
root@thm:~$ ls
case1.pcap clear-logs.sh dns.log http.log ssl.log x509.log
case2.pcap conn.log files.log packet_filter.log sumstats-counttable.zeek
root@thm:~$ cat conn.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents geo.orig.country_code geo.orig.region geo.orig.city geo.orig.latitude geo.orig.longitude geo.resp.country_code geo.resp.region geo.resp.city geo.resp.latitude geo.resp.longitude
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string string double double string string string double double
1561766548.962324 C7oGeVuzM68kBNPbc 10.6.29.101 49247 23.77.86.54 80 tcp http 0.072321 370 452 SF - - 0 ShADadFf 6 622 5 656 - - - - - - US IL Chicago 41.8874 -87.6318
root@thm:~$ cat conn.log | zeek-cut geo.resp.city
Chicago
Investigate the case2.pcap file with geoip-conn module. Investigate the conn.log file. Which IP address is associated with the identified City?
root@thm:~$ cd Desktop/Exercise-Files/TASK-9
root@thm:~$ ls
cleartext-pass geoip-conn
root@thm:~$ cd geoip-conn
root@thm:~$ ls
case1.pcap case2.pcap clear-logs.sh sumstats-counttable.zeek
root@dco:~$ find / -iname "geoip*" 2>/dev/null
/opt/zeek/share/zeek/site/packages/geoip-conn
root@dco:~$ ls /opt/zeek/share/zeek/site/packages/geoip-conn
GeoLite2-ASN.mmdb GeoLite2-City.mmdb GeoLite2-Country.mmdb __load__.zeek geoip-conn.zeek
root@dco:~$ cat /opt/zeek/share/zeek/site/packages/geoip-conn/geoip-conn.zeek
##! Populate geolocation fields in the connection logs.
##! This package includes GeoLite2 data created by MaxMind, available from
##! https://www.maxmind.com
module Conn;
# The following redef ensuers the .mmdb included with this package is used
# out-of-the-box. If you delete that file, Zeek will fall back to looking in
# default locations. See this link for paths:
#
# https://github.com/zeek/zeek/blob/09483619ef0839cad189f22c4d5be3d66cedcf55/src/zeek.bif#L3964-L3971
redef mmdb_dir = @DIR;
...
#call the package by name
root@thm:~$ zeek -C -r case2.pcap geoip-conn
root@thm:~$ ls
case1.pcap clear-logs.sh dns.log http.log ssl.log x509.log
case2.pcap conn.log files.log packet_filter.log sumstats-counttable.zeek
root@thm:~$ cat conn.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents geo.orig.country_code geo.orig.region geo.orig.city geo.orig.latitude geo.orig.longitude geo.resp.country_code geo.resp.region geo.resp.city geo.resp.latitude geo.resp.longitude
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string string string double double string string string double double
1561766548.962324 C7oGeVuzM68kBNPbc 10.6.29.101 49247 23.77.86.54 80 tcp http 0.072321 370 452 SF - - 0 ShADadFf 6 622 5 656 - - - - - - US IL Chicago 41.8874 -87.6318
root@thm:~$ cat conn.log | zeek-cut geo.resp.city id.resp_h
Chicago 23.77.86.54
Chicago 23.77.86.54
...
Investigate the case2.pcap file with sumstats-counttable.zeek script. How many types of status codes are there in the given traffic capture?
root@thm:~$ cd Desktop/Exercise-Files/TASK-9
root@thm:~$ ls
cleartext-pass geoip-conn
root@thm:~$ cd geoip-conn
root@thm:~$ ls
case1.pcap case2.pcap clear-logs.sh sumstats-counttable.zeek
root@thm:~$ cat sumstats-counttable.zeek
@load /opt/zeek/share/zeek/site/packages/zeek-sumstats-counttable
event zeek_init()
...
root@thm:~$ zeek -Cr case2.pcap sumstats-counttable.zeek
Host: 116.203.71.114
status code: 200, count: 26
status code: 404, count: 6
status code: 302, count: 4
status code: 301, count: 4
Host: 23.77.86.54
status code: 301, count: 4
* four distinct status codes appear across both hosts: 200, 301, 302 and 404
root@thm:~$ ls
case1.pcap case2.pcap clear-logs.sh conn.log dns.log files.log http.log packet_filter.log ssl.log sumstats-counttable.zeek x509.log
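The file-extraction, zeek-sniffpass and sumstats-counttable steps above all come down to reading Zeek's ASCII logs and tallying fields, which on the terminal is zeek-cut piped into sort and uniq. The script below is an added example, not code from the original page or from the Zeek project: a small reader that honours the log header directives (#separator, #fields, #unset_field, #empty_field) instead of assuming tabs, then (1) ties each name in extract_files back to its files.log row through the fuid embedded in the file name, (2) counts the SNIFFPASS notices per user, and (3) tallies HTTP status codes per responder the way sumstats-counttable prints them. The three log excerpts are constructed, trimmed to the columns used, and reuse the fuids, user names, hosts and status codes shown on this page; the 192.0.2.10 / 198.51.100.7 addresses in the files.log excerpt and the C000x uids are placeholders.

```python
"""Reading Zeek ASCII logs without zeek-cut. Added example, not code from the page or Zeek.
The log excerpts are CONSTRUCTED (columns trimmed, placeholder IPs and uids) but reuse the
fuids, user names, hosts and status codes shown in the walkthrough."""
import re
from collections import Counter


def read_zeek_log(text):
    """Parse a Zeek TSV log into dicts, honouring #separator, #fields,
    #unset_field (-> None) and #empty_field (-> '') instead of assuming tabs."""
    sep, unset, empty, fields, rows = "\t", "-", "(empty)", [], []
    for line in text.splitlines():
        if line.startswith("#separator "):  # written escaped, e.g. "\x09" for a tab
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "fields":
                fields = val.split(sep)
            elif key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
        elif line:
            rows.append({k: None if v == unset else "" if v == empty else v
                         for k, v in zip(fields, line.split(sep))})
    return rows


def _tsv(*rows):  # joins row tuples with tabs; only used to build the constructed samples
    return "\n".join("\t".join(r) for r in rows)


HEADER = "#separator \\x09\n#unset_field\t-\n#empty_field\t(empty)\n"
FILES_LOG = HEADER + _tsv(  # constructed; 192.0.2.10 / 198.51.100.7 are placeholder addresses
    ("#fields", "ts", "fuid", "tx_hosts", "rx_hosts", "source", "mime_type"),
    ("1561667874.743959", "Fpgan59p6uvNzLFja", "192.0.2.10", "198.51.100.7", "HTTP", "text/plain"),
    ("1561667889.703239", "FB5o2Hcauv7vpQ8y3", "192.0.2.10", "198.51.100.7", "HTTP", "application/msword"),
    ("1561667899.060086", "FOghls3WpIjKpvXaEl", "192.0.2.10", "198.51.100.7", "HTTP", "application/x-dosexec"),
)
NOTICE_LOG = HEADER + _tsv(  # constructed: 3 BroZeek hits, 2 ZeekBro hits, 1 unrelated notice
    ("#fields", "ts", "uid", "id.orig_h", "id.resp_h", "note", "msg"),
    *[("1647504684.298943", "C0001", "10.10.57.178", "44.228.249.3",
       "SNIFFPASS::HTTP_POST_Password_Seen", "Password found for user " + user)
      for user in ("BroZeek", "BroZeek", "ZeekBro", "BroZeek", "ZeekBro")],
    ("1647504690.000000", "C0002", "10.10.57.178", "44.228.249.3",
     "SSL::Invalid_Server_Cert", "SSL certificate validation failed"),
)
HTTP_LOG = HEADER + _tsv(  # constructed; the last request never saw a reply, so status_code is unset
    ("#fields", "ts", "uid", "id.orig_h", "id.resp_h", "method", "uri", "status_code"),
    ("1561766548.962324", "C0003", "10.6.29.101", "23.77.86.54", "GET", "/", "301"),
    ("1561766549.000000", "C0004", "10.6.29.101", "116.203.71.114", "GET", "/", "200"),
    ("1561766549.100000", "C0005", "10.6.29.101", "116.203.71.114", "GET", "/login", "302"),
    ("1561766549.200000", "C0006", "10.6.29.101", "116.203.71.114", "GET", "/favicon.ico", "404"),
    ("1561766549.300000", "C0007", "10.6.29.101", "116.203.71.114", "GET", "/index.html", "200"),
    ("1561766549.400000", "C0008", "10.6.29.101", "116.203.71.114", "GET", "/late", "-"),
)
# extract_files names look like extract-<ts>-<source>-<fuid>; the fuid is the join key to files.log
EXTRACT_NAME = re.compile(r"^extract-[0-9.]+-[A-Z0-9_]+-(F\w+)$")
USER_RE = re.compile(r"Password found for user (\S+)")


def describe_extracted(filenames, files_log):
    """Map carved file name -> (source, mime_type, tx_hosts, rx_hosts); names that do not
    match the pattern or whose fuid is not in files.log are dropped rather than guessed."""
    by_fuid = {r["fuid"]: r for r in read_zeek_log(files_log)}
    found = {}
    for name in filenames:
        m = EXTRACT_NAME.match(name)
        row = by_fuid.get(m[1]) if m else None
        if row:
            found[name] = (row["source"], row["mime_type"], row["tx_hosts"], row["rx_hosts"])
    return found


def sniffpass_hits(notice_log):
    """Count SNIFFPASS password notices per user name (the sort | uniq -c step, in code)."""
    hits = Counter()
    for r in read_zeek_log(notice_log):
        m = USER_RE.search(r["msg"] or "")
        if r["note"] == "SNIFFPASS::HTTP_POST_Password_Seen" and m:
            hits[m[1]] += 1
    return hits


def status_codes_by_host(http_log):
    """Per-responder status-code tally, what the page's sumstats-counttable script prints;
    requests with no reply have status_code None and are left out instead of counted as '-'."""
    tally = {}
    for r in read_zeek_log(http_log):
        if r["status_code"] is not None:
            tally.setdefault(r["id.resp_h"], Counter())[r["status_code"]] += 1
    return tally


def distinct_status_codes(http_log):
    """All status codes seen on any host, sorted; len() of this is the 'how many types' answer."""
    return sorted({c for counts in status_codes_by_host(http_log).values() for c in counts})


if __name__ == "__main__":
    names = ["extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja", "stray-notes.txt"]
    print(describe_extracted(names, FILES_LOG))
    print(sniffpass_hits(NOTICE_LOG).most_common())
    print({h: dict(c) for h, c in status_codes_by_host(HTTP_LOG).items()})
    print(len(distinct_status_codes(HTTP_LOG)), "status code types")
```

Run it with python3 and it prints the three tables for the constructed excerpts. When extract-all-files is loaded, files.log also carries an extracted column that names the carved file directly, so the regex join is only needed when the directory listing and the log are examined separately; and because the reader turns unset fields into None, a request that never received a reply drops out of the status tally instead of being counted as a "-" code, which is the kind of off-by-one that skews a "how many types" answer.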