ZEEK

NSM & ZEEK

What is the installed Zeek instance version number?

root@thm:~$ which zeek
 /opt/zeek/bin/zeek
root@thm:~$ zeek -v
 zeek version 4.2.1

What is the version of the ZeekControl module?

root@thm:~$ which zeekctl 
 /opt/zeek/bin/zeekctl
root@thm:~$ zeekctl   
 Warning: new zeek version detected (run the zeekctl "deploy" command)
 Welcome to ZeekControl 2.4.0
 Type "help" for help.
[ZeekControl] >

Investigate the "sample.pcap" file. What is the number of generated alert files?

root@thm:~$ cd Desktop/Exercise-Files
root@thm:~$ ls
 TASK-2  TASK-3  TASK-5  TASK-6  TASK-7  TASK-8  TASK-9  clear-logs.sh
root@thm:~$ cd Desktop/Exercise-Files/TASK-2
root@thm:~$ ls
 clear-logs.sh  sample.pcap
 
root@thm:~$ zeek -C -r sample.pcap
 * log files will be created in the background but no terminal output will be produced
root@thm:~$ ls
 clear-logs.sh  dhcp.log  ntp.log            sample.pcap  ssh.log
 conn.log       dns.log   packet_filter.log  snmp.log     syslog.log
 
 * the generated alert files are: conn.log, dhcp.log, dns.log, ntp.log, packet_filter.log, snmp.log, ssh.log, syslog.log

ZEEK LOGS

Investigate the sample.pcap file. Investigate the dhcp.log file. What is the available hostname?

root@thm:~$ cd Desktop/Exercise-Files
root@thm:~$ ls
 TASK-2  TASK-3  TASK-5  TASK-6  TASK-7  TASK-8  TASK-9  clear-logs.sh
root@thm:~$ cd Desktop/Exercise-Files/TASK-3
root@thm:~$ ls
 clear-logs.sh  sample.pcap
 
root@thm:~$ zeek -C -r sample.pcap
 * log files will be created in the background but no terminal output will be produced
root@thm:~$ ls
 clear-logs.sh  dhcp.log  ntp.log            sample.pcap  ssh.log
 conn.log       dns.log   packet_filter.log  snmp.log     syslog.log
 
 * the generated alert files are: conn.log, dhcp.log, dns.log, ntp.log, packet_filter.log, snmp.log, ssh.log, syslog.log
 
root@thm:~$ grep -rE "\bquery" ./dns.log

 * this cmd will quickly identify the log file where a field contains the name "query"

root@thm:~$ cat dns.log |zeek-cut query | uniq 
 blog.webernetz.net
 ip.webernetz.net

Investigate the sample.pcap file. Investigate the dns.log file. What is the number of unique DNS queries?

root@thm:~$ cd Desktop/Exercise-Files
root@thm:~$ ls
 TASK-2  TASK-3  TASK-5  TASK-6  TASK-7  TASK-8  TASK-9  clear-logs.sh
root@thm:~$ cd Desktop/Exercise-Files/TASK-3
root@thm:~$ ls
 clear-logs.sh  sample.pcap
 
root@thm:~$ zeek -C -r sample.pcap
 * log files will be created in the background but no terminal output will be produced
root@thm:~$ ls
 clear-logs.sh  dhcp.log  ntp.log            sample.pcap  ssh.log
 conn.log       dns.log   packet_filter.log  snmp.log     syslog.log
 
 * the generated alert files are: conn.log, dhcp.log, dns.log, ntp.log, packet_filter.log, snmp.log, ssh.log, syslog.log
 
root@thm:~$ grep -rE "\bquery" ./dns.log

 * this cmd will quickly identify the log file where a field contains the name "query"

root@thm:~$ cat dns.log |zeek-cut query | uniq 
 blog.webernetz.net
 ip.webernetz.net

Investigate the sample.pcap file. Investigate the conn.log file. What is the longest connection duration?

root@thm:~$ cd Desktop/Exercise-Files
root@thm:~$ ls
 TASK-2  TASK-3  TASK-5  TASK-6  TASK-7  TASK-8  TASK-9  clear-logs.sh
root@thm:~$ cd Desktop/Exercise-Files/TASK-3
root@thm:~$ ls
 clear-logs.sh  sample.pcap
 
root@thm:~$ zeek -C -r sample.pcap
 * log files will be created in the background but no terminal output will be produced
root@thm:~$ ls
 clear-logs.sh  dhcp.log  ntp.log            sample.pcap  ssh.log
 conn.log       dns.log   packet_filter.log  snmp.log     syslog.log
 
 * the generated alert files are: conn.log, dhcp.log, dns.log, ntp.log, packet_filter.log, snmp.log, ssh.log, syslog.log
 
root@thm:~$ grep -rE "\bdur" ./conn.log

 * this cmd will quickly identify the log file where a field contains the name "duration"

root@thm:~$ cat dns.log |zeek-cut duration
 59.206449
 307.422751
 305.791751
 -
 325.924370
 304.539681
 ...
 
root@thm:~$ cat conn.log |zeek-cut duration | sort -n
 332.319364
 
 * the -n sorts the output numerically

ZEEK SIGNATURES

Investigate the http.pcap file. Create the HTTP signature shown in the task and investigate the pcap. What is the source IP of the first event?

root@thm:~$ cd Desktop/Exercise-Files/TASK-5
root@thm:~$ ls
 ftp  http
root@thm:~$ cd http/
root@thm:~$ ls
 clear-logs.sh  http-password.sig  http.pcap
root@thm:~$ cat http-password.sig
 signature http-password {
   ip-proto == tcp
   dst-port == 80
   payload /??????????????/
   event "???????????????????????"
 }

 * copy the payload & event contents of the http-password.sig rule
 
root@thm:~$ nano http-password.sig
 signature http-password {
   ip-proto == tcp
   dst-port == 80
   payload /.*password.*/
   event "Cleartext Password Found!"
 }

root@thm:~$ zeek -C -r http.pcap -s http-password.sig
root@thm:~$ ls
 clear-logs.sh  files.log          http.log   notice.log         signatures.log
 conn.log       http-password.sig  http.pcap  packet_filter.log

#identify the pertinent fields
root@thm:~$ cat signatures.log 
 #fields	ts	uid	src_addr	src_port	dst_addr	dst_port	note	sig_id
 ...
root@thm:~$ cat signatures.log | zeek-cut src_addr src_port dst_addr dst_port event_msg
 10.10.57.178	38706	44.228.249.3	80	10.10.57.178: Cleartext PW Found!
 10.10.57.178	38712	44.228.249.3	80	10.10.57.178: Cleartext PW Found!

Investigate the http.pcap file. Create the HTTP signature shown in the task and investigate the pcap. What is the source port of the second event?

root@thm:~$ cd Desktop/Exercise-Files/TASK-5
root@thm:~$ ls
 ftp  http
root@thm:~$ cd http/
root@thm:~$ ls
 clear-logs.sh  http-password.sig  http.pcap
root@thm:~$ cat http-password.sig
 signature http-password {
   ip-proto == tcp
   dst-port == 80
   payload /??????????????/
   event "???????????????????????"
 }

 * copy the payload & event contents of the http-password.sig rule
 
root@thm:~$ nano http-password.sig
 signature http-password {
   ip-proto == tcp
   dst-port == 80
   payload /.*password.*/
   event "Cleartext Password Found!"
 }

root@thm:~$ zeek -C -r http.pcap -s http-password.sig
root@thm:~$ ls
 clear-logs.sh  files.log          http.log   notice.log         signatures.log
 conn.log       http-password.sig  http.pcap  packet_filter.log

#identify the pertinent fields
root@thm:~$ cat signatures.log 
 #fields	ts	uid	src_addr	src_port	dst_addr	dst_port	note	sig_id
 ...
root@thm:~$ cat signatures.log | zeek-cut src_addr src_port dst_addr dst_port event_msg
 10.10.57.178	38706	44.228.249.3	80	10.10.57.178: Cleartext PW Found!
 10.10.57.178	38712	44.228.249.3	80	10.10.57.178: Cleartext PW Found!

Investigate the conn.log. What is the total number of the sent and received packets from source port 38706?

root@thm:~$ cd Desktop/Exercise-Files/TASK-5
root@thm:~$ ls
 ftp  http
root@thm:~$ cd http/
root@thm:~$ ls
 clear-logs.sh  http-password.sig  http.pcap
root@thm:~$ cat http-password.sig
 signature http-password {
   ip-proto == tcp
   dst-port == 80
   payload /??????????????/
   event "???????????????????????"
 }

 * copy the payload & event contents of the http-password.sig rule
 
root@thm:~$ nano http-password.sig
 signature http-password {
   ip-proto == tcp
   dst-port == 80
   payload /.*password.*/
   event "Cleartext Password Found!"
 }

root@thm:~$ zeek -C -r http.pcap -s http-password.sig
root@thm:~$ ls
 clear-logs.sh  files.log          http.log   notice.log         signatures.log
 conn.log       http-password.sig  http.pcap  packet_filter.log

#identify the pertinent fields
root@thm:~$ cat conn.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents

root@thm:~$ cat conn.log | zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p orig_pkts resp_pkts
 10.10.57.178	38704	44.228.249.3	80	4	2
 10.10.57.178	38706	44.228.249.3	80	11	9
 10.10.57.178	38708	44.228.249.3	80	4	2
 10.10.57.178	38710	44.228.249.3	80	4	2
 10.10.57.178	38712	44.228.249.3	80	6	5

Create the global rule shown in the task and investigate the ftp.pcap file. Investigate the notice.log. What is the number of unique events?

root@thm:~$ cd Desktop/Exercise-Files/TASK-5
root@thm:~$ ls
 ftp  http
root@thm:~$ cd ftp
root@thm:~$ ls
 clear-logs.sh  ftp-bruteforce.sig  ftp.pcap
root@thm:~$ cat ftp-bruteforce.sig
 signature ftp-username {
   ip-proto == tcp
   ftp /???????????????????????????????/
   event "FTP Username Input Found!"
 }

 signature ftp-brute {
   ip-proto == tcp
   payload /?????????????????????????/
   event "FTP Brute-force Attempt!"
 }

 * copy the payload & event contents of the ftp-bruteforce.sig rule
 
root@thm:~$ BROWSER > https://datatracker.ietf.org/doc/html/rfc765
 530 Not logged in

root@thm:~$ nano http-password.sig
 signature ftp-username {
   ip-proto == tcp
   ftp /.*USER.*/
   event "FTP Username Input Found!"
 }

 signature ftp-brute {
   ip-proto == tcp
   payload /.*530.*Login.*incorrect.*/
   event "FTP Brute-force Attempt!"
 }

root@thm:~$ zeek -C -r ftp.pcap -s ftp-bruteforce.sig
root@thm:~$ ls
 clear-logs.sh  conn.log  ftp-bruteforce.sig  ftp.pcap  notice.log  packet_filter.log  signatures.log  weird.log

#identify the pertinent fields
root@thm:~$ cat notice.log | more
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
 ...
root@thm:~$ cat notice.log | zeek-cut uid | sort | uniq
 CzqT1E0kp0OjPPFDf
 CztIYiOrGdJ91JOr4
 Czx9DAxZCgUlefn32
 Czxu2n1OLi3rc5VqCi
 CzyfuO3aVGNxeGbK09
 CzywjFUzrWmHf3xMg
 ...
 
root@thm:~$ cat notice.log | zeek-cut uid | sort | uniq | wc -l
 1413

Create the global rule shown in the task and investigate the ftp.pcap file. Investigate the notice.log. What is the number of ftp-brute signature matches?

root@thm:~$ cd Desktop/Exercise-Files/TASK-5
root@thm:~$ ls
 ftp  http
root@thm:~$ cd ftp
root@thm:~$ ls
 clear-logs.sh  ftp-bruteforce.sig  ftp.pcap
root@thm:~$ cat ftp-bruteforce.sig
 signature ftp-username {
   ip-proto == tcp
   ftp /???????????????????????????????/
   event "FTP Username Input Found!"
 }

 signature ftp-brute {
   ip-proto == tcp
   payload /?????????????????????????/
   event "FTP Brute-force Attempt!"
 }

 * copy the payload & event contents of the ftp-bruteforce.sig rule
 
root@thm:~$ BROWSER > https://datatracker.ietf.org/doc/html/rfc765
 530 Not logged in

root@thm:~$ nano http-password.sig
 signature ftp-username {
   ip-proto == tcp
   ftp /.*USER.*/
   event "FTP Username Input Found!"
 }

 signature ftp-brute {
   ip-proto == tcp
   payload /.*530.*Login.*incorrect.*/
   event "FTP Brute-force Attempt!"
 }

root@thm:~$ zeek -C -r ftp.pcap -s ftp-bruteforce.sig
root@thm:~$ ls
 clear-logs.sh  conn.log  ftp-bruteforce.sig  ftp.pcap  notice.log  packet_filter.log  signatures.log  weird.log

#identify the pertinent fields
root@thm:~$ cat signatures.log | more
 #fields	ts	uid	src_addr	src_port	dst_addr	dst_port	note	sig_id	event_msg	sub_msg	sig_count	host_count

root@thm:~$ cat signatures.log  | zeek-cut sig_id event_msg
 ftp-username	10.234.125.254: FTP Username Input Found!
 ftp-brute	10.121.70.151: FTP Brute-force Attempt!
 ftp-brute	10.121.70.151: FTP Brute-force Attempt!
 ftp-brute	10.121.70.151: FTP Brute-force Attempt!
 ftp-brute	10.121.70.151: FTP Brute-force Attempt!
 ftp-brute	10.121.70.151: FTP Brute-force Attempt!
 ftp-brute	10.121.70.151: FTP Brute-force Attempt!
 ...
 
root@thm:~$ cat signatures.log | zeek-cut sig_id | grep "ftp-brute" | wc -l
 1410

ZEEK SCRIPTS: FUNDAMENTALS

Investigate the smallFlows.pcap file. Investigate the dhcp.log file. What is the domain value of the "vinlap01" host?

root@thm:~$ cd Desktop/Exercise-Files/TASK-6
root@thm:~$ ls
 bigflow  smallflow
root@thm:~$ cd smallflow
root@thm:~$ ls
 clear-logs.sh  dhcp-hostname.zeek  smallFlows.pcap
 
root@thm:~$ cat dhcp-hostname.zeek 
 event dhcp_message (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
 {
   print options$host_name;
 }
 
 * the first, second and fourth lines are the predefined syntaxes of the scripting 
   language.
    - the only part an analyst creates is the third line which tells Zeek to extract 
      DHCP hostnames

root@thm:~$ zeek -C -r smallFlows.pcap dhcp-hostname.zeek 
 student01-PC
 vinlap01
 1295981640.291600 expression error in ./dhcp-hostname.zeek, line 3: field value missing (options$host_name)

root@thm:~$ ls
 clear-logs.sh       dhcp.log  files.log          reporter.log     ssl.log
 conn.log            dns.log   http.log           smallFlows.pcap  weird.log
 dhcp-hostname.zeek  dpd.log   packet_filter.log  snmp.log         x509.log

#identify pertinent fields
root@thm:~$ cat dhcp.log
 #fields	ts	uids	client_addr	server_addr	mac	host_name	client_fqdn	domain	requested_addr	assigned_addr	lease_time	client_message	server_message	msg_types	duration
 #types	time	set[string]	addr	addr	string	string	string	string	addr	addr	intervalstring	string	vector[string]	interval
 1295981573.013593	Ck1jSY3fMuPQPSnhQk	192.168.3.131	-	40:61:86:9a:f1:f5	student01-PC	-	-	-	-	-	-	-	INFORM	0.000000
 1295981640.291009	ClTGlbGLPORFS6Pt7,C0lazw1EB6ujoJwrjb	172.16.255.1	-	00:1e:68:51:4f:a9vinlap01	-	astaro_vineyard	-	-	-	-	-	INFORM,ACK	0.000591

root@thm:~$ cat dhcp.log | zeek-cut domain
 astaro_vineyard

Investigate the bigFlows.pcap file. Investigate the dhcp.log file. What is the number of identified unique hostnames?

root@thm:~$ cd Desktop/Exercise-Files/TASK-6
root@thm:~$ ls
 bigflow  smallflow
root@thm:~$ cd bigflow
root@thm:~$ ls
 bigFlows.pcap  clear-logs.sh  dhcp-hostname.zeek
 
root@thm:~$ cat dhcp-hostname.zeek 
 event dhcp_message (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
 {
   print options$host_name;
 }
 
 * the first, second and fourth lines are the predefined syntaxes of the scripting 
   language.
    - the only part an analyst creates is the third line which tells Zeek to extract 
      DHCP hostnames

root@thm:~$ zeek -C -r bigFlows.pcap dhcp-hostname.zeek 
 JDT115
 1361916156.616130 expression error in ./dhcp-hostname.zeek, line 3: field value missing (options$host_name)
 JDT91
 m30-sqdesk
 ...

root@thm:~$ ls
 bigFlows.pcap       dhcp.log   kerberos.log       reporter.log     ssh.log
 clear-logs.sh       dns.log    ntlm.log           sip.log          ssl.log
 conn.log            dpd.log    ntp.log            smb_files.log    syslog.log
 dce_rpc.log         files.log  ocsp.log           smb_mapping.log  weird.log
 dhcp-hostname.zeek  http.log   packet_filter.log  snmp.log         x509.log

#identify pertinent fields
root@thm:~$ cat dhcp.log
 #fields	ts	uids	client_addr	server_addr	mac	host_name	client_fqdn	domain	requested_addr	assigned_addr	lease_time	client_message	server_message	msg_types	duration
 #types	time	set[string]	addr	addr	string	string	string	string	addr	addr	intervalstring	string	vector[string]	interval
 1361916156.615988	CAjLva3eNPcVKtRZXc,CGOhdf144CRNFGjkPd	172.16.133.24	-	00:21:70:67:69:d3JDT115	-	jaalam.net	-	-	-	-	-	INFORM,ACK	0.000142
 1361916159.858464	CxYUOyWRPqWGR27Ui	172.16.133.38	-	00:90:fb:38:0c:da	m30-sqdesk	-	-	-	-	-	-	-	REQUEST,REQUEST	11.007566
 ...
 
root@thm:~$ cat dhcp.log | zeek-cut host_name
 JDT115
 m30-sqdesk
 JDT91
 JDT100
 JDT094
 JDT096
 m30-sqdesk
 ... 
 
root@thm:~$ cat dhcp.log | zeek-cut host_name | sort -nr | uniq
 m30-sqdesk
 JLT108
 JDT95
 JDT91
 JDT80
 JDT168
 JDT153
 JDT134
 JDT131
 JDT123
 JDT120
 JDT115
 JDT107
 JDT100
 JDT096
 JDT094
 JDT081
 -
ubuntu@ip-10-10-246-29:~/Desktop/Exercise-Files/TASK-6/bigflow$ cat dhcp.log | zeek-cut host_name | sort -nr | uniq | wc -l
 18 (subtract 1 to exclude the "-")

Investigate the bigFlows.pcap file. Investigate the dhcp.log file. What is the identified domain value?

root@thm:~$ cd Desktop/Exercise-Files/TASK-6
root@thm:~$ ls
 bigflow  smallflow
root@thm:~$ cd bigflow
root@thm:~$ ls
 bigFlows.pcap  clear-logs.sh  dhcp-hostname.zeek
 
root@thm:~$ cat dhcp-hostname.zeek 
 event dhcp_message (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
 {
   print options$host_name;
 }
 
 * the first, second and fourth lines are the predefined syntaxes of the scripting 
   language.
    - the only part an analyst creates is the third line which tells Zeek to extract 
      DHCP hostnames

root@thm:~$ zeek -C -r bigFlows.pcap dhcp-hostname.zeek 
 JDT115
 1361916156.616130 expression error in ./dhcp-hostname.zeek, line 3: field value missing (options$host_name)
 JDT91
 m30-sqdesk
 ...

root@thm:~$ ls
 bigFlows.pcap       dhcp.log   kerberos.log       reporter.log     ssh.log
 clear-logs.sh       dns.log    ntlm.log           sip.log          ssl.log
 conn.log            dpd.log    ntp.log            smb_files.log    syslog.log
 dce_rpc.log         files.log  ocsp.log           smb_mapping.log  weird.log
 dhcp-hostname.zeek  http.log   packet_filter.log  snmp.log         x509.log

#identify pertinent fields
root@thm:~$ cat dhcp.log
 #fields	ts	uids	client_addr	server_addr	mac	host_name	client_fqdn	domain	requested_addr	assigned_addr	lease_time	client_message	server_message	msg_types	duration
 #types	time	set[string]	addr	addr	string	string	string	string	addr	addr	intervalstring	string	vector[string]	interval
 1361916156.615988	CAjLva3eNPcVKtRZXc,CGOhdf144CRNFGjkPd	172.16.133.24	-	00:21:70:67:69:d3JDT115	-	jaalam.net	-	-	-	-	-	INFORM,ACK	0.000142
 1361916159.858464	CxYUOyWRPqWGR27Ui	172.16.133.38	-	00:90:fb:38:0c:da	m30-sqdesk	-	-	-	-	-	-	-	REQUEST,REQUEST	11.007566
 ...
 
root@thm:~$ cat dhcp.log | zeek-cut domain
 jaalam.net
 ...
 
root@thm:~$ cat dhcp.log | zeek-cut domain | sort -nr | uniq
 
root@thm:~$ cat dhcp.log | zeek-cut domain | sort -nr | uniq
 jaalam.net
 -

ZEEK SCRIPTS: SIGNATURES

Investigate the sample.pcap file with 103.zeek script. Investigate the terminal output. What is the number of the detected new connections?

root@thm:~$ cd Desktop/Exercise-Files/TASK-7
root@thm:~$ ls
 101  201  202
root@thm:~$ cd 101
root@thm:~$ ls
 101.zeek  102.zeek  103.zeek  clear-logs.sh  sample.pcap

root@thm:~$ cat 103.zeek 
 event new_connection(c: connection)
 {
   print ("###########################################################");
   print ("");
   print ("New Connection Found!");
   print ("");
   print fmt ("Source Host: %s # %s --->", c$id$orig_h, c$id$orig_p);
   print fmt ("Destination Host: resp: %s # %s <---", c$id$resp_h, c$id$resp_p);
   print ("");
 }

root@thm:~$ zeek -C -r sample.pcap 103.zeek >> newConn
root@thm:~$ cat newConn
 ###########################################################
 New Connection Found!

 Source Host: 192.168.121.2 # 54445/udp --->
 Destination Host: resp: 192.168.110.10 # 69/udp <---

 ###########################################################

 New Connection Found!

 Source Host: 192.168.110.10 # 1556/udp --->
 Destination Host: resp: 192.168.121.2 # 54445/udp <---

 ###########################################################

 New Connection Found!

 Source Host: 192.168.121.40 # 123/udp --->
 Destination Host: resp: 212.227.54.68 # 123/udp <---

root@thm:~$ cat newConn | grep "New Connection Found!" | wc -l
 87

Investigate the ftp.pcap file with ftp-admin.sig signature and 201.zeek script. Investigate the signatures.log file. What is the number of signature hits?

root@thm:~$ cd Desktop/Exercise-Files/TASK-7
root@thm:~$ ls
 101  201  202
root@thm:~$ cd 201
root@thm:~$ ls
 201.zeek  clear-logs.sh  ftp-admin.sig  ftp.pcap

root@thm:~$ cat 201.zeek 
 event signature_match (state: signature_state, msg: string, data: string)
 {
   if (state$sig_id == "ftp-admin")
   {
     print ("Signature hit! --> #FTP-Admin ");
   }
 }

root@thm:~$ cat ftp-admin.sig 
 signature ftp-admin {
   ip-proto == tcp
   ftp /.*USER.*admin.*/
   event "FTP Username Input Found!"
 }

root@thm:~$ zeek -C -r ftp.pcap -s ftp-admin.sig 201.zeek
 Signature hit! --> #FTP-Admin
 Signature hit! --> #FTP-Admin 
 ...
 
root@thm:~$ ls 
 201.zeek       conn.log       ftp.pcap    packet_filter.log  weird.log
 clear-logs.sh  ftp-admin.sig  notice.log  signatures.log

root@thm:~$ head signature.log
 #fields	ts	uid	src_addr	src_port	dst_addr	dst_port	note	sig_id	event_msg	sub_msg	sig_count	host_count
 #types	time	string	addr	port	addr	port	enum	string	string	string	count	count
 1024380731.210890	C9x2tG2ib3mDnZwjxd	10.234.125.254	2228	10.121.70.151	21	Signatures::Sensitive_Signature	ftp-admin	10.234.125.254: FTP Username Input Found!	USER admin	-	-
 1024380731.267148	CasjJv2h3bXRnC2si9	10.234.125.254	2225	10.121.70.151	21	Signatures::Sensitive_Signature	ftp-admin	10.234.125.254: FTP Username Input Found!	USER admin	-	-

root@thm:~$ cat signatures.log | grep ftp-admin | wc -l
 1401

Investigate the signatures.log file. What is the total number of "administrator" username detections?

root@thm:~$ cd Desktop/Exercise-Files/TASK-7
root@thm:~$ ls
 101  201  202
root@thm:~$ cd 201
root@thm:~$ ls
 201.zeek  clear-logs.sh  ftp-admin.sig  ftp.pcap

root@thm:~$ cat 201.zeek 
 event signature_match (state: signature_state, msg: string, data: string)
 {
   if (state$sig_id == "ftp-admin")
   {
     print ("Signature hit! --> #FTP-Admin ");
   }
 }

root@thm:~$ cat ftp-admin.sig 
 signature ftp-admin {
   ip-proto == tcp
   ftp /.*USER.*admin.*/
   event "FTP Username Input Found!"
 }

root@thm:~$ zeek -C -r ftp.pcap -s ftp-admin.sig 201.zeek
 Signature hit! --> #FTP-Admin
 Signature hit! --> #FTP-Admin 
 ...
 
root@thm:~$ ls 
 201.zeek       conn.log       ftp.pcap    packet_filter.log  weird.log
 clear-logs.sh  ftp-admin.sig  notice.log  signatures.log

root@thm:~$ head signature.log
 #fields	ts	uid	src_addr	src_port	dst_addr	dst_port	note	sig_id	event_msg	sub_msg	sig_count	host_count
 #types	time	string	addr	port	addr	port	enum	string	string	string	count	count
 1024380731.210890	C9x2tG2ib3mDnZwjxd	10.234.125.254	2228	10.121.70.151	21	Signatures::Sensitive_Signature	ftp-admin	10.234.125.254: FTP Username Input Found!	USER admin	-	-
 1024380731.267148	CasjJv2h3bXRnC2si9	10.234.125.254	2225	10.121.70.151	21	Signatures::Sensitive_Signature	ftp-admin	10.234.125.254: FTP Username Input Found!	USER admin	-	-

root@thm:~$ cat signatures.log | grep administrator | wc -l
 731

Investigate the ftp.pcap file with all local scripts, and investigate the loaded_scripts.log file. What is the total number of loaded scripts?

root@thm:~$ cd Desktop/Exercise-Files/TASK-7
root@thm:~$ ls
 101  201  202
root@thm:~$ cd 201
root@thm:~$ ls
 201.zeek  clear-logs.sh  ftp-admin.sig  ftp.pcap

root@thm:~$ zeek -C -r ftp.pcap local
 WARNING: No Site::local_nets have been defined.  It's usually a good idea to define your local networks.

root@thm:~$ ls 
 clear-logs.sh  ftp-admin.sig  loaded_scripts.log  stats.log
 capture_loss.log  conn.log       ftp.pcap       packet_filter.log   weird.log
 
root@thm:~$ head signature.log
 #fields	name
 #types	string
 /opt/zeek/share/zeek/base/init-bare.zeek
 /opt/zeek/share/zeek/base/bif/const.bif.zeek

root@thm:~$ cat loaded_scripts.log | grep -v "#"
 /opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp.zeek
 /opt/zeek/share/zeek/policy/frameworks/intel/seen/smtp-url-extraction.zeek
 /opt/zeek/share/zeek/policy/frameworks/intel/seen/x509.zeek
 ...

root@thm:~$ cat loaded_scripts.log | grep -v "#" | wc -l
 498

Investigate the ftp-brute.pcap file with "/opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek" script. Investigate the notice.log file. What is the total number of brute-force detections?

root@thm:~$ cd Desktop/Exercise-Files/TASK-7
root@thm:~$ ls
 101  201  202
root@thm:~$ cd 202
root@thm:~$ ls
 clear-logs.sh  ftp-brute.pcap  ftp.pcap
 
 
root@thm:~$ cat /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek
 #! FTP brute-forcing detector, triggering when too many rejected usernames or
 ##! failed passwords have occurred from a single address.

 @load base/protocols/ftp
 @load base/frameworks/sumstats

 @load base/utils/time

 module FTP;

 export {
	redef enum Notice::Type += {
		## Indicates a host bruteforcing FTP logins by watching for too
		## many rejected usernames or failed passwords.
		Bruteforcing
	};

	## How many rejected usernames or passwords are required before being
	## considered to be bruteforcing.
 ...
 
root@thm:~$ zeek -C -r ftp-brute.pcap /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek

root@thm:~$ ls
 clear-logs.sh  conn.log  ftp-brute.pcap  ftp.pcap  notice.log  packet_filter.log  weird.log
 
root@thm:~$ head notice.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
 #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval	string	string	string	double	double
 1024380732.223481	-	-	-	-	-	-	-	-	-	FTP::Bruteforcing	10.234.125.254 had 20 failed logins on 1 FTP server in 0m1s	-	10.234.125.254	-	-	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-

root@thm:~$ cat notice.log | grep "FTP::Brut*"
 1024380732.223481	-	-	-	-	-	-	-	-	-	FTP::Bruteforcing	10.234.125.254 had 20 failed logins on 1 FTP server in 0m1s	-	10.234.125.254	-	-	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
 1389721084.522861	-	-	-	-	-	-	-	-	-	FTP::Bruteforcing	192.168.56.1 had 20 failed logins on 1 FTP server in 0m37s	-	192.168.56.1	-	-	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-

root@thm:~$ cat notice.log | grep "FTP::Brut*" | wc -l
 2

ZEEK SCRIPTS: FRAMEWORKS

Investigate the case1.pcap file with intelligence-demo.zeek script. Investigate the intel.log file. Look at the second finding, where was the intel info found?

root@thm:~$ cd Desktop/Exercise-Files/TASK-8
root@thm:~$ ls
 case1.pcap  clear-logs.sh  file-extract-demo.zeek  hash-demo.zeek  intelligence-demo.zeek
root@thm:~$ cat intelligence-demo.zeek
 # Load intelligence framework!
 @load /opt/zeek/share/zeek/policy/frameworks/intel/seen
 @load /opt/zeek/share/zeek/policy/frameworks/intel/do_notice.zeek
 redef Intel::read_files += { "/opt/zeek/intel/zeek_intel.txt" };
 
root@thm:~$ zeek -C -r case1.pcap intelligence-demo.zeek
root@thm:~$ ls
 case1.pcap     dhcp.log                files.log       intel.log               pe.log
 clear-logs.sh  dns.log                 hash-demo.zeek  intelligence-demo.zeek
 conn.log       file-extract-demo.zeek  http.log        packet_filter.log

root@thm:~$ cat intel.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	seen.indicator	seen.indicator_type	seen.where	seen.node	matched	sources	fuid	file_mime_type	file_desc
 #types	time	string	addr	port	addr	port	string	enum	enum	string	set[enum]	set[string]	string	string	string
 1561667898.779213	C2CbcG26BMyZCrXnmh	10.6.27.102	53770	10.6.27.1	53	smart-fax.com	Intel::DOMAIN	DNS::IN_REQUEST	zeek	Intel::DOMAIN	TASK-8-Demo	-	-	-
 1561667898.911759	CfQQgQTipHqVBnvSh	10.6.27.102	49162	107.180.50.162	80	smart-fax.com	Intel::DOMAIN	HTTP::IN_HOST_HEADER	zeek	Intel::DOMAIN	TASK-8-Demo	-	-	-
 
root@thm:~$ cat intel.log | zeek-cut seen.where
 DNS::IN_REQUEST
 HTTP::IN_HOST_HEADER

nvestigate the case1.pcap file with intelligence-demo.zeek script. Investigate the http.log file. What is the name of the downloaded .exe file?

root@thm:~$ cd Desktop/Exercise-Files/TASK-8
root@thm:~$ ls
 case1.pcap  clear-logs.sh  file-extract-demo.zeek  hash-demo.zeek  intelligence-demo.zeek
root@thm:~$ cat intelligence-demo.zeek
 # Load intelligence framework!
 @load /opt/zeek/share/zeek/policy/frameworks/intel/seen
 @load /opt/zeek/share/zeek/policy/frameworks/intel/do_notice.zeek
 redef Intel::read_files += { "/opt/zeek/intel/zeek_intel.txt" };
 
root@thm:~$ zeek -C -r case1.pcap intelligence-demo.zeek
root@thm:~$ ls
 case1.pcap     dhcp.log                files.log       intel.log               pe.log
 clear-logs.sh  dns.log                 hash-demo.zeek  intelligence-demo.zeek
 conn.log       file-extract-demo.zeek  http.log        packet_filter.log

root@thm:~$ cat http.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	trans_depth	method	host	uri	referrer	version	user_agent	origin	request_body_len	response_body_len	status_code	status_msg	info_code	info_msg	tags	username	password	proxied	orig_fuids	orig_filenames	orig_mime_types	resp_fuids	resp_filenames	resp_mime_types
 #types	time	string	addr	port	addr	port	count	string	string	string	string	string	string	string	count	count	count	string	count	string	set[enum]	string	string	set[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]	vector[string]
 1561667874.713411	CBeR9d3RW63znDZY62	10.6.27.102	49157	23.63.254.163	80	1	GET	www.msftncsi.com	/ncsi.txt	-	1.1	Microsoft NCSI	-	0	14	200	OK	-	-	(empty)	-	-	-	-	-	-	Fpgan59p6uvNzLFja	-	text/plain
 1561667889.643717	CrQiLZ1aWt2zkKmHB1	10.6.27.102	49159	107.180.50.162	80	1	GET	smart-fax.com	/Documents/Invoice&MSO-Request.doc	-	1.1	Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko	-	0	323072	200	OK	-	-	(empty)	-	-	-	-	-	-	FB5o2Hcauv7vpQ8y3	-	application/msword
 1561667898.911759	CfQQgQTipHqVBnvSh	10.6.27.102	49162	107.180.50.162	80	1	GET	smart-fax.com	/knr.exe	-	1.1	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	-	0	2437120	200	OK	-	-	(empty)	-	--	-	-	-	FOghls3WpIjKpvXaEl	-	application/x-dosexec

root@thm:~$ cat http.log | zeek-cut uri 
 /ncsi.txt
 /Documents/Invoice&MSO-Request.doc
 /knr.exe

Investigate the case1.pcap file with hash-demo.zeek script. Investigate the files.log file. What is the MD5 hash of the downloaded .exe file?

root@thm:~$ cd Desktop/Exercise-Files/TASK-8
root@thm:~$ ls
 case1.pcap  clear-logs.sh  file-extract-demo.zeek  hash-demo.zeek  intelligence-demo.zeek
root@thm:~$ cat hash-demo.zeek
 # Enable MD5, SHA1 and SHA256 hashing for all files.
 @load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
 
root@thm:~$ zeek -C -r case1.pcap hash-demo.zeek
root@thm:~$ ls
 case1.pcap  clear-logs.sh  conn.log  dhcp.log  dns.log  file-extract-demo.zeek  files.log  hash-demo.zeek  http.log  intelligence-demo.zeek  packet_filter.log  pe.log

root@thm:~$ cat files.log
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256	extracted	extracted_cutoff	extracted_size
 #types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string	string	bool	count
 1561667874.743959	Fpgan59p6uvNzLFja	23.63.254.163	10.6.27.102	CQP7Mi4HUOPGcPM9lb	HTTP	0	SHA1,MD5	text/plain	-	0.000000	-	F	14	14	0	0F	-	cd5a4d3fdd5bffc16bf959ef75cf37bc	33bf88d5b82df3723d5863c7d23445e345828904	-	-	-	-
 1561667889.703239	FB5o2Hcauv7vpQ8y3	107.180.50.162	10.6.27.102	C0d8Sz2HCrBEXNcEf	HTTP	0	SHA1,MD5	application/msword	-	4.386569	-	F	323072	-	00	F	-	b5243ec1df7d1d5304189e7db2744128	a66bd2557016377dfb95a87c21180e52b23d2e4e	-	-	-	-
 1561667899.060086	FOghls3WpIjKpvXaEl	107.180.50.162	10.6.27.102	CHwAij1Q2bSTESk3ad	HTTP	0	SHA1,MD5,PE	application/x-dosexec	-	0.498764	-	F	2437120	-	00	F	-	cc28e40b46237ab6d5282199ef78c464	0d5c820002cf93384016bd4a2628dcc5101211f4	-	-	-	-


root@thm:~$ cat files.log | zeek-cut md5 sha1 sha256
 text/plain	cd5a4d3fdd5bffc16bf959ef75cf37bc	33bf88d5b82df3723d5863c7d23445e345828904	-
 application/msword	b5243ec1df7d1d5304189e7db2744128	a66bd2557016377dfb95a87c21180e52b23d2e4e	-
 application/x-dosexec	cc28e40b46237ab6d5282199ef78c464	0d5c820002cf93384016bd4a2628dcc5101211f4	-

Investigate the case1.pcap file with file-extract-demo.zeek script. Investigate the "extract_files" folder. Review the contents of the text file. What is written in the file?

root@thm:~$ cd Desktop/Exercise-Files/TASK-8
root@thm:~$ ls
 case1.pcap  clear-logs.sh  file-extract-demo.zeek  hash-demo.zeek  intelligence-demo.zeek
root@thm:~$ cat file-extract-demo.zeek
 # Load file extract framework!
 @load /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek

 
root@thm:~$ zeek -C -r case1.pcap file-extract-demo.zeek
root@thm:~$ ls
 case1.pcap  clear-logs.sh  conn.log  dhcp.log  dns.log  extract_files  file-extract-demo.zeek  files.log  hash-demo.zeek  http.log  intelligence-demo.zeek  packet_filter.log  pe.log

root@thm:~$ cd extract_files
root@thm:~$ ls
 extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja  extract-1561667889.703239-HTTP-FB5o2Hcauv7vpQ8y3  extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl

root@thm:~$ file * | nl
 1 extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja:  ASCII text, with no line terminators
 2 extract-1561667889.703239-HTTP-FB5o2Hcauv7vpQ8y3:  Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Template: Normal.dotm, Last Saved By: Administrator, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jun 27 18:24:00 2019, Last Saved Time/Date: Thu Jun 27 18:24:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
 3 extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl: PE32 executable (GUI) Intel 80386, for MS Windows

root@thm:~$ cat extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja 
 Microsoft NCSI

ZEEK SCRIPTS: PACKAGES

Investigate the http.pcap file with the zeek-sniffpass module. Investigate the notice.log file. Which username has more module hits?

root@thm:~$ cd Desktop/Exercise-Files/TASK-9
root@thm:~$ ls
 cleartext-pass  geoip-conn
root@thm:~$ cd cleartext-pass
root@thm:~$ ls
 clear-logs.sh  http.pcap
 
root@dco:~$ find / -iname "zeek-sniffpass" 2>/dev/null
 /opt/zeek/share/zeek/site/packages/zeek-sniffpass
 
root@dco:~$ ls /opt/zeek/share/zeek/site/packages/zeek-sniffpass
 __load__.zeek  main.zeek

root@dco:~$ cat /opt/zeek/share/zeek/site/packages/zeek-sniffpass/main.zeek
 @load base/protocols/http
 @load base/frameworks/notice
 module SNIFFPASS;
 ...



#call the package by name
root@thm:~$ zeek -C -r http.pcap zeek-sniffpass
root@thm:~$ ls
 clear-logs.sh  conn.log  files.log  http.log  http.pcap  notice.log  packet_filter.log

root@thm:~$ cat notice.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
 #types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval	string	string	string	double	double
 1647504684.298943	Cw0VgS29N0gBieUiVa	10.10.57.178	38706	44.228.249.3	80	-	--	tcp	SNIFFPASS::HTTP_POST_Password_Seen	Password found for user BroZeek	-	10.10.57.178	44.228.249.3	80	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	--	-	-

root@thm:~$ cat notice.log | zeek-cut msg
 Password found for user BroZeek
 Password found for user BroZeek
 Password found for user BroZeek
 Password found for user ZeekBro
 Password found for user ZeekBro

Investigate the case2.pcap file with geoip-conn module. Investigate the conn.log file. What is the name of the identified City?

root@thm:~$ cd Desktop/Exercise-Files/TASK-9
root@thm:~$ ls
 cleartext-pass  geoip-conn
root@thm:~$ cd geoip-conn
root@thm:~$ ls
 case1.pcap  case2.pcap  clear-logs.sh  sumstats-counttable.zeek
 
root@dco:~$ find / -iname "geoip*" 2>/dev/null
 /opt/zeek/share/zeek/site/packages/geoip-conn
 
root@dco:~$ ls /opt/zeek/share/zeek/site/packages/geoip-conn
 GeoLite2-ASN.mmdb  GeoLite2-City.mmdb  GeoLite2-Country.mmdb  __load__.zeek  geoip-conn.zeek


root@dco:~$ cat /opt/zeek/share/zeek/site/packages/geoip-conn/geoip-conn.zeek
 ##! Populate geolocation fields in the connection logs.
 ##! This package includes GeoLite2 data created by MaxMind, available from
 ##! https://www.maxmind.com
 module Conn;
 
 # The following redef ensuers the .mmdb included with this package is used
 # out-of-the-box. If you delete that file, Zeek will fall back to looking in
 # default locations. See this link for paths:
 #
 # https://github.com/zeek/zeek/blob/09483619ef0839cad189f22c4d5be3d66cedcf55/src/zeek.bif#L3964-L3971
 
 redef mmdb_dir = @DIR;
 ...

#call the package by name
root@thm:~$ zeek -C -r case2.pcap geoip-conn
root@thm:~$ ls
 case1.pcap  clear-logs.sh  dns.log    http.log           ssl.log    x509.log
 case2.pcap  conn.log       files.log  packet_filter.log  sumstats-counttable.zeek

root@thm:~$ cat conn.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	serviceduration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	geo.orig.country_code	geo.orig.region	geo.orig.city	geo.orig.latitude	geo.orig.longitude	geo.resp.country_code	geo.resp.region	geo.resp.city	geo.resp.latitude	geo.resp.longitude
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	string	string	string	double	double	string	string	string	double	double
 1561766548.962324	C7oGeVuzM68kBNPbc	10.6.29.101	49247	23.77.86.54	80	tcp	http	0.072321	370	452	SF	-	-	0	ShADadFf	6	622	5656	-	-	-	-	-	-	US	IL	Chicago	41.8874	-87.6318

root@thm:~$ cat conn.log | zeek-cut geo.resp.city
 Chicago

Investigate the case2.pcap file with geoip-conn module. Investigate the conn.log file. Which IP address is associated with the identified City?

root@thm:~$ cd Desktop/Exercise-Files/TASK-9
root@thm:~$ ls
 cleartext-pass  geoip-conn
root@thm:~$ cd geoip-conn
root@thm:~$ ls
 case1.pcap  case2.pcap  clear-logs.sh  sumstats-counttable.zeek
 
root@dco:~$ find / -iname "geoip*" 2>/dev/null
 /opt/zeek/share/zeek/site/packages/geoip-conn
 
root@dco:~$ ls /opt/zeek/share/zeek/site/packages/geoip-conn
 GeoLite2-ASN.mmdb  GeoLite2-City.mmdb  GeoLite2-Country.mmdb  __load__.zeek  geoip-conn.zeek


root@dco:~$ cat /opt/zeek/share/zeek/site/packages/geoip-conn/geoip-conn.zeek
 ##! Populate geolocation fields in the connection logs.
 ##! This package includes GeoLite2 data created by MaxMind, available from
 ##! https://www.maxmind.com
 module Conn;
 
 # The following redef ensuers the .mmdb included with this package is used
 # out-of-the-box. If you delete that file, Zeek will fall back to looking in
 # default locations. See this link for paths:
 #
 # https://github.com/zeek/zeek/blob/09483619ef0839cad189f22c4d5be3d66cedcf55/src/zeek.bif#L3964-L3971
 
 redef mmdb_dir = @DIR;
 ...

#call the package by name
root@thm:~$ zeek -C -r case2.pcap geoip-conn
root@thm:~$ ls
 case1.pcap  clear-logs.sh  dns.log    http.log           ssl.log    x509.log
 case2.pcap  conn.log       files.log  packet_filter.log  sumstats-counttable.zeek

root@thm:~$ cat conn.log
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	serviceduration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	geo.orig.country_code	geo.orig.region	geo.orig.city	geo.orig.latitude	geo.orig.longitude	geo.resp.country_code	geo.resp.region	geo.resp.city	geo.resp.latitude	geo.resp.longitude
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	string	string	string	double	double	string	string	string	double	double
 1561766548.962324	C7oGeVuzM68kBNPbc	10.6.29.101	49247	23.77.86.54	80	tcp	http	0.072321	370	452	SF	-	-	0	ShADadFf	6	622	5656	-	-	-	-	-	-	US	IL	Chicago	41.8874	-87.6318

root@thm:~$ cat conn.log | zeek-cut geo.resp.city id.resp_h
 Chicago	23.77.86.54
 Chicago	23.77.86.54
 ...

Investigate the case2.pcap file with sumstats-counttable.zeek script. How many types of status codes are there in the given traffic capture?

root@thm:~$ cd Desktop/Exercise-Files/TASK-9
root@thm:~$ ls
 cleartext-pass  geoip-conn
root@thm:~$ cd geoip-conn
root@thm:~$ ls
 case1.pcap  case2.pcap  clear-logs.sh  sumstats-counttable.zeek
 
root@thm:~$ cat sumstats-counttable.zeek
 @load /opt/zeek/share/zeek/site/packages/zeek-sumstats-counttable
 event zeek_init()
 ...

root@thm:~$ zeek -Cr case2.pcap sumstats-counttable.zeek 
 Host: 116.203.71.114
 status code: 200, count: 26
 status code: 404, count: 6
 status code: 302, count: 4
 status code: 301, count: 4
 Host: 23.77.86.54
 status code: 301, count: 4

root@thm:~$ ls
 case1.pcap  case2.pcap  clear-logs.sh  conn.log  dns.log  files.log  http.log  packet_filter.log  ssl.log  sumstats-counttable.zeek  x509.log

PreviousNETWORK MINER NextBRIM

Last updated 10 months ago