EVENT CORRELATION

USER-DEFINED EVENT SCRIPT W/ SIGNATURE SCRIPTS

This method combines a Zeek user-defined event script with a signature script: the signature matches traffic, and the event handler reacts to the match.

#this event script detects when the previously created "ftp-admin" signature fires.

root@dco:~$ BROWSER > https://docs.zeek.org/en/master/scripts/base/bif/event.bif.zeek.html
 events: signature_match
 
root@dco:~$ nano zeekScripts-FTP.zeek
 # Handler for Zeek's built-in signature_match event, raised each time a
 # signature from a loaded .sig file matches traffic.
 #   state - signature_state; state$sig_id holds the id of the signature that matched
 #   msg   - the message string given in the matching signature's "event" line
 #   data  - the matching data (not used by this handler)
 event signature_match (state: signature_state, msg: string, data: string)
 {
   # React only to the "ftp-admin" signature; matches of any other
   # loaded signature fall through silently.
   if (state$sig_id == "ftp-admin")
   {
     print ("Signature hit! --> #FTP-Admin ");
   }
 }
#signature script: defines the "ftp-admin" rule that the event handler above checks for

root@dco:~$ nano ftp-admin.sig
 # Signature "ftp-admin"; the id is what the signature_match handler
 # compares against state$sig_id.
 signature ftp-admin {
   # Restrict matching to TCP traffic.
   ip-proto == tcp
   # FTP-layer pattern. It is unanchored, so any USER command whose line
   # also contains "admin" (e.g. "administrator") matches as well.
   ftp /.*USER.*admin.*/
   # Message delivered as the msg argument of signature_match on a hit.
   event "FTP Username Input Found!"
 }
#correlation: run the signature file and the event script together against the pcap
root@dco:~$ zeek -C -r ftp.pcap -s ftp-admin.sig 201.zeek 
 Signature hit! --> #FTP-Admin
 Signature hit! --> #FTP-Admin
 Signature hit! --> #FTP-Admin
 Signature hit! --> #FTP-Admin

LOCAL BASE SCRIPTS EVENT CORRELATION

#this loads and runs all the local base scripts against a pcap; the .log files listed below are their output
root@dco:~$ zeek -C -r ftp.pcap local 
root@dco:~$ ls
 101.zeek  103.zeek          clear-logs.sh  ftp.pcap            packet_filter.log  stats.log
 102.zeek  capture_loss.log  conn.log       loaded_scripts.log  sample.pcap        weird.log 
#this loads and runs one specific local base script against a pcap
root@dco:~$ zeek -C -r ftp.pcap /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek 

root@dco:~$ cat notice.log | zeek-cut ts note msg 
 1024380732.223481	FTP::Bruteforcing	10.234.125.254 had 20 failed logins on 1 FTP server in 0m1s
