EVENT CORRELATION
USER-DEFINED EVENT SCRIPT W/ SIGNATURE SCRIPTS
This method combines a Zeek user-defined event script (a handler for the signature_match event) with a signature (.sig) script: the signature file does the matching, the event script decides what happens on a hit.
#this is an event script that detects if our previously created "ftp-admin" rule has a hit.
root@dco:~$ BROWSER > https://docs.zeek.org/en/master/scripts/base/bif/event.bif.zeek.html
events: signature_match
root@dco:~$ nano zeekScripts-FTP.zeek
# Fires for every hit raised by any loaded signature; only the "ftp-admin"
# signature from ftp-admin.sig is of interest here. `msg` carries the
# signature's event string and `data` the payload chunk that matched (per
# the Zeek signature_match documentation); both are discarded, and the hit
# goes to stdout via print, so nothing ties it back to a host. Outside a
# lab exercise, raise a NOTICE (notice.log) and include state$conn$id
# rather than printing.
event signature_match(state: signature_state, msg: string, data: string)
	{
	# Bail out early on hits from any other signature.
	if ( state$sig_id != "ftp-admin" )
		return;

	print "Signature hit! --> #FTP-Admin ";
	}
#signature script
root@dco:~$ nano ftp-admin.sig
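# Flag FTP logins that present the username "admin".
# The "ftp" context is matched against each FTP command line. The earlier
# pattern /.*USER.*admin.*/ fired on any command line containing both
# substrings, e.g. "USER sysadmin" or "USER guest_administrator", so it is
# anchored to the exact username below.
signature ftp-admin {
	ip-proto == tcp
	# Leading .* tolerates any prefix (Zeek signature patterns appear to be
	# implicitly anchored at the start of the matched text); "$" stops the
	# match at the username — assumes the CRLF is stripped before matching,
	# verify against a sample pcap. FTP keywords are case-insensitive on the
	# wire (RFC 959), so a lowercase "user admin" is NOT caught by this
	# pattern; wrap it in a case-insensitive group if the deployed Zeek
	# version supports one in .sig files.
	ftp /.*USER +admin *$/
	event "FTP Username Input Found!"
}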
#correlation: load the signature file (-s) and the event script saved at the nano step above in the same run
#-C disables IP/TCP checksum validation (needed for captures with checksum offloading); drop it if you want checksum errors to surface
root@dco:~$ zeek -C -r ftp.pcap -s ftp-admin.sig zeekScripts-FTP.zeek
Signature hit! --> #FTP-Admin
Signature hit! --> #FTP-Admin
Signature hit! --> #FTP-Admin
Signature hit! --> #FTP-Admin
LOCAL BASE SCRIPTS EVENT CORRELATION
#the base scripts are loaded by default; "local" additionally loads local.zeek (the site policy) and whatever policy scripts it @loads, and runs them all against the pcap
root@dco:~$ zeek -C -r ftp.pcap local
root@dco:~$ ls
101.zeek 103.zeek clear-logs.sh ftp.pcap packet_filter.log stats.log
102.zeek capture_loss.log conn.log loaded_scripts.log sample.pcap weird.log
#this loads one specific policy script (note the path under policy/, not base/) on top of the default base scripts; it raises an FTP::Bruteforcing notice when failed logins from one host exceed the script's threshold within its measurement interval (both are &redef-able constants in that script)
root@dco:~$ zeek -C -r ftp.pcap /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek
root@dco:~$ zeek-cut ts note msg < notice.log
1024380732.223481 FTP::Bruteforcing 10.234.125.254 had 20 failed logins on 1 FTP server in 0m1s