FRAMEWORK

Zeek's frameworks help analysts discover the different events of interest. These frameworks are stored in the /opt/zeek/share/zeek/policy/frameworks directory. A specific framework can be loaded into a Zeek script with the directive "@load {framework script name.zeek}". Prebuilt frameworks are commonly used in scripts via the "@load" method; specific scripts serve as practical scripts for particular use cases.

BASIC FRAMEWORK SCRIPTING

#sample usage...
#zeek frameworks
root@dco:~$ ls /opt/zeek/share/zeek/policy/frameworks
 cluster  dpd    intel       notice         signatures
 control  files  netcontrol  packet-filter  software
 
root@dco:~$ ls /opt/zeek/share/zeek/policy/frameworks/files/
 detect-MHR.zeek  entropy-test-all-files.zeek  extract-all-files.zeek  hash-all-files.zeek

root@dco:~$ cat /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
 ##! Perform MD5 and SHA1 hashing on all files.
 @load base/files/hash
 event file_new(f: fa_file)
  {
    Files::add_analyzer(f, Files::ANALYZER_MD5);
    Files::add_analyzer(f, Files::ANALYZER_SHA1);
  }

root@dco:~$ nano hashDemo.zeek
 # Enable MD5, SHA1 and SHA256 hashing for all files.
 @load /opt/zeek/share/zeek/policy/frameworks/files/hash-all-files.zeek
 
root@dco:~$ zeek -C -r case1.pcap hashDemo.zeek
root@dco:~$ cat files.log | zeek-cut md5 sha1 sha256
 cd5a4d3fdd5bffc16bf959ef75cf37bc	33bf88d5b82df3723d5863c7d23445e345828904	6137f8db2192e638e13610f75e73b9247c05f4706f0afd1fdb132d86de6b4012
 b5243ec1df7d1d5304189e7db2744128	a66bd2557016377dfb95a87c21180e52b23d2e4e	f808229aa516ba134889f81cd699b8d246d46d796b55e13bee87435889a054fb
 cc28e40b46237ab6d5282199ef78c464	0d5c820002cf93384016bd4a2628dcc5101211f4	749e161661290e8a2d190b1a66469744127bc25bf46e5d0c6f2e835f4b92db18

FILTERING AND CORRELATING FINDINGS

This method helps investigate a particular value across all available logs (for example, correlating a connection id found in files.log with the matching entries in conn.log and http.log).

#zeek frameworks
root@dco:~$ ls /opt/zeek/share/zeek/policy/frameworks
 cluster  dpd    intel       notice         signatures
 control  files  netcontrol  packet-filter  software
 
#
root@dco:~$ ls /opt/zeek/share/zeek/policy/frameworks/files/
 detect-MHR.zeek  entropy-test-all-files.zeek  extract-all-files.zeek  hash-all-files.zeek

root@dco:~$ cat /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
 ##! Extract all files to disk.
 @load base/files/extract
 event file_new(f: fa_file)
   {
     Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
   }

root@dco:~$ zeek -C -r case1.pcap /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
root@dco:~$ ls
 101.zeek  102.zeek  103.zeek  case1.pcap  clear-logs.sh  conn.log  dhcp.log  dns.log  extract_files  files.log  ftp.pcap  http.log  packet_filter.log  pe.log
root@dco:~$ cd extract_files
 ...

root@dco:~$ ls extract_files | nl
 1 extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja
 2 extract-1561667889.703239-HTTP-FB5o2Hcauv7vpQ8y3
 3 extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl

root@dco:~$ cd extract_files
root@dco:~$ file *| nl
 1 extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja:  ASCII text, with no line terminators
 2 extract-1561667889.703239-HTTP-FB5o2Hcauv7vpQ8y3:  Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Code page: 1252, Template: Normal.dotm, Last Saved By: Administrator, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Thu Jun 27 18:24:00 2019, Last Saved Time/Date: Thu Jun 27 18:24:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
 3 extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl: PE32 executable (GUI) Intel 80386, for MS Windows

 *  Zeek names each extracted file from the following values (compare conn.log and files.log):
     a. conn.log
     b. files.log
     c. the "extract" keyword
     d. timestamp value (ts)
     e. protocol (source)
     f. file unique id (fuid); the conn_uids column of files.log then links that file to its connection in conn.log
 * example:
    {keyword} {ts}            {protocol} {fuid}
    extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl
 * Extracted artifacts (such as the PE32 executable above) are untrusted content: inspect them only in an isolated analysis environment and never run them on the analysis host.

#identify the conn_uids
root@dco:~$ cat files.log | zeek-cut fuid conn_uids tx_hosts rx_hosts mime_type extracted | nl
 1 Fpgan59p6uvNzLFja	CaeNgL1QzYGxxZPwpk	23.63.254.163	10.6.27.102	text/plain	extract-1561667874.743959-HTTP-Fpgan59p6uvNzLFja
 2 FB5o2Hcauv7vpQ8y3	CCwdoX1SU0fF3BGBCe	107.180.50.162	10.6.27.102	application/msword	extract-1561667889.703239-HTTP-FB5o2Hcauv7vpQ8y3
 3 FOghls3WpIjKpvXaEl	CZruIO2cqspVhLuAO9	107.180.50.162	10.6.27.102	application/x-dosexec	extract-1561667899.060086-HTTP-FOghls3WpIjKpvXaEl

root@dco:~$ grep -rin CZruIO2cqspVhLuAO9 * | column -t | nl | less -S
 #NOTE: The full output is not shown here; redo the same actions in the attached VM.
 1 conn.log:43:1561667898.852600   CZruIO2cqspVhLuAO9  10.6.27.102     49162        107.180.50.162      80    tcp  http        
 2 files.log:11:1561667899.060086  FOghls3WpIjKpvXaEl  107.180.50.162  10.6.27.102  CZruIO2cqspVhLuAO9  HTTP  0    EXTRACT,PE  
 3 http.log:11:1561667898.911759   CZruIO2cqspVhLuAO9  10.6.27.102     49162        107.180.50.162      80    1    GET      
