LOGS
Zeek generates log files from the traffic it observes. The generated logs cover every connection on the wire, including the application-level protocols and their fields.
LOG CATEGORIES

COMMON LOGS

THREAT HUNTING: ANOMALY DETECTION & LOG CORRELATION
The table below can be used during threat hunting and describes a sample investigation procedure:
OVERALL INFO: the first step of the investigation is to review the overall connections, shared files, loaded scripts and indicators
PROTOCOL BASED: conduct a more in-depth investigation by focusing on a specific protocol
DETECTION: use the prebuilt/custom detection scripts and signature outcomes to support findings
OBSERVATION: use the logs in this category to discover points that may have been missed

#identify relevant fields
root@dco:~$ cat conn.log
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1488571051.943250 CTMFXm1AcIsSnq2Ric 192.168.121.2 51153 192.168.120.22 53 udp dns 0.001263 36 106 SF - - 0 Dd 1 64 1 134 -
1488571038.380901 CLsSsA3HLB2N6uJwW 192.168.121.10 50080 192.168.120.10 514 udp -
#only retrieve the 5-tuples during investigation as those are the most important
root@dco:~$ cat conn.log | zeek-cut uid proto id.orig_h id.orig_p id.resp_h id.resp_p
CTMFXm1AcIsSnq2Ric udp 192.168.121.2 51153 192.168.120.22 53
CLsSsA3HLB2N6uJwW udp 192.168.121.10 50080 192.168.120.10 514
* zeek-cut is an auxiliary program used for extracting columns from Zeek log files
- it selects columns by the names in the log's #fields header line, NOT by the entries in the #types line (which only describe each column's data type)
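To make the #fields vs. #types distinction concrete, here is an added, zeek-cut-style extractor written for these notes (it is not Zeek's own code). It parses a constructed conn.log excerpt in Zeek's tab-separated format and returns the 5-tuple columns by field name; the function names and sample values are assumptions.

```python
"""Minimal zeek-cut-style column extractor (added example, not Zeek's own code).

Selects columns from a Zeek TSV log by the names in the '#fields' header line,
ignoring the '#types' line, which only describes each column's data type.
"""

# Constructed sample conn.log in Zeek's TSV format (values are made up).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring",
    "1488571051.943250\tCTMFXm1AcIsSnq2Ric\t192.168.121.2\t51153\t192.168.120.22\t53\tudp\tdns\tSF",
    "1488571038.380901\tCLsSsA3HLB2N6uJwW\t192.168.121.10\t50080\t192.168.120.10\t514\tudp\t-\tS0",
    "#close\t2017-03-03-20-00-00",
])

def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names from the '#fields' line."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Header/metadata line: only '#fields' is needed to name the columns.
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # '#types', '#separator', '#close', ... carry no records
        if fields is None:
            raise ValueError("record seen before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield dict(zip(fields, values))

def zeek_cut(text, *columns):
    """Return the requested columns, in order, for every record.

    An unknown column name raises KeyError instead of silently yielding nothing.
    """
    rows = []
    for record in parse_zeek_log(text):
        rows.append([record[c] for c in columns])
    return rows

def five_tuples(text):
    """The uid plus 5-tuple view the notes recommend during investigation."""
    return zeek_cut(text, "uid", "proto", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p")
```

Unset values stay as "-", exactly as Zeek writes them, so a service of "-" in the output means the analyzer did not identify one rather than a parsing error.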