zeeks event-driven scripting language allows analysts to investigate and correlate the detected events. these scripts have a .zeek extension. customized script location are also in the following areas:
/opt/zeek/share/zeek/base/bif
/opt/zeek/share/zeek/base/bif/plugins
/opt/zeek/share/zeek/base/protocols
Last updated
#unfiltered data
root@dco:~$ BROWSER > https://docs.zeek.org/en/master/scripts/base/bif/event.bif.zeek.html
* events: new_connection
- use the search feature (CTRL+F) to quickly find the event
root@dco:~$ nano zeekScriptBasics.zeek
event new_connection(c: connection)
{
print c;
}
* this script displays unfiltered connection events
root@dco:~$ zeek -C -r sample.pcap 102.zeek
[id=[orig_h=192.168.121.40, orig_p=123/udp, resp_h=212.227.54.68, resp_p=123/udp], orig=[size=48, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:16:47:df:e7:c1], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:00:0c:9f:f0:79], start_time=1488571365.706238, duration=0 secs, service={}, history=D, uid=CajwDY2vSUtLkztAc, tunnel=, vlan=121, inner_vlan=, dpd=, dpd_state=, removal_hooks=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, ntp=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]#filtered data
root@dco:~$ BROWSER > https://docs.zeek.org/en/master/scripts/base/bif/event.bif.zeek.html
* events: new_connection
root@dco:~$ nano zeekScriptBasics.zeek
event new_connection(c: connection)
{
print ("###########################################################");
print ("");
print ("New Connection Found!");
print ("");
print fmt ("Source Host: %s # %s --->", c$id$orig_h, c$id$orig_p);
print fmt ("Destination Host: resp: %s # %s <---", c$id$resp_h, c$id$resp_p);
print ("");
}
* %s: Identifies string output for the source.
* c$id: Source reference field for the identifier.
root@dco:~$ zeek -C -r sample.pcap 103.zeek
###########################################################
New Connection Found! Source Host: 192.168.121.2 # 58304/udp --->
Destination Host: resp: 192.168.120.22 # 53/udp <---
############################################################
root@dco:~$ BROWSER > https://docs.zeek.org/en/master/scripts/base/bif/event.bif.zeek.html
events: dhcp_message
root@dco:~$ nano /opt/zeek/share/zeek/site
event dhcp_message (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
{
print options$host_name;
}
* the first, second and fourth lines are the predefined syntaxes of the scripting
language.
- the only part an analyst creates is the third line which tells Zeek to extract
DHCP hostnames
root@dco:~$ zeek -C -r smallFlows.pcap dhcp-hostname.zeek
student01-PC
vinlap01