SCRIPTING

Zeek's event-driven scripting language lets analysts investigate and correlate the detected events. These scripts use the .zeek extension. Customized script locations also include the following areas:

/opt/zeek/share/zeek/base/bif 
/opt/zeek/share/zeek/base/bif/plugins
/opt/zeek/share/zeek/base/protocols
Use the search feature to quickly find events of interest.

BASIC SCRIPTS

#unfiltered data
root@dco:~$ BROWSER > https://docs.zeek.org/en/master/scripts/base/bif/event.bif.zeek.html
 * events: new_connection
    - use the search feature (CTRL+F) to quickly find the event

root@dco:~$ nano zeekScriptBasics.zeek
 # Handler for the new_connection event: runs once per connection Zeek sees.
 # Prints the whole `connection` record unfiltered (id, orig/resp endpoints,
 # uid, history, protocol sub-records, ...), which is noisy but useful for
 # discovering which fields exist before writing a filtered handler.
 event new_connection(c: connection)
 {
   print c;
 }

 * this script prints the full, unfiltered connection record for every new connection
 
root@dco:~$ zeek -C -r sample.pcap 102.zeek 
 [id=[orig_h=192.168.121.40, orig_p=123/udp, resp_h=212.227.54.68, resp_p=123/udp], orig=[size=48, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:16:47:df:e7:c1], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:00:0c:9f:f0:79], start_time=1488571365.706238, duration=0 secs, service={}, history=D, uid=CajwDY2vSUtLkztAc, tunnel=, vlan=121, inner_vlan=, dpd=, dpd_state=, removal_hooks=, conn=, extract_orig=F, extract_resp=F, thresholds=, dce_rpc=, dce_rpc_state=, dce_rpc_backing=, dhcp=, dnp3=, dns=, dns_state=, ftp=, ftp_data_reuse=F, ssl=, http=, http_state=, irc=, krb=, modbus=, mysql=, ntlm=, ntp=, radius=, rdp=, rfb=, sip=, sip_state=, snmp=, smb_state=, smtp=, smtp_state=, socks=, ssh=, syslog=]
#filtered data
root@dco:~$ BROWSER > https://docs.zeek.org/en/master/scripts/base/bif/event.bif.zeek.html
 * events: new_connection
 
root@dco:~$ nano zeekScriptBasics.zeek
 # Filtered new_connection handler: prints a short banner plus the
 # originator and responder endpoints (host # port) of each new connection,
 # taken from the connection's id record (c$id).
 event new_connection(c: connection)
 {
   # Build the "host # port" strings once, then lay out the banner.
   local src = fmt("%s # %s", c$id$orig_h, c$id$orig_p);
   local dst = fmt("%s # %s", c$id$resp_h, c$id$resp_p);

   print "###########################################################";
   print "";
   print "New Connection Found!";
   print "";
   print fmt("Source Host: %s --->", src);
   print fmt("Destination Host: resp: %s <---", dst);
   print "";
 }

 * %s: format placeholder in fmt(); each argument is rendered as a string in its place.
 * c$id: the connection's identifier record (orig_h, orig_p, resp_h, resp_p); `$` accesses a record field.
 
root@dco:~$ zeek -C -r sample.pcap 103.zeek 
 ###########################################################
 New Connection Found! Source Host: 192.168.121.2 # 58304/udp ---> 
 Destination Host: resp: 192.168.120.22 # 53/udp <--- 
 ###########################################################
#
root@dco:~$ BROWSER > https://docs.zeek.org/en/master/scripts/base/bif/event.bif.zeek.html
 events: dhcp_message

root@dco:~$ nano /opt/zeek/share/zeek/site
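 # Handler for the dhcp_message event: prints the client hostname (DHCP
 # option 12) carried in a DHCP message, one line per message that has it.
 event dhcp_message (c: connection, is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
 {
   # host_name is an &optional field of DHCP::Options: server replies and
   # many client messages omit it, and reading an absent optional field is a
   # runtime error that aborts this handler.  Check presence with ?$ first.
   if ( options?$host_name )
     print options$host_name;
 }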

 * the first, second and fourth lines (the event signature and the braces) are the predefined syntax of the scripting 
   language.
    - the only part an analyst writes is the third line, which tells Zeek to print the 
      DHCP hostname from each message
      
root@dco:~$ zeek -C -r smallFlows.pcap dhcp-hostname.zeek 
 student01-PC
 vinlap01
