ANALYTICS

# Convert the PCAP into Zeek logs
root@dco:~$ zeek readpcap pcaps/AsyncRAT.pcap zeek_logs/asyncrat
 Starting the Zeek docker container
 Zeek logs will be saved to /home/ubuntu/zeek_logs/asyncrat
 
root@dco:~$ cd /home/ubuntu/zeek_logs/asyncrat/ && ls
 capture_loss.log  dns.log    http.log         known_services.log  notice.log  packet_filter.log  software.log  stats.log  x509.log
 conn.log          files.log  known_hosts.log  loaded_scripts.log  ocsp.log    reporter.log       ssl.log       weird.log
 
# Import the Zeek logs into RITA for parsing and analysis
root@dco:~$ rita import --logs ~/zeek_logs/asyncrat/ --database asyncrat
 [REDACTED]
 2025-10-23T10:56:58Z INF Initiating new import... dataset=asyncrat directory=/tmp/zeek_logs rebuild=false rolling=false started_at="2025-10-23 10:56:58.079568235 +0000 UTC m=+0.013974881"
 2025-10-23T10:56:58Z INF [THREAT INTEL] Updating online feed... feed_url=https://feodotracker.abuse.ch/downloads/ipblocklist.txt
 [-] Parsing:  /tmp/zeek_logs/conn.log
 [-] Parsing:  /tmp/zeek_logs/http.log
 [-] Parsing:  /tmp/zeek_logs/ssl.log
 [-] Parsing:  /tmp/zeek_logs/dns.log
 Log Parsing [progress bar rendered with non-ASCII glyphs] 4 / 4
 [REDACTED]
 
 * RITA parses and analyzes the imported logs; the parsing step above reads only conn.log, http.log, ssl.log and dns.log, and the import also refreshes the Feodo Tracker IP blocklist feed shown in the log output
