[Write-Up Easy Way ] Zeek – TryHackMe | Walkthrough

Introduction to hands-on network monitoring and threat detection with Zeek (formerly Bro). 


Before starting the walkthrough: some useful Zeek commands. In all of them, -r reads packets from a pcap file instead of a live interface, -C tells Zeek to ignore invalid IP/TCP/UDP checksums (common in captured or offloaded traffic; without it many packets are discarded before analysis), and -s loads a signature file.

Generate log files from pcap file

 zeek -C -r file.pcap

Generate log files with signature from pcap file

zeek -C -r file.pcap -s signature.sig

Generate log file with a script

zeek -C -r file.pcap script.zeek

Generate log file with a signature and a script together

zeek -C -r file.pcap -s signature.sig script.zeek

Exploring the log files.

Once the logs have been generated, use zeek-cut to pull the columns you need out of a log. You have to know the names of the « fields » you want: they are listed on the #fields header line of each log. The #types line under it only gives the data type of each column (time, addr, port, ...); those are not names you can pass to zeek-cut.
So first open the log with « head », like head conn.log, to read the field names from the #fields line.

For example, to print the source IP and source port of every connection:

cat conn.log | zeek-cut id.orig_h id.orig_p

The output of zeek-cut can be piped into other Linux commands: | wc -l to count the lines, | sort -u to drop duplicates, | grep to filter.


Use your kung fu command line skills!!!!!

Task 2 : Network Security Monitoring and Zeek

  • What is the installed Zeek instance version number?

Answer : 4.2.1


Command :

zeek -v

  • What is the version of the ZeekControl module?

Answer : 2.4.0


Command :

zeekctl -v

  • Investigate the « sample.pcap » file. What is the number of generated alert files?

Answer : 8


Command :

zeek -C -r sample.pcap
ls *.log | wc -l

Task 3 : Zeek Logs

  • Investigate the sample.pcap file. Investigate the dhcp.log file. What is the available hostname?

Answer : Microknoppix

Command :   

zeek -C -r sample.pcap

cat dhcp.log | zeek-cut host_name

  • Investigate the dns.log file. What is the number of unique DNS queries?

Answer : 2

Command :

cat dns.log | zeek-cut query | sort -u | wc -l

  • Investigate the conn.log file. What is the longest connection duration?

Answer : 332.319364

Command :

cat conn.log | zeek-cut duration | sort -n | tail -1

Task 5 : Zeek Signatures

  • Investigate the http.pcap file. Create the HTTP signature shown in the task and investigate the pcap. What is the source IP of the first event?

Answer :

Command :

zeek -C -r http.pcap -s http-password.sig
cat  http.log | zeek-cut id.orig_h

  • What is the source port of the second event?

Answer : 38172

Command :

cat  http.log | zeek-cut id.orig_p

  • Investigate the conn.log.
    What is the total number of the sent and received packets from source port 38706?

Answer : 20

Command :

zeek -C -r http.pcap -s http-password.sig 

cat conn.log | zeek-cut id.orig_p orig_pkts resp_pkts | grep '^38706'

The answer is orig_pkts + resp_pkts of the matching row.
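Both conn.log questions (the longest duration in Task 3 and the packet total per source port here) are column arithmetic on zeek-cut output, and two things trip people up: « - » marks an unset field, so sort -n and additions mis-handle it, and a bare grep 38706 matches that digit run anywhere on the line (a uid, a timestamp, a packet count), not only in id.orig_p. The following is an added example of my own, not from the room or from Zeek: it runs awk over a constructed sample of zeek-cut uid id.orig_p duration orig_pkts resp_pkts output (uids, ports and counts are invented) and shows the exact-column version of each answer next to the naive grep.

```shell
#!/bin/sh
# Added example, not from the room: the two conn.log questions done with
# awk on zeek-cut output, avoiding two pitfalls:
#   - "-" marks an unset field; "sort -n" and arithmetic mis-handle it,
#   - "grep 38706" matches that digit run in ANY column (a uid, a
#     timestamp, a packet count), not only in id.orig_p.
# The rows below are constructed sample output of
#   cat conn.log | zeek-cut uid id.orig_p duration orig_pkts resp_pkts
# (uids, ports and counts are invented for the demo).
sample_cut_output() {
  printf 'Cabc123xyz\t40001\t0.250000\t7\t5\n'
  printf 'Cdef456uvw\t40002\t-\t1\t0\n'          # no reply: duration unset
  printf 'Cghi789rst\t40003\t12.500000\t3\t3\n'
  printf 'Cjkl012opq\t40001\t1.750000\t2\t2\n'   # same source port reused
  printf 'CmV40001kL\t40004\t0.010000\t1\t1\n'   # uid happens to contain 40001
}

# Longest connection: skip unset durations, keep the uid for context.
longest_duration() {
  sample_cut_output | awk -F '\t' '
    $3 != "-" && ($3 + 0) > max { max = $3 + 0; uid = $1 }
    END { printf "%s\t%.6f\n", uid, max }'
}

# Sent + received packets for one source port: exact match on column 2
# only, summed across every connection that used that port.
packets_for_port() {
  sample_cut_output | awk -F '\t' -v port="$1" '
    $2 == port { total += $4 + $5 }
    END { print total + 0 }'
}

# Naive grep count vs. exact column match, to show the difference.
grep_matches()  { sample_cut_output | grep -c "$1"; }
exact_matches() { sample_cut_output | awk -F '\t' -v port="$1" '$2 == port' | wc -l | tr -d ' '; }

# Stand-alone demo output.
printf 'longest: %s\n' "$(longest_duration)"
printf 'packets for 40001: %s\n' "$(packets_for_port 40001)"
printf 'grep 40001 matches %s rows, exact match %s rows\n' \
  "$(grep_matches 40001)" "$(exact_matches 40001)"
```

On the sample, grep counts three rows for 40001 but only two connections really used that source port, and the packet total (16) is the sum over both of them; the row with an unset duration is ignored when looking for the longest connection instead of sorting as 0 or as text.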

  • Create the global rule shown in the task and investigate the ftp.pcap file.

    Investigate the notice.log. What is the number of unique events?

Answer : 1413

Command :

zeek -C -r ftp.pcap -s ftp-bruteforce.sig
head notice.log 
cat notice.log | zeek-cut uid | sort -u | wc -l

  • What is the number of ftp-brute signature matches?


Answer : 1410

Command :

cat notice.log | zeek-cut  msg | grep Brute-force | wc -l

Task 6 : Zeek Scripts | Fundamentals

  • Investigate the smallFlows.pcap file. Investigate the dhcp.log file. What is the domain value of the « vinlap01 » host?

Answer : astaro_vineyard


Command :

zeek -C -r smallFlows.pcap dhcp-hostname.zeek
cat dhcp.log | zeek-cut domain

  • Investigate the bigFlows.pcap file. Investigate the dhcp.log file. What is the number of identified unique hostnames?

Answer : 17


Command :

zeek -C -r bigFlows.pcap dhcp-hostname.zeek
cat dhcp.log | zeek-cut host_name | sort -u  | wc -l

  • Investigate the dhcp.log file. What is the identified domain value?

Answer : jaalam.net


Command :

cat dhcp.log | zeek-cut domain

  • Investigate the dns.log file. What is the number of unique queries?


Answer : 1312


Command :

cat dns.log | zeek-cut query | sort -u | grep -v -e '*' -e '-' | wc -l

Task 7 : Zeek Scripts | Scripts and Signatures

  • Go to folder TASK-7/101.
    Investigate the sample.pcap file with 103.zeek script. Investigate the terminal output. What is the number of the detected new connections?

Answer : 87


Command :

zeek -C -r sample.pcap 103.zeek
cat conn.log | zeek-cut uid | wc -l

  • Go to folder TASK-7/201.
    Investigate the ftp.pcap file with ftp-admin.sig signature and  201.zeek script. Investigate the signatures.log file. What is the number of signature hits?

Answer : 1401


Command :

zeek -C -r ftp.pcap -s ftp-admin.sig 201.zeek
cat signatures.log | zeek-cut event_msg | wc -l

  • Investigate the signatures.log file. What is the total number of « administrator » username detections?

Answer : 731


Command :

cat signatures.log | zeek-cut sub_msg | grep administrator | wc -l

  • Investigate the ftp.pcap file with all local scripts, and investigate the loaded_scripts.log file. What is the total number of loaded scripts?

Answer : 498


Command :

zeek -C -r ftp.pcap local
cat loaded_scripts.log
cat loaded_scripts.log | grep zeek | wc -l

  • Go to folder TASK-7/202.
    Investigate the ftp-brute.pcap file with « /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek » script. Investigate the notice.log file. What is the total number of brute-force detections?

Answer : 2

Command :

zeek -C -r ftp-brute.pcap /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek
cat notice.log | zeek-cut note
cat notice.log | zeek-cut note | wc -l

Task 8 : Zeek Scripts | Frameworks

  • Investigate the case1.pcap file with intelligence-demo.zeek script. Investigate the intel.log file. Look at the second finding, where was the intel info found? 



Command :

zeek -C -r case1.pcap intelligence-demo.zeek

cat intel.log | zeek-cut seen.where

  • Investigate the http.log file. What is the name of the downloaded .exe file?

Answer : knr.exe


Command :

cat http.log | zeek-cut uri

  • Investigate the case1.pcap file with hash-demo.zeek script. Investigate the files.log file. What is the MD5 hash of the downloaded .exe file?

Answer : cc28e40b46237ab6d5282199ef78c464


Command :

zeek -C -r case1.pcap hash-demo.zeek

cat files.log | zeek-cut tx_hosts rx_hosts md5

  • Investigate the case1.pcap file with file-extract-demo.zeek script. Investigate the « extract_files » folder. Review the contents of the text file. What is written in the file?

Answer : Microsoft NCSI


Command :

zeek -C -r case1.pcap file-extract-demo.zeek

cd extract_files/
ls

cat <first extracted file>   (the file name is generated by Zeek and will be different on your machine)

Task 9 : Zeek Scripts | Packages

  • Investigate the http.pcap file with the zeek-sniffpass module. Investigate the notice.log file. Which username has more module hits?

Answer : BroZeek


Command :

zeek -C -r http.pcap /opt/zeek/share/zeek/site/zeek-sniffpass
head notice.log
cat notice.log | zeek-cut note msg

  • Investigate the case2.pcap file with geoip-conn module. Investigate the conn.log file. What is the name of the identified City?

Answer : Chicago


Command :

zeek -C -r case2.pcap /opt/zeek/share/zeek/site/geoip-conn
cat conn.log | zeek-cut geo.resp.city | sort -u

  • Which IP address is associated with the identified City?

Answer :


Command :

cat conn.log | zeek-cut id.resp_h geo.resp.city

  • Investigate the case2.pcap file with sumstats-counttable.zeek script. How many types of status codes are there in the given traffic capture?

Answer : 4


Command :

zeek -C -r case2.pcap sumstats-counttable.zeek

That’s all folks

Thank you for taking the time to visit the site and read this write-up.

I hope you enjoyed it and that it taught you some new things.

Feel free to leave a comment or share this article.