[Write-Up Easy Way ] Zeek – TryHackMe | Walkthrough
Introduction to hands-on network monitoring and threat detection with Zeek (formerly Bro).
Before starting the walkthrough : Some useful commands for Zeek
Generate log files from pcap file
zeek -C -r file.pcap
Generate log files with signature from pcap file
zeek -C -r file.pcap -s signature.sig
Generate log file with a script
zeek -C -r file.pcap script.zeek
Generate log file with a signature and a script together
zeek -C -r file.pcap -s signature.sig script.zeek
Exploring log files.
When generating the logs file is done, use zeek-cut to exploring the log file. You have to know what « fields » you want to find. Don’t use the #types fields.
So before, you have to open the log file with « head » like head conn.log. When you do that, you get the category of the log file like this :
So if you want to know the IP source and his port, you can to do this command :
cat conn.log | zeek-cut id_orig_h id_orig_p
With zeek-cut, it’s possible to use others Linux command lines like | wc -l to count the line or | sort -u to find to avoid duplicate information.
Finally
Use your kung fu command line skills!!!!!
Task 2 : Network Security Monitoring and Zeek
- What is the installed Zeek instance version number?
Answer : 4.2.1
Commande :
zeek -v
- What is the version of the ZeekControl module?
Answer : 2.4.0
Commande :
zeekctl -v
Investigate the « sample.pcap » file. What is the number of generated alert files?
Answer : 8
Commande :
zeek -C -r sample.pcap
Task 3 : Zeek Logs
- Investigate the sample.pcap file. Investigate the dhcp.log file. What is the available hostname?
Answer : Microknoppix
Command :
zeek -C -r sample.pcap
cat dhcp.log | zeek-cut host_name
- Investigate the dns.log file. What is the number of unique DNS queries?
Answer : 2
Commande :
cat dns.log | zeek-cut query | sort -u | wc -l
- Investigate the conn.log file. What is the longest connection duration?
Answer : 332.319364
Command :
cat conn.log | zeek-cut duration | sort -n
Task 5 Zeek Signatures
Investigate the http.pcap file. Create the HTTP signature shown in the task and investigate the pcap. What is the source IP of the first event?
Answer : 10.10.57.178
Command :
zeek -C -r http.pcap -s http-password.sig
cat http.log | zeek-cut id.orig_h
What is the source port of the second event?
Answer : 38172
Command :
cat http.log | zeek-cut id.orig_p
Investigate the conn.log.
What is the total number of the sent and received packets from source port 38706?
Answer : 20
Command :
zeek -C -r http.pcap -s http-password.sig
cat conn.log | zeek-cut orig_pkts resp_pkts id.orig_p | grep 38706
Create the global rule shown in the task and investigate the ftp.pcap file.
Investigate the notice.log. What is the number of unique events?
Answer : 1413
Command :
zeek -C -r ftp.pcap -s ftp-bruteforce.sig
head notice.log
cat notice.log | zeek-cut uid | sort -u | wc -l
What is the number of ftp-brute signature matches?
Answer : 1410
Command :
cat notice.log | zeek-cut msg | grep Brute-force | wc -l
Task 6 Zeek Scripts | Fundamentals
Investigate the smallFlows.pcap file. Investigate the dhcp.log file. What is the domain value of the « vinlap01 » host?
Answer : astaro_vineyard
Commande :
zeek -C -r smallFlows.pcap dhcp-hostname.zeek
cat dhcp.log | zeek-cut domain
Investigate the bigFlows.pcap file. Investigate the dhcp.log file. What is the number of identified unique hostnames?
Answer : 17
Command :
zeek -C -r bigFlows.pcap dhcp-hostname.zeek
cat dhcp.log | zeek-cut host_name | sort -u | wc -l
Investigate the dhcp.log file. What is the identified domain value?
Answer : jaalam.net
Command :
cat dhcp.log | zeek-cut domain
Investigate the dns.log file. What is the number of unique queries?
Answer : 1312
Command :
cat dns.log | zeek-cut query | sort -u | grep -v -e ‘*’ -e ‘-‘ | wc -l
Task 7 Zeek Scripts | Scripts and Signatures
- Go to folder TASK-7/101.
Investigate the sample.pcap file with 103.zeek script. Investigate the terminal output. What is the number of the detected new connections?
Answer : 87
Command :
zeek -C -r sample.pcap 103.zeek
cat conn.log | zeek-cut uid | wc -l
Go to folder TASK-7/201.
Investigate the ftp.pcap file with ftp-admin.sig signature and 201.zeek script. Investigate the signatures.log file. What is the number of signature hits?
Answer : 1401
Command :
cat signatures.log | zeek-cut event_msg
cat signatures.log | zeek-cut event_msg | wc -l
Investigate the signatures.log file. What is the total number of « administrator » username detections?
Answer : 731
Command :
cat signatures.log | zeek-cut sub_msg
cat signatures.log | zeek-cut sub_msg | grep administrator
- Investigate the ftp.pcap file with all local scripts, and investigate the loaded_scripts.log file. What is the total number of loaded scripts?
Answer : 498
Command :
zeek -C -r ftp.pcap local
cat loaded_scripts.log
cat loaded_scripts.log | grep zeek | wc -l
Go to folder TASK-7/202.
Investigate the ftp-brute.pcap file with « /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek » script. Investigate the notice.log file. What is the total number of brute-force detections?
Answer : 2
Command :
zeek -C -r ftp-brute.pcap /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek
cat notice.log | zeek-cut note
cat notice.log | zeek-cut note | wc -l
Task 8 Zeek Scripts | Frameworks
Investigate the case1.pcap file with intelligence-demo.zeek script. Investigate the intel.log file. Look at the second finding, where was the intel info found?
Answer : IN_HOST_HEADER
Command :
zeek -C -r case1.pcap intelligence-demo.zeek
cat intel.log | zeek-cut seen.where
Investigate the http.log file. What is the name of the downloaded .exe file?
Answer : knr.exe
Command :
cat http.log | zeek-cut uri
Investigate the case1.pcap file with hash-demo.zeek script. Investigate the files.log file. What is the MD5 hash of the downloaded .exe file?
Answer : cc28e40b46237ab6d5282199ef78c464
Command :
zeek -C -r case1.pcap hash-demo.zeek
cat files.log | zeek-cut tx_rhosts rx_hosts md5
Investigate the case1.pcap file with file-extract-demo.zeek script. Investigate the « extract_files » folder. Review the contents of the text file. What is written in the file?
Answer : Microsoft NCSI
Command :
zeek -C -r case1.pcap file-extract-demo.zeek
cd extract_files/
cat « first-file. The name will be different »
Task 9 Zeek Scripts | Packages
- Investigate the http.pcap file with the zeek-sniffpass module. Investigate the notice.log file. Which username has more module hits?
Answer : BroZeek
Command :
zeek -C -r http.pcap /opt/zeek/share/zeek/site/zeek-sniffpass
head notice.log
cat notice.log | zeek-cut note msg
- Investigate the case2.pcap file with geoip-conn module. Investigate the conn.log file. What is the name of the identified City?
Answer : Chicago
Command :
zeek -C -r case2.pcap /opt/zeek/share/zeek/site/geoip-conn
head conn.log | zeek-cut geo.resp.city
cat conn.log | zeek-cut geo.resp.city
Which IP address is associated with the identified City?
Answer : 23.77.86.54
Command :
cat conn.log | zeek-cut id.resp_h geo.resp.city
Investigate the case2.pcap file with sumstats-counttable.zeek script. How many types of status codes are there in the given traffic capture?
Answer : 4
Command :
zeek -C -r case2.pcap sumstats-countable.zeek
That’s all folks
Thank you for having taken the trouble to come on the site to read this Write-Up
I hope you enjoyed it and that it taught you some new things.
Feel free to leave a comment or share this article.
