
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog



More packet fu with zeek

Published: 2022-02-17
Last Updated: 2022-02-17 15:52:53 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
0 comment(s)

Packet-fu with zeek is fun! Let's continue my previous diary, Some packet-fu with Zeek (previously known as bro), with another use case: IP geolocation of new connections inside a packet capture.

Prerequisites

You need to have zeek installed together with the MaxMind GeoIP database.

A quick way to test that the setup is correct is to run: zeek -e "print lookup_location(8.8.8.8);"

If you get the following output, you have to review your configuration:

If you get the following output, you can continue:

Events that will be used

  • new_connection: This event is raised every time a new connection is detected.
  • zeek_done: This event is raised when the packet input is exhausted, which makes it the right place to write the collected results.

Code

The following code implements the use case described:

type locationrecord: record {
    source: addr;               # originator address of the connection
    fulllocation: geo_location; # result of lookup_location() for that address
};

# One entry per observed connection, keyed by a running counter
global sites: table[count] of locationrecord;
global index = 1;

event new_connection(c: connection)
{
    local therecord: locationrecord;
    therecord$source = c$id$orig_h;
    therecord$fulllocation = lookup_location(therecord$source);
    sites[index] = therecord;
    index = index + 1;
}

event zeek_done()
{
    local locationlog = open("location.log");
    local therecord: locationrecord;
    for (n in sites) {
        therecord = sites[n];
        # geo_location fields are &optional: private or unresolvable addresses leave them unset,
        # so check with ?$ before reading them
        local country = therecord$fulllocation?$country_code ? therecord$fulllocation$country_code : "<unknown>";
        local region = therecord$fulllocation?$region ? therecord$fulllocation$region : "<unknown>";
        local city = therecord$fulllocation?$city ? therecord$fulllocation$city : "<unknown>";
        print locationlog, fmt("%s %s %s %s", therecord$source, country, region, city);
    }
    close(locationlog);
}

Let's review some interesting aspects of the code:

  • We need to store the location information of every IP address reviewed. That's why we define the locationrecord type.
  • The information processed in the new_connection event handler is stored in the sites table, one entry per connection.
  • The zeek_done event handler writes the collected output to a text file (location.log).
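As an added example (not the diary's own script), the same idea reworked so that each originator address is stored once with a connection count, and the result goes through Zeek's logging framework instead of a hand-built text file. Module name, record fields and the geoconn log path are my own choices.

```zeek
module GeoConn;

export {
    redef enum Log::ID += { LOG };

    # Fields that end up as columns of geoconn.log (names are assumptions, not from the diary)
    type Info: record {
        ts: time &log;                  # time the originator was first seen
        src: addr &log;                 # originator address
        conns: count &log;              # number of new_connection events from src
        country: string &log &optional; # unset when the MaxMind lookup has no data
        region: string &log &optional;
        city: string &log &optional;
    };
}

# Keyed by address rather than a running counter, so repeated connections
# from one host produce a single log line
global seen: table[addr] of Info;

event zeek_init()
{
    Log::create_stream(GeoConn::LOG, [$columns=Info, $path="geoconn"]);
}

event new_connection(c: connection)
{
    local src = c$id$orig_h;
    if ( src in seen ) {
        ++seen[src]$conns;
        return;
    }

    # lookup_location() returns a geo_location whose fields are all &optional;
    # private and unroutable addresses come back with nothing set
    local loc = lookup_location(src);
    local info = Info($ts=network_time(), $src=src, $conns=1);
    if ( loc?$country_code ) info$country = loc$country_code;
    if ( loc?$region )       info$region = loc$region;
    if ( loc?$city )         info$city = loc$city;
    seen[src] = info;
}

event zeek_done()
{
    for ( src in seen )
        Log::write(GeoConn::LOG, seen[src]);
}
```

Run it as zeek -r capture.pcap geoconn.zeek; the tab-separated geoconn.log uses "-" for unset columns, which avoids the ambiguity of space-separated output when a region or city name itself contains spaces.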

Let's see a snippet of the script's output:

Do you have any other interesting use cases for zeek? Let us know through our contact form.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
