During an incident response process, one of the fundamental variables is speed. If a network capture is available in which we can presumably find evidence of who is causing an incident and how, every second counts in order to get ahead of the attacker in the cyber kill chain. A passive approach to the analysis of the network traffic is needed to obtain results quickly, and Zeek is a powerful tool for these scenarios. It processes network traffic at the application-protocol level (DCE-RPC, DHCP, DNP3, DNS, FTP, HTTP, IMAP, IRC, KRB, MODBUS, MQTT, MYSQL, NTLM, NTP, POP3, RADIUS, RDP, RFB, SIP, SMB, SMTP, SOCKS, SSH, SSL, SYSLOG, TUNNELS, XMPP), offers pattern search through its signature framework, and has a powerful scripting language with which the incident responder can process exactly what the investigation requires. Zeek scripts are event-driven: a script declares handlers for events that Zeek raises as it parses the traffic, and Zeek calls each handler as the corresponding thing happens. A summary of all available events is at https://docs.zeek.org/en/stable/scripts/base/bif/event.bif.zeek.html. The events used by the examples in this diary are introduced together with each use case.
We will cover three simple use cases in this diary: top talkers by source IP, top talkers by source IP and destination port, and the number of connections confirmed by Zeek for a given IP address and protocol.
Use case 1: top talkers by source IP

The script for this use case declares a global counter table keyed by source address, global attempts: table[addr] of count &default=0;. The &default=0 attribute makes a lookup of an address that is not yet in the table return 0, so the counter can be incremented without first checking whether the key exists. A per-connection event handler increments the entry for the originating host (c$id$orig_h), and a handler for zeek_done(), which Zeek raises once when it has finished processing the capture, walks the table and prints one line per source address with its count.
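A complete script for this use case, written here as an added example (it is not the diary's original script): it assumes new_connection as the per-connection hook, and the file names in the usage line below are placeholders.

```zeek
# Added example (not the diary's original script): count connections per
# originating host and report the table when Zeek finishes.
# Assumption: new_connection is used as the per-connection hook; it fires
# once for every connection Zeek starts tracking, whatever the protocol.

global attempts: table[addr] of count &default=0;

event new_connection(c: connection)
    {
    # &default=0 makes the first lookup of an unseen address yield 0,
    # so no "is it already in the table" check is needed before adding.
    attempts[c$id$orig_h] += 1;
    }

event zeek_done()
    {
    # Runs once, after the whole capture (or live session) has been processed.
    for ( ip in attempts )
        print fmt("%s %d", ip, attempts[ip]);
    }
```

Run it against a capture with zeek -C -r capture.pcap top_talkers.zeek. The -C flag makes Zeek ignore bad IP checksums, which are common in captures taken on a host with checksum offloading and would otherwise cause connections to be dropped from the count. The print lines go to stdout while Zeek's regular logs (conn.log and friends) are written to the current directory, so a sorted top-N list is obtained by piping the output through the shell: zeek -C -r capture.pcap top_talkers.zeek | sort -k2 -nr | head.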
The output of the script is one line per source address with its connection count. Since print writes to stdout, a sorted top-N list is easy to obtain by piping the output through sort.

Use case 2: top talkers by source IP and destination port, counting new connections

The script for this use case is the same as the previous one except for the table declaration, global attempts: table[addr,port] of count &default=0;, which is indexed by two values: the originating address and the responder (destination) port. The new_connection event handler increments the entry for the pair (c$id$orig_h, c$id$resp_p), and zeek_done() prints the table with a two-variable loop, for ( [ip, p] in attempts ).
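A complete script for the second use case, added here as an example rather than the diary's own code, which sorts the report inside Zeek instead of relying on the shell. It assumes new_connection as the hook; the record type TalkerPortCount and the comparison function by_count_desc are names introduced for this example.

```zeek
# Added example (not the diary's original script): count new connections per
# (source address, destination port) pair and print them sorted, largest first.
# Assumption: new_connection as the per-connection hook.

# One row of the report; a vector of these can be sorted in-script.
type TalkerPortCount: record {
    orig_h: addr;
    resp_p: port;
    n: count;
};

global attempts: table[addr, port] of count &default=0;

event new_connection(c: connection)
    {
    # Key on originator address and responder (destination) port.
    attempts[c$id$orig_h, c$id$resp_p] += 1;
    }

# Comparison for sort(): a negative result means a sorts before b,
# so returning -1 for the larger count yields descending order.
function by_count_desc(a: TalkerPortCount, b: TalkerPortCount): int
    {
    if ( a$n > b$n )
        return -1;
    if ( a$n < b$n )
        return 1;
    return 0;
    }

event zeek_done()
    {
    local rows: vector of TalkerPortCount = vector();

    # Copy the table into a vector, since only vectors can be sorted.
    for ( [ip, p] in attempts )
        rows[|rows|] = TalkerPortCount($orig_h=ip, $resp_p=p, $n=attempts[ip, p]);

    sort(rows, by_count_desc);

    # Port values print with their transport, e.g. 445/tcp or 53/udp.
    for ( i in rows )
        print fmt("%s %s %d", rows[i]$orig_h, rows[i]$resp_p, rows[i]$n);
    }
```

Sorting in the script matters once the report is meant to be consumed by something other than a human, for example when the same handler later raises a notice for the top pair instead of printing; the shell pipeline from the first use case remains the quicker option during a triage.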
Again the output is one line per (source address, destination port) pair, and it can be sorted the same way.

Use case 3: number of connections confirmed by Zeek for a specific IP address and protocol

The script for this use case introduces two new aspects. The table, global attempts: table[addr,Analyzer::Tag] of count &default=0;, is indexed by the source address and an Analyzer::Tag, the enum that identifies which of Zeek's protocol analyzers handled a connection (Analyzer::ANALYZER_HTTP, Analyzer::ANALYZER_SSH and so on). The counting is done from the protocol_confirmation event, which Zeek raises once an analyzer has seen enough of a connection to confirm its protocol, independently of the port the traffic runs on; this is what "confirmed by Zeek" means here, and it is why a service on a non-standard port is still counted under its real protocol. zeek_done() then prints the entries for the address and protocol of interest.
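A complete script for the third use case, added as an example (not the diary's original). It assumes protocol_confirmation as the hook, the Zeek 3.x event name current when this diary was written (newer Zeek versions renamed it, first to analyzer_confirmation and later to analyzer_confirmation_info), and it uses two redefinable constants, target_host and target_analyzer, with constructed placeholder values.

```zeek
# Added example (not the diary's original script): count, per originating
# host, how many connections each Zeek analyzer positively confirmed, and
# report the count for one host and one protocol.
# Assumptions: protocol_confirmation is the hook (Zeek 3.x name);
# target_host is a constructed placeholder from the documentation range.

const target_host: addr = 192.0.2.10 &redef;
const target_analyzer: Analyzer::Tag = Analyzer::ANALYZER_HTTP &redef;

global attempts: table[addr, Analyzer::Tag] of count &default=0;

event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
    {
    # Fires when an analyzer has seen enough of the traffic to be sure of the
    # protocol, so SSH on port 443 is counted as SSH, not as SSL. A connection
    # on which several analyzers confirm (a tunnel, for example) is counted
    # once per analyzer.
    attempts[c$id$orig_h, atype] += 1;
    }

event zeek_done()
    {
    for ( [ip, a] in attempts )
        {
        # 'next' is Zeek's loop continue.
        if ( ip != target_host || a != target_analyzer )
            next;

        # Analyzer::name() turns the tag enum into its short name ("HTTP", "SSH", ...).
        print fmt("%s %s %d", ip, Analyzer::name(a), attempts[ip, a]);
        }
    }
```

The constants are &redef so the host can be chosen at run time without editing the script, e.g. zeek -C -r capture.pcap confirmed.zeek target_host=10.0.0.5 (file name and address are placeholders). Removing the if/next filter turns the same script into a per-host protocol inventory, which is often the more useful view early in an investigation, before a specific host has been singled out.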
The output lists, for the selected address, the number of connections confirmed for the selected analyzer. In my next diaries I will cover other interesting use cases with Zeek using the frameworks it provides. Manuel Humberto Santander Peláez
ISC Handler
Nov 14th 2019