We covered an introduction to Zeek, packets and logs analyzer, that can be used for network security monitoring, incident analysis and logs investigation. Zeek has two primary layers; “Event Engine” and “Policy Script Interpreter” that are used to process and extract key data and insights from the logs such as source and destination IP addresses and ports.

We also covered the second part of working with Zeek, the packet and network security analyzer, where we explained how to detect certain events using Zeek signatures and how to correlate those events to trigger certain actions using Zeek scripting language.

We also demonstrated the third part of packet analysis using Zeek. We explained frameworks and packages that can be used to extend the functionality of Zeek allowing for more events correlation and data extraction. Frameworks and packages can be both called and invoked while using Zeek from the command line or they can be invoked inside scripts using the “load” keyword.

This was part of TryHackMe Zeek |  SOC analyst level 1 pathway.

Get Blue Team Notes

The Complete Penetration Testing with BackBox Course

CHALLENGE DESCRIPTION

Introduction to hands-on network monitoring and threat detection with Zeek (formerly Bro).

Video Highlights

Zeek (formerly Bro) is an open-source and commercial passive Network Monitoring tool (traffic analysis framework) developed by Lawrence Berkeley Labs. Today, Zeek is supported by several developers, and Corelight provides an Enterprise-ready fork of Zeek. Therefore this tool is called both open source and commercial. The differences between the open-source version and the commercial version are detailed here.

Zeek differs from known monitoring and IDS/IPS tools by providing a wide range of detailed logs ready to investigate both for forensics and data analysis actions. Currently, Zeek provides 50+ logs in 7 categories.

Zeek has two primary layers; “Event Engine” and “Policy Script Interpreter”. The Event Engine layer is where the packets are processed; it is called the event core and is responsible for describing the event without focusing on event details. It is where the packages are divided into parts such as source and destination addresses, protocol identification, session analysis and file extraction. The Policy Script Interpreter layer is where the semantic analysis is conducted. It is responsible for describing the event correlations by using Zeek scripts.

Zeek has several frameworks to provide extended functionality in the scripting layer. These frameworks enhance Zeek’s flexibility and compatibility with other network components. Each framework focuses on the specific use case and easily runs with Zeek installation. For instance, we will be using the “Logging Framework” for all cases. Having ide on each framework’s functionality can help users quickly identify an event of interest.

There are two operation options for Zeek. The first one is running it as a service, and the second option is running the Zeek against a pcap. Before starting working with Zeek, let’s check the version of the Zeek instance with the following command: zeek -v

Now we are sure that we have Zeek installed. Let’s start the Zeek as a service! To do this, we need to use the “ZeekControl” module, as shown below. The “ZeekControl” module requires superuser permissions to use. You can elevate the session privileges and switch to the superuser account to examine the generated log files with the following command: sudo su

Zeek supports signatures to have rules and event correlations to find noteworthy activities on the network. Zeek signatures use low-level pattern matching and cover conditions similar to Snort rules. Unlike Snort rules, Zeek rules are not the primary event detection point. Zeek has a scripting language and can chain multiple events to find an event of interest.

Zeek has its own event-driven scripting language, which is as powerful as high-level languages and allows us to investigate and correlate the detected events. Since it is as capable as high-level programming languages, you will need to spend time on Zeek scripting language in order to become proficient. In this room, we will cover the basics of Zeek scripting to help you understand, modify and create basic scripts.

Room Answers

What is the installed Zeek instance version number?

What is the version of the ZeekControl module?

Investigate the “sample.pcap” file. What is the number of generated alert files?

Investigate the sample.pcap file. Investigate the dhcp.log file. What is the available hostname?

Investigate the dns.log file. What is the number of unique DNS queries?

Investigate the conn.log file. What is the longest connection duration?

Investigate the http.pcap file. Create the  HTTP signature shown in the task and investigate the pcap. What is the source IP of the first event?

What is the source port of the second event?

Investigate the conn.log.
What is the total number of the sent and received packets from source port 38706?

Create the global rule shown in the task and investigate the ftp.pcap file.

Investigate the notice.log. What is the number of unique events?

What is the number of ftp-brute signature matches?

Investigate the smallFlows.pcap file. Investigate the dhcp.log file. What is the domain value of the “vinlap01” host?

Investigate the bigFlows.pcap file. Investigate the dhcp.log file. What is the number of identified unique hostnames?

Investigate the dhcp.log file. What is the identified domain value?

Go to folder TASK-7/101.
Investigate the sample.pcap file with 103.zeek script. Investigate the terminal output. What is the number of the detected new connections?

Go to folder TASK-7/201.
Investigate the ftp.pcap file with ftp-admin.sig signature and  201.zeek script. Investigate the signatures.log file. What is the number of signature hits?

Investigate the signatures.log file. What is the total number of “administrator” username detections?

Investigate the ftp.pcap file with all local scripts, and investigate the loaded_scripts.log file. What is the total number of loaded scripts?

Go to folder TASK-7/202.
Investigate the ftp-brute.pcap file with /opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek” script. Investigate the notice.log file. What is the total number of brute-force detections?

Investigate the case1.pcap file with intelligence-demo.zeek script. Investigate the intel.log file. Look at the second finding, where was the intel info found?

Investigate the http.log file. What is the name of the downloaded .exe file?

Investigate the case1.pcap file with hash-demo.zeek script. Investigate the files.log file. What is the MD5 hash of the downloaded .exe file?

Investigate the case1.pcap file with file-extract-demo.zeek script. Investigate the “extract_files” folder. Review the contents of the text file. What is written in the file?

Investigate the http.pcap file with the zeek-sniffpass module. Investigate the notice.log file. Which username has more module hits?
Investigate the case2.pcap file with geoip-conn module. Investigate the conn.log file. What is the name of the identified City?

Which IP address is associated with the identified City?

Investigate the case2.pcap file with sumstats-counttable.zeek script. How many types of status codes are there in the given traffic capture?

Video Walkthrough

About the Author

Cybersecurity Trainer MS in Cybersecurity Expertise in Healthcare and Finance Industries Penetration tester and compliance auditor

View Articles