What is Zeek

Zeek (formerly Bro) is open source network security monitoring software originally written by Vern Paxson. It produces "rich logs" describing network traffic: a data-driven sensor collects packets, summarizes them into per-protocol logs, and those logs are aggregated onto a log collector where analysts can gain insight into what is happening on the network. It scales by adding workers that collect data and processors that analyze it, runs on low-cost off-the-shelf hardware, and its cluster configuration handles high-bandwidth networks. The project describes itself as a framework for analyzing network traffic rather than as a signature-matching tool.

Get data from a sensor

The focus of this article is not data collection but analysis: how an analyst uses the data from packet captures that have already been collected. One way to get a capture from a sensor into Zeek is to stream it into zeek -r -, which reads a pcap file (here standard input) instead of listening on an interface. The sensor-side export command and its empty start/end arguments are left exactly as on the original page:

analyze -s "" -e "" sensor | zeek -r -

Zeek Logs

Zeek writes a variety of logs based on what it detects.

  • conn.log One record per connection (TCP, UDP and ICMP flows): endpoints, protocol, detected service, duration, byte and packet counts, connection state
  • pe.log Portable Executable files found in transferred files
  • known_hosts.log Hosts that completed a TCP handshake, logged once per host per expiry window (one day by default)
  • known_services.log Services detected on hosts, logged once per host and port with the same expiry handling
  • dpd.log Dynamic protocol detection failures (a protocol analyzer attached to a connection gave up on it)
  • weird.log Anomalous or unexpected protocol-level activity
  • loaded_scripts.log Scripts loaded when Zeek starts or restarts
  • reporter.log Zeek's own error, warning and informational messages
  • software.log Application-layer software and version numbers identified in traffic (browsers, web servers, SSH clients and so on); useful for spotting outdated or vulnerable versions
  • Protocol logs (http.log, dns.log, ssl.log, smtp.log, files.log and so on), one per protocol Zeek parsed

Viewing Logs

Zeek logs are tab-separated text files with a header block (#fields, #types and a few other directives), so any Unix text tool works on them. To view a log you will generally use cat to display it and then pipe that to zeek-cut, which understands the header and lets you select the columns you want by field name.

Example Command

cat conn.log | zeek-cut -u ts uid id.orig_h id.orig_p id.resp_h id.resp_p orig_bytes resp_bytes

  • cat conn.log Start by using cat to display the contents of the log. Any log file you see will represent some aspect of traffic on your network.
  • zeek-cut   Piped to zeek-cut, we can begin to select the fields we want. Each log file has different fields, so having a reference from zeek.org or another source is helpful.
  • -u option to print the time as a UTC timestamp.
  • ts displays the time stamp.
  • uid displays the unique connection identifier Zeek generated for this connection. The same uid appears in every other log record produced for that connection (http.log, ssl.log, dns.log, and files.log via conn_uids), so it is the key for pivoting between logs.
  • id.orig_h displays the source IP address (originating host IP)
  • id.orig_p displays the source port (originating port)
  • id.resp_h displays the destination IP address (responding host IP)
  • id.resp_p displays the destination port (responding port)
  • orig_bytes displays bytes sent from the originating host
  • resp_bytes displays bytes sent from the responding host

zeek-cut Options

  • -c Include the first format header block in the output.
  • -C Include all format header blocks in the output.
  • -m Include the first format header blocks in the output in minimal view.
  • -M Include all format header blocks in the output in minimal view.
  • -d Convert time values into human-readable format.
  • -D <fmt> Like -d, but specify format for time (see strftime(3) for syntax).
  • -F <ofs> Sets a different output field separator character.
  • -h Show help.
  • -n Print all fields except those specified.
  • -u Like -d, but print timestamps in UTC instead of local time.
  • -U <fmt> Like -D, but print timestamps in UTC instead of local time.

Sample Fields Available from various logs

conn.log

#fields ts  uid id.orig_h   id.orig_p   id.resp_h   id.resp_p   proto   service duration    orig_bytes  resp_bytes  conn_state  local_orig  local_resp  missed_bytes    history orig_pkts   orig_ip_bytes   resp_pkts   resp_ip_bytes   tunnel_parents

files.log

#fields ts  fuid tx_hosts    rx_hosts    conn_uids   source  depth   analyzers   mime_type   filename duration    local_orig  is_orig seen_bytes  total_bytes missing_bytes   overflow_bytes  timedout parent_fuid  md5 sha1 sha256  extracted   extracted_cutoff    extracted_size

ssl.log

#fields ts  uid id.orig_h   id.orig_p   id.resp_h   id.resp_p   version cipher  curve   server_name resumed  last_alert  next_protocol   established ssl_history cert_chain_fps  client_cert_chain_fps   sni_matches_cert

Sample Queries

How many packets were sent and received by the connection with source port 36499? Put the port first and match it exactly, because a bare grep for 36499 would also match a byte or packet count that happens to contain those digits: cat conn.log | zeek-cut id.orig_p orig_pkts resp_pkts | awk -F'\t' '$1 == 36499'

What server was connected to in the SSL log? cat ssl.log | zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p server_name (server_name is the SNI the client asked for; with TLS 1.3 the certificate is encrypted, so this is often the only name Zeek sees)

Identify the file that was transferred from a host of interest: cat files.log | zeek-cut fuid tx_hosts rx_hosts conn_uids | grep -F '<IP-Address>' (tx_hosts is the sending side; conn_uids links the file back to conn.log)

What is the ID of a Portable Executable file that was downloaded? cat pe.log | zeek-cut -d ts id (the id field is the file's fuid, which links to files.log and, through conn_uids, to the connection in conn.log)

What is the web traffic like from a host? cat http.log | zeek-cut -d ts id.orig_h id.orig_p id.resp_h id.resp_p method host uri | grep -F '<IP-Address>' (use -F so the dots in the address are not treated as regex wildcards)

Describe the traffic from a host of interest: cat http.log | zeek-cut id.orig_h id.resp_h method user_agent | grep -F '<IP-Address>'

What names did a host of interest resolve, and to which IP addresses? cat dns.log | zeek-cut -d ts id.orig_h id.resp_h id.resp_p proto query answers | grep -F '<IP-Address>'

Describe the email exchanges at the time of the incident: cat smtp.log | zeek-cut -d ts uid id.orig_h id.orig_p id.resp_h id.resp_p helo mailfrom rcptto subject
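As an added example, not code from the original page or from the Zeek project, the viewing-logs pipeline and the sample queries above are reproduced in Python: a small parser for Zeek's tab-separated ASCII log format that honours the header directives, a zeek-cut style column selector (with the -u timestamp conversion and -n negation), and two of the queries done without grep's substring pitfalls, including a pivot from conn.log to ssl.log on uid. The two log excerpts (conn.log and ssl.log) are constructed for the example; the uids CAbc1 and CDef2, the addresses and the server name example.com are made up.

```python
"""Added example (not Zeek project code): read Zeek's ASCII logs in Python and
reproduce the zeek-cut pipelines and sample queries from this article.
The two log excerpts below are constructed; uids, addresses and SNI are made up."""
import datetime as dt

# Constructed conn.log excerpt in Zeek's ASCII format (tab-separated, with the
# standard header directives). "(empty)" marks an empty set, "-" an unset field.
CONN_LOG = """#separator \\x09
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]
1700000000.123456\tCAbc1\t10.0.0.5\t36499\t93.184.216.34\t443\ttcp\tssl\t1.5\t1200\t5400\tSF\tT\tF\t0\tShADadFf\t12\t1800\t10\t5900\t(empty)
1700000001.000000\tCDef2\t10.0.0.5\t51000\t10.0.0.53\t53\tudp\tdns\t0.01\t40\t120\tSF\tT\tT\t0\tDd\t1\t68\t1\t148\t(empty)
"""

# Constructed ssl.log excerpt for the same TLS connection (uid CAbc1). Under
# TLS 1.3 the certificate is encrypted, so the fingerprint fields are unset.
SSL_LOG = """#separator \\x09
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tcurve\tserver_name\tresumed\tlast_alert\tnext_protocol\testablished\tssl_history\tcert_chain_fps\tclient_cert_chain_fps\tsni_matches_cert
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tbool\tstring\tstring\tbool\tstring\tvector[string]\tvector[string]\tbool
1700000000.234567\tCAbc1\t10.0.0.5\t36499\t93.184.216.34\t443\tTLSv13\tTLS_AES_256_GCM_SHA384\tx25519\texample.com\tF\t-\th2\tT\tCsxn\t-\t-\tT
"""


def parse_zeek_log(text):
    """Parse one Zeek ASCII log. Returns (field_names, rows); each row is a dict
    keyed by field name, with unset fields as None and empty fields as ""."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields, rows = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator line is the one header line that uses a space,
                # and its value is written escaped (\x09 for tab).
                sep = line[len("#separator "):].encode().decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "unset_field":
                    unset = value
                elif key == "empty_field":
                    empty = value
                elif key == "fields":
                    fields = value.split(sep)
            continue
        values = line.split(sep)
        rows.append({f: None if v == unset else "" if v == empty else v
                     for f, v in zip(fields, values)})
    return fields, rows


def zeek_cut(rows, *names, utc_ts=False, negate=False):
    """Select columns by name like `zeek-cut [-u] [-n] names...`. With utc_ts the
    ts column is rendered the way zeek-cut -u does (%Y-%m-%dT%H:%M:%S%z)."""
    out = []
    for row in rows:
        keys = [k for k in row if k not in names] if negate else list(names)
        line = []
        for key in keys:
            value = row.get(key)
            if key == "ts" and utc_ts and value is not None:
                when = dt.datetime.fromtimestamp(float(value), dt.timezone.utc)
                value = when.strftime("%Y-%m-%dT%H:%M:%S%z")
            line.append("-" if value is None else value)
        out.append(line)
    return out


def packets_for_orig_port(conn_rows, port):
    """Sample query 1, matching id.orig_p exactly instead of grepping for the port
    number anywhere on the line (where it could also match a byte count)."""
    return [(r["orig_pkts"], r["resp_pkts"]) for r in conn_rows
            if r["id.orig_p"] == str(port)]


def ssl_servers_by_uid(conn_rows, ssl_rows):
    """Sample query 2 as a pivot: for every conn.log record whose service is ssl,
    look up the SNI Zeek recorded for the same uid in ssl.log."""
    sni = {r["uid"]: r["server_name"] for r in ssl_rows}
    return {r["uid"]: sni.get(r["uid"]) for r in conn_rows if r["service"] == "ssl"}


if __name__ == "__main__":
    _, conn = parse_zeek_log(CONN_LOG)
    _, ssl = parse_zeek_log(SSL_LOG)
    # Equivalent of the article's example command run with -u.
    for line in zeek_cut(conn, "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
                         "id.resp_p", "orig_bytes", "resp_bytes", utc_ts=True):
        print("\t".join(line))
    print(packets_for_orig_port(conn, 36499))
    print(ssl_servers_by_uid(conn, ssl))
```

The parser reads the #separator, #unset_field and #empty_field directives rather than assuming tabs and dashes, which is what lets the same code handle logs written with a non-default separator; the pivot function shows the uid-based join that the article's grep pipelines do by hand.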