Updated 09-06-2021<\/p>\n
Welcome back!<\/p>\n
In the last episode – our intrepid adventurers setup a Raspberry Pi and got Zeek IDS, downloaded, compiled and running in a very basic way….<\/p>\n
But what about some more advanced functions? What can this small box filled with power do more than report packets traversing switches and routers?<\/p>\n
Changing the log file format for better ingestion<\/strong><\/p>\n The best way for external software to ingest your zeek logs is to convert them to JSON format. In the original config, Zeek creates human readable text tables for each kind of log file created in \/usr\/local\/zeek\/logs\/current such as:<\/p>\n This is great for people to read but less so for machines. To convert these tables into JSON format:<\/p>\n Check to make sure your logs are now in JSON format.<\/p>\n This will help if you want to run scripts against the logs or export to a SIEM-type system.<\/p>\n Adding Intelligence from a Threat Feed & Automating the updates for the feeds. I used to have the setup for criticalstack\/intelstack.com – but it’s gone the way of the dodo.\u00a0 In another post I recommend a new threat feed provided by Critical Path security, easier to update through Git.\u00a0 Click here<\/a> for the install instructions.<\/p>\n Testing the Threat Intel Feeds<\/strong><\/p>\n A new log file will be created when using the intel threat feeds: intel.log.<\/p>\n To test the creation of this log file you can attempt to browse to a tor exit node (if you added a TOR nodes feed) or some other site that could be part of the feeds you’ve added.<\/p>\n For this example, I’ve got 35.225.94.95<\/strong> that came in on my external address. If you browse to it in a browser or use curl from the command line it will trigger a log to generate a intel.log file.<\/p>\n In the case above, it found the request in the sources RUTGERS-BANLIST and CPS-ILLUMINATE as part of the Critical Path intel feeds in our directory that was downloaded earlier.<\/p>\n That’s all for now. In part 3, we will setup a logging server and export the Zeek logs to create a visualization component and dashboards.<\/p>\n","protected":false},"excerpt":{"rendered":" Updated 09-06-2021 Welcome back! In the last episode – our intrepid adventurers setup a Raspberry Pi and got Zeek IDS, downloaded, compiled and running in a very basic way…. But what about some more advanced functions? What can this small box filled with power do more than report packets traversing switches and routers? Changing the… cat capture_loss.log\r\n#separator \\x09\r\n#set_separator ,\r\n#empty_field (empty)\r\n#unset_field -\r\n#path capture_loss\r\n#open 2019-08-31-02-04-06\r\n#fields ts ts_delta peer gaps acks percent_lost\r\n#types time interval string count count double\r\n1567213446.308621 900.000053 zeek 0 0 0.0<\/pre>\n
\n
#JSON Output\r\n@load policy\/tuning\/json-logs.zeek<\/pre>\n
\n
zeekctl deploy<\/pre>\n
cat \/usr\/local\/zeek\/logs\/current\/packet_filter.log\r\n{\"ts\":1567213927.478291,\"node\":\"zeek\",\"filter\":\"ip or not ip\",\"init\":true,\"success\":true}<\/pre>\n
\n<\/strong><\/p>\ncat intel.log\r\n{\"ts\":1630934593.891459,\"uid\":\"C0VM2b1tdQrrVzLYRi\",\"id.orig_h\":\"35.225.94.95\",\"id.orig_p\":47322,\"id.resp_h\":\"10.255.30.30\",\"id.resp_p\":443,\"seen.indicator\":\"35.225.94.95\",\"seen.indicator_type\":\"Intel::ADDR\",\"seen.where\":\"Conn::IN_ORIG\",\"seen.node\":\"zeek\",\"matched\":[\"Intel::ADDR\"],\"sources\":[\"RUTGERS-BANLIST\",\"CPS-ILLUMINATE\"]}<\/pre>\n
Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6,5,7],"tags":[],"class_list":["post-190","post","type-post","status-publish","format-standard","hentry","category-ids","category-security","category-zeek"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/posts\/190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=190"}],"version-history":[{"count":0,"href":"https:\/\/secognition.com\/index.php?rest_route=\/wp\/v2\/posts\/190\/revisions"}],"wp:attachment":[{"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=190"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secognition.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}