Using the tool

Zeek, formerly known as Bro, is a high-level packet analysis program. Development began in the 1990s, so it has a long history. It does not directly intercept or modify traffic; rather, it passively observes it and produces high-level network logs. It can be used in conjunction with a SIEM for quick analysis. It can operate in real time to create logs of a currently active system, or as a post-mortem analysis tool for a packet capture. This tool can also operate with

Creating a script

While Zeek does have some good documentation online, it is definitely lacking in tutorial-based content for beginners. This is especially true for anyone who wants to try their hand at using the Zeek scripting language to create a custom plugin. A simplified understanding of what a signature-detection-based Zeek plugin has to do is:
CVE-2019-19781 signatures

Between the patterns defined in this YARA rule and the US-CERT alert, a pattern can be constructed. In this case, the following regex patterns will be used to match malicious URIs:
Importing necessary protocols and defining the module

Here we define the module as

Defining log file

To define the log file there needs to be a log identifier, in this case a
Defining notice type

Zeek allows plugins to define a different Notice type that can be used when generating emails. There are a lot of pre-defined notices that can be used, and they are indexed here.

Defining signatures

Zeek provides a pattern type that can be used to quickly define multiple regex patterns. The language also has some pattern-specific operations such as
Initializing Zeek

When initializing Zeek there are a few different methods of recording events. In this case a dedicated log file was chosen. To create this log stream based on the log specifications
Creating an event listener

The netscalard exploit uses a
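The steps above (module, log stream, notice type, pattern, zeek_init, event handler) assembled into one script, as an added example that is not the original post's code. The URI patterns are placeholders, since the post's own regexes are not reproduced here; the module, notice and log names are assumptions.

```zeek
# Added example, not the post's script. Substitute the advisory/YARA-derived
# URI patterns for the PLACEHOLDER patterns before use.
@load base/protocols/http
@load base/frameworks/notice

module CVE_2019_19781;

export {
    # Log identifier for the dedicated log stream (written as cve_2019_19781.log)
    redef enum Log::ID += { LOG };

    # Custom notice type raised when a signature matches
    redef enum Notice::Type += { Exploit_Attempt };

    # Columns written to the log for every matching request
    type Info: record {
        ts:     time    &log;
        uid:    string  &log;
        id:     conn_id &log;
        method: string  &log;
        uri:    string  &log;
    };

    # PLACEHOLDER patterns: replace with the real malicious-URI regexes.
    # Zeek lets several pattern constants be joined with | into one signature.
    const malicious_uris: pattern = /\/PLACEHOLDER_PATH_A\// | /\/PLACEHOLDER_PATH_B\// &redef;
}

event zeek_init()
    {
    # Create the dedicated log stream using Info as its column layout
    Log::create_stream(LOG, [$columns=Info, $path="cve_2019_19781"]);
    }

# Fires once per HTTP request line; the unescaped URI is matched so that
# URL-encoded variants of the same path are still caught.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( malicious_uris !in unescaped_URI )
        return;

    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
                       $method=method, $uri=unescaped_URI];
    Log::write(LOG, rec);

    # Raise the notice; identifier + suppress_for de-duplicates repeated hits
    NOTICE([$note=Exploit_Attempt,
            $msg=fmt("CVE-2019-19781 signature matched: %s %s", method, unescaped_URI),
            $conn=c,
            $identifier=cat(c$id$orig_h, unescaped_URI),
            $suppress_for=10min]);
    }
```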
Output

After running this script against the local interface for testing with the following command:

There are some log files generated. Once a malicious packet has been detected, in this case triggered from a curl command, a new
Using this plugin, post-mortem analysis can also be performed. An example command for this is shown below:
Author: Red Cursor