Zeek - Using some intelligence

Hi !

It’s time to talk about the Zeek tool again. I’m not going to go into the details of what it is and what it lets you do, because there are sites that explain that much better than I could:

https://corelight.com/

https://zeek.org/

Instead, I’ll show you how to use it with the Intelligence Framework. Here is what the documentation (https://docs.zeek.org/en/master/frameworks/intel.html) says about it:

=> “The goals of Zeek’s Intelligence Framework are to consume intelligence data, make it available for matching, and provide infrastructure to improve performance and memory utilization”

=> “Data in the Intelligence Framework is an atomic piece of intelligence such as an IP address or an e-mail address. This atomic data will be packed with metadata such as a freeform source field, a freeform descriptive field, and a URL which might lead to more information about the specific item. The metadata in the default scripts has been deliberately kept to a minimum.”

So we need data sources. Here I want to point to a company that does a great job of providing the community with a whole lot of feeds for Zeek: “Critical Path Security” (https://www.criticalpathsecurity.com).

They maintain a GitHub repository with a whole bunch of feeds (https://github.com/CriticalPathSecurity/Zeek-Intelligence-Feeds). The repository’s README gives instructions for loading the feeds it offers into your favorite instance of Zeek.

Here is an example of the “intel.log” file Zeek generates once the feeds are loaded:

intel.log:

#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   intel
#open   2023-03-21-17-01-01
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       seen.indicator  seen.indicator_type     seen.where      seen.node       matched sources fuid    file_mime_type  file_desc       cif.tags        cif.confidence  cif.source      cif.description cif.firstseen   cif.lastseen
#types  time    string  addr    port    addr    port    string  enum    enum    string  set[enum]       set[string]     string  string  string  string  double  string  string  string  string
1679436060.721256       Ck6NEz2PxoLFiXCpE5      193.142.146.35  50676   a.b.c.d 80      193.142.146.35  Intel::ADDR     Conn::IN_ORIG   zeek    Intel::ADDR     CPS-ILLUMINATE  -       -       -       -       -       -       -       -       -
1679436062.101794       Caqh0F2DZ8Ub0OYm4i      68.x.y.x    60812   a.b.c.d 443     68.x.y.x    Intel::ADDR     Conn::IN_ORIG   zeek    Intel::ADDR     BINARY-DEFENSE-SYSTEMS  -       -       -       -       -       -       -       -       -
1679436092.589164       CXCWAm2PaXPDTNuas9      152.x.y.x   46758   a.b.c.d 80      152.x.y.x   Intel::ADDR     Conn::IN_ORIG   zeek    Intel::ADDR     BINARY-DEFENSE-SYSTEMS,CPS-ILLUMINATE   -       -       -       -       -       -       -       -       -
1679436169.025817       CahUUy2slpR9VhgU97      193.x.y.x   57355   a.b.c.d 80      193.x.y.x  Intel::ADDR     Conn::IN_ORIG   zeek    Intel::ADDR     CPS-ILLUMINATE  -       -       -       -       -       -       -       -       -
1679439772.289378       C7gDxlYaHH6GOq1v4       185.x.y.z 20109   a.b.c.d 443      185.x.y.z Intel::ADDR     Conn::IN_ORIG   zeek    Intel::ADDR     BINARY-DEFENSE-SYSTEMS,CPS-ILLUMINATE   -       -       -       -       -       -       -       -       -
1679439783.450085       CgCDc4LeonNUMkDVh       220.x.y.z  46448   a.b.c.d 22      220.x.y.z  Intel::ADDR     Conn::IN_ORIG   zeek    Intel::ADDR     RUTGERS-BANLIST -       -       -       -       -       -       -       -       -
1679439788.986034       CAVOLz2b6r1Zqk5Ex1      88.x.y.z  39010   a.b.c.d 22      88.x.y.z  Intel::ADDR     Conn::IN_ORIG   zeek    Intel::ADDR     RUTGERS-BANLIST -       -       -       -       -       -       -       -       -
1679439860.179770       Ccy2K333bzwi8Dbcef      167.x.y.z  36102   a.b.c.d 22      167.x.y.z   Intel::ADDR     Conn::IN_ORIG   zeek    Intel::ADDR     RUTGERS-BANLIST -       -       -       -       -       -       -       -       -

Let’s take a look at the last line.

The IP address “167.x.y.z” tried to connect to IP address “a.b.c.d” on port 22. At this point we don’t know anything about the outcome of that connection:

  • Did it succeed?
  • Did it fail?

We have to dig a little further. For this, let’s take the connection identifier, the uid (the second field of the line): “Ccy2K333bzwi8Dbcef”. Zeek stamps every log entry belonging to that connection with the same uid, so it is the key for pivoting from intel.log into conn.log and the protocol logs.

Let’s go to the directory holding the Zeek logs for that day (the “#open” header above gives the date).

$ cd /var/log/zeek/2023-03-21

Let’s search for that uid in the compressed conn logs:

$ zgrep Ccy2K333bzwi8Dbcef conn*.*
conn.18:00:00-19:00:00.log.gz:1679439860.179575 Ccy2K333bzwi8Dbcef      167.x.y.z    36102   a.b.c.d 22      tcp     ssh     1.345465        1250       1369    SF      F       T       0       ShADdaFf        14      1986    10      1901    -       DE      HE      Frankfurt am Main       50.1188 8.6843     US      -       -       37.751  -97.822

We can observe that the source IP address (167.x.y.z) completed a TCP connection to the “SSH” port. How do we see that?

Let’s check the connection state: the “conn_state” column (the twelfth field of the line) is “SF”, which the documentation describes as “Normal establishment and termination”. The “history” column (ShADdaFf) tells the same story: SYN from the originator (S), SYN-ACK from the responder (h), ACK (A), payload in both directions (D, d) and a FIN from each side (F, f); upper-case letters are the originator, lower-case the responder. For the full list of states and history letters, refer to: (https://docs.zeek.org/en/master/scripts/base/protocols/conn/main.zeek.html)

Note what “SF” does and does not say. The TCP session was set up and closed cleanly, and the orig_bytes/resp_bytes columns (1250 and 1369) show that data flowed both ways, but nothing here tells us whether anyone actually logged in over SSH. For that, grep the same uid in ssh.log and look at its auth_success and auth_attempts columns.

We can therefore say that an IP address listed on a blocklist established a full TCP connection to the SSH port of one of our hosts, and the next step is to find out what it did during that connection.

That is a brief overview of what Zeek can do when used together with the Intelligence Framework.

Cheers