

Zeek (previously called bro) is a useful tool that enables high-level PCAP analysis at the application layer. While Wireshark is still my number one tool for packet capture analysis, Zeek was a great find for me. Zeek is very suitable for performing automated analysis and for quickly zeroing in on information. This post provides a quick introduction to Zeek and its capabilities. We will be using a sample PCAP in this post.

Zeek produces log files pertaining to the various types of information contained in the PCAP. To generate these log files, feed the PCAP to Zeek:

    zeek -r <path-to-pcap>

The -r option specifies offline PCAP file analysis whereas -w specifies live network capture. Depending on the size of the PCAP, this could take a while. When done, Zeek creates a set of log files (depending on the type of traffic discovered), such as conn.log and dns.log. The format within these log files is self-explanatory, with column names being indicative of the information contained within the columns. Columns are tab-separated and are described in the Zeek log documentation.

zeek-cut is a useful utility that ships with Zeek and provides the ability to extract desired information contained within the Zeek *.log files. I usually use zeek-cut together with grep and awk, and/or to export data in CSV format. Some examples:

    cat conn.log | zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p > temp.txt
    ... | zeek-cut -u ts method host uri | awk '...'

Analyzing information in Zeek log files using ZAT

An alternative to manually converting Zeek log files to CSV format using zeek-cut, mentioned above, is the Zeek Analysis Tools (ZAT) package. ZAT can help automate the process of taking the Zeek log files and turning them into Pandas dataframes. I would advise that some familiarity with Pandas is needed, but after learning the basics of Pandas dataframe manipulation, gleaning information from the log files becomes trivial. To begin, let's load up the zat module and read a Zeek log file into a dataframe:

    import pandas as pd
    from zat.log_to_dataframe import LogToDataFrame

    pd.set_option('display.max_columns', None)
    log_to_df = LogToDataFrame()
    zeek_df = log_to_df.create_dataframe('dns.log')

Since the information is now contained in a convenient dataframe, we can write queries to better understand the logs.

There is also a tool that relies on pyOD to detect outliers in multivariate data within the conn.log file. However, the tool is not well-documented yet and, in my opinion, it's better to write our own scripts to run anomaly detection models on Zeek logs for better control and comprehension of the process and results.
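In the spirit of writing our own, inspectable anomaly detection over Zeek logs, here is an added example (not code from the original post, ZAT or pyOD): it parses the conn.log TSV layout directly from the `#fields` header and scores each connection's total byte volume with a median/MAD outlier test. The sample log, uids and addresses are constructed for the example.

```python
"""Flag outlier connections in a Zeek conn.log with a transparent median/MAD score (stdlib only)."""
import math
import statistics

# Constructed sample in Zeek's default TSV layout (not a real capture). '-' marks an unset field.
_HEADER = ("#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n"
           "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\tconn_state\n"
           "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount\tstring\n")
_ROWS = [
    (1.0, "C1", "192.0.2.5", 51000, "198.51.100.10", 443, "tcp", 1200, 5400, "SF"),
    (2.0, "C2", "192.0.2.5", 51001, "198.51.100.11", 443, "tcp", 800, 3200, "SF"),
    (3.0, "C3", "192.0.2.6", 51002, "198.51.100.12", 80, "tcp", 100, 300, "SF"),
    (4.0, "C4", "192.0.2.6", 51003, "198.51.100.13", 443, "tcp", 1500, 9000, "SF"),
    (5.0, "C5", "192.0.2.7", 51004, "192.0.2.1", 53, "udp", 120, 400, "SF"),
    (6.0, "C6", "192.0.2.7", 51005, "198.51.100.14", 443, "tcp", 2000, 8000, "SF"),
    (7.0, "C7", "192.0.2.5", 51006, "198.51.100.15", 443, "tcp", 900, 4100, "SF"),
    (8.0, "C8", "192.0.2.6", 51007, "192.0.2.1", 53, "udp", 90, 250, "SF"),
    (9.0, "C9", "192.0.2.5", 51008, "203.0.113.9", 443, "tcp", 900000000, 2000, "SF"),
    (10.0, "C10", "192.0.2.7", 51009, "198.51.100.16", 443, "tcp", "-", "-", "S0"),
]
SAMPLE_CONN_LOG = _HEADER + "".join("\t".join(map(str, r)) + "\n" for r in _ROWS) + "#close\t-\n"

def parse_zeek_log(text):
    """Return (fields, rows): rows are dicts keyed by the '#fields' header; '-' (unset) becomes None."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#"):  # metadata lines; only '#fields' is needed to name the columns
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
        elif line.strip():
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append({f: (None if v == "-" else v) for f, v in zip(fields, line.split("\t"))})
    return fields, rows

def modified_z_scores(values):
    """Median/MAD based z-score (0.6745 factor); the median is not dragged by the outliers we look for."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1e-9  # avoid division by zero
    return [0.6745 * (v - med) / mad for v in values]

def flag_outlier_connections(log_text, threshold=3.5):
    """Score each connection by log10 of total bytes; return (uid, orig_h, resp_h, score) above threshold."""
    _, rows = parse_zeek_log(log_text)
    rows = [r for r in rows if r["orig_bytes"] is not None and r["resp_bytes"] is not None]
    feature = [math.log10(int(r["orig_bytes"]) + int(r["resp_bytes"]) + 1) for r in rows]
    return [(r["uid"], r["id.orig_h"], r["id.resp_h"], round(s, 2))
            for r, s in zip(rows, modified_z_scores(feature)) if abs(s) > threshold]
```

Connections with unset byte counts (the `S0` row) are skipped rather than scored as zero, and the only flagged row is the 900 MB transfer with a score of about 11.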
