Exercise 1<\/strong><\/p>\n\n\n\n Run Zeek in readback mode using http.pcap to become familiar with the logs it generates. Begin by instructing Zeek to read the http.pcap file and produce logs:<\/strong><\/p>\n\n\n\n This generates several log files:<\/p>\n\n\n\n We can see that Zeek has created five log files as a result of parsing the packet capture file. Let’s examine these.<\/p>\n\n\n\n Look at the contents of conn.log, which records the different connections observed:<\/p>\n\n\n\n You see a couple of lines of comments, including the field names followed by the field types. These lines define the structure of Zeek logs. Every log file that Zeek produces will be similarly headed, which defines the field names and types for that file\u2019s contents in this instance.<\/p>\n\n\n\n It is difficult to tell the wrapped text, so we will use the zeek-cut command to present the output in a more coherent format. This command reads and formats log file output into a tabular format and should output Zeek-cut using a pipeline.<\/p>\n\n\n\n Let’s first look at the help for zeek-cut:<\/p>\n\n\n\n It’s time to put this tool to use. When we use it in our first run, we will supply several arguments to zeek-cut to modify the output:<\/p>\n\n\n\n -u option to print the time as a UTC timestamp. The raw output of time is in seconds and fractions of seconds since the UNIX epoch isn’t very human-friendly.<\/p>\n\n\n\n The ts argument indicates that we wish to see the ts field, which contains the time value.<\/p>\n\n\n\n The uid argument indicates that we wish to see the uniquely generated ID for this connection.<\/p>\n\n\n\n The id.orig_h argument indicates that we wish to see the IP address of the host that originated the connection.<\/p>\n\n\n\n The id.orig_p argument indicates that we wish to see the port number used by the host that originated the connection.<\/p>\n\n\n\n The id.resp_h argument indicates that we wish to see the IP address of the responding host in the connection.<\/p>\n\n\n\n The id.resp_p argument indicates that we wish to see the port number used by the host that responded in the connection.<\/p>\n\n\n\n The orig_bytes argument indicates that we wish to see the number of bytes sent by the originating host.<\/p>\n\n\n\n The resp_bytes argument indicates that we wish to see the number of bytes sent by the responding host.<\/p>\n\n\n\n Let’s put this all together to look at the connection log again:<\/p>\n\n\n\n This provides a much easier to read output than simply using the cat tool on the log file!<\/p>\n\n\n\n Next, see if you can figure out how to use the zeek-cut command to display the following fields:<\/p>\n\n\n\n How many packets were sent and received in the connection where the source port is 36499?<\/p>\n\n\n\n 35 packets were sent and 34 packets were received in the connection where the source port is 36499.<\/p>\n\n\n\n Next, try to use zeek-cut to display the source IP, source port, destination IP, destination port, and the name of the server in the only connection in ssl.log. What is the name of the server used?<\/p>\n\n\n\n The name of the server was www.google.com<\/p>\n\n\n\n The files.log contains data about any file Zeek finds in any connection for which it has an appropriate protocol analyzer that exposes files. This means that it doesn\u2019t matter if the file was sent over HTTP, FTP, TFTP, or any other supported protocol that has the notion of a file; a record of that file transfer will appear in the files.log.<\/p>\n\n\n\n Use zeek-cut to display the file id (fuid), the source host, the destination host, and the connection id. Unlike the uid value, the fuid value remains the same for every run.<\/p>\n\n\n\n There is a single files.log record. You can discover the connections found in other logs with related protocol information (where that protocol understands files) by issuing a grep command for the unique fuid value<\/p>\n\n\n\n In what other Zeek log was the same file seen?<\/p>\n\n\n\n It was seen in the http.log file.<\/p>\n\n\n\n Now search for the connection id found in files.log to discover all the logs that contain information about this connection. <\/p>\n\n\n\n In which logs, other than files.log, was the same connection observed?<\/p>\n\n\n\n The connection ID was found in:<\/p>\n\n\n\n conn.log and http.log<\/p>\n\n\n\n This is helpful when you would like to find related activity for a given connection.<\/p>\n\n\n\n Extracting the file contents of the files referenced in files.log is very easy in Zeek. This can be very useful if you suspect some malware has been downloaded and you want to analyze the suspect file.<\/p>\n\n\n\n A Zeek script has been provided that will extract all of the files in a packet capture automatically. This file is in \/sec503\/Exercises\/Day4\/zeek\/zeek-run\/file-extract.zeek.<\/p>\n\n\n\n Use the Zeek script file-extract.zeek to extract the file:<\/p>\n\n\n\n A directory named extract_files is created in your current working directory. Change into that directory. You will find a single file within. When using this script, each extracted file has a name that begins with \u2018extract\u2019, followed by the raw timestamp:<\/p>\n\n\n\n Examine the contents of the file. What standard web server return code message does the www.google.com<\/a> server return to the sender?<\/p>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-1.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-2-1024x222.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-3.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-4-1024x72.png\")
<\/figure>\n\n\n\n\n
![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-5.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-6-1024x41.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-7.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-8-1024x111.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-9-1024x107.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-10.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-11.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-12-1024x134.png\")
<\/figure>\n\n\n\n
![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-13.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-14.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-15.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-16.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-17.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-18.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-19-1024x41.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/epbrtcybersecurityportfolio.xyz\/wp-content\/uploads\/2025\/07\/image-20.png\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"