written in C++ and Spicy
What is Spicy in Zeek?
In Zeek, a network security monitoring tool, Spicy is a newer framework for parsing network protocols. It provides a more flexible and efficient way to define and implement protocol analyzers than hand-written C++.
# docker pull zeek/training:intro23
# docker run -it --privileged zeek/training:intro23
# --privileged: allows the container to sniff packets from the host machine.
cd /zeek/training-res/
zeek/bin
- zeek-cut
- zeek
- zkg
- zeekctl
zeek-cut is a command-line utility that formats Zeek logs into a more readable form by cutting the fields of interest out of the logs.
zeek, formerly known as Bro, is an open-source software framework for analyzing network traffic that is most commonly used in network security applications.
zkg is the Zeek package manager (like apt-get or brew).
zeekctl is a command-line tool used to control and manage the operation of the Zeek network security monitor.
zeek/etc
- networks.cfg
- node.cfg
- zeekctl.cfg
networks.cfg holds the user-defined local networks: the address ranges Zeek should treat as "local".
node.cfg tells Zeek about the cluster by defining the manager, proxy, worker and logger nodes.
workers have an interface.
manager and proxy don't have an interface because they don't sniff packets.
zeekctl.cfg contains the settings that control how the Zeek system (zeekctl) operates.
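The two cluster files described above, as an added example that is not taken from the training image: a minimal single-host layout for node.cfg, followed by a networks.cfg. The hostnames, the interface name and the CIDR ranges are assumptions; note that only the worker carries an interface= line, since the manager and proxy never sniff packets.

```ini
# /zeek/etc/node.cfg (example layout; hostnames and interface are assumptions)
[manager]
type=manager
host=localhost

[logger]
type=logger
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=eth0

# /zeek/etc/networks.cfg (example; one CIDR per line, optional description)
# These ranges populate Site::local_nets, so traffic to or from them is
# classified as local in the logs and notices.
10.0.0.0/8          Private IP space
192.168.125.0/24    Training lab network
```

After editing either file, run zeekctl deploy (check, install, restart) so the running cluster picks up the new layout.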
zeek/logs
location for all logs in cluster mode.
- current: the currently active logs
- YYYY-MM-DD: archived logs, one directory per day
zeek/spool
The directory where Zeek stores temporary runtime data and logs.
It holds all the active logs.
zeek/share
It contains all the Zeek scripts and policies:
- policy
  - protocols
- base
  - protocols: many (each has a main.zeek, which is what you have to look at)
- site
  This is the only directory that is not updated or overwritten when you update Zeek to a new version; all other folders are replaced by the newer version.
local.zeek
This shows all the enabled scripts and options (comment lines filtered out):
grep -v '^#' local.zeek | less
Run through the CLI
zeek -r capture.pcap
# -C: do not run checksum checks (ignore invalid checksums, e.g. from offloading in the capture).
zeek -C -r capture.pcap
zeek -r capture.pcap my-script.zeek
zeek -r capture.pcap local
zeek -r capture.pcap local -e 'redef Site::local_nets += { 192.168.125.0/24 };'
zeek -r modbus.pcap protocols/modbus/track-memmap.zeek
try.zeek.org
try Zeek in the browser.
Find all the scripts that come with Zeek:
cd /zeek/share
# find . -name '*.zeek' | less
Writing passwords in cleartext
- Zeek scripts have an export section.
- Redefinable variables (options) live there.
- main.zeek is the best place to start looking.
# less /zeek/share/zeek/base/protocols/http/main.zeek
export {
    # This setting changes if passwords used in
    # Basic-Auth are captured or not.
    option default_capture_password = F;
}
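As an added example (not from these notes or the Zeek distribution), a site script for zeek/share/zeek/site/ that leaves the option above at its default, so http.log never stores the password itself, but raises a notice whenever Basic-Auth credentials are observed on plaintext HTTP. The module name and the notice type are my own; HTTP::default_capture_password, the http_header event, c$http$username and the Notice framework are Zeek's.

```zeek
# Example site script (added here, not part of the training material).
# Goal: know when credentials cross the wire in cleartext without writing
# the credential into the logs.
@load base/protocols/http
@load base/frameworks/notice

module CleartextAuth;

export {
    redef enum Notice::Type += {
        ## A Basic-Auth Authorization header was sent over plaintext HTTP.
        Basic_Auth_In_Cleartext,
    };
}

# Keep the base/protocols/http default: captured passwords are NOT written
# to http.log. Setting this to T means the log itself holds credentials.
redef HTTP::default_capture_password = F;

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Only client-to-server requests carry the Authorization header.
    if ( ! is_orig )
        return;

    # Zeek upper-cases header names before raising http_header.
    if ( name != "AUTHORIZATION" )
        return;

    # Only the Basic scheme transmits the password in reversible form.
    if ( /^[Bb][Aa][Ss][Ii][Cc] / !in value )
        return;

    # The HTTP analyzer already parsed the user name into c$http$username;
    # the password is deliberately not included in the notice message.
    local who = ( c?$http && c$http?$username ) ? c$http$username : "<unknown>";

    NOTICE([$note=Basic_Auth_In_Cleartext,
            $conn=c,
            $msg=fmt("HTTP Basic-Auth credentials for user '%s' sent in cleartext to %s",
                     who, c$id$resp_h),
            # One notice per client/server pair within the suppression window.
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
}
```

Load it from local.zeek with @load ./cleartext-auth (assuming the file is saved as site/cleartext-auth.zeek), or test it offline with zeek -r capture.pcap local and inspect notice.log.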