More packet fu with zeek

Published: 2022-02-17
Last Updated: 2022-02-17 15:52:53 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
0 comment(s)

Packet-fu with Zeek is fun! Let's continue my previous diary, Some packet-fu with Zeek (previously known as bro), with another use case: IP geolocation of the originator of every new connection inside a packet capture.

Prerequisites

You need Zeek built with GeoIP (libmaxminddb) support and a MaxMind database (.mmdb) in a location Zeek searches, or in the directory set by the mmdb_dir option. Use the City database if you want region and city; the Country database only fills in the country code.

A quick way to test the setup is:

    zeek -e "print lookup_location(8.8.8.8);"

lookup_location returns a geo_location record. If the command prints an error instead (for example because Zeek cannot find the database), you have to review your configuration. If it prints a populated geo_location record for 8.8.8.8, you can continue.

Events that will be used

  • new_connection: This event is raised every time a new connection is detected (before any payload has been seen, so only the 5-tuple is available).
  • zeek_done: This event is raised when Zeek shuts down, which for a packet capture is when the input is exhausted.

Code

The following code implements the use case described:

# One row per new connection: the originator address and its GeoIP lookup result.
type locationrecord: record {
	source: addr;
	fulllocation: geo_location;
};

# Rows indexed by a running counter. Iterating a table does not guarantee key
# order, so the output file is not necessarily in capture order.
global sites: table[count] of locationrecord;
global index: count = 1;

event new_connection(c: connection)
	{
	# All geo_location fields are &optional: private or unknown addresses
	# simply come back with nothing set.
	sites[index] = locationrecord($source=c$id$orig_h,
	                              $fulllocation=lookup_location(c$id$orig_h));
	++index;
	}

event zeek_done()
	{
	local locationlog = open("location.log");
	for ( n in sites )
		{
		local loc = sites[n]$fulllocation;
		local country = loc?$country_code ? loc$country_code : "<unknown>";
		local region = loc?$region ? loc$region : "<unknown>";
		local city = loc?$city ? loc$city : "<unknown>";
		print locationlog, fmt("%s %s %s %s", sites[n]$source, country, region, city);
		}
	close(locationlog);
	}

Let's review some interesting aspects on the code:

  • We need to keep the location information of the originator of every new connection until the end of the capture. That's why we define the locationrecord type (an address seen in several connections is stored once per connection).
  • The information gathered in the new_connection event is stored in the sites table, keyed by a running counter.
  • The zeek_done event walks the table and writes one line per connection (originator address, country code, region, city) to the text file location.log, printing <unknown> for any field the database did not return.
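The script above buffers everything in a table and dumps it at the end. As an added example (my own code, not part of the original diary), the same use case written against Zeek's logging framework: each originator address is geolocated once, rows are written in arrival order as they are seen, and the output is a regular tab-separated Zeek log that zeek-cut can read. The module name GeoConn, the log path "geoconn" and the skip_private option are names chosen here; Log::create_stream, Log::write, lookup_location and Site::is_private_addr are standard Zeek.

```zeek
# Added example (not from the diary): geolocate each originator once and write
# the result as a Zeek log stream. Assumptions: the module name GeoConn, the
# log path "geoconn" and the skip_private option are invented here; the rest
# is the standard Zeek logging framework.
module GeoConn;

export {
	redef enum Log::ID += { LOG };

	## One row per distinct originator address.
	type Info: record {
		ts:           time   &log;   # start time of the first connection seen from orig_h
		uid:          string &log;   # uid of that connection, to pivot into conn.log
		orig_h:       addr   &log;
		country_code: string &log &optional;
		region:       string &log &optional;
		city:         string &log &optional;
	};

	## Skip RFC1918/loopback originators, for which GeoIP has no data.
	const skip_private = T &redef;
}

# Originators already written, so each address is looked up and logged once.
global seen: set[addr];

event zeek_init()
	{
	Log::create_stream(GeoConn::LOG, [$columns=Info, $path="geoconn"]);
	}

event new_connection(c: connection)
	{
	local orig = c$id$orig_h;

	if ( orig in seen )
		return;
	if ( skip_private && Site::is_private_addr(orig) )
		return;
	add seen[orig];

	local loc = lookup_location(orig);
	local rec = Info($ts=c$start_time, $uid=c$uid, $orig_h=orig);

	# All geo_location fields are &optional; copy only what the database returned,
	# leaving the column empty (a "-" in the log) otherwise.
	if ( loc?$country_code )
		rec$country_code = loc$country_code;
	if ( loc?$region )
		rec$region = loc$region;
	if ( loc?$city )
		rec$city = loc$city;

	Log::write(GeoConn::LOG, rec);
	}
```

Run it with zeek -r capture.pcap geoconn.zeek and read geoconn.log (for example cat geoconn.log | zeek-cut orig_h country_code region city). Because rows are written as connections arrive, there is no end-of-run pass and no unordered table walk; the uid column lets you join each address back to its conn.log entry. On a live sensor the seen set grows without bound, so give it a &create_expire or reset it periodically.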

Let's see a snippet of the script's output (one line per connection: originator address, country code, region and city):

Do you have any other interesting use cases for zeek? Let us know through our contact form.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

