
Mar 16, 2025 - 23:00
have fun with Zeek

What a wonderful tool zeek is!

This is the thought I had after realising the versatility and potential of the instrument.

It is a network security monitoring tool, and I needed it to perform a task. Its extensibility through the installation of protocol recognition packages is what impressed me the most, but let's take two steps back and start from the beginning.

I am using Zeek on my Raspberry Pi (Ubuntu), connected to a switch port (configured in monitor mode), with Zeek analysing and cataloguing the traffic and a Universal Forwarder to make my life easier for post-capture data analysis.

Once the traffic capture begins, the captured packets are sent to an event engine which transforms the flow of packets into a series of events representing network activity in a natural form. For example, an HTTP event is converted into its equivalent so that we know the IP addresses involved, the HTTP version used and the URI requested. Likewise an SSH event contains the authentication, the IPs involved and the status. All of this extraction and conversion is done by scripts already included in Zeek, which allow a lot of information to be obtained with just the base installation of the tool. Everything is carefully placed in .log files for reading.

Are all types of protocols recognised?

The answer is yes, but only if we install the appropriate plugins, which I will explain in detail in another post.

I had to perform a discovery assessment to compile a list of everything on that network segment.

Knowing the domain context (a small company, specifically a small 3D printing company), I could have made a list by hand and then checked Zeek's results against my list.

But that was no fun!!!

So what I did was ask them to mirror a port and then start Zeek.
Zeek records every connection it sees, and therefore every IP address involved, primarily in a file called conn.log, located in the logs/current/ directory.

Main Log: conn.log
This file records all observed network connections, including:

- Source IP (id.orig_h)
- Destination IP (id.resp_h)
- Ports, protocol, connection duration, and data transferred

| ts | uid | id.orig_h | id.resp_h | proto | service |
| --- | --- | --- | --- | --- | --- |
| 1693401923.01 | C5mAqR1T7kl | 192.168.1.10 | 8.8.8 | udp | dns |

This provides a full list of observed IPs in Zeek's network monitoring.

From there, knowing the context and recognising some of the services, I was able to do some research and install exactly the modules I needed (Zeek packages). One of these was ICSNPP-Modbus. On a second pass I completed the list and, checking the parameters, got a good 90% coverage.
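As an added example (not part of the original post), here is a small Python script that reads a conn.log in Zeek's default TSV format, builds the host inventory described above from the id.resp_h / id.resp_p / proto / service columns, and reports which responder ports Zeek saw traffic to but could not label with a service, which is exactly where a protocol package such as ICSNPP-Modbus closes the gap. The sample log is constructed, and the function names parse_zeek_log, build_inventory, unrecognised and coverage are mine.

```python
import io
from collections import defaultdict
# Constructed sample conn.log (not a real capture) in Zeek's default TSV layout:
# '#'-lines are headers, '#fields' names the columns, '-' marks an unset field.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\n"
    "1693401923.01\tC5mAqR1T7kl\t192.168.1.10\t51234\t192.168.1.1\t53\tudp\tdns\t0.02\n"
    "1693401924.55\tCx3bLo2Yk9a\t192.168.1.10\t44100\t192.168.1.50\t502\ttcp\t-\t12.4\n"
    "1693401930.00\tCq9pZ1Rv7mE\t192.168.1.20\t50001\t192.168.1.50\t502\ttcp\tmodbus\t3.1\n"
    "1693401931.20\tCw2kHs8Tq4d\t192.168.1.20\t50002\t192.168.1.60\t102\ttcp\t-\t0.9\n"
    "#close\t2023-08-30-15-00-00\n"
)

def parse_zeek_log(text):
    """Parse a Zeek TSV log into a list of dicts keyed by the '#fields' names."""
    fields, rows = [], []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header/footer lines carry no connection data
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def build_inventory(rows):
    """Map each responder IP to its (port, proto) pairs and the service Zeek labelled;
    None means no analyzer recognised the protocol on any connection to that port."""
    inventory = defaultdict(dict)
    for r in rows:
        ports = inventory[r["id.resp_h"]]
        key = (int(r["id.resp_p"]), r["proto"])
        service = None if r["service"] == "-" else r["service"]
        ports[key] = ports.get(key) or service  # keep a label once any flow yields one
    return dict(inventory)

def unrecognised(inventory):
    """(ip, port, proto) Zeek saw traffic to but could not name: where a package may help."""
    return sorted((ip, p, proto) for ip, ports in inventory.items()
                  for (p, proto), svc in ports.items() if svc is None)

def coverage(inventory):
    """Share of observed responder ports that carry a service label."""
    labels = [svc for ports in inventory.values() for svc in ports.values()]
    return sum(1 for s in labels if s) / len(labels) if labels else 0.0

if __name__ == "__main__":
    inv = build_inventory(parse_zeek_log(SAMPLE_CONN_LOG))
    print(inv, unrecognised(inv), "coverage: %.0f%%" % (100 * coverage(inv)))
```

In the sample, port 502/tcp on 192.168.1.50 is unlabelled on one flow and labelled modbus on another (the situation before and after the package), so it counts as covered, while 102/tcp on 192.168.1.60 remains a gap to investigate.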

What did I learn from this experience?

Definitely a new tool to study in depth. A little more about the world of PLCs.
The architecture of Zeek itself.

How can you experiment?

If you are in a position to monitor a network legally, you can try anything for as long as you want: since the monitoring is passive, you do not risk doing damage or crashing the network.

Otherwise, if you do not have the possibility of a small infrastructure at home, you can always analyze pcap files!!

Small Example:

Take a pcap of your interest; I recommend this list:
ICS-pcap

run the command:

**zeek -r **

and at the end of the procedure you will have your files with the data.

How to analyze files more comfortably?

I use Splunk; it lets me gather all the files under one index and run SPL queries to facilitate the analysis.

Some tips

- Perform a diagnosis with zeekctl check
- When installing modules, never skip the tests
- Do not install zkg as an external module with apt, but use the one under the --/zeek/bin folder
- Contact me if you have errors.
- Arm yourself with patience and keep in mind the infrastructure on which you are running Zeek