
Having full packet captures of a device or an entire network can be extremely useful. It is also a lot of data to go through and process manually. Zeek can help to simplify network traffic analysis. It can also help save a lot of storage space.

I'll be going through and processing some PCAP data collected from my honeypot. First, we need to install a couple of tools to process the PCAP data. I started with a fully updated Ubuntu 22.04.1 LTS desktop.

The steps to get our Zeek data from raw PCAPs will be:

The PCAPs being collected on my PCAP honeypot are often interrupted due to daily scheduled restarts of the honeypot. These interruptions can cause the PCAPs to have file formatting issues, which show up as errors such as:

"The capture file appears to have been cut short in the middle of a packet" (Wireshark).
"line 1: unrecognized character" (Zeek).

Figure 1: Example Wireshark error with PCAP file that has missing data

Figure 2: Example Zeek processing error with PCAP file that has missing data

A useful utility to repair PCAP files is pcapfix. Once installed, it's easy to run the pcapfix utility against all of the PCAP files in the current directory:

find *.pcap -exec pcapfix '{}' \;

Figure 9: Results of UID and method searching for matching method text

One of the nice things about Zeek is that it also generates a 'uid' that can be used to correlate different data in the various log files. Using this 'uid', we can see if there are any other references to this network traffic.

Figure 10: Results from searching for specific uid within all Zeek log files

From the results we see the different log files the specific uid was seen in. This also highlights that the 'weird.log' file can be a good place to look for activity of interest. Some of these strings also appear base64 encoded, and CyberChef helps us decode them.

Figure 11: Base64 decoded data from HTTP method
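The uid correlation across log files and the base64 decoding of HTTP method strings described above, as an added Python example (not code from the diary): it parses Zeek's tab-separated logs from their #fields header, reports every log a uid appears in, and decodes base64-looking method values. The sample logs are constructed, not honeypot data, and load_logs() is an assumed helper for reading a real Zeek output directory.

```python
import base64
import glob
import os
import re

# Constructed sample Zeek logs (TSV with the #fields header Zeek writes); not real captures.
SAMPLE_LOGS = {
    "conn.log": "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tproto\n"
                "1700000000.1\tCabc123\t10.0.0.5\t10.0.0.9\t80\ttcp\n"
                "1700000001.2\tCdef456\t10.0.0.6\t10.0.0.9\t80\ttcp\n",
    "http.log": "#fields\tts\tuid\tid.orig_h\tmethod\turi\n"
                "1700000000.1\tCabc123\t10.0.0.5\tR0VUIC9hZG1pbiBIVFRQLzEuMQ==\t/\n"
                "1700000001.2\tCdef456\t10.0.0.6\tGET\t/index.html\n",
    "weird.log": "#fields\tts\tuid\tname\tnotice\n"
                 "1700000000.1\tCabc123\tunknown_HTTP_method\tF\n",
}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")  # long enough to be worth decoding


def load_logs(directory):
    """Read every *.log in a Zeek output directory into {name: text} (assumed helper)."""
    return {os.path.basename(p): open(p, encoding="utf-8").read()
            for p in glob.glob(os.path.join(directory, "*.log"))}


def parse_zeek_log(text):
    """Turn a Zeek TSV log into a list of dicts keyed by its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_uid(logs, uid):
    """Return {log name: matching rows} for every log file the uid was seen in."""
    hits = {}
    for name, text in logs.items():
        rows = [r for r in parse_zeek_log(text) if r.get("uid") == uid]
        if rows:
            hits[name] = rows
    return hits


def decode_if_base64(value):
    """Decode a base64-looking field to text; None if it is not clean base64/UTF-8."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8") if B64_RE.match(value) else None
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
```

Running find_uid(SAMPLE_LOGS, "Cabc123") lists conn.log, http.log and weird.log, and decode_if_base64 on that session's method field recovers the request line that weird.log flagged as an unknown HTTP method.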
