```bash
#Get info about longest connections (add "grep udp" to see only udp traffic)
#The longest connection might be of malware (constant reverse shell?)

cat conn.log | zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p proto service duration | sort -nrk 7 | head -n 10

10.55.100.100   49778   65.52.108.225   443     tcp     -       86222.365445
10.55.100.107   56099   111.221.29.113  443     tcp     -       86220.126151
10.55.100.110   60168   40.77.229.82    443     tcp     -       86160.119664

#Improve the metrics by summing up the total duration time for connections that have the same destination IP and Port.

cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto duration | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2 FS $3 FS $4] += $5 } END{ for (key in arr) printf "%s%s%s\n", key, FS, arr[key] }' | sort -nrk 5 | head -n 10

#Get the number of connections summed up per each line
cat conn.log | zeek-cut id.orig_h id.resp_h duration | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2] += $3; count[$1 FS $2] += 1 } END{ for (key in arr) printf "%s%s%s%s%s\n", key, FS, count[key], FS, arr[key] }' | sort -nrk 4 | head -n 10

#Check if any IP is connecting to a given address (<IP> is a placeholder: fill in the address of interest)
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto service | grep '<IP>' | sort | uniq -c

#Get number of connections per source IP, dest IP and dest Port
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p proto | awk 'BEGIN{ FS="\t" } { arr[$1 FS $2 FS $3 FS $4] += 1 } END{ for (key in arr) printf "%s%s%s\n", key, FS, arr[key] }' | sort -nrk 5 | head -n 10
```
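The duration-summing pipelines above depend on `zeek-cut` and a live conn.log. The following added example, which is not part of the original page, performs the same per-(source, destination, port, proto) aggregation on a constructed conn.log with plain awk: it resolves column positions by name from the `#fields` header line, so it keeps working when a conn.log has a different field order, and it treats the `-` that Zeek writes for an unset duration as zero instead of letting it poison the sum. The addresses, uids and durations in the sample log are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): aggregate a Zeek conn.log by
# (orig_h, resp_h, resp_p, proto) without zeek-cut. Column positions are read
# from the "#fields" header line, so the awk does not depend on field order.
# The conn.log written below is constructed sample data, not a real capture.

# Join arguments with tabs (Zeek's default separator).
row() ( IFS=$(printf '\t'); printf '%s\n' "$*" )

# Write a minimal conn.log to the path in $1: one long TLS session, one short
# one to the same server, one UDP DNS query, and one row whose duration is
# unset ("-"), which Zeek emits for connections that never completed.
write_sample_conn_log() {
  {
    printf '%s\n' '#separator \x09'
    row '#fields' ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration
    row '#types'  time string addr port addr port enum string interval
    row 1.0 C1 10.0.0.5 49778 203.0.113.10  443 tcp -   3600.5
    row 2.0 C2 10.0.0.5 49800 203.0.113.10  443 tcp -   1800.0
    row 3.0 C3 10.0.0.7 51000 198.51.100.20 53  udp dns 0.2
    row 4.0 C4 10.0.0.5 49900 203.0.113.10  443 tcp -   -
  } > "$1"
}

# Print "orig_h resp_h resp_p proto total_seconds connections" (tab separated),
# longest cumulative duration first. $1 is the conn.log path.
sum_durations() {
  awk -F '\t' '
    /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }  # name -> column index
    /^#/       { next }                                             # other metadata lines
    {
      d = $(col["duration"]); if (d == "-") d = 0                   # unset duration counts as 0
      key = $(col["id.orig_h"]) FS $(col["id.resp_h"]) FS $(col["id.resp_p"]) FS $(col["proto"])
      total[key] += d; n[key]++
    }
    END { for (k in total) printf "%s%s%.1f%s%d\n", k, FS, total[k], FS, n[k] }
  ' "$1" | sort -t "$(printf '\t')" -k 5,5nr
}

# Stand-alone run: build the sample log and show the summary.
sample=$(mktemp)
write_sample_conn_log "$sample"
sum_durations "$sample"
rm -f "$sample"
```

On the sample, the three TCP rows to 203.0.113.10:443 collapse into one line with a total of 5400.5 seconds over 3 connections, which is the figure worth comparing against the single longest connection: many short sessions to the same server add up the same way one long one does.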
# RITA

```bash
#Something similar can be done with the tool rita
rita show-long-connections -H --limit 10 zeek_logs

+---------------+----------------+--------------------------+----------------+
|   SOURCE IP   | DESTINATION IP | DSTPORT:PROTOCOL:SERVICE |    DURATION    |
+---------------+----------------+--------------------------+----------------+
|               |                | 443:tcp:-                | 23h57m2.3655s  |
|               |                | 443:tcp:-                | 23h57m0.1262s  |
|               |                | 443:tcp:-                | 23h56m0.1197s  |

#Get connections info from rita
rita show-beacons zeek_logs | head -n 10
Score,Source IP,Destination IP,Connections,Avg Bytes,Intvl Range,Size Range,Top Intvl,Top Size,Top Intvl Count,Top Size Count,Intvl Skew,Size Skew,Intvl Dispersion,Size Dispersion
```
# DNS info
```bash
#Get info about each DNS request performed
cat dns.log | zeek-cut -c id.orig_h query qtype_name answers

#Get the number of times each domain was requested and get the top 10
cat dns.log | zeek-cut query | sort | uniq | rev | cut -d '.' -f 1-2 | rev | sort | uniq -c | sort -nr | head -n 10

#Get all the source IPs that queried a given domain (example.com here)
cat dns.log | zeek-cut id.orig_h query | grep 'example\.com' | cut -f 1 | sort | uniq -c

#Sort the most common DNS record request (should be A)
cat dns.log | zeek-cut qtype_name | sort | uniq -c | sort -nr

#See top DNS domain requested with rita
rita show-exploded-dns -H --limit 10 zeek_logs
```
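The `rev | cut | rev` pipeline above counts how many distinct names were seen under each registered domain, which is also what `rita show-exploded-dns` ranks. The added example below, not part of the original page, does that count in one awk pass over the `query` column (exactly what `zeek-cut query` prints), reports both unique subdomains and total queries per parent domain, and adds a threshold filter to surface parents with an unusual number of unique children, the pattern DNS tunnelling and DNS-based exfiltration leave in dns.log. The query list is constructed sample data; the threshold default of 50 is an assumed starting point, not a figure from the page.

```shell
#!/bin/sh
# Added example (not from the original page): per registered domain, count
# distinct subdomains and total queries from the "query" column of a Zeek
# dns.log, then flag parents with many unique children. Sample queries are
# constructed; example.net is the one that looks like a tunnel here.

SAMPLE_QUERIES='www.example.com
mail.example.com
a1b2c3d4.tunnel.example.net
e5f6a7b8.tunnel.example.net
c9d0e1f2.tunnel.example.net
www.example.com
ns1.example.org'

# Read queries on stdin; print "<unique subdomains>\t<total queries>\t<parent>",
# most unique children first. The parent is the last two labels, the same
# approximation the rev|cut|rev pipeline uses (no public-suffix handling).
exploded_dns() {
  awk '
    {
      n = split($0, lab, ".")
      if (n < 2) next                          # skip bare labels
      parent = lab[n-1] "." lab[n]
      total[parent]++
      if (!seen[parent, $0]++) uniq[parent]++  # count each FQDN once per parent
    }
    END { for (p in uniq) printf "%d\t%d\t%s\n", uniq[p], total[p], p }
  ' | sort -k 1,1nr -k 2,2nr
}

# Read queries on stdin; print only parents whose unique-subdomain count is at
# least $1 (default 50, an assumed starting threshold to tune per network).
flag_tunnel_candidates() {
  threshold=${1:-50}
  exploded_dns | awk -F '\t' -v t="$threshold" '$1 >= t { print $3 }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_QUERIES" | exploded_dns
printf '%s\n' "$SAMPLE_QUERIES" | flag_tunnel_candidates 3
```

On the sample, example.net ranks first with 3 unique names out of 3 queries, while example.com has 3 queries but only 2 unique names; a high ratio of unique names to queries under one parent is the signal to chase, since legitimate domains tend to be queried repeatedly under a handful of stable labels.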