Zeek is a seriously powerful tool that should be a part of your network security and analysis toolkit. Zeek has an incredible ability to dissect network traffic into log files, providing a streamlined experience for the analyst.
Zeek is highly scalable and can be deployed onto multi-gigabit networks for real-time traffic analysis; however, it can also be used as a tactical tool to quickly assess packet captures. The key here is that Zeek gives you deep insight into network traffic very quickly.
The second part of this mini project (pcap did what) is to capture the Zeek logs in a Grafana Dashboard.
Rather than install Zeek from scratch, this tutorial covers using docker to deploy a usable system in as little as a few minutes.
Additional packages and scripts add IP address enrichment and JA4 hashes (plus the legacy JA3).
Getting Started with Zeek and Docker
The official zeek docker image comes with zkg pre-installed. It also includes support for mmdb files from MaxMind. The one additional step required is to download the MaxMind databases (GeoLite2 City and ASN). Downloading these requires creating a free MaxMind account.
Using our custom Dockerfile streamlines the process of getting an analysis environment up and running with minimal fuss (it really does only take a few minutes). Essentially this is the official image, but we add the additional packages for GeoIP, JA3 and JA4 along with a custom script for the ASN processing.
The ASN zeek packages were failing with the latest zeek updates, so the local script was based on this one - Zeek ASN Enrichment Script.
git clone https://github.com/hackertarget/pcap-did-what/
After downloading the MaxMind files, place them in the same location as the Dockerfile and the local_asn.zeek script. Building the docker image will then copy the files to the required location and update the local.zeek file.
Dockerfile local_asn.zeek GeoLite2-ASN.mmdb GeoLite2-City.mmdb
sudo docker build . -t zeek-custom
Now we run the docker image. Here we need to specify the local directory where the pcap is located. This gets mapped to /pcap/ on the docker container. Zeek log files will be saved here so that they are available to the host system after the container is destroyed. You can use the example below that mounts the current working directory (pwd) or specify the path you wish to use with the mapped volume.
sudo docker run -it -v `pwd`:/pcap/ zeek-custom
Running the image drops you into bash. From here you can simply run the zeek command line to generate the log files from the input pcap. Adding local to the command loads the local.zeek script file from /usr/local/zeek/share/zeek/site/ - this loads the additional scripts for full processing of the pcap (geoip / asn / ja3 / ja4).
$ cd /pcap/
$ zeek -C -r mycapture.pcap local
Running the above command creates the zeek log files in the /pcap/ location, which is also accessible from the host. Checking the conn.log will confirm that the GeoIP and ASN data has been populated (as long as external IP addresses are in the pcap).
Using local as a parameter in the above command tells zeek to use the local.zeek file. Without this the additional packages will not be used, and GeoIP, ASN and JA4 fingerprints will not be added to the log files.
Reading Zeek Logs with zeek-cut
The zeek log files are simply plain-text, tab-separated (TSV) files, so you can use any text-based tool on them; however, zeek also ships with a parsing tool, zeek-cut, that quickly cuts out the columns of interest by name. In the following example we get the source address, destination address and destination port from the connection log (conn.log).
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p
Using your host to parse the files (rather than the docker container)? Install the zeek-aux package in Ubuntu / Debian based distributions for access to the zeek-cut tool.
GeoIP with zeek
Using the MaxMind GeoLite2 City database we get location data for external IP addresses. The data includes country, city, latitude and longitude. We can use this data to map the IP addresses in a visualization tool, or simply use zeek-cut to pull out all "unexpected" countries that are connecting to our network.
cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p geo.resp.country_code geo.resp.city
ASN data with zeek
To get the ASN data we use a custom script that is included in the git repo. The script was found on the Threat Hunting Tails blog and has worked well during initial testing.
In this example we pull the ASN column, and also the timestamp (ts) column, which is converted to a readable date / time with the -d parameter.
cat conn.log | zeek-cut -d ts id.orig_h id.resp_h id.resp_p resp_h_asn.organization
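The three zeek-cut queries above (column selection, the "unexpected" country filter and the -d timestamp conversion) all come down to reading the #fields header of the TSV log. The following Python is an added example, not code from the pcap-did-what repo or from Zeek itself; it parses a constructed, abbreviated conn.log and reproduces those queries without zeek-cut, which is handy on a host where zeek-aux is not installed. The enrichment column names (geo.resp.country_code, geo.resp.city, resp_h_asn.organization) are the ones used in the commands above; the sample rows and the allow-list of expected countries are made up.

```python
"""Parse Zeek TSV logs and reproduce the zeek-cut style queries from the text.

Added example; not from the pcap-did-what repo. The conn.log below is
constructed and trimmed to the columns the text queries.
"""
from datetime import datetime, timezone

# Constructed sample conn.log. Real logs carry many more columns, but the
# header lines (#separator, #unset_field, #fields, ...) look exactly like this.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tgeo.resp.country_code\tgeo.resp.city\tresp_h_asn.organization
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring
1700000000.123456\tCabc1\t192.168.8.170\t51234\t52.226.139.185\t443\ttcp\tUS\tBoydton\tMICROSOFT-CORP-MSN-AS-BLOCK
1700000001.500000\tCabc2\t192.168.8.170\t51235\t192.168.8.174\t3389\ttcp\t-\t-\t-
1700000002.000000\tCabc3\t192.168.8.171\t51236\t203.0.113.9\t8443\ttcp\tRU\t-\tEXAMPLE-ASN
#close\t2024-01-01-00-00-00
"""


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the #fields header.

    Unset columns (the #unset_field marker, "-" by default) become None, so
    callers can tell "no GeoIP data" apart from a real value.
    """
    fields = None
    unset = "-"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            continue  # #separator, #types, #open, #close etc. are ignored
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        yield {name: (None if v == unset else v) for name, v in zip(fields, values)}


def zeek_cut(records, columns, readable_ts=False):
    """Return the selected columns for each record, like `zeek-cut col...`.

    With readable_ts=True the ts column is rendered in UTC, as `zeek-cut -u`
    does (-d uses local time); unset columns are printed as "-" again.
    """
    rows = []
    for rec in records:
        row = []
        for col in columns:
            value = rec.get(col)
            if value is None:
                row.append("-")
            elif readable_ts and col == "ts":
                when = datetime.fromtimestamp(float(value), tz=timezone.utc)
                row.append(when.strftime("%Y-%m-%dT%H:%M:%S%z"))
            else:
                row.append(value)
        rows.append(row)
    return rows


def unexpected_countries(records, allowed, column="geo.resp.country_code"):
    """Records whose responder country is known and not in the allow-list.

    Records with no country (internal or unresolvable addresses) are skipped
    rather than flagged; they need a different check, not a GeoIP one.
    """
    return [r for r in records if r.get(column) is not None and r[column] not in allowed]


if __name__ == "__main__":
    records = list(parse_zeek_log(SAMPLE_CONN_LOG))
    cols = ["ts", "id.orig_h", "id.resp_h", "id.resp_p", "resp_h_asn.organization"]
    for row in zeek_cut(records, cols, readable_ts=True):
        print("\t".join(row))
    for r in unexpected_countries(records, allowed={"US", "AU"}):
        print("unexpected:", r["id.resp_h"], r["geo.resp.country_code"])
```

Note the internal 192.168.8.174 destination in the sample: its geo and ASN columns are unset, which is the same thing you will see for a capture that contains only internal traffic, and it is why the country filter skips records without a country instead of treating them as suspicious.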
JA4 and JA3
JA3 hashes were a powerful tool a few years ago, and they can still provide value; however, changes to TLS traffic flows and greater awareness among threat actors have limited their usefulness. A new suite of fingerprinting tools based around JA4, which works for SSL/TLS, SSH and even HTTP and other non-encrypted protocols, has been introduced by one of the original JA3 creators.
$ head ssl.log | zeek-cut id.orig_h id.resp_h id.resp_p ja3 ja4
192.168.8.170	192.168.8.174	3389	40adfd923eb82b89d8836ba37a19bca1	t13d311000_e8f1e7e78f70_5ac7197df9d2
192.168.8.174	52.226.139.185	443	6a5d235ee78c6aede6a61448b4e9ff1e	t12d180700_4b22cbed5bed_2dae41c691ec
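Unlike a JA3 MD5, the first section of a JA4 string is readable: t13d311000 from the output above says TCP, TLS 1.3, SNI present, 31 cipher suites, 10 extensions, no ALPN. The Python below is an added example, not code from the JA4 package or the pcap-did-what repo; it decodes that JA4_a section and then groups ssl.log rows by fingerprint to surface the ones seen from only one client, which is a sensible first cut when hunting for unusual TLS stacks. The record list is constructed in the shape the zeek-cut command above emits; the first two rows are the ones shown in the text and the remaining rows (including their hash parts) are made up.

```python
"""Decode the JA4_a section of a JA4 fingerprint and rank ssl.log fingerprints
by how many clients use them.

Added example, not code from the JA4 package or the pcap-did-what repo.
"""
import re
from collections import defaultdict

# JA4 = JA4_a "_" JA4_b "_" JA4_c, e.g. t13d311000_e8f1e7e78f70_5ac7197df9d2
# JA4_a: transport (t=TCP, q=QUIC), TLS version, SNI flag (d=domain, i=IP),
# cipher suite count, extension count, first+last char of the first ALPN ("00" = none).
# JA4_b / JA4_c: truncated SHA-256 of the sorted cipher list and of the
# sorted extensions plus signature algorithms, 12 hex characters each.
JA4_RE = re.compile(
    r"^(?P<transport>[tq])(?P<version>\d{2}|s[23])(?P<sni>[di])"
    r"(?P<ciphers>\d{2})(?P<extensions>\d{2})(?P<alpn>[0-9a-zA-Z]{2})"
    r"_(?P<ja4_b>[0-9a-f]{12})_(?P<ja4_c>[0-9a-f]{12})$"
)
TLS_VERSIONS = {"13": "TLS 1.3", "12": "TLS 1.2", "11": "TLS 1.1", "10": "TLS 1.0",
                "s3": "SSL 3.0", "s2": "SSL 2.0", "00": "unknown"}

# Constructed rows in `zeek-cut id.orig_h id.resp_h id.resp_p ja3 ja4` order.
# The first two are from the text; the rest, including the hash parts, are made up.
SAMPLE_SSL = [
    ("192.168.8.170", "192.168.8.174", 3389, "40adfd923eb82b89d8836ba37a19bca1", "t13d311000_e8f1e7e78f70_5ac7197df9d2"),
    ("192.168.8.174", "52.226.139.185", 443, "6a5d235ee78c6aede6a61448b4e9ff1e", "t12d180700_4b22cbed5bed_2dae41c691ec"),
    ("192.168.8.171", "52.226.139.185", 443, "6a5d235ee78c6aede6a61448b4e9ff1e", "t12d180700_4b22cbed5bed_2dae41c691ec"),
    ("192.168.8.172", "203.0.113.9", 443, "00000000000000000000000000000000", "t13i0505h2_000000000000_111111111111"),
]


def decode_ja4(fp):
    """Split a JA4 string into its documented parts; raise ValueError if malformed."""
    m = JA4_RE.match(fp)
    if not m:
        raise ValueError(f"not a JA4 fingerprint: {fp!r}")
    return {
        "transport": "QUIC" if m["transport"] == "q" else "TCP",
        "tls_version": TLS_VERSIONS.get(m["version"], m["version"]),
        "sni_present": m["sni"] == "d",
        "cipher_count": int(m["ciphers"]),
        "extension_count": int(m["extensions"]),
        "alpn": None if m["alpn"] == "00" else m["alpn"],
        "cipher_hash": m["ja4_b"],
        "extension_hash": m["ja4_c"],
    }


def fingerprint_summary(records):
    """Map each JA4 to the client hosts, server endpoints and session count using it."""
    summary = defaultdict(lambda: {"clients": set(), "servers": set(), "sessions": 0})
    for orig_h, resp_h, resp_p, _ja3, ja4 in records:
        entry = summary[ja4]
        entry["clients"].add(orig_h)
        entry["servers"].add(f"{resp_h}:{resp_p}")
        entry["sessions"] += 1
    return dict(summary)


def rare_fingerprints(records, max_clients=1):
    """JA4 values seen from at most `max_clients` distinct clients, sorted.

    Common browser and OS TLS stacks show up from many hosts; a fingerprint
    tied to a single host is where to start reading.
    """
    summary = fingerprint_summary(records)
    return sorted(fp for fp, e in summary.items() if len(e["clients"]) <= max_clients)


if __name__ == "__main__":
    summary = fingerprint_summary(SAMPLE_SSL)
    for fp in rare_fingerprints(SAMPLE_SSL):
        parts = decode_ja4(fp)
        print(fp, parts["tls_version"], "SNI" if parts["sni_present"] else "no SNI",
              f"ciphers={parts['cipher_count']}", f"alpn={parts['alpn']}",
              "clients:", sorted(summary[fp]["clients"]),
              "servers:", sorted(summary[fp]["servers"]))
```

The constructed t13i0505h2 row is the kind of thing this surfaces: TLS 1.3 with no SNI, only five cipher suites and an h2 ALPN, from a single host, which looks more like a small client library than a browser. On a real ssl.log you would feed the function the parsed rows rather than a literal list, and raise max_clients for larger networks.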
Conclusion
Utilizing Zeek with Docker to quickly parse pcap files offers a highly efficient and flexible solution for network analysis. This approach combines the powerful network monitoring capabilities of Zeek with the convenience of Docker.
There is a lot more to explore from here. It would be easy to modify the Dockerfile to add more packages or scripts, further explore the capabilities of the JA4 package and dig into the zeek logs. Look further into Microsoft protocols such as SMB and RDP when investigating Windows environments, or go deep into HTTP, file carving and DNS. This tutorial scratches the surface of what is possible; now go find some traffic.