
Zeek with GeoIP, ASN & JA4 in 5 minutes

Zeek is a seriously powerful tool that should be a part of your network security and analysis toolkit. Zeek has an incredible ability to dissect network traffic into log files providing a streamlined experience for the analyst.

Zeek is highly scalable and can be deployed onto multi-gigabit networks for real time traffic analysis; however it can also be used as a tactical tool to quickly assess packet captures. The key here is that zeek gives you deep insight into network traffic very quickly.

Find outliers in packet captures with zeek

The second part of this mini project is to capture the Zeek logs in a Grafana Dashboard.

Rather than install Zeek from scratch, this tutorial covers using docker to deploy a usable system in as little as a few minutes.

Additional packages and scripts add IP address enrichment and JA4 hashes (plus the legacy JA3).

Getting Started with Zeek and Docker

The official Zeek Docker image comes with zkg pre-installed and includes support for MaxMind mmdb files. The one additional step is to download the MaxMind databases (GeoLite2 City and ASN); a free MaxMind account is required to download them.

Using our custom Dockerfile streamlines the process of getting an analysis environment up and running with minimal fuss (it really does only take a few minutes). Essentially this is the official image, plus the additional packages for GeoIP, JA3 and JA4 and a custom script for the ASN processing.

The ASN zeek packages were failing with the latest zeek updates so the local script was based on this one - Zeek ASN Enrichment Script.

git clone https://github.com/hackertarget/pcap-did-what/

After downloading the MaxMind files, place them in the same directory as the Dockerfile and the local_asn.zeek script. Building the Docker image then copies the files to the required location and updates the local.zeek file.

Dockerfile
local_asn.zeek
GeoLite2-ASN.mmdb
GeoLite2-City.mmdb

sudo docker build . -t zeek-custom

Now we run the docker image. Here we need to specify the local directory where the pcap is located. This gets mapped to /pcap/ on the docker container. Zeek log files will be saved here so that they are available to the host system after the container is destroyed. You can use the example below that includes the current working directory (pwd) or specify the path you wish to use with the mapped volume.

sudo docker run -it -v `pwd`:/pcap/ zeek-custom

Running the image drops you into bash. From here you can simply run the zeek command line to generate the log files from the input pcap. Adding local to the command loads the local.zeek script file from /usr/local/zeek/share/zeek/site/ - this loads the additional scripts for full processing of the pcap (geoip / asn / ja3 / ja4).

$ cd /pcap/
$ zeek -C -r mycapture.pcap local

Running the above command creates the Zeek log files in /pcap/, which is also accessible from the host. Checking conn.log will confirm that the GeoIP and ASN data has been populated (as long as external IP addresses are present in the pcap).

Using local as a parameter in the above command tells zeek to use the local.zeek file. Without this the additional packages will not be used and GeoIP, ASN and JA4 fingerprints will not be added to the log files.

Reading Zeek Logs with zeek-cut

The Zeek log files are plain text, tab-separated files, so you can use any text based tool on them; however Zeek also ships with a parsing tool, zeek-cut, that quickly pulls out the columns of interest. In the following example we extract the source address, destination address and destination port from the connection log (conn.log).

cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p

Using your host to parse the files (rather than the docker container)? Install the zeek-aux package in Ubuntu / Debian based distributions for access to the zeek-cut tool.

GeoIP with zeek

Using the MaxMind GeoLite2 City database we get location data for external IP addresses: country, city, latitude and longitude. We can use this data to map the IP addresses in a visualization tool, or simply use zeek-cut to pull out all "unexpected" countries that are connecting to our network.

cat conn.log | zeek-cut id.orig_h id.resp_h id.resp_p geo.resp.country_code geo.resp.city

ASN data with zeek

To get the ASN data we use a custom script that is included in the git repo. The script was found on the Threat Hunting Tails blog and has worked well during initial testing.

In this example we pull the ASN column, and also the timestamp (ts) column that gets converted to a readable date / time with the -d parameter.

cat conn.log | zeek-cut -d ts id.orig_h id.resp_h id.resp_p resp_h_asn.organization

When approaching threat hunting in network traffic it is worthwhile to remember that not all bad things come from strange networks. Plenty of bad things can come from Microsoft and Google net blocks, so keep that in mind. The outliers are where the gold lies. Maybe you have bad stuff coming from a hosting ASN in Germany, or maybe it's gigabytes of traffic outbound to a Google Cloud IP address.
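
The GeoIP and ASN pipelines above stop at listing columns; the next step in the hunt is to aggregate them to make the outliers stand out. The script below is an added example (not from this post or the pcap-did-what repo): it builds a small constructed conn.log with the same field names the tutorial uses, resolves column numbers from the #fields header the way zeek-cut does (so it also works on a host without zeek-aux), then counts connections per destination country and sums outbound bytes per destination ASN organization. The sample rows, addresses (RFC 5737 ranges) and organization names are constructed, not real observations.

```bash
#!/usr/bin/env bash
# Constructed conn.log excerpt with Zeek's "#fields" header; values are invented.
SAMPLE_CONN_LOG="$(mktemp)"
{
  printf '#separator \\x09\n'
  printf '#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\tgeo.resp.country_code\tgeo.resp.city\tresp_h_asn.organization\n'
  printf '1700000000.1\t192.168.8.170\t51000\t52.226.139.185\t443\ttcp\t1200\t5400\tUS\tBoydton\tMICROSOFT-CORP-MSN-AS-BLOCK\n'
  printf '1700000001.2\t192.168.8.170\t51001\t142.250.80.46\t443\ttcp\t800\t2200\tUS\tMountain View\tGOOGLE\n'
  printf '1700000002.3\t192.168.8.174\t51002\t203.0.113.25\t443\ttcp\t3000000\t900\tDE\tFrankfurt\tExample Hosting GmbH\n'
  printf '1700000003.4\t192.168.8.174\t51003\t203.0.113.25\t8443\ttcp\t4200000\t1100\tDE\tFrankfurt\tExample Hosting GmbH\n'
  printf '1700000004.5\t192.168.8.170\t51004\t198.51.100.7\t53\tudp\t80\t200\tNL\tAmsterdam\tExample DNS BV\n'
  printf '1700000005.6\t192.168.8.174\t51005\t192.0.2.10\t443\ttcp\t-\t-\tUS\t-\tExample Cloud LLC\n'
} > "$SAMPLE_CONN_LOG"

# zeek_col <logfile> <field>: 1-based column number of a named field, taken
# from the "#fields" header line (this is how zeek-cut maps names to columns).
zeek_col() {
  awk -F'\t' -v f="$2" '/^#fields/ { for (i = 2; i <= NF; i++) if ($i == f) { print i - 1; exit } }' "$1"
}

# count_by <logfile> <field>: connections per distinct value, most frequent first.
# Comment lines (#separator, #fields, #types, #close) are skipped.
count_by() {
  local col
  col="$(zeek_col "$1" "$2")"
  awk -F'\t' -v c="$col" '!/^#/ { n[$c]++ } END { for (k in n) print n[k] "\t" k }' "$1" | sort -rn
}

# bytes_by <logfile> <group-field> <bytes-field>: total bytes per value, largest
# first. Zeek writes "-" for unset fields, so those rows are left out of the sum.
bytes_by() {
  local g b
  g="$(zeek_col "$1" "$2")"
  b="$(zeek_col "$1" "$3")"
  awk -F'\t' -v g="$g" -v b="$b" '!/^#/ && $b != "-" { s[$g] += $b } END { for (k in s) print s[k] "\t" k }' "$1" | sort -rn
}

# Hunting views: which countries we talk to most, and which ASN receives the
# most outbound data. In the sample the hosting ASN dominates on bytes even
# though US cloud providers dominate on connection count.
echo "== connections per destination country =="
count_by "$SAMPLE_CONN_LOG" geo.resp.country_code
echo "== outbound bytes per destination ASN organization =="
bytes_by "$SAMPLE_CONN_LOG" resp_h_asn.organization orig_bytes
```

Point the functions at a real conn.log produced by the container to get the same views over your own capture.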

JA4 and JA3

JA3 hashes were a powerful tool a few years ago and can still provide value; however, changes to TLS traffic flows and greater awareness among threat actors have limited their usefulness. A new suite of fingerprinting tools based around JA4, which works for SSL/TLS, SSH and even HTTP and other non-encrypted protocols, has been introduced by one of the original JA3 creators.

$ head ssl.log | zeek-cut id.orig_h id.resp_h id.resp_p ja3 ja4
192.168.8.170   192.168.8.174   3389    40adfd923eb82b89d8836ba37a19bca1        t13d311000_e8f1e7e78f70_5ac7197df9d2
192.168.8.174   52.226.139.185  443     6a5d235ee78c6aede6a61448b4e9ff1e        t12d180700_4b22cbed5bed_2dae41c691ec

Conclusion

Utilizing Zeek with Docker to quickly parse pcap files offers a highly efficient and flexible solution for network analysis. This approach combines the powerful network monitoring capabilities of Zeek with the convenience of Docker.

There is a lot more to explore from here. It would be easy to make modifications to the Dockerfile to add in more packages or scripts, further explore the capabilities of the JA4 package and dig into the zeek logs. Look further into Microsoft Protocols such as SMB and RDP when investigating Windows environments or go deep into HTTP, file carving and DNS. This tutorial scratches the surface of what is possible, now go find some traffic.

Jump to Part 2, take the next step with our handy sqlite3 script and Grafana Dashboard to create a visualized view of the network traffic flows.