
Commit a753ee3

Update zeek.md
1 parent 56ff4c3 commit a753ee3

File tree

1 file changed

+9
-8
lines changed


docs/tech briefs/network/zeek.md

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -342,11 +342,12 @@ zeek -Cr http.pcap zeek-sniffpass
342342
Check:
343343
```
344344
cat notice.log | zeek-cut id.orig_h id.resp_h proto note msg
345+
346+
=> SNIFFPASS::HTTP_POST_Password_Seen ... Password found for user ...
345347
```
346-
# => SNIFFPASS::HTTP_POST_Password_Seen ... Password found for user ...
347348

348349
Geolocation enrichment (depends on local GeoLite DB):
349-
# (e.g., geoip-conn)
350+
- (e.g., geoip-conn)
350351
```
351352
zeek -Cr case1.pcap geoip-conn
352353
cat conn.log | zeek-cut uid id.orig_h id.resp_h geo.orig.country_code geo.orig.region geo.orig.city geo.resp.country_code geo.resp.region geo.resp.city
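Review bot: the expected-output line moved into the fence at 346+ (`=> SNIFFPASS::HTTP_POST_Password_Seen ... Password found for user ...`) lost the leading `#` that the deleted 346- line carried, so inside a shell-style code block it now reads as a command and errors if pasted; keep it as `# => SNIFFPASS::HTTP_POST_Password_Seen ... Password found for user ...`. The new one-item bullet at 350+ (`- (e.g., geoip-conn)`) sits directly above a fence and reads better folded into the preceding sentence, e.g. `Geolocation enrichment (depends on local GeoLite DB; e.g. the geoip-conn package):`.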
@@ -365,12 +366,12 @@ BIFs/protocols: /opt/zeek/share/zeek/base/bif, /opt/zeek/share/zeek/base/protoco
365366
Legacy Snort-to-Bro (snort2bro) is no longer supported in modern Zeek distributions; workflows diverged after rebranding.
366367

367368
# End-To-End Investigation Example (Conceptual)
368-
1) Start broad: conn.log + files.log + intel.log; scan for outliers (rare ports, large transfers, new software).
369-
2) Pivot by UID to dns/http/ssl/ssh/ftp to extract URLs, JA3/TLS certs, user-agents, credential patterns.
370-
3) Inspect detection outputs: notice.log, signatures.log for corroborating signals.
371-
4) Correlate extracted files (files.log, pe.log, x509.log) back to servers and sessions; hash, detonate, or block.
372-
5) Summarize with known_hosts/services/software to see whether behavior is new or expected baseline.
373-
6) Refine signatures/scripts or enable frameworks to improve recall/precision; feed indicators back into intel.
369+
- Start broad: conn.log + files.log + intel.log; scan for outliers (rare ports, large transfers, new software).
370+
- Pivot by UID to dns/http/ssl/ssh/ftp to extract URLs, JA3/TLS certs, user-agents, credential patterns.
371+
- Inspect detection outputs: notice.log, signatures.log for corroborating signals.
372+
- Correlate extracted files (files.log, pe.log, x509.log) back to servers and sessions; hash, detonate, or block.
373+
- Summarize with known_hosts/services/software to see whether behavior is new or expected baseline.
374+
- Refine signatures/scripts or enable frameworks to improve recall/precision; feed indicators back into intel.
374375

375376
# Quick Reference – Parameter & Path Table
376377
| Item | Value / Example | | |
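Review bot: swapping the `1)`..`6)` markers for `-` bullets at 369+..374+ drops the ordering these items depend on (start broad, pivot by UID, inspect detection outputs, correlate files, summarize against baselines, refine and feed back into intel), and the heading presents them as an end-to-end investigation, so an ordered list is the right form; if `1)` was not rendering as a list in the docs build, `1.` is the portable delimiter. The unchanged context at 365/366 and the table header at 376/377 are unaffected.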
