Packet & Log Analysis with Zeek | TryHackMe Zeek P1 & P2 & P3
We covered an introduction to Zeek, a packet and log analyzer that can be used for network security monitoring, incident analysis and log investigation. Zeek has two primary layers, the “Event Engine” and the “Policy Script Interpreter”, which process traffic and extract key data and insights from the logs, such as source and destination IP addresses and ports.
We also covered the second part of working with Zeek, the packet and network security analyzer, where we explained how to detect certain events using Zeek signatures and how to correlate those events to trigger certain actions using the Zeek scripting language.
We also demonstrated the third part of packet analysis using Zeek. We explained the frameworks and packages that can be used to extend Zeek's functionality, allowing for more event correlation and data extraction. Frameworks and packages can be invoked either from the Zeek command line or inside scripts using the “load” keyword.
This was part of TryHackMe Zeek | SOC analyst level 1 pathway.
Zeek (formerly Bro) is an open-source and commercial passive network monitoring tool (traffic analysis framework) developed by Lawrence Berkeley Labs. Today, Zeek is supported by several developers, and Corelight provides an enterprise-ready fork of Zeek; this is why the tool is described as both open source and commercial. The differences between the open-source version and the commercial version are detailed here.
Zeek differs from known monitoring and IDS/IPS tools by providing a wide range of detailed logs that are ready to investigate for both forensics and data analysis. Currently, Zeek provides 50+ logs in 7 categories.
Zeek supports signatures, which act as rules, and event correlation to find noteworthy activity on the network. Zeek signatures use low-level pattern matching and cover conditions similar to Snort rules. Unlike Snort rules, Zeek signatures are not the primary event detection point: Zeek has a scripting language that can chain multiple events to find an event of interest.
Zeek has its own event-driven scripting language, which is as powerful as high-level languages and allows us to investigate and correlate the detected events. Since it is as capable as a high-level programming language, you will need to spend time with the Zeek scripting language to become proficient. In this room, we cover the basics of Zeek scripting to help you understand, modify and create basic scripts.
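As an added example (not code from the TryHackMe room or from the Zeek project), the following shows the three pieces described above working together: a signature that does low-level pattern matching, a script that loads a framework with the `@load` directive (the "load" keyword mentioned above is spelled `@load` inside script files) and chains the resulting `signature_match` events into a per-source counter, and the command line that runs both against a capture. The file names `local.sig`, `correlate.zeek` and `sample.pcap`, the threshold of 3, the 10-minute expiry and the `password` pattern are assumptions chosen for the illustration.

```zeek
# --- file: local.sig (Zeek signature, low-level pattern matching) ---
# Constructed example: flag HTTP requests whose payload carries a "password" field.
signature http-cleartext-password {
    ip-proto == tcp
    dst-port == 80
    payload /.*[pP]assword=/
    event "Cleartext password field seen in HTTP payload"
}

# --- file: correlate.zeek (Zeek script, event correlation) ---
# Loading frameworks/packages inside a script uses the @load directive.
@load base/frameworks/notice
@load frameworks/files/hash-all-files   # policy script: adds MD5/SHA1 to files.log

module SigCorrelate;

export {
    # New notice type raised once a source crosses the threshold.
    redef enum Notice::Type += { Repeated_Signature_Hit };
    # Assumed threshold for the illustration; can be overridden with redef.
    const hit_threshold = 3 &redef;
}

# Hits per originating host; entries expire 10 minutes after creation.
global hits: table[addr] of count &default=0 &create_expire=10min;

# signature_match fires for every signature whose action is "event".
event signature_match(state: signature_state, msg: string, data: string)
{
    local src = state$conn$id$orig_h;
    ++hits[src];

    # Chain the low-level matches into one higher-level notice.
    if ( hits[src] == hit_threshold )
        NOTICE([$note=Repeated_Signature_Hit,
                $msg=fmt("%s matched '%s' %d times", src, msg, hits[src]),
                $conn=state$conn,
                $identifier=cat(src)]);
}

# --- run both against a capture (-C ignores checksum errors in saved pcaps) ---
# zeek -C -r sample.pcap -s local.sig correlate.zeek
# Output: signatures.log (each raw match), notice.log (the correlated hit),
# files.log (now with hashes, from the loaded policy script).
```

The signature alone only writes one line per match to signatures.log; the script is what turns repeated matches from the same host into a single Repeated_Signature_Hit notice, which is the signature-plus-correlation pattern the room describes. The `$identifier` field lets the Notice framework suppress duplicate notices for the same source.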
Room Answers
Room answers can be found here