More packet fu with zeek

Packet-fu with zeek is fun! Let's continue my previous diary, Some packet-fu with Zeek (previously known as bro), with another use case: IP geolocation for the new connections inside a packet capture.

Prerequisites

You need zeek installed together with the MaxMind GeoIP database it uses for lookups.

A quick way to test that the setup is correct is: zeek -e "print lookup_location(8.8.8.8);"

If you get the following output, review your configuration:

If you get the following output, you can continue:

Events that will be used

  • new_connection: This event is raised every time a new connection is detected.
  • zeek_done: This event is raised when the packet input is exhausted.

Code

The following code implements the use case described:

# Record type holding one looked-up address and its geolocation.
type locationrecord: record {
    source: addr;
    fulllocation: geo_location;
};

# All records collected while the capture is processed, keyed by a running counter.
global sites: table[count] of locationrecord;
global index = 1;

# Raised once per new connection: geolocate the originator address and store it.
event new_connection(c: connection)
{
    local therecord: locationrecord;
    therecord$source = c$id$orig_h;
    therecord$fulllocation = lookup_location(therecord$source);
    sites[index] = therecord;
    index = index + 1;
}

# Raised when the packet input is exhausted: write the collected records to a file.
event zeek_done()
{
    local locationlog = open("location.log");
    local therecord: locationrecord;
    for ( n in sites )
    {
        therecord = sites[n];
        # geo_location fields are optional; fall back to "<unknown>" when MaxMind has no data.
        local country = therecord$fulllocation?$country_code ? therecord$fulllocation$country_code : "<unknown>";
        local region = therecord$fulllocation?$region ? therecord$fulllocation$region : "<unknown>";
        local city = therecord$fulllocation?$city ? therecord$fulllocation$city : "<unknown>";
        print locationlog, fmt("%s %s %s %s", therecord$source, country, region, city);
    }
    close(locationlog);
}

Let's review some interesting aspects of the code:

  • We need to store the location information of every IP address reviewed. That's why we define the locationrecord type.
  • The information processed in the new_connection event is stored in the sites table.
  • The zeek_done event writes the collected information to a text file.
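The same use case written against Zeek's logging framework, as an added example that is not the diary's code: it geolocates both endpoints of each new connection, looks every address up only once, and produces a tab-separated geoconn.log that a SIEM can ingest directly. The module name, stream name and field names are my own choices.

```zeek
##! Added example (not from the diary): geolocate both endpoints of every
##! new connection, once per address, and write a proper Zeek log instead
##! of a hand-opened text file. Module, stream and field names are assumed.

module GeoConn;

export {
    redef enum Log::ID += { LOG };

    ## One row per distinct address seen in a new connection.
    type Info: record {
        ts:           time   &log;   # when the address was first seen
        host:         addr   &log;
        is_orig:      bool   &log;   # T if the address was the originator
        country_code: string &log &optional;
        region:       string &log &optional;
        city:         string &log &optional;
    };
}

# Addresses already logged; avoids one lookup and one row per connection.
global seen: set[addr];

event zeek_init()
{
    Log::create_stream(GeoConn::LOG, [$columns=Info, $path="geoconn"]);
}

function log_host(host: addr, is_orig: bool)
{
    if ( host in seen )
        return;
    add seen[host];

    local loc = lookup_location(host);
    local rec = Info($ts=network_time(), $host=host, $is_orig=is_orig);

    # geo_location fields are &optional; fill only the ones MaxMind has.
    if ( loc?$country_code ) rec$country_code = loc$country_code;
    if ( loc?$region )       rec$region       = loc$region;
    if ( loc?$city )         rec$city         = loc$city;

    Log::write(GeoConn::LOG, rec);
}

event new_connection(c: connection)
{
    log_host(c$id$orig_h, T);
    log_host(c$id$resp_h, F);
}
```

Run it as zeek -r capture.pcap geoconn.zeek; the resulting geoconn.log carries the standard Zeek header, so zeek-cut and log shippers handle it without extra parsing.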

Let's see a snippet of the script's output:

Do you have any other interesting use cases for zeek? Let us know through our contact form.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Feb 17th 2022
