- Identifying Long Connections with Bro Zeek - Active Countermeasures
It would be nice to have the longest connections at the top so we could focus right in on them. Luckily we can leverage the “sort” command to complete this task. Here’s an example: The “-k 3” switch tells “sort” to organize the output based on the value in the third column, rather than the first.
- Long Connections :: Threat Hunting Labs - GitHub Pages
To determine how long a connection stays open, we first need to define what constitutes the start or end of a connection. For TCP, a typical connection starts with a 3-way handshake (SYN, SYN-ACK, ACK) and ends with a 4-way handshake (FIN, ACK, FIN, ACK).
- TryHackMe: Zeek Exercises Walkthrough (SOC Level 1)
Investigate the conn.log file. What is the longest connection duration? Investigate the dns.log file. Filter all unique DNS queries. What is the number of unique domain queries? There are a massive amount of DNS queries sent to the same domain. This is abnormal. Let’s find out which hosts are involved in this activity. Investigate the conn
- TryHackMe Zeek — Task 1 Introduction, Task 2 Network Security . . .
So the full command is `cat conn.log | zeek-cut duration | sort -n | tail -1`; after you have all this typed out, the result should be the longest duration, and thus the answer to the question.
- GitHub - corelight zeek-long-connections: Zeek package for tracking . . .
This package provides a new log named conn_long which will log "intermediate" conn logs for long connections. It's logged into a separate log stream to avoid confusing the semantics of the normal Zeek conn log, which users can assume only contains "complete" connections.
- [SOC-Level 1] Tryhackme - Zeek Exercises | Christoph K.
What is the longest connection duration? Investigate the dns.log file. Filter all unique DNS queries. What is the number of unique domain queries? There are a massive amount of DNS queries sent to the same domain. This is abnormal. Let’s find out which hosts are involved in this activity. Investigate the conn.log file.
- Zeek exercises | THM | quick writeup | by Mohamed Medhat | Medium
`cat conn.log | zeek-cut duration | sort | uniq # get the longest connection duration` `cat dns.log | zeek-cut query | rev | cut -d '.' -f 1-2 | rev | sort | uniq -c # unique domains num`
- UDP long running connections - Zeek - Zeek
I need to monitor long running UDP “connections”, some lasting two or three days. If I understand correctly, Zeek only logs UDP connections in conn.log on the connection termination.