Zeek
Description
Zeek (formerly known as Bro) is an open-source network security monitor that converts PCAPs into structured log files for analysis. It is commonly used as a preprocessing step before feeding logs into tools like RITA for threat detection. Zeek generates multiple log files (e.g., conn.log, dns.log, http.log) that provide detailed protocol-level information about network traffic.
Usage 1: Convert PCAP to Zeek Log Format
Process a PCAP file and generate Zeek logs in the current directory. The local argument loads Zeek's site policy script (local.zeek), which in turn loads the standard set of analysis scripts.
Command:
zeek -r ../dnscat2_dns_tunneling_24hr.pcap local
Usage 2: Convert PCAP to Zeek Logs (Octopus C2 Example)
Convert an Octopus C2 PCAP file into Zeek log format for beaconing analysis.
Command:
zeek -r ../octopus.pcap local
Typical Workflow
The standard workflow for using Zeek with RITA involves:
- Create a directory for the output logs:
mkdir dnscat2_logs
cd dnscat2_logs/
- Run Zeek against the PCAP:
zeek -r ../dnscat2_dns_tunneling_24hr.pcap local
- Navigate back and import logs into RITA for analysis:
cd ..
sudo rita import dnscat2_logs dnscat2
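As an added example (not part of the original page, Zeek, or RITA): a small parser for Zeek's tab-separated log format as produced by the workflow above, followed by a simplified version of the beacon check that RITA performs on conn.log, grouping connections by source host, destination host and destination port and scoring how regular the gaps between them are. The embedded conn.log sample is constructed and trimmed to a subset of the real columns; the parser is driven by the #fields header, so it reads any Zeek log (dns.log, http.log, etc.) the same way.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed, trimmed conn.log (a real conn.log has more columns; the parser
# reads whatever the #fields header declares, so the subset does not matter).
SAMPLE_CONN_LOG = """#separator \\x09
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval
1700000000.000\tC1\t10.0.0.5\t50001\t203.0.113.9\t443\ttcp\t0.12
1700000060.100\tC2\t10.0.0.5\t50002\t203.0.113.9\t443\ttcp\t0.10
1700000119.900\tC3\t10.0.0.5\t50003\t203.0.113.9\t443\ttcp\t-
1700000007.000\tC5\t10.0.0.7\t50010\t198.51.100.4\t80\ttcp\t1.5
1700000900.000\tC6\t10.0.0.7\t50011\t198.51.100.4\t80\ttcp\t2.0
1700000950.000\tC7\t10.0.0.7\t50012\t198.51.100.4\t80\ttcp\t0.3
#close\t2023-11-14-22-00-00
"""

def parse_zeek_log(text):
    """Return (fields, rows); unset values ('-') become None, empty ones ''."""
    meta, raw_rows, sep = {}, [], "\t"
    for line in text.splitlines():
        if line.startswith("#separator"):      # the one header line that uses a space
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):             # #fields, #types, #unset_field, #close, ...
            key, _, value = line[1:].partition(sep)
            meta[key] = value
        elif line:
            raw_rows.append(line.split(sep))
    fields = meta["fields"].split(sep)
    unset, empty = meta.get("unset_field", "-"), meta.get("empty_field", "(empty)")
    decode = lambda v: None if v == unset else "" if v == empty else v
    return fields, [dict(zip(fields, map(decode, r))) for r in raw_rows]

def beacon_candidates(rows, min_conns=3):
    """Per (orig_h, resp_h, resp_p): connection count, mean gap and gap CV (lower = more regular)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    result = {}
    for key, times in groups.items():
        if len(times) < min_conns:             # too few connections to judge timing
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        result[key] = {"count": len(times), "mean_gap": avg, "cv": pstdev(gaps) / avg if avg else 0.0}
    return result
```

The 10.0.0.5 to 203.0.113.9:443 pair comes out with a near-zero coefficient of variation (roughly 60-second gaps), while the 10.0.0.7 pair is irregular; on real data the same function is run over the conn.log Zeek wrote into the logs directory.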
Notes
- Zeek generates multiple log files (13 different log types in the DNS tunneling example)
- Processing time depends on PCAP size and system resources
- Output logs are written to the current working directory, which is why the workflow above creates a dedicated directory before running Zeek
- Zeek logs are the required input format for RITA analysis