Zeek JSON Analysis

📍 Sleigh Shop

🧝🏻‍♂️ Wunorse Openslae

Wunorse Openslae here, just looking at some Zeek logs.

I'm pretty sure one of these connections is a malicious C2 channel...

Do you think you could take a look?

I hear a lot of C2 channels have very long connection times.

Please use jq to find the longest connection in this data set.

We have to kick out any and all grinchy activity!

Identify the destination IP address with the longest connection duration

Use the supplied Zeek logfile.

Run runtoanswer to submit your answer.


⚡️ Solution

When you open the terminal, you see:

Check the files in the current directory:

ls

You will find conn.log. Let's use it to get the longest connection:

cat conn.log | jq -s 'sort_by(.duration) | reverse | .[0]'

-s: instead of running the filter once per JSON object in the input, read the entire input stream into one large array and run the filter just once.
sort_by(.duration): sorts the array by each object's duration field, in ascending order (sort_by requires an array, which is why -s is needed).
reverse: reverses the array, so the longest duration comes first.
.[0]: takes the first object of the result.

{
  "ts": "2019-04-18T21:27:45.402479Z",
  "uid": "CmYAZn10sInxVD5WWd",
  "id.orig_h": "192.168.52.132",
  "id.orig_p": 8,
  "id.resp_h": "13.107.21.200",
  "id.resp_p": 0,
  "proto": "icmp",
  "duration": 1019365.337758,
  "orig_bytes": 30781920,
  "resp_bytes": 30382240,
  "conn_state": "OTH",
  "missed_bytes": 0,
  "orig_pkts": 961935,
  "orig_ip_bytes": 57716100,
  "resp_pkts": 949445,
  "resp_ip_bytes": 56966700
}

We can append .["id.resp_h"] to display only the destination IP (the key contains a dot, so it must be quoted in brackets rather than written as .id.resp_h):

cat conn.log | jq -s 'sort_by(.duration) | reverse | .[0] | .["id.resp_h"]'
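The same triage as the jq pipeline above, as an added Python example that is not part of the original write-up: it reads a JSON-formatted conn.log line by line, skips records that carry no duration field (Zeek omits it for connections it could not time), returns the longest connection, and also ranks responder hosts by their single longest connection. The log lines are constructed for the example; only the first mirrors the record shown above.

```python
import json
from typing import Iterator, List, Optional, Tuple

# Constructed sample of a Zeek conn.log in JSON format (one object per line).
# The first record mirrors the one shown above; the other two are made up, and
# the third deliberately has no "duration" field.
SAMPLE_CONN_LOG = """\
{"ts":"2019-04-18T21:27:45.402479Z","uid":"CmYAZn10sInxVD5WWd","id.orig_h":"192.168.52.132","id.orig_p":8,"id.resp_h":"13.107.21.200","id.resp_p":0,"proto":"icmp","duration":1019365.337758,"orig_bytes":30781920,"resp_bytes":30382240,"conn_state":"OTH"}
{"ts":"2019-04-18T21:28:01.000000Z","uid":"Cexample000000001","id.orig_h":"192.168.52.132","id.orig_p":51234,"id.resp_h":"10.0.0.5","id.resp_p":443,"proto":"tcp","duration":12.5,"orig_bytes":100,"resp_bytes":2000,"conn_state":"SF"}
{"ts":"2019-04-18T21:28:02.000000Z","uid":"Cexample000000002","id.orig_h":"192.168.52.132","id.orig_p":51235,"id.resp_h":"10.0.0.9","id.resp_p":53,"proto":"udp","conn_state":"S0"}
"""


def parse_conn_log(text: str) -> Iterator[dict]:
    """Yield one record per non-empty line of a JSON-formatted Zeek conn.log."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def longest_connection(records) -> Optional[dict]:
    """Return the record with the largest duration (the jq sort_by/reverse/.[0]
    step); records without a numeric duration are skipped, not treated as 0."""
    timed = [r for r in records if isinstance(r.get("duration"), (int, float))]
    return max(timed, key=lambda r: r["duration"], default=None)


def top_destinations(records, n: int = 3) -> List[Tuple[str, float]]:
    """Rank responder hosts (id.resp_h) by their single longest connection,
    a quick view when more than one candidate deserves a look."""
    best = {}
    for r in records:
        d = r.get("duration")
        if isinstance(d, (int, float)):
            host = r["id.resp_h"]
            best[host] = max(best.get(host, 0.0), d)
    return sorted(best.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    recs = list(parse_conn_log(SAMPLE_CONN_LOG))
    longest = longest_connection(recs)
    print(longest["id.resp_h"], longest["duration"])
    for host, dur in top_destinations(recs):
        print(f"{host:>16}  {dur:14.3f}s")
```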

The destination IP address with the longest connection duration is:

13.107.21.200

Run runtoanswer and enter 13.107.21.200.

You have completed the Zeek JSON challenge! 🎉

🧝🏻‍♂️ Wunorse Openslae

That's got to be the one - thanks!