In this tutorial, you will learn how to analyze network traffic using Zeek. Zeek is a world’s leading passive network security monitoring tool that sits on the network and read all the traffic passing through the network, parses them into a high-level events that can then be passed through Zeek policy script intepreter which then generates comprehensive record/logs of every connection seen on the wire including all HTTP sessions with their requested URIs, key headers, MIME types, and server responses; DNS requests with replies; SSL certificates; key content of SMTP sessions e.tc.
Analyzing Network Traffic with Zeek
In our previous guides, we have learnt how to install and setup Zeek on various systems;
Analyzing Network Traffic
If you check on the logs directory, Zeek generates quite a number of logs including;
- the
http.logwhich contains information about HTTP requests and replies. - You can also see log files like
conn.logwhich contains information about TCP/UDP/ICMP connections. - Other log file of interest, is
notice.logwhich is about Zeek notices. dns.log: Contains DNS related logsdhcp.log: DHCP leases logsftp.log: FTP related logs
Read more on Zeek Logs page.
Sample logs
ls -1 /opt/zeek/logs/currentbroker.log
capture_loss.log
cluster.log
conn.log
http.log
loaded_scripts.log
notice.log
packet_filter.log
reporter.log
ssh.log
stats.log
stderr.log
stdout.log
weird.log
files.log
dns.log
dhcp.log
ssl.log
x509.log
We will therefore use the Zeek generated log files to analyze the network traffic seen by Zeek on the wire.
There are various ways in which you can analyze network traffic with Zeek;
- manually using
zeek-cutcommand - Integrating Zeek with other visualization tools such as ELK/Brim.
Analyze Zeek Generated Logs using Zeek-cut
Zeek ships with various command line tools that can be used for various tasks.
zeek-cut is one of the Zeek commands which extracts the given columns from ASCII formatted Zeek logs on standard input, and outputs them to standard output.
zeek-cut help information;
zeek -h
zeek-cut [options] []
Extracts the given columns from ASCII Zeek logs on standard input, and outputs
them to standard output. If no columns are given, all are selected.
By default, zeek-cut does not include format header blocks in the output.
Example: cat conn.log | zeek-cut -d ts id.orig_h id.orig_p
-c Include the first format header block in the output.
-C Include all format header blocks in the output.
-m Include the first format header blocks in the output in minimal view.
-M Include all format header blocks in the output in minimal view.
-d Convert time values into human-readable format.
-D Like -d, but specify format for time (see strftime(3) for syntax).
-F Sets a different output field separator character.
-h Show help.
-n Print all fields *except* those specified.
-u Like -d, but print timestamps in UTC instead of local time.
-U Like -D, but print timestamps in UTC instead of local time.
For time conversion option -d or -u, the format string can be specified by
setting an environment variable ZEEK_CUT_TIMEFMT.
In order to make sense out of this guide, we will use Zeek to analyze the Malware traffic packet capture from the cyberdefenders.org Malware Traffic Analysis 1 challenge and try to answer available questions.
In this analysis, we have downloaded the Malware Traffic Analysis 1 PCAP file and placed it in our system for analysis.
ls .c04-MalwareTrafficAnalysis1.zipUnzip the file using the password, cyberdefenders.org.
unzip -P cyberdefenders.org c04-MalwareTrafficAnalysis1.zipListing the files in place again;
ls *c04-MalwareTrafficAnalysis1.zip mta1.pcapAs you can see, we have the pcap to analyze in place.
zeek command can be used to read PCAP files and generate comprehensive logs files describing every activity seen on the traffic.
To analyze the PCAP file using zeek command, run the command below
zeek -r mta1.pcap -CSee zeek -h for help on command line options.
When the command above is executed, it generates logs files in the current working directory.
ls -1 *.logconn.log
dhcp.log
dns.log
files.log
http.log
packet_filter.log
ssl.log
x509.log
A complete description of these logs is provided on Zeek Logs page.
So now that we have the log files generated from the analysis of Malware traffic analysis PCAP file, proceed to attempt to answer the provided questions.
1. What is the IP address of the Windows VM that gets infected?
Of course there are different ways in which one can approach this question. One of the approaches I would use is to find the top talkers. Those IPs/hosts whose connections involves large number of packets or bytes.
conn.log, is our log file of interest, that will at least contain the connection information including the number of packets/bytes involved in every connection.
The fields contained in this file are;
| Field | Field Type |
| ts | time |
| uid | string |
| id.orig_h | addr |
| id.orig_p | port |
| id.resp_h | addr |
| id.resp_p | port |
| proto | enum |
| service | string |
| duration | interval |
| orig_bytes | count |
| resp_bytes | count |
| conn_state | string |
| local_orig | bool |
| local_resp | bool |
| missed_bytes | count |
| history | string |
| orig_pkts | count |
| orig_ip_bytes | count |
| resp_pkts | count |
| resp_ip_bytes | count |
| tunnel_parents | set[string] |
For us to get the IP address of the, the number of fields we are interested in are; source IP (id.orig_h), destination IP (id.resp_h), source bytes (orig_bytes), destination bytes (resp_bytes), source packets (orig_pkts), destination packets (resp_pkts).
To extract these fields, use the command;
cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes resp_bytes orig_pkts resp_pktsYou can sort the output by the number of bytes involved, for example, column 3, which is the orig_bytes.
cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes resp_bytes orig_pkts resp_pkts | sort -k3 -nrSample output;
172.16.165.165 204.79.197.200 1768 270 3 5
172.16.165.165 37.200.69.143 1685 496251 113 380
172.16.165.165 37.200.69.143 1684 497644 147 388
172.16.165.165 82.150.140.30 1611 18783 14 24
172.16.165.165 82.150.140.30 1587 21415 17 28
172.16.165.165 82.150.140.30 1585 116094 45 100
172.16.165.165 82.150.140.30 1335 65838 30 57
172.16.165.165 74.125.233.96 1080 334211 115 262
172.16.165.165 74.125.233.96 1064 39580 17 38
172.16.165.165 82.150.140.30 1058 27795 21 33
172.16.165.165 188.225.73.100 890 69977 27 57
172.16.165.165 74.125.233.96 851 15400 10 18
172.16.165.165 204.79.197.200 807 408 2 4
172.16.165.165 82.150.140.30 785 10035 13 18
172.16.165.165 37.200.69.143 776 11441 11 15
172.16.165.165 37.200.69.143 776 11441 10 15
172.16.165.165 131.253.61.84 757 624 3 4
fe80::8db6:2c7:a019:4d88 ff02::1:2 644 0 7 0
172.16.165.165 74.125.233.96 643 70501 26 60
172.16.165.165 74.125.233.100 643 9799 10 14
172.16.165.165 74.125.233.96 548 855 5 4
172.16.165.165 188.225.73.100 531 1032 6 5
fe80::8db6:2c7:a019:4d88 ff02::1:2 368 0 4 0
172.16.165.165 172.16.165.2 354 0 6 0
172.16.165.165 185.53.178.9 353 4269 8 9
172.16.165.165 172.16.165.254 308 300 1 1
172.16.165.165 37.200.69.143 297 402035 132 308
172.16.165.165 37.200.69.143 297 205 6 6
172.16.165.165 172.16.165.2 204 0 3 0
172.16.165.165 172.16.165.2 204 0 3 0
172.16.165.165 172.16.165.2 204 0 3 0
172.16.165.165 172.16.165.2 204 0 3 0
172.16.165.165 172.16.165.2 204 0 3 0
172.16.165.165 172.16.165.255 150 0 3 0
fe80::8db6:2c7:a019:4d88 ff02::16 100 0 5 0
172.16.165.165 204.79.197.200 72 3359 5 6
fe80::8db6:2c7:a019:4d88 ff02::1:3 60 0 2 0
fe80::8db6:2c7:a019:4d88 ff02::1:3 60 0 2 0
172.16.165.165 224.0.0.252 60 0 2 0
172.16.165.165 224.0.0.252 60 0 2 0
172.16.165.165 172.16.165.2 49 65 1 1
172.16.165.165 172.16.165.2 49 65 1 1
fe80::8db6:2c7:a019:4d88 ff02::1:3 44 0 2 0
172.16.165.165 224.0.0.252 44 0 2 0
172.16.165.165 172.16.165.2 36 52 1 1
172.16.165.165 172.16.165.2 34 34 1 1
172.16.165.165 172.16.165.2 33 83 1 1
172.16.165.165 172.16.165.2 33 49 1 1
172.16.165.165 172.16.165.2 30 106 1 1
172.16.165.165 172.16.165.2 29 77 1 1
172.16.165.165 172.16.165.2 29 74 1 1
172.16.165.165 172.16.165.2 29 45 1 1
172.16.165.165 172.16.165.2 26 42 1 1
172.16.165.165 74.125.233.99 - - 1 0
172.16.165.165 74.125.233.99 - - 1 0
172.16.165.165 74.125.233.99 - - 1 0
172.16.165.165 74.125.233.100 - - 1 0
172.16.165.165 255.255.255.255 - - 1 0
172.16.165.165 204.79.197.200 - - 0 1
172.16.165.165 204.79.197.200 0 0 0 146
172.16.165.165 204.79.197.200 0 0 0 146
172.16.165.165 172.16.165.254 - - 0 1
As you can see from the output, there is a lot communication between the IP, 172.16.165.165, and the remote IP, 37.200.69.143, which actually might be the CnC server.
This is enough to conclude that, 172.16.165.165 is the IP address of the infected Windows machine.
2. What is the host name of the Windows VM that gets infected?
Now that we have know the IP address of the infected machine, it should be easy to get the domain name.
You are most likely to get the host name of the infected Windows machine from the DHCP, NetBIOS Name Service (NBNS), or SMB related traffic.
From the logs we got from analysing the PCAP file with Zeek, we only got the DHCP traffic, dhcp.log.
The fields contained in this file are;
| Field | Field Type |
| ts | time |
| uids | set[string] |
| client_addr | addr |
| server_addr | addr |
| mac | string |
| host_name | string |
| client_fqdn | string |
| domain | string |
| requested_addr | addr |
| assigned_addr | addr |
| lease_time | interval |
| client_message | string |
| server_message | string |
| msg_types | vector[string] |
| duration | interval |
Thus, we can extract the client_addr, server_addr, client_fqdn fields.
cat dhcp.log | zeek-cut client_addr server_addr client_fqdnSample output;
172.16.165.165 - -
172.16.165.165 172.16.165.254 K34EN6W3N-PCThus, our client (172.16.165.165), hostname is K34EN6W3N-PC.
3. What is the MAC address of the infected VM?
The same information can be obtained from the DHCP traffic. You can extract the mac field information from the log;
cat dhcp.log | zeek-cut client_addr server_addr mac172.16.165.165 - f0:19:af:02:9b:f1
172.16.165.165 172.16.165.254 f0:19:af:02:9b:f1f0:19:af:02:9b:f1 is the mac address.
4. What is the IP address of the compromised web site?
In this question, we are concerned about the HTTP traffic. Hence, we need to check the http.log.
To begin with, it can easily be noted that, the Windows machine, which was infected with malware was most likely used to compromise other sites. Thus, in this case, we will be looking for traffic originating from the host, 172.16.165.165.
The http.log contains quite a number of fields;
| Field | Field Type |
| ts | time |
| uid | string |
| id.orig_h | addr |
| id.orig_p | port |
| id.resp_h | addr |
| id.resp_p | port |
| trans_depth | count |
| method | string |
| host | string |
| uri | string |
| referrer | string |
| version | string |
| user_agent | string |
| origin | string |
| request_body_len | count |
| response_body_len | count |
| status_code | count |
| status_msg | string |
| info_code | count |
| info_msg | string |
| tags | set[enum] |
| username | string |
| password | string |
| proxied | set[string] |
| orig_fuids | vector[string] |
| orig_filenames | vector[string] |
| orig_mime_types | vector[string] |
| resp_fuids | vector[string] |
| resp_filenames | vector[string] |
| resp_mime_types | vector[string] |
So how can you get to know what is the IP address of the compromised server? Well, based on what the Internet says, when you analyse the HTTP logs, you realize that, one of the sites is acting as a referrer for a number of the sites. This basically means that, when you access that site, it takes you automatically to another site.
See sample events from the command below;
cat http.log | zeek-cut id.orig_h id.resp_h host referrer172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.bing.com/search?q=ciniholland.nl&qs=ds&form=QBLH
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 185.53.178.9 adultbiz.in http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/
172.16.165.165 74.125.233.96 www.youtube.com http://www.ciniholland.nl/
172.16.165.165 82.150.140.30 www.ciniholland.nl -
172.16.165.165 188.225.73.100 24corp-shop.com http://www.ciniholland.nl/
172.16.165.165 188.225.73.100 24corp-shop.com http://www.ciniholland.nl/
172.16.165.165 188.225.73.100 24corp-shop.com http://24corp-shop.com/
172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com http://24corp-shop.com/
172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com http://24corp-shop.com/
172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com -
172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com -
172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com http://stand.trustandprobaterealty.com/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com http://stand.trustandprobaterealty.com/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com -
172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com -
172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com -
172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com -
172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com -
172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com -
From the output above, in a number of instances, when you access the site http://www.ciniholland.nl/, it redirects you to other sites such as adultbiz.in, www.youtube.com, 24corp-shop.com, which is not normal. http://www.ciniholland.nl/ thus looks like it is a compromised site, whose IP address is 82.150.140.30.
There could be other ways on how to go about this. Please explore further.
5. What is the FQDN of the compromised website?
Based on the above, the FQDN of the compromised site is ciniholland.nl.
6. What is the IP address of the server that delivered the exploit kit and malware?
Based on the analysis on question 4, you can see that there is a suspicious connection whereby the connection to www.ciniholland.nl was referred to http://24corp-shop.com/, which then referred the connections to the stand.trustandprobaterealty.com site.
Based on this chain of events, let us analyse the http.log and print the timestamp of connections. We can also include the URI which basically shows the specific resource file on the HTTP traffic.
cat http.log | zeek-cut -d ts id.orig_h id.resp_h host referrer uri2014-11-16T05:11:56+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.7.2
2014-11-16T05:11:56+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/themes/cini/js/functions.js
2014-11-16T05:11:56+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/plugins/sitemap/css/page-list.css?ver=4.2
2014-11-16T05:11:55+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.bing.com/search?q=ciniholland.nl&qs=ds&form=QBLH /
2014-11-16T05:11:56+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/themes/cini/style.css
2014-11-16T05:11:56+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
2014-11-16T05:11:58+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/themes/cini/reset.css
2014-11-16T05:11:57+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.7.2
2014-11-16T05:11:57+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js?ver=3.50.0-2014.02.05
2014-11-16T05:11:57+0300 172.16.165.165 185.53.178.9 adultbiz.in http://www.ciniholland.nl/ /new/jquery.php
2014-11-16T05:11:57+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-includes/js/jquery/jquery.js?ver=1.10.2
2014-11-16T05:11:59+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/themes/cini/img/youtubelogo_on.gif
2014-11-16T05:11:59+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/themes/cini/img/twitter_on.gif
2014-11-16T05:11:59+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/themes/cini/img/facebook_on.gif
2014-11-16T05:11:59+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/themes/cini/img/br_logo.gif
2014-11-16T05:11:59+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/themes/cini/img/newsletter_on.gif
2014-11-16T05:11:59+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/themes/cini/img/donate_on.gif
2014-11-16T05:12:00+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/themes/cini/img/squareorangedecor.gif
2014-11-16T05:12:00+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/uploads/2012/01/P1260499-200x298.jpg
2014-11-16T05:12:00+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl http://www.ciniholland.nl/ /wp-content/uploads/2013/09/IMG-20130928-WA002-150x150.jpg
2014-11-16T05:12:01+0300 172.16.165.165 74.125.233.96 www.youtube.com http://www.ciniholland.nl/ /embed/hqgSewjl8hk
2014-11-16T05:12:09+0300 172.16.165.165 82.150.140.30 www.ciniholland.nl - /favicon.ico
2014-11-16T05:12:11+0300 172.16.165.165 188.225.73.100 24corp-shop.com http://www.ciniholland.nl/ /
2014-11-16T05:12:11+0300 172.16.165.165 188.225.73.100 24corp-shop.com http://www.ciniholland.nl/ /
2014-11-16T05:12:11+0300 172.16.165.165 188.225.73.100 24corp-shop.com http://24corp-shop.com/ /source/notfound.gif
2014-11-16T05:12:12+0300 172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com http://24corp-shop.com/ /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:12:12+0300 172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com http://24corp-shop.com/ /?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:12:19+0300 172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com - /index.php?req=mp3&num=16&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:12:30+0300 172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com - /index.php?req=mp3&num=95&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:12:41+0300 172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com http://stand.trustandprobaterealty.com/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM /index.php?req=swf&num=809&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:12:41+0300 172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com http://stand.trustandprobaterealty.com/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM /index.php?req=swf&num=7533&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:12:59+0300 172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com - /index.php?req=xml&num=9345&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:13:00+0300 172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com - /index.php?req=xml&num=2527&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:13:01+0300 172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com - /index.php?req=jar&num=3703&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:13:01+0300 172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com - /index.php?req=jar&num=9229&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:13:03+0300 172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com - /index.php?req=mp3&num=912585&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:13:03+0300 172.16.165.165 37.200.69.143 stand.trustandprobaterealty.com - /index.php?req=mp3&num=803295&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
There is a requested resource that is appearing mostly between 172.16.165.165 and 37.200.69.143.
You can also check files.log to find information about files transmitted btwn various hosts;
cat files.log | zeek-cut -d ts tx_hosts rx_hosts source mime_type filename2014-11-16T05:11:57+0300 82.150.140.30 172.16.165.165 HTTP text/plain -
2014-11-16T05:11:57+0300 82.150.140.30 172.16.165.165 HTTP text/plain -
2014-11-16T05:11:57+0300 82.150.140.30 172.16.165.165 HTTP text/plain -
2014-11-16T05:11:56+0300 82.150.140.30 172.16.165.165 HTTP text/html -
2014-11-16T05:11:57+0300 82.150.140.30 172.16.165.165 HTTP text/plain -
2014-11-16T05:11:57+0300 82.150.140.30 172.16.165.165 HTTP text/plain -
2014-11-16T05:11:58+0300 82.150.140.30 172.16.165.165 HTTP text/plain -
2014-11-16T05:11:58+0300 82.150.140.30 172.16.165.165 HTTP text/plain -
2014-11-16T05:11:58+0300 82.150.140.30 172.16.165.165 HTTP text/plain -
2014-11-16T05:11:59+0300 185.53.178.9 172.16.165.165 HTTP text/html -
2014-11-16T05:11:58+0300 82.150.140.30 172.16.165.165 HTTP text/plain -
2014-11-16T05:12:00+0300 82.150.140.30 172.16.165.165 HTTP image/gif -
2014-11-16T05:12:00+0300 82.150.140.30 172.16.165.165 HTTP image/gif -
2014-11-16T05:12:00+0300 82.150.140.30 172.16.165.165 HTTP image/gif -
2014-11-16T05:12:00+0300 82.150.140.30 172.16.165.165 HTTP image/gif -
2014-11-16T05:12:00+0300 82.150.140.30 172.16.165.165 HTTP image/gif -
2014-11-16T05:12:00+0300 82.150.140.30 172.16.165.165 HTTP image/gif -
2014-11-16T05:12:01+0300 82.150.140.30 172.16.165.165 HTTP image/gif -
2014-11-16T05:12:01+0300 82.150.140.30 172.16.165.165 HTTP image/jpeg -
2014-11-16T05:12:01+0300 82.150.140.30 172.16.165.165 HTTP image/jpeg -
2014-11-16T05:12:10+0300 82.150.140.30 172.16.165.165 HTTP image/x-icon -
2014-11-16T05:12:11+0300 188.225.73.100 172.16.165.165 HTTP text/html -
2014-11-16T05:12:11+0300 188.225.73.100 172.16.165.165 HTTP text/html -
2014-11-16T05:12:12+0300 188.225.73.100 172.16.165.165 HTTP image/gif -
2014-11-16T05:12:15+0300 37.200.69.143 172.16.165.165 HTTP text/html -
2014-11-16T05:12:15+0300 37.200.69.143 172.16.165.165 HTTP text/html -
2014-11-16T05:12:23+0300 37.200.69.143 172.16.165.165 HTTP - -
2014-11-16T05:12:33+0300 37.200.69.143 172.16.165.165 HTTP - -
2014-11-16T05:12:41+0300 37.200.69.143 172.16.165.165 HTTP application/x-shockwave-flash -
2014-11-16T05:12:42+0300 37.200.69.143 172.16.165.165 HTTP application/x-shockwave-flash -
2014-11-16T05:13:00+0300 37.200.69.143 172.16.165.165 HTTP application/xml -
2014-11-16T05:13:01+0300 37.200.69.143 172.16.165.165 HTTP application/xml -
2014-11-16T05:13:02+0300 37.200.69.143 172.16.165.165 HTTP application/java-archive -
2014-11-16T05:13:02+0300 37.200.69.143 172.16.165.165 HTTP application/java-archive -
2014-11-16T05:13:08+0300 37.200.69.143 172.16.165.165 HTTP - -
Between 2014-11-16T05:12:41+0300 and 2014-11-16T05:13:02+0300, there are file applications that are transmitted by 37.200.69.143 to 172.16.165.165.
Thus, we can guess 37.200.69.143 as the system that is transmitting the Malware.
7. What is the FQDN that delivered the exploit kit and malware?
Based on the above, the FQDN of the host that delivered malware, is stand.trustandprobaterealty.com.
8. What is the redirect URL that points to the exploit kit (EK) landing page?
On No 6, we mentioned that there was a suspicious connection whereby the connection to www.ciniholland.nl was referred to http://24corp-shop.com/, which then referred the connections to the stand.trustandprobaterealty.com site which delivered the EK. Thus, http://24corp-shop.com/ should be referrer the culprit to the EK landing page.
9. Other than CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with “J”. Provide the full application name.
Based on our analysis of Q No 6, http.log URI shows requests to a number of files. Two of them are suspicious files, where req=swf and req=jar.
/index.php?req=swf&num=7533&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
/index.php?req=jar&num=9229&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTMBased on the files.log analysis, these files are of type Flash and Java applications respectively. The questions required an answer beginning with J hence, Java should be the answer.
12. The compromised website has a malicious script with a URL. What is this URL?
Based on analysis for No 5, the compromised website is ciniholland.nl.
On No. 6, it shows that the connections to this site were referred to http://24corp-shop.com/. Thus, it can be concluded that the compromised site had the site http://24corp-shop.com/ URL embeded somewhere within its code.
For the rest of the questions, you can use other tools to do the analysis.
And that is how you can analyse network traffic using Zeek.
Read more on Cyberdefence.org page to get hints.
Other Tutorials
Detect Changes to Critical Files in Linux using Auditbeat and ELK
Install Arkime (Moloch) Full Packet Capture tool on Debian 11
