Analyze Network Traffic using Zeek


In this tutorial, you will learn how to analyze network traffic using Zeek. Zeek is a widely used passive network security monitoring tool. It sits on the network, reads all the traffic passing through it and parses that traffic into high-level events, which are then handed to Zeek's policy script interpreter. The scripts generate comprehensive records/logs of every connection seen on the wire, including all HTTP sessions with their requested URIs, key headers, MIME types and server responses; DNS requests with replies; SSL certificates; key content of SMTP sessions, etc.

Analyze Network Traffic using Zeek

In our previous guides, we learnt how to install and set up Zeek on various systems;

Install Zeek on Debian 11

Install Zeek on Ubuntu 20.04


If you check the logs directory, you will see that Zeek generates quite a number of logs, including;

  • http.log: information about HTTP requests and replies.
  • conn.log: information about TCP/UDP/ICMP connections.
  • notice.log: notices raised by Zeek's notice framework, i.e. activity Zeek scripts flag as worth attention.
  • dns.log: DNS queries and their responses.
  • dhcp.log: DHCP leases.
  • ftp.log: FTP sessions.

Read more on Zeek Logs page.

Sample logs

ls -1 /opt/zeek/logs/current
broker.log
capture_loss.log
cluster.log
conn.log
http.log
loaded_scripts.log
notice.log
packet_filter.log
reporter.log
ssh.log
stats.log
stderr.log
stdout.log
weird.log
files.log
dns.log
dhcp.log
ssl.log
x509.log

We will therefore use the Zeek generated log files to analyze the network traffic seen by Zeek on the wire.

There are various ways in which you can analyze network traffic using Zeek;

  1. manually using zeek-cut command
  2. Integrating Zeek with other visualization tools such as ELK/Brim.

Analyze Zeek Generated Logs using Zeek-cut

Zeek ships with various command line tools that can be used for various tasks.

zeek-cut is one of these commands. It extracts the given columns from ASCII-formatted Zeek logs on standard input and writes them to standard output.

zeek-cut help information;

zeek-cut -h
zeek-cut [options] [<columns>]

Extracts the given columns from ASCII Zeek logs on standard input, and outputs
them to standard output. If no columns are given, all are selected.
By default, zeek-cut does not include format header blocks in the output.

Example: cat conn.log | zeek-cut -d ts id.orig_h id.orig_p

    -c       Include the first format header block in the output.
    -C       Include all format header blocks in the output.
    -m       Include the first format header blocks in the output in minimal view.
    -M       Include all format header blocks in the output in minimal view.
    -d       Convert time values into human-readable format.
    -D <fmt> Like -d, but specify format for time (see strftime(3) for syntax).
    -F <chr> Sets a different output field separator character.
    -h       Show help.
    -n       Print all fields *except* those specified.
    -u       Like -d, but print timestamps in UTC instead of local time.
    -U <fmt> Like -D, but print timestamps in UTC instead of local time.

For time conversion option -d or -u, the format string can be specified by
setting an environment variable ZEEK_CUT_TIMEFMT.

To put this guide into practice, we will use Zeek to analyze the malware traffic packet capture from the cyberdefenders.org Malware Traffic Analysis 1 challenge and try to answer the challenge questions.

For this analysis, we have downloaded the Malware Traffic Analysis 1 PCAP archive and placed it on our system.

ls .
c04-MalwareTrafficAnalysis1.zip

Unzip the file using the password, cyberdefenders.org.

unzip -P cyberdefenders.org c04-MalwareTrafficAnalysis1.zip

Listing the files in place again;

ls *
c04-MalwareTrafficAnalysis1.zip  mta1.pcap

As you can see, we have the pcap to analyze in place.

The zeek command can read PCAP files and generate the same comprehensive log files describing every activity seen in the traffic.

To analyze the PCAP file with the zeek command, run;

zeek -r mta1.pcap -C

-r reads packets from the PCAP instead of a live interface. -C tells Zeek to ignore invalid IP/TCP/UDP checksums; captures taken on a host with checksum offloading enabled often contain bad checksums, and without -C Zeek would discard those packets and you would get incomplete logs. See zeek -h for the other command line options.

When the command above is executed, it writes the log files to the current working directory.

ls -1 *.log
conn.log
dhcp.log
dns.log
files.log
http.log
packet_filter.log
ssl.log
x509.log

A complete description of these logs is provided on Zeek Logs page.

Now that we have the log files generated from the Malware Traffic Analysis PCAP file, let us attempt to answer the provided questions.

1. What is the IP address of the Windows VM that gets infected?

Of course, there are different ways to approach this question. One approach is to find the top talkers: the IPs/hosts whose connections involve the largest number of packets or bytes.

conn.log is our log file of interest; it contains the connection information, including the number of packets/bytes involved in every connection.

The fields contained in this file are;

Field            Type
ts               time
uid              string
id.orig_h        addr
id.orig_p        port
id.resp_h        addr
id.resp_p        port
proto            enum
service          string
duration         interval
orig_bytes       count
resp_bytes       count
conn_state       string
local_orig       bool
local_resp       bool
missed_bytes     count
history          string
orig_pkts        count
orig_ip_bytes    count
resp_pkts        count
resp_ip_bytes    count
tunnel_parents   set[string]

To identify the infected host, the fields we are interested in are: source IP (id.orig_h), destination IP (id.resp_h), payload bytes sent by the originator (orig_bytes), payload bytes sent by the responder (resp_bytes), originator packets (orig_pkts) and responder packets (resp_pkts).

To extract these fields, use the command;

cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes resp_bytes orig_pkts resp_pkts

You can sort the output numerically by one of the byte columns, for example column 3, which is orig_bytes (unset values are written as "-" and sort as zero).

cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes resp_bytes orig_pkts resp_pkts | sort -k3 -nr

Sample output;

172.16.165.165	204.79.197.200	1768	270	3	5
172.16.165.165	37.200.69.143	1685	496251	113	380
172.16.165.165	37.200.69.143	1684	497644	147	388
172.16.165.165	82.150.140.30	1611	18783	14	24
172.16.165.165	82.150.140.30	1587	21415	17	28
172.16.165.165	82.150.140.30	1585	116094	45	100
172.16.165.165	82.150.140.30	1335	65838	30	57
172.16.165.165	74.125.233.96	1080	334211	115	262
172.16.165.165	74.125.233.96	1064	39580	17	38
172.16.165.165	82.150.140.30	1058	27795	21	33
172.16.165.165	188.225.73.100	890	69977	27	57
172.16.165.165	74.125.233.96	851	15400	10	18
172.16.165.165	204.79.197.200	807	408	2	4
172.16.165.165	82.150.140.30	785	10035	13	18
172.16.165.165	37.200.69.143	776	11441	11	15
172.16.165.165	37.200.69.143	776	11441	10	15
172.16.165.165	131.253.61.84	757	624	3	4
fe80::8db6:2c7:a019:4d88	ff02::1:2	644	0	7	0
172.16.165.165	74.125.233.96	643	70501	26	60
172.16.165.165	74.125.233.100	643	9799	10	14
172.16.165.165	74.125.233.96	548	855	5	4
172.16.165.165	188.225.73.100	531	1032	6	5
fe80::8db6:2c7:a019:4d88	ff02::1:2	368	0	4	0
172.16.165.165	172.16.165.2	354	0	6	0
172.16.165.165	185.53.178.9	353	4269	8	9
172.16.165.165	172.16.165.254	308	300	1	1
172.16.165.165	37.200.69.143	297	402035	132	308
172.16.165.165	37.200.69.143	297	205	6	6
172.16.165.165	172.16.165.2	204	0	3	0
172.16.165.165	172.16.165.2	204	0	3	0
172.16.165.165	172.16.165.2	204	0	3	0
172.16.165.165	172.16.165.2	204	0	3	0
172.16.165.165	172.16.165.2	204	0	3	0
172.16.165.165	172.16.165.255	150	0	3	0
fe80::8db6:2c7:a019:4d88	ff02::16	100	0	5	0
172.16.165.165	204.79.197.200	72	3359	5	6
fe80::8db6:2c7:a019:4d88	ff02::1:3	60	0	2	0
fe80::8db6:2c7:a019:4d88	ff02::1:3	60	0	2	0
172.16.165.165	224.0.0.252	60	0	2	0
172.16.165.165	224.0.0.252	60	0	2	0
172.16.165.165	172.16.165.2	49	65	1	1
172.16.165.165	172.16.165.2	49	65	1	1
fe80::8db6:2c7:a019:4d88	ff02::1:3	44	0	2	0
172.16.165.165	224.0.0.252	44	0	2	0
172.16.165.165	172.16.165.2	36	52	1	1
172.16.165.165	172.16.165.2	34	34	1	1
172.16.165.165	172.16.165.2	33	83	1	1
172.16.165.165	172.16.165.2	33	49	1	1
172.16.165.165	172.16.165.2	30	106	1	1
172.16.165.165	172.16.165.2	29	77	1	1
172.16.165.165	172.16.165.2	29	74	1	1
172.16.165.165	172.16.165.2	29	45	1	1
172.16.165.165	172.16.165.2	26	42	1	1
172.16.165.165	74.125.233.99	-	-	1	0
172.16.165.165	74.125.233.99	-	-	1	0
172.16.165.165	74.125.233.99	-	-	1	0
172.16.165.165	74.125.233.100	-	-	1	0
172.16.165.165	255.255.255.255	-	-	1	0
172.16.165.165	204.79.197.200	-	-	0	1
172.16.165.165	204.79.197.200	0	0	0	146
172.16.165.165	204.79.197.200	0	0	0	146
172.16.165.165	172.16.165.254	-	-	0	1

As you can see from the output, apart from some IPv6 link-local multicast (fe80::... to ff02::...), every connection is originated by 172.16.165.165, and there is a lot of communication between 172.16.165.165 and the remote IP 37.200.69.143, which, as we will see later, is the server delivering the exploit kit.

Since 172.16.165.165 is the only client host in the capture and is the one talking to the suspicious server, we can conclude that 172.16.165.165 is the IP address of the infected Windows machine.
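As an added example (not code from the original page or from the Zeek project), the same top-talker analysis as a Python script. Instead of relying on column positions the way sort -k3 does, it reads the #separator, #unset_field, #empty_field and #fields header lines that Zeek writes at the top of every ASCII log, treats unset cells ("-") as zero, and sums bytes in both directions across all connections of each host pair. The conn.log embedded in it is constructed for this example: its column list is trimmed to the fields used and its values mirror rows from the output above.

```python
"""Top talkers from a Zeek conn.log (added example, not the page's or Zeek's code)."""
from collections import defaultdict

# Constructed sample log: columns trimmed to the fields used here (a real
# conn.log carries more), values mirror rows from the output above.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\torig_bytes\tresp_bytes\torig_pkts\tresp_pkts",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount\tcount\tcount",
    "1416103916.0\tC1\t172.16.165.165\t49170\t37.200.69.143\t80\ttcp\t1685\t496251\t113\t380",
    "1416103917.0\tC2\t172.16.165.165\t49171\t37.200.69.143\t80\ttcp\t1684\t497644\t147\t388",
    "1416103918.0\tC3\t172.16.165.165\t49172\t82.150.140.30\t80\ttcp\t1611\t18783\t14\t24",
    "1416103919.0\tC4\t172.16.165.165\t53001\t172.16.165.2\t53\tudp\t49\t65\t1\t1",
    "1416103920.0\tC5\t172.16.165.165\t49173\t74.125.233.99\t80\ttcp\t-\t-\t1\t0",
    "#close\t2021-01-01-00-00-00",
])


def parse_zeek_log(text):
    """Yield one dict per record; unset cells become None, empty cells ''."""
    sep, unset, empty, fields = "\t", "-", "(empty)", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Zeek writes the separator as an escape sequence, e.g. \x09
                sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "unset_field":
                    unset = value
                elif key == "empty_field":
                    empty = value
                elif key == "fields":
                    fields = value.split(sep)
            continue
        if fields is None:
            raise ValueError("record before #fields header")
        cells = line.split(sep)
        yield {name: (None if c == unset else "" if c == empty else c)
               for name, c in zip(fields, cells)}


def top_talkers(records, n=5):
    """Rank (orig_h, resp_h) pairs by total payload bytes in both directions.

    Returns [((orig_h, resp_h), {"orig_bytes": .., "resp_bytes": .., "conns": ..}), ...]
    """
    totals = defaultdict(lambda: {"orig_bytes": 0, "resp_bytes": 0, "conns": 0})
    for r in records:
        t = totals[(r["id.orig_h"], r["id.resp_h"])]
        t["orig_bytes"] += int(r["orig_bytes"] or 0)  # None (unset) counts as 0
        t["resp_bytes"] += int(r["resp_bytes"] or 0)
        t["conns"] += 1
    ranked = sorted(totals.items(),
                    key=lambda kv: kv[1]["orig_bytes"] + kv[1]["resp_bytes"],
                    reverse=True)
    return ranked[:n]


def originators(records):
    """Hosts that initiated at least one connection: the candidate victims."""
    return {r["id.orig_h"] for r in records}


if __name__ == "__main__":
    recs = list(parse_zeek_log(SAMPLE_CONN_LOG))
    print("originators:", originators(recs))
    for (orig, resp), t in top_talkers(recs):
        print(f"{orig:>16} -> {resp:<16} {t['orig_bytes']:>8} {t['resp_bytes']:>8} {t['conns']:>3}")
```

To run it on the real log, pass open("conn.log").read() to parse_zeek_log in place of the embedded sample; the header handling means it also works on any other Zeek ASCII log.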

2. What is the host name of the Windows VM that gets infected?

Now that we know the IP address of the infected machine, it should be easy to get its host name.

You are most likely to find the host name of a Windows machine in DHCP, NetBIOS Name Service (NBNS) or SMB related traffic.

Of these, the logs Zeek produced for this PCAP only include DHCP traffic, dhcp.log.

The fields contained in this file are;

Field            Type
ts               time
uids             set[string]
client_addr      addr
server_addr      addr
mac              string
host_name        string
client_fqdn      string
domain           string
requested_addr   addr
assigned_addr    addr
lease_time       interval
client_message   string
server_message   string
msg_types        vector[string]
duration         interval

Thus, we extract the client_addr, server_addr and client_fqdn fields (the host_name field carries the same information when the client sends DHCP option 12 rather than option 81).

cat dhcp.log | zeek-cut client_addr server_addr client_fqdn

Sample output;

172.16.165.165	-	-
172.16.165.165	172.16.165.254	K34EN6W3N-PC

Thus, the host name of our client (172.16.165.165) is K34EN6W3N-PC.

3. What is the MAC address of the infected VM?

The same log answers this question. Extract the mac field, which is the client hardware address carried in the DHCP messages;

cat dhcp.log | zeek-cut client_addr server_addr mac
172.16.165.165	-	f0:19:af:02:9b:f1
172.16.165.165	172.16.165.254	f0:19:af:02:9b:f1

f0:19:af:02:9b:f1 is the MAC address of the infected VM.

4. What is the IP address of the compromised web site?

In this question, we are concerned with HTTP traffic. Hence, we need to check http.log.

To be clear, the infected Windows machine was not used to compromise other sites; rather, it became infected by visiting a legitimate but compromised web site that silently sent the browser on to the exploit kit. Thus, we look at the HTTP requests originating from the host 172.16.165.165 and work out which site it visited and where that site sent it.

The http.log contains quite a number of fields;

Field                Type
ts                   time
uid                  string
id.orig_h            addr
id.orig_p            port
id.resp_h            addr
id.resp_p            port
trans_depth          count
method               string
host                 string
uri                  string
referrer             string
version              string
user_agent           string
origin               string
request_body_len     count
response_body_len    count
status_code          count
status_msg           string
info_code            count
info_msg             string
tags                 set[enum]
username             string
password             string
proxied              set[string]
orig_fuids           vector[string]
orig_filenames       vector[string]
orig_mime_types      vector[string]
resp_fuids           vector[string]
resp_filenames       vector[string]
resp_mime_types      vector[string]

So how do you find the IP address of the compromised server? A compromised site typically has a script or iframe injected into its pages that pulls content from an attacker-controlled domain. In http.log that shows up as one site acting as the referrer for requests to unrelated domains: when the browser loads that site, it is automatically sent on to another site.

See sample events from the command below;

cat http.log | zeek-cut id.orig_h id.resp_h host referrer
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.bing.com/search?q=ciniholland.nl&qs=ds&form=QBLH
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	185.53.178.9	adultbiz.in	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/
172.16.165.165	74.125.233.96	www.youtube.com	http://www.ciniholland.nl/
172.16.165.165	82.150.140.30	www.ciniholland.nl	-
172.16.165.165	188.225.73.100	24corp-shop.com	http://www.ciniholland.nl/
172.16.165.165	188.225.73.100	24corp-shop.com	http://www.ciniholland.nl/
172.16.165.165	188.225.73.100	24corp-shop.com	http://24corp-shop.com/
172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	http://24corp-shop.com/
172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	http://24corp-shop.com/
172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-
172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-
172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	http://stand.trustandprobaterealty.com/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	http://stand.trustandprobaterealty.com/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-
172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-
172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-
172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-
172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-
172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-

From the output above, while the browser is on http://www.ciniholland.nl/, the page causes requests to other domains such as adultbiz.in, www.youtube.com and 24corp-shop.com. The YouTube embed is plausibly legitimate, but an adult site and an unrelated shop being loaded from this WordPress site is not normal. http://www.ciniholland.nl/ thus looks like the compromised site, and its IP address is 82.150.140.30.

There could be other ways on how to go about this. Please explore further.

5. What is the FQDN of the compromised website?

Based on the above, the FQDN of the compromised site is ciniholland.nl (the Host header seen in the requests is www.ciniholland.nl).

6. What is the IP address of the server that delivered the exploit kit and malware?

Based on the analysis in question 4, you can see a suspicious chain: the visit to www.ciniholland.nl referred the browser to http://24corp-shop.com/, which in turn referred it to the stand.trustandprobaterealty.com site.

Based on this chain of events, let us print the http.log entries with their timestamps (-d renders ts in human-readable form) and include the URI, which shows the specific resource requested.

cat http.log | zeek-cut -d ts id.orig_h id.resp_h host referrer uri
2014-11-16T05:11:56+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.7.2
2014-11-16T05:11:56+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/themes/cini/js/functions.js
2014-11-16T05:11:56+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/plugins/sitemap/css/page-list.css?ver=4.2
2014-11-16T05:11:55+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.bing.com/search?q=ciniholland.nl&qs=ds&form=QBLH	/
2014-11-16T05:11:56+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/themes/cini/style.css
2014-11-16T05:11:56+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
2014-11-16T05:11:58+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/themes/cini/reset.css
2014-11-16T05:11:57+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.7.2
2014-11-16T05:11:57+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js?ver=3.50.0-2014.02.05
2014-11-16T05:11:57+0300	172.16.165.165	185.53.178.9	adultbiz.in	http://www.ciniholland.nl/	/new/jquery.php
2014-11-16T05:11:57+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-includes/js/jquery/jquery.js?ver=1.10.2
2014-11-16T05:11:59+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/themes/cini/img/youtubelogo_on.gif
2014-11-16T05:11:59+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/themes/cini/img/twitter_on.gif
2014-11-16T05:11:59+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/themes/cini/img/facebook_on.gif
2014-11-16T05:11:59+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/themes/cini/img/br_logo.gif
2014-11-16T05:11:59+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/themes/cini/img/newsletter_on.gif
2014-11-16T05:11:59+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/themes/cini/img/donate_on.gif
2014-11-16T05:12:00+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/themes/cini/img/squareorangedecor.gif
2014-11-16T05:12:00+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/uploads/2012/01/P1260499-200x298.jpg
2014-11-16T05:12:00+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	http://www.ciniholland.nl/	/wp-content/uploads/2013/09/IMG-20130928-WA002-150x150.jpg
2014-11-16T05:12:01+0300	172.16.165.165	74.125.233.96	www.youtube.com	http://www.ciniholland.nl/	/embed/hqgSewjl8hk
2014-11-16T05:12:09+0300	172.16.165.165	82.150.140.30	www.ciniholland.nl	-	/favicon.ico
2014-11-16T05:12:11+0300	172.16.165.165	188.225.73.100	24corp-shop.com	http://www.ciniholland.nl/	/
2014-11-16T05:12:11+0300	172.16.165.165	188.225.73.100	24corp-shop.com	http://www.ciniholland.nl/	/
2014-11-16T05:12:11+0300	172.16.165.165	188.225.73.100	24corp-shop.com	http://24corp-shop.com/	/source/notfound.gif
2014-11-16T05:12:12+0300	172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	http://24corp-shop.com/	/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:12:12+0300	172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	http://24corp-shop.com/	/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:12:19+0300	172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-	/index.php?req=mp3&num=16&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:12:30+0300	172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-	/index.php?req=mp3&num=95&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:12:41+0300	172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	http://stand.trustandprobaterealty.com/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM	/index.php?req=swf&num=809&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:12:41+0300	172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	http://stand.trustandprobaterealty.com/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM	/index.php?req=swf&num=7533&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:12:59+0300	172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-	/index.php?req=xml&num=9345&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:13:00+0300	172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-	/index.php?req=xml&num=2527&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:13:01+0300	172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-	/index.php?req=jar&num=3703&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:13:01+0300	172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-	/index.php?req=jar&num=9229&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:13:03+0300	172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-	/index.php?req=mp3&num=912585&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
2014-11-16T05:13:03+0300	172.16.165.165	37.200.69.143	stand.trustandprobaterealty.com	-	/index.php?req=mp3&num=803295&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM

Notice the pattern of requests from 172.16.165.165 to 37.200.69.143: every request carries the same PHPSSESID token, and the req= parameter cycles through mp3, swf, xml and jar, i.e. the server is handing different payloads to the same session.
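The referrer reasoning of question 4 and the chain/URI reasoning of question 6 can be automated. As an added example (not code from the original page), the Python script below consumes lines in the exact shape of the zeek-cut -d ts id.orig_h id.resp_h host referrer uri output above, builds the cross-site referral graph (which site sent the browser to which other site, ignoring a page loading its own CSS and images), enumerates every referral path leaving the compromised site, and pulls the req=/num= parameters out of the exploit kit URIs. The sample rows embedded in it are constructed from a subset of the output above, with the long PHPSSESID value replaced by the placeholder TOKEN.

```python
"""Redirect chain and exploit-kit payload requests from zeek-cut http.log output.

Added example, not code from the original page. Input rows are constructed.
"""
from urllib.parse import parse_qs, urlsplit

TOKEN = "PHPSSESID=TOKEN"  # stands in for the long session value seen above
EK = "stand.trustandprobaterealty.com"
SAMPLE_ZEEK_CUT = "\n".join("\t".join(r) for r in [
    ("2014-11-16T05:11:55+0300", "172.16.165.165", "82.150.140.30", "www.ciniholland.nl",
     "http://www.bing.com/search?q=ciniholland.nl", "/"),
    ("2014-11-16T05:11:56+0300", "172.16.165.165", "82.150.140.30", "www.ciniholland.nl",
     "http://www.ciniholland.nl/", "/wp-content/themes/cini/style.css"),
    ("2014-11-16T05:11:57+0300", "172.16.165.165", "185.53.178.9", "adultbiz.in",
     "http://www.ciniholland.nl/", "/new/jquery.php"),
    ("2014-11-16T05:12:01+0300", "172.16.165.165", "74.125.233.96", "www.youtube.com",
     "http://www.ciniholland.nl/", "/embed/hqgSewjl8hk"),
    ("2014-11-16T05:12:11+0300", "172.16.165.165", "188.225.73.100", "24corp-shop.com",
     "http://www.ciniholland.nl/", "/"),
    ("2014-11-16T05:12:12+0300", "172.16.165.165", "37.200.69.143", EK,
     "http://24corp-shop.com/", "/?" + TOKEN),
    ("2014-11-16T05:12:19+0300", "172.16.165.165", "37.200.69.143", EK,
     "-", "/index.php?req=mp3&num=16&" + TOKEN),
    ("2014-11-16T05:12:41+0300", "172.16.165.165", "37.200.69.143", EK,
     "http://" + EK + "/?" + TOKEN, "/index.php?req=swf&num=809&" + TOKEN),
    ("2014-11-16T05:13:01+0300", "172.16.165.165", "37.200.69.143", EK,
     "-", "/index.php?req=jar&num=3703&" + TOKEN),
])
COLUMNS = ("ts", "orig", "resp", "host", "referrer", "uri")


def parse_rows(text):
    """zeek-cut output is positional: split on tabs, map '-' (unset) to None."""
    return [{k: (None if v == "-" else v) for k, v in zip(COLUMNS, line.split("\t"))}
            for line in text.splitlines()]


def referral_edges(rows):
    """Cross-site referrals as (referrer_host, requested_host, responder_ip), first-seen order."""
    seen = {}
    for r in rows:
        if not r["referrer"]:
            continue
        ref_host = urlsplit(r["referrer"]).hostname
        if ref_host and ref_host != r["host"]:  # skip a page loading its own assets
            seen.setdefault((ref_host, r["host"]), r["resp"])
    return [(src, dst, ip) for (src, dst), ip in seen.items()]


def referral_paths(edges, start):
    """Every path of cross-site referrals leaving `start`; the longest one is the EK chain."""
    adjacency = {}
    for src, dst, _ in edges:
        adjacency.setdefault(src, []).append(dst)
    paths = []

    def walk(node, path):
        nxt = [d for d in adjacency.get(node, []) if d not in path]  # no cycles
        if not nxt:
            paths.append(path)
        for d in nxt:
            walk(d, path + [d])

    walk(start, [start])
    return paths


def landing_page_referrer(rows, landing_host):
    """URL that redirected the browser to the EK landing page (question 8)."""
    for r in rows:
        if r["host"] == landing_host and r["referrer"]:
            if urlsplit(r["referrer"]).hostname != landing_host:
                return r["referrer"]
    return None


def ek_payload_requests(rows, ek_host):
    """(ts, req, num) for every EK request that names a payload type via req=."""
    out = []
    for r in rows:
        if r["host"] == ek_host:
            q = parse_qs(urlsplit(r["uri"]).query)
            if "req" in q:
                out.append((r["ts"], q["req"][0], q.get("num", [None])[0]))
    return out


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ZEEK_CUT)
    edges = referral_edges(rows)
    paths = referral_paths(edges, "www.ciniholland.nl")
    for path in paths:
        print(" -> ".join(path))
    ek = max(paths, key=len)[-1]
    print("EK host:", ek, "redirect URL:", landing_page_referrer(rows, ek))
    print("payload types:", sorted({req for _, req, _ in ek_payload_requests(rows, ek)}))
```

On a real log, pipe cat http.log | zeek-cut -d ts id.orig_h id.resp_h host referrer uri into the script (read sys.stdin instead of the embedded sample); the longest referral path ends at the exploit kit host, its last hop's referrer is the redirect URL, and the req= values tell you which payload types (Flash, Java archive, ...) the kit served.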

You can also check files.log for information about the files transferred between hosts;

cat files.log | zeek-cut -d ts tx_hosts rx_hosts source mime_type filename
2014-11-16T05:11:57+0300	82.150.140.30	172.16.165.165	HTTP	text/plain	-
2014-11-16T05:11:57+0300	82.150.140.30	172.16.165.165	HTTP	text/plain	-
2014-11-16T05:11:57+0300	82.150.140.30	172.16.165.165	HTTP	text/plain	-
2014-11-16T05:11:56+0300	82.150.140.30	172.16.165.165	HTTP	text/html	-
2014-11-16T05:11:57+0300	82.150.140.30	172.16.165.165	HTTP	text/plain	-
2014-11-16T05:11:57+0300	82.150.140.30	172.16.165.165	HTTP	text/plain	-
2014-11-16T05:11:58+0300	82.150.140.30	172.16.165.165	HTTP	text/plain	-
2014-11-16T05:11:58+0300	82.150.140.30	172.16.165.165	HTTP	text/plain	-
2014-11-16T05:11:58+0300	82.150.140.30	172.16.165.165	HTTP	text/plain	-
2014-11-16T05:11:59+0300	185.53.178.9	172.16.165.165	HTTP	text/html	-
2014-11-16T05:11:58+0300	82.150.140.30	172.16.165.165	HTTP	text/plain	-
2014-11-16T05:12:00+0300	82.150.140.30	172.16.165.165	HTTP	image/gif	-
2014-11-16T05:12:00+0300	82.150.140.30	172.16.165.165	HTTP	image/gif	-
2014-11-16T05:12:00+0300	82.150.140.30	172.16.165.165	HTTP	image/gif	-
2014-11-16T05:12:00+0300	82.150.140.30	172.16.165.165	HTTP	image/gif	-
2014-11-16T05:12:00+0300	82.150.140.30	172.16.165.165	HTTP	image/gif	-
2014-11-16T05:12:00+0300	82.150.140.30	172.16.165.165	HTTP	image/gif	-
2014-11-16T05:12:01+0300	82.150.140.30	172.16.165.165	HTTP	image/gif	-
2014-11-16T05:12:01+0300	82.150.140.30	172.16.165.165	HTTP	image/jpeg	-
2014-11-16T05:12:01+0300	82.150.140.30	172.16.165.165	HTTP	image/jpeg	-
2014-11-16T05:12:10+0300	82.150.140.30	172.16.165.165	HTTP	image/x-icon	-
2014-11-16T05:12:11+0300	188.225.73.100	172.16.165.165	HTTP	text/html	-
2014-11-16T05:12:11+0300	188.225.73.100	172.16.165.165	HTTP	text/html	-
2014-11-16T05:12:12+0300	188.225.73.100	172.16.165.165	HTTP	image/gif	-
2014-11-16T05:12:15+0300	37.200.69.143	172.16.165.165	HTTP	text/html	-
2014-11-16T05:12:15+0300	37.200.69.143	172.16.165.165	HTTP	text/html	-
2014-11-16T05:12:23+0300	37.200.69.143	172.16.165.165	HTTP	-	-
2014-11-16T05:12:33+0300	37.200.69.143	172.16.165.165	HTTP	-	-
2014-11-16T05:12:41+0300	37.200.69.143	172.16.165.165	HTTP	application/x-shockwave-flash	-
2014-11-16T05:12:42+0300	37.200.69.143	172.16.165.165	HTTP	application/x-shockwave-flash	-
2014-11-16T05:13:00+0300	37.200.69.143	172.16.165.165	HTTP	application/xml	-
2014-11-16T05:13:01+0300	37.200.69.143	172.16.165.165	HTTP	application/xml	-
2014-11-16T05:13:02+0300	37.200.69.143	172.16.165.165	HTTP	application/java-archive	-
2014-11-16T05:13:02+0300	37.200.69.143	172.16.165.165	HTTP	application/java-archive	-
2014-11-16T05:13:08+0300	37.200.69.143	172.16.165.165	HTTP	-	-

Between 2014-11-16T05:12:41+0300 and 2014-11-16T05:13:02+0300, 37.200.69.143 sends 172.16.165.165 files of type application/x-shockwave-flash (Flash), application/xml and application/java-archive (a Java JAR), matching the req=swf, req=xml and req=jar requests in http.log.

Thus, 37.200.69.143 is the server that delivered the exploit kit and malware.

7. What is the FQDN that delivered the exploit kit and malware?

Based on the above, the FQDN of the host that delivered malware, is stand.trustandprobaterealty.com.

8. What is the redirect URL that points to the exploit kit (EK) landing page?

In question 6, we saw the suspicious chain: the visit to www.ciniholland.nl was referred to http://24corp-shop.com/, which then referred the browser to stand.trustandprobaterealty.com, the site that delivered the EK. Thus, http://24corp-shop.com/ is the redirect URL that points to the EK landing page.

9. Other than CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with “J”. Provide the full application name.

Based on our analysis in question 6, the http.log URIs show requests for a number of files. Two of them are suspicious, where req=swf and req=jar;

/index.php?req=swf&num=7533&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM
/index.php?req=jar&num=9229&PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM

Based on the files.log analysis, these are a Flash file and a Java archive respectively. The question requires an answer beginning with "J", hence Java is the answer: alongside the IE exploit, the EK targeted the Java browser plugin.

12. The compromised website has a malicious script with a URL. What is this URL?

Based on the analysis for question 5, the compromised website is ciniholland.nl.

Question 6 showed that the request to http://24corp-shop.com/ carried http://www.ciniholland.nl/ as its referrer. Thus, the page served by the compromised site must contain a script or iframe pointing at the URL http://24corp-shop.com/. Confirming the exact injected script would require inspecting the page body (for example by extracting the HTML from the PCAP), which the Zeek logs alone do not show.

For the rest of the questions, you can use other tools to do the analysis.

And that is how you can analyse network traffic using Zeek.

Please leave comments on improvements.

Read more on the cyberdefenders.org challenge page to get hints.
