Threat Hunting in Splunk With Zeek

This document discusses how the network analysis tool Zeek (formerly known as Bro) can help with threat hunting by transforming raw network traffic into structured, pre-cooked logs. It provides examples of some of Zeek's main log files, including conn.log for connection details, http.log for HTTP transactions, files.log for file analysis, and smtp.log for email. The document then explains how these logs can be leveraged for threat hunting examples in Splunk.


Threat Hunting in Splunk® with Zeek

YOUR BEST NEXT MOVE | CORELIGHT.COM


Agenda

• Threat hunting visibility challenges
• How Zeek can help
• Threat hunting examples in Splunk
• About Corelight


How well do you know your network?

[Slide diagram: the data sources a typical network team has visibility into] SMTP, HTTP, FIREWALL, NETFLOW, FTP, MAIL, HOST, HOST IDS, IDS/IPS/NTA, PCAP


Zeek (fka Bro) transforms raw traffic into precooked data

conn.log | IP, TCP, UDP, ICMP connection details

FIELD            TYPE      DESCRIPTION
ts               time      Timestamp of the first packet
uid              string    Unique ID of the connection
id.orig_h        addr      Originating endpoint’s IP address (Orig)
id.orig_p        port      Originating endpoint’s TCP/UDP port (or ICMP code)
id.resp_h        addr      Responding endpoint’s IP address (Resp)
id.resp_p        port      Responding endpoint’s TCP/UDP port (or ICMP code)
proto            proto     Transport layer protocol of connection
service          string    Detected application protocol, if any
duration         interval  Connection length
orig_bytes       count     Orig payload bytes; from sequence numbers if TCP
resp_bytes       count     Resp payload bytes; from sequence numbers if TCP
conn_state       string    Connection state (see conn.log > conn_state)
local_orig       bool      Is Orig in Site::local_nets?
local_resp       bool      Is Resp in Site::local_nets?
missed_bytes     count     Number of bytes missing due to content gaps
history          string    Connection state history (see conn.log > history)
orig_pkts        count     Number of Orig packets
orig_ip_bytes    count     Number of Orig IP bytes (via IP total_length header field)
resp_pkts        count     Number of Resp packets
resp_ip_bytes    count     Number of Resp IP bytes (via IP total_length header field)
tunnel_parents   set       If tunneled, connection UID of encapsulating parent(s)
orig_l2_addr     string    Link-layer address of the originator
resp_l2_addr     string    Link-layer address of the responder
vlan             int       The outer VLAN for this connection
inner_vlan       int       The inner VLAN for this connection

http.log | HTTP request/reply details

FIELD                 TYPE      DESCRIPTION
ts                    time      Timestamp of the HTTP request
uid & id                        Underlying connection info > See conn.log
trans_depth           count     Pipelined depth into the connection
method                string    HTTP Request verb: GET, POST, HEAD, etc
host                  string    Value of the Host header
uri                   string    URI used in the request
referrer              string    Value of the “Referer” header
user_agent            string    Value of the User-Agent header
request_body_len      count     Uncompressed content size of Orig data
response_body_len     count     Uncompressed content size of Resp data
status_code           count     Status code returned by the server
status_msg            string    Status message returned by the server
info_code             count     Last seen 1xx info reply code by server
info_msg              string    Last seen 1xx info reply message by server
tags                  set       Indicators of various attributes discovered
username              string    Username if basic-auth is performed
password              string    Password if basic-auth is performed
proxied               set       Headers indicative of a proxied request
orig_fuids            vector    File unique IDs from Orig
orig_filenames        vector    File names from Orig
orig_mime_types       vector    File types from Orig
resp_fuids            vector    File unique IDs from Resp
resp_filenames        vector    File names from Resp
resp_mime_types       vector    File types from Resp
client_header_names¹  vector    The names of HTTP headers sent by Orig
server_header_names¹  vector    The names of HTTP headers sent by Resp
cookie_vars²          vector    Variable names extracted from cookies
uri_vars²             vector    Variable names extracted from the URI

¹ If policy/protocols/http/header-names.bro is loaded
² If policy/protocols/http/var-extraction-uri.bro is loaded

files.log | File analysis results

FIELD            TYPE      DESCRIPTION
ts               time      Timestamp when file was first seen
fuid             string    Unique identifier for a single file
tx_hosts         set       Host(s) that sourced the data
rx_hosts         set       Host(s) that received the data
conn_uids        set       Connection UID(s) over which file transferred
source           string    An identification of the source of the file data
depth            count     Depth of file related to source (e.g., HTTP request depth)
analyzers        set       Set of analyzers attached during file analysis
mime_type        string    File type, as determined by Bro’s signatures
filename         string    Filename, if available from source analyzer
duration         interval  The duration that the file was analyzed for
local_orig       bool      Did the data originate locally?
is_orig          bool      Was the file sent by the Originator?
seen_bytes       count     Number of bytes provided to file analysis engine
total_bytes      count     Total number of bytes that should comprise the file
missing_bytes    count     Number of bytes in file stream missed
overflow_bytes   count     Out-of-sequence bytes in the stream due to overflow
timedout         bool      If the file analysis timed out at least once
parent_fuid      string    Container file ID this was extracted from
md5/sha1         string    MD5/SHA1 hash of the file
extracted        string    Local filename of extracted files, if enabled
entropy          double    Information density of the file contents

smtp.log | SMTP transactions

FIELD             TYPE      DESCRIPTION
ts                time      Timestamp when message was first seen
uid & id                    Underlying connection info > See conn.log
trans_depth       count     Transaction depth if there are multiple msgs
helo              string    Contents of the HELO header
mailfrom          string    Contents of the MAIL FROM header
rcptto            set       Contents of the RCPT TO header
date              string    Contents of the DATE header
from              string    Contents of the FROM header
to                set       Contents of the TO header
cc                set       Contents of the CC header
reply_to          string    Contents of the ReplyTo header
msg_id            string    Contents of the MsgID header
in_reply_to       string    Contents of the In-Reply-To header
subject           string    Contents of the Subject header
x_originating_ip  addr      Contents of the X-Originating-IP header
first_received    string    Contents of the first Received header
second_received   string    Contents of the second Received header
last_reply        string    Last server to client message
path              vector    Message transmission path, from headers
user_agent        string    Value of the client User-Agent header
tls               bool      Indicates the connection switched to TLS
fuids             vector    File unique IDs seen attached to message
is_webmail¹       bool      If the message was sent via webmail

¹ If policy/protocols/smtp/software.bro is loaded

ts        Timestamps with microsecond accuracy, synchronized across logs
uid       Unique ID for every connection
md5/sha1  File hash of every file
fuid      Unique ID for every instance of every file seen on the network

Even if that traffic is encrypted.


Zeek/Corelight complements your existing security stack.

[Slide diagram: deployment architecture] Traffic reaches a Corelight Physical Sensor or Virtual Sensor through a TAP, SPAN, or packet brokers (with traffic mirroring/decryption in front of it where needed). The sensor is fed by Corelight Fleet Management, intel feeds, and environment-specific data (CMDB, whitelists, blacklists, organizational info). Its outputs are logs + insights, sent on to other tools, and extracted files, sent to file analysis tools and others.


Do any of these security pains sound familiar?

Threat Detection
• Too many false positives
• Trouble detecting lateral movement
• Inability to detect encrypted attacks
• Trouble detecting C2 communications

Response
• A growing, unresolved incident backlog
• Difficulty ID-ing affected machines
• Inability to verify 100% containment
• Trouble locating needed PCAP files

Hunting
• Missing DNS depth to spot tunneling
• Can’t find traffic in non-standard ports
• Can’t see C2 and beaconing activity
• Can’t easily hunt through SMB traffic
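Two of the hunting pains above (traffic on non-standard ports, beaconing) can be worked directly from the conn.log fields in the cheat sheet: ts, uid, id.orig_h, id.resp_h, id.resp_p, proto and service. The script below is an added example, not code from this deck, from Corelight, or from the Zeek project. It parses conn.log records in the JSON form written by Zeek's JSON log writer and runs two hunts over a constructed sample: a service/port mismatch check (Zeek's detected application protocol against the responder port) and a beaconing check that groups connections by originator, responder and port and flags near-constant gaps between ts values. The EXPECTED_PORTS map, the thresholds, the `_rec` helper and the sample records are assumptions for illustration.

```python
"""Two conn.log hunts: service/port mismatch and fixed-interval beaconing.
Uses only fields from the Zeek conn.log cheat sheet."""
import json
import statistics
from collections import defaultdict

# Assumption: a small site-specific map of detected service -> ports it is
# expected on. A real deployment would derive this from its own baseline.
EXPECTED_PORTS = {"ssh": {22}, "http": {80, 8080}, "ssl": {443},
                  "dns": {53}, "smtp": {25, 587}}


def _rec(ts, uid, orig, resp, resp_p, service=None):
    """Build one constructed conn.log record (hypothetical helper, not Zeek's)."""
    r = {"ts": ts, "uid": uid, "id.orig_h": orig, "id.orig_p": 51000,
         "id.resp_h": resp, "id.resp_p": resp_p, "proto": "tcp",
         "duration": 1.0, "orig_bytes": 500, "resp_bytes": 700, "conn_state": "SF"}
    if service is not None:
        r["service"] = service  # Zeek omits unset optional fields from JSON output
    return r


# Constructed sample, not captured traffic:
#  10.0.0.5 -> 203.0.113.7:443 every ~60 s, identified as "ssh" despite port 443
#  10.0.0.9 -> 198.51.100.2:443 at irregular times, identified as "ssl"
#  10.0.0.9 -> 198.51.100.8:8080 once, with no service identified
SAMPLE_CONN_LOG = "\n".join(json.dumps(r) for r in [
    _rec(1700000000.00, "C1a", "10.0.0.5", "203.0.113.7", 443, "ssh"),
    _rec(1700000060.10, "C1b", "10.0.0.5", "203.0.113.7", 443, "ssh"),
    _rec(1700000119.90, "C1c", "10.0.0.5", "203.0.113.7", 443, "ssh"),
    _rec(1700000180.00, "C1d", "10.0.0.5", "203.0.113.7", 443, "ssh"),
    _rec(1700000240.05, "C1e", "10.0.0.5", "203.0.113.7", 443, "ssh"),
    _rec(1700000005.00, "C2a", "10.0.0.9", "198.51.100.2", 443, "ssl"),
    _rec(1700000017.00, "C2b", "10.0.0.9", "198.51.100.2", 443, "ssl"),
    _rec(1700000305.00, "C2c", "10.0.0.9", "198.51.100.2", 443, "ssl"),
    _rec(1700000310.00, "C2d", "10.0.0.9", "198.51.100.2", 443, "ssl"),
    _rec(1700001200.00, "C2e", "10.0.0.9", "198.51.100.2", 443, "ssl"),
    _rec(1700000050.00, "C3a", "10.0.0.9", "198.51.100.8", 8080),
])


def parse_conn_log(text):
    """Parse newline-delimited JSON conn.log records, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        records.append(json.loads(line))
    return records


def service_port_mismatches(records):
    """(uid, service, id.resp_p) for connections whose detected protocol is on
    a port outside EXPECTED_PORTS. Records with no detected service are skipped,
    since there is nothing to compare the port against."""
    hits = []
    for r in records:
        svc = r.get("service")
        if svc is None:
            continue
        expected = EXPECTED_PORTS.get(svc)
        if expected and r["id.resp_p"] not in expected:
            hits.append((r["uid"], svc, r["id.resp_p"]))
    return hits


def beacon_candidates(records, min_conns=4, max_cv=0.1):
    """Group connections by (id.orig_h, id.resp_h, id.resp_p) and flag groups whose
    inter-connection gaps are nearly constant: coefficient of variation
    (population stdev / mean) below max_cv, with at least min_conns connections."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    out = []
    for (orig, resp, port), stamps in groups.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; not a periodic pattern
        cv = statistics.pstdev(gaps) / mean
        if cv < max_cv:
            out.append({"orig_h": orig, "resp_h": resp, "resp_p": port,
                        "connections": len(stamps),
                        "mean_interval": round(mean, 1), "cv": round(cv, 3)})
    return out


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for uid, svc, port in service_port_mismatches(recs):
        print(f"service/port mismatch: uid={uid} service={svc} id.resp_p={port}")
    for b in beacon_candidates(recs):
        print(f"beacon candidate: {b}")
```

The same grouping can be expressed in Splunk as an aggregation over the same Zeek field names; the thresholds here are deliberately simple, and a real hunt would also weigh duration, orig_bytes/resp_bytes and conn_state, all of which conn.log carries.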


Threat hunting examples in Splunk



Corelight takes the pain out of deploying Zeek

The most comprehensive move, monitor your entire traffic with one solution.
● Security-relevant data from layers 3-7
● 600+ security-relevant fields captured
● 10,000+ files a minute extracted

The quickest move, deploy security coverage immediately.
● <15 min to deploy on prem or in the cloud
● Easily integrates with your security stack
● Set and forget, no ongoing tuning required

The least disruptive security move.
● Out-of-band deployment
● Passive monitoring, undetectable
● No end-point or host configuration required


Additional Resources

• Corelight and Splunk brief: www3.corelight.com/corelight-sensor-splunk-data-sheet
• Corelight App for Splunk: splunkbase.splunk.com/app/3884/
• Threat Hunting Guide: www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs