Zeek Network Security Monitor Tutorial: Part 4(conn.log — 2)

Kevin Thomas
2 min read, Feb 5, 2020


For a complete table of contents of all the lessons please click below; it gives a brief summary of each lesson and the topics it covers. https://github.com/mytechnotalent/Zeek-Network-Security-Monitor-Tutorial

Welcome back to our tutorial series on Zeek. Today we will continue learning about zeek-cut and review conn.log, which is one of the most important default logs within Zeek.

FYI — Part 1 of the series provides a step-by-step guide to get Zeek installed within your Network. If you have not read the guide please visit here before continuing. https://medium.com/@mytechnotalent/zeek-network-security-monitor-tutorial-part-1-setup-f0ac2fb8eba8

Let’s first change into the directory where our conn.log lives, shown below. Please make sure you have ZeekControl running. If you are unfamiliar with this, please review this lesson. https://medium.com/@mytechnotalent/zeek-network-security-monitor-tutorial-part-2-alert-all-notices-zeek-5591357f6f21

cd /usr/local/zeek/logs/current

In this lesson we will list the source IP addresses (the id.orig_h field) that originated the most connections recorded in conn.log, sorted in descending order. Note that this counts connection entries, not bytes transferred.

Let’s use the zeek-cut command to review specific fields of interest within conn.log as follows:

zeek-cut id.orig_h < conn.log | sort | uniq -c | sort -rn

We should see something like the following:

...
224 192.168.0.1
100 192.168.0.14
...
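As an added example (not code from the original post), the shell function below reproduces the zeek-cut | sort | uniq -c | sort -rn pipeline with awk so it runs where zeek-cut is not installed, and it generalizes the id.orig_h example to any field named in the log's #fields header. The conn.log it reads is a constructed five-connection sample, not a real capture.

```shell
#!/bin/sh
# make_sample_log FILE: write a constructed conn.log in Zeek's tab-separated
# format (header lines start with "#", data rows follow the #fields order).
make_sample_log() {
    {
        printf '#separator \\x09\n'
        printf '#path\tconn\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n'
        printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n'
        printf '1580900000.1\tCa1\t192.168.0.14\t51000\t93.184.216.34\t443\ttcp\n'
        printf '1580900001.2\tCa2\t192.168.0.1\t53000\t8.8.8.8\t53\tudp\n'
        printf '1580900002.3\tCa3\t192.168.0.1\t53001\t8.8.8.8\t53\tudp\n'
        printf '1580900003.4\tCa4\t192.168.0.1\t53002\t8.8.8.8\t53\tudp\n'
        printf '1580900004.5\tCa5\t192.168.0.14\t51001\t93.184.216.34\t443\ttcp\n'
        printf '#close\t2020-02-05-12-00-00\n'
    } > "$1"
}

# count_field LOG FIELD: print "<count> <value>" for every value of FIELD,
# most frequent first. The column is located by name from the #fields
# header, the same way zeek-cut resolves a field, so column order in the
# log does not matter.
count_field() {
    awk -F'\t' -v want="$2" '
        # #fields has the marker in $1, so data column n is header column n+1.
        $1 == "#fields" { for (i = 2; i <= NF; i++) if ($i == want) col = i - 1; next }
        /^#/ { next }                        # skip all other header/footer lines
        col && NF >= col { count[$col]++ }   # tally the value in the chosen column
        END { for (v in count) print count[v], v }
    ' "$1" | sort -rn
}

# Stand-alone demo: originators of the constructed sample, busiest first.
log=$(mktemp)
make_sample_log "$log"
count_field "$log" id.orig_h
rm -f "$log"
```

Pass id.resp_h instead of id.orig_h to rank the responders the same way.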

In our next lesson we will continue our bite-sized tutorial on the Zeek logs!

Till the next time! Click here for our next lesson. https://medium.com/@mytechnotalent/zeek-network-security-monitor-tutorial-part-5-conn-log-3-5e6ff976a9b5

