Finding Long Connections With Zeek – Video Blog

Video – Finding Long Connections With Zeek



Command Used

cat conn.log | bro-cut id.orig_h id.resp_h duration | sort -k 3 -rn | head -10

Video Transcript

Hey folks. I’m Chris Brenton, and today I’m going to show you how to find the longest connections taking place on your network using Bro/Zeek’s conn.log. So I’m cat’ing out my conn.log, so that’s just going to display out what’s inside the file and I’m leveraging bro-cut to only display certain fields. So specifically, I’m using bro-cut to go after the source IP address, the destination IP address and the duration of that connection.

Now all I’m doing is just going in and telling sort, I want to sort based on duration and I want the highest number first, reverse order. Dash in its numeric values, pump it through head, that says show me just the first 10 results. And when I run this, here’s what I get. Now, what I’ll see for values will depend upon how long that capture file ran for. The one I’m using here ran for about 24 hours. So a connection that encompasses the entire file would be 86,400 seconds.

You can see I’ve got a number of entries way up here at the top that are kind of pretty close to that. Anything that’s over about a five hour period of time is probably worth investigating. So how do you find your longest connections with Zeek? This is the way to do it.



Interested in threat hunting tools? Check out AC-Hunter

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!

Share this:
AC-Hunter Datasheet
AC-Hunter Personal Demo
What We’re up To