Finding Long Connections With Zeek – Video Blog
Video – Finding Long Connections With Zeek
cat conn.log | bro-cut id.orig_h id.resp_h duration | sort -k 3 -rn | head -10
Hey folks. I’m Chris Brenton, and today I’m going to show you how to find the longest connections taking place on your network using Bro/Zeek’s conn.log. So I’m cat’ing out my conn.log, so that’s just going to display out what’s inside the file and I’m leveraging bro-cut to only display certain fields. So specifically, I’m using bro-cut to go after the source IP address, the destination IP address and the duration of that connection.
Now all I’m doing is just going in and telling sort, I want to sort based on duration and I want the highest number first, reverse order. Dash n, it’s numeric values, pump it through head, that says show me just the first 10 results. And when I run this, here’s what I get. Now, what I’ll see for values will depend upon how long that capture file ran for. The one I’m using here ran for about 24 hours. So a connection that encompasses the entire file would be 86,400 seconds.
You can see I’ve got a number of entries way up here at the top that are kind of pretty close to that. Anything that’s over about a five hour period of time is probably worth investigating. So how do you find your longest connections with Zeek? This is the way to do it.
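The same search as an added example, not from the video or from Active Countermeasures: a shell function that reads a tab-separated conn.log on standard input, locates columns from the `#fields` header so bro-cut is not needed, skips connections with an unset duration (`-`), and keeps only those at or above the five-hour mark mentioned above. The function names and the sample log are constructed for illustration, and Zeek's default TSV log format is assumed.

```sh
#!/bin/sh
# Added example (not from the video): long connections from a Zeek TSV conn.log.
# Assumes the default tab-separated log format with a "#fields" header line.

# long_conns [MIN_SECONDS] < conn.log
# Prints "orig_h <TAB> resp_h <TAB> duration" for connections lasting at least
# MIN_SECONDS (default 18000 = 5 hours), longest first.
long_conns() {
    awk -F'\t' -v min="${1:-18000}" '
        # The #fields line names the columns; map each name to its position.
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/       { next }                 # skip other metadata lines
        !("duration" in col) { next }       # no header seen yet: cannot parse
        {
            d = $(col["duration"])
            if (d == "-" || d == "") next   # unset duration, nothing to rank
            if (d + 0 >= min + 0)
                printf "%s\t%s\t%s\n", $(col["id.orig_h"]), $(col["id.resp_h"]), d
        }' | sort -t "$(printf '\t')" -k3,3 -rn
}

# Constructed sample log, trimmed to six fields. Addresses come from the
# documentation ranges and do not describe real traffic.
sample_conn_log() {
    printf '#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\tduration\n'
    printf '#types\ttime\tstring\taddr\taddr\tenum\tinterval\n'
    printf '1600000000.0\tC1\t192.0.2.10\t198.51.100.5\ttcp\t86399.98\n'
    printf '1600000100.0\tC2\t192.0.2.11\t198.51.100.6\ttcp\t18000.5\n'
    printf '1600000200.0\tC3\t192.0.2.12\t198.51.100.7\tudp\t17999.9\n'
    printf '1600000300.0\tC4\t192.0.2.13\t198.51.100.8\ttcp\t-\n'
    printf '1600000400.0\tC5\t192.0.2.14\t198.51.100.9\ttcp\t43200.0\n'
    printf '#close\t2020-09-14-12-00-00\n'
}

# Demo on the sample; with a real log run: long_conns < conn.log
sample_conn_log | long_conns
```

Pass a different threshold in seconds as the first argument when the capture covers more or less than 24 hours.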
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.