Finding Long Connections With Zeek – Video Blog
Video – Finding Long Connections With Zeek
Command Used
cat conn.log | bro-cut id.orig_h id.resp_h duration | sort -k 3 -rn | head -10
Video Transcript
(00:00)
Hey folks. I’m Chris Brenton, and today I’m going to show you how to find the longest connections taking place on your network using Bro/Zeek’s conn.log. So I’m cat’ing out my conn.log, so that’s just going to display out what’s inside the file and I’m leveraging bro-cut to only display certain fields. So specifically, I’m using bro-cut to go after the source IP address, the destination IP address and the duration of that connection.
(00:27)
Now all I’m doing is just going in and telling sort, I want to sort based on duration and I want the highest number first, reverse order. Dash n, it’s numeric values, pump it through head, that says show me just the first 10 results. And when I run this, here’s what I get. Now, what I’ll see for values will depend upon how long that capture file ran for. The one I’m using here ran for about 24 hours. So a connection that encompasses the entire file would be 86,400 seconds.
(00:58)
You can see I’ve got a number of entries way up here at the top that are kind of pretty close to that. Anything that’s over about a five hour period of time is probably worth investigating. So how do you find your longest connections with Zeek? This is the way to do it.
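The pipeline in the video relies on bro-cut, sort and head. The following Python script is an added example, not code from the video or from the Zeek project: it parses Zeek's native tab-separated conn.log format directly (honouring the #fields and #unset_field header lines), ranks connections by duration the way sort -rn | head -10 does, and applies the five-hour rule of thumb from the transcript. The sample log lines, the function names and the FIVE_HOURS constant are constructed for this example.

```python
"""Find the longest connections in a Zeek conn.log (added example).

Reimplements the video's
    cat conn.log | bro-cut id.orig_h id.resp_h duration | sort -k 3 -rn | head -10
in Python. The sample log and all function names are constructed here.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample in Zeek's TSV log format. Header lines start with '#';
# '#fields' names the columns and '#unset_field' is the marker Zeek writes
# for values it could not compute (duration is unset for a connection that
# was only ever seen as a single packet).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\n"
    "1596000000.100000\tCa1bcd\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\t86399.500000\n"
    "1596000012.250000\tCb2cde\t10.0.0.7\t40210\t198.51.100.23\t8080\ttcp\t21600.000000\n"
    "1596000030.000000\tCc3def\t10.0.0.9\t53011\t192.0.2.44\t53\tudp\t0.012300\n"
    "1596000045.000000\tCd4efg\t10.0.0.5\t51240\t203.0.113.8\t22\ttcp\t-\n"
    "1596001000.000000\tCe5fgh\t10.0.0.12\t51300\t192.0.2.10\t443\ttcp\t1800.000000\n"
    "#close\t2020-07-30-00-00-00\n"
)

Record = Dict[str, Optional[str]]          # one conn.log row; unset values become None
Connection = Tuple[str, str, float]        # (id.orig_h, id.resp_h, duration in seconds)
FIVE_HOURS = 5 * 60 * 60                   # transcript's rule of thumb for "worth investigating"


def parse_conn_log(text: str) -> List[Record]:
    """Parse Zeek TSV text into one dict per data row, keyed by the '#fields' names."""
    fields: Optional[List[str]] = None
    unset = "-"
    records: List[Record] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue  # #separator, #types, #close and friends carry no data
        if fields is None:
            raise ValueError("data line encountered before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def longest_connections(records: List[Record], top: int = 10) -> List[Connection]:
    """Equivalent of bro-cut ... | sort -k 3 -rn | head -<top>: longest single connections first."""
    timed = [
        (r["id.orig_h"], r["id.resp_h"], float(r["duration"]))
        for r in records
        if r.get("duration") is not None  # skip rows Zeek left without a duration
    ]
    timed.sort(key=lambda c: c[2], reverse=True)
    return timed[:top]


def flag_long_connections(records: List[Record], threshold: float = FIVE_HOURS) -> List[Connection]:
    """Return every connection at or above the threshold, longest first."""
    return [c for c in longest_connections(records, top=len(records)) if c[2] >= threshold]


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for orig, resp, dur in longest_connections(recs):
        print(f"{orig:>15} -> {resp:<15} {dur:>12.3f}s")
    print("at or above five hours:", flag_long_connections(recs))
```

Run it against a real file with `parse_conn_log(open("conn.log").read())`. One difference from the shell pipeline: sort -rn treats the unset marker "-" as zero and keeps those rows at the bottom, whereas this script drops them before ranking, so a single-packet connection never appears in the output. Remember that the ceiling is the capture length: in a 24-hour capture the longest possible value is 86,400 seconds, so compare the top results against that rather than against an absolute number.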
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and to identify their product market fit.