Finding the Cumulative Communication Time Between Systems Using Zeek – Video Blog
cat conn.*log | bro-cut id.orig_h id.resp_h duration | sort -k 3 -rn | head -10
cat conn.*log | bro-cut id.orig_h id.resp_h duration | sort | grep -v -e '^$' | grep -v '-' | datamash -g 1,2 sum 3 | sort -k 3 -rn | head -10
Hey folks, I am Chris Brenton and today I’m going to show you how to find out the cumulative amount of time that your internal systems have been talking to hosts out on the internet using Zeek data. So I did a previous video where I talked about how to find the longest connections and I gave you this command here. So what we’re looking at is this internal IP address, talking to that external IP for this total amount of time. For reference, this is in seconds, 86,400 is a day. Really what we’re interested in is anything more than 20,000, that’s about five and a half hours. That’s an awful long time for two systems to be in persistent communication. Now this just does unique sessions. So notice here I have two IP addresses, both communicating for more than 27,000 seconds, or over five and a half, close to six hours.
It might be nice to see those combined so that it’s a 12 hour worth of communication because that 12 hours is more interesting than six hours, right? So how do we go through and do that? Well, we’re going to do a variation off of the previous command that I gave you and I’m showing it to you here. So we’re still going into the conn log. We’re still using bro-cut to extract those three fields we want, so source IP, destination IP and the amount of time they were in communications. But I’m then going through sorting it out, pulling out blank lines. I’m removing any lines that have a dash for the amount of time. If a system sends another system a packet and it doesn’t result in a real connection, let’s say a reset comes back, Zeek will go through and just record that as a dash.
So we want to remove those because we’re going to use datamash to sum up all of the communication times in the third column. And if datamash doesn’t see a numeric value, it gets unhappy about that. We’re then just re-sorting the output, looking at the top 10 list. Now if I look at this list, I was going down to 427 seconds in my top 10. Notice when I re-sort there’s hey, look what we have here. We have a bunch of them that are over 30,000 seconds of time. That’s an awful long time to be in communications with each other. Also notice, I see some real distinct patterns here. I’ve got two external IP addresses that a lot of my internal IPs are communicating with quite frequently, so that’s something I probably want to go in and take a look at.
So here’s a quick, easy way to get this. I hope you found this video useful.
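The same per-pair summation can be done with only awk and sort on a sensor where bro-cut or datamash is not installed. This is an added example, not a command from the video; the function names and the sample log (documentation IP ranges, trimmed field set) are constructed, and it also prints a connection count per pair, which the video's command does not.

```shell
#!/bin/sh
# Sum Zeek conn.log durations per (id.orig_h, id.resp_h) pair.
# Reads Zeek TSV on stdin and finds columns from the "#fields" header.
# Output columns: orig_h, resp_h, total seconds, number of connections.
cumulative_talk_time() {
    awk -F '\t' '
        /^#fields/ {
            # Header is "#fields<TAB>name1<TAB>name2...", so data column = i - 1.
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            next
        }
        /^#/ || NF == 0 { next }          # other metadata lines, blank lines
        !("duration" in col) { next }     # no header seen yet: cannot locate fields
        {
            d = $(col["duration"])
            # Zeek writes "-" when no duration was recorded; skip non-numeric values.
            if (d !~ /^[0-9]+(\.[0-9]+)?$/) next
            key = $(col["id.orig_h"]) "\t" $(col["id.resp_h"])
            total[key] += d
            count[key]++
        }
        END {
            for (k in total) printf "%s\t%.3f\t%d\n", k, total[k], count[k]
        }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k3,3 -rn
}

# Constructed sample input: two long sessions between the same pair, one "-" entry.
sample_conn_log() {
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\n'
    printf '1700000000.0\tC1\t10.0.0.5\t50000\t203.0.113.10\t443\ttcp\t27000.5\n'
    printf '1700030000.0\tC2\t10.0.0.5\t50001\t203.0.113.10\t443\ttcp\t27100.25\n'
    printf '1700000100.0\tC3\t10.0.0.6\t50002\t203.0.113.10\t443\ttcp\t30000\n'
    printf '1700000200.0\tC4\t10.0.0.5\t50003\t198.51.100.7\t80\ttcp\t-\n'
    printf '1700000300.0\tC5\t10.0.0.5\t50004\t198.51.100.7\t80\ttcp\t12.5\n'
    printf '1700000400.0\tC6\t10.0.0.7\t50005\t198.51.100.7\t80\ttcp\t100\n'
    printf '1700000500.0\tC7\t10.0.0.7\t50006\t198.51.100.7\t80\ttcp\t100\n'
    printf '1700000600.0\tC8\t10.0.0.7\t50007\t198.51.100.7\t80\ttcp\t100\n'
}

# Stand-alone run on the sample; on a sensor use: cat conn.*log | cumulative_talk_time | head -10
sample_conn_log | cumulative_talk_time | head -10
```

The count column helps separate a pair with a few very long sessions from one whose total comes from many short connections.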
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.