View the command history:
ubuntu@ubuntu$ history
Execute the 10th command in history:
ubuntu@ubuntu$ !10
Execute the previous command:
ubuntu@ubuntu$ !!
Read File
Read sample.txt file:
ubuntu@ubuntu$ cat sample.txt
Read the first 10 lines of the file:
ubuntu@ubuntu$ head sample.txt
Read the last 10 lines of the file:
ubuntu@ubuntu$ tail sample.txt
Print line 11:
ubuntu@ubuntu$ cat test.txt | sed -n '11p'
Print lines between 10-15:
ubuntu@ubuntu$ cat test.txt | sed -n '10,15p'
Print lines below 11:
ubuntu@ubuntu$ cat test.txt | awk 'NR < 11 {print $0}'
Print line 11:
ubuntu@ubuntu$ cat test.txt | awk 'NR == 11 {print $0}'
Special
Filter specific fields of Zeek logs:
ubuntu@ubuntu$ cat signatures.log | zeek-cut uid src_addr dst_addr
Use Case                                      Description
sort | uniq                                   Remove duplicate values.
sort | uniq -c                                Remove duplicates and count the number of occurrences for each value.
sort -nr                                      Sort values numerically and recursively.
rev                                           Reverse string characters.
cut -f 1                                      Cut field 1.
cut -d '.' -f 1-2                             Split the string on every dot and keep the first two fields.
grep -v 'test'                                Display lines that don't match the "test" string.
grep -v -e 'test1' -e 'test2'                 Display lines that match neither the "test1" nor the "test2" string.
file                                          View file information.
grep -rin Testvalue1 * | column -t | less -S  Search for the "Testvalue1" string everywhere, organise the column spacing and view the output with less.
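The Zeek pipeline from the "Special" entry combined with the sort | uniq -c | sort -nr idiom from the table, as an added example that is not part of the original page. It assumes zeek-cut is not installed and substitutes a hypothetical awk function (zeek_cut_awk) that reads the #fields header the same way; the conn.log lines, UIDs and addresses are constructed.

```shell
#!/bin/sh
# Added example: rank originator/responder pairs in a Zeek conn.log with the
# cheat sheet's `zeek-cut ... | sort | uniq -c | sort -nr` idiom.

# Constructed conn.log excerpt (tab-separated, with Zeek's #fields header).
sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n'
    printf '1.0\tCAbc1\t10.0.0.5\t51000\t192.0.2.10\t80\ttcp\n'
    printf '2.0\tCAbc2\t10.0.0.5\t51001\t192.0.2.10\t443\ttcp\n'
    printf '3.0\tCAbc3\t10.0.0.7\t51002\t192.0.2.20\t53\tudp\n'
    printf '4.0\tCAbc4\t10.0.0.5\t51003\t192.0.2.10\t80\ttcp\n'
    printf '#close\t2024-01-01-00-00-00\n'
}

# zeek_cut_awk FIELD... : hypothetical awk stand-in for `zeek-cut FIELD...`,
# so the pipeline runs where Zeek is not installed. It maps field names to
# column numbers from the #fields header and skips the other # lines.
zeek_cut_awk() {
    awk -F '\t' -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        /^#fields/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        {
            out = ""
            for (i = 1; i <= n; i++) {
                sep = (i > 1) ? "\t" : ""
                out = out sep $col[names[i]]
            }
            print out
        }'
}

# Rank originator -> responder address pairs by connection count.
top_pairs() {
    zeek_cut_awk id.orig_h id.resp_h | sort | uniq -c | sort -nr
}

# Busiest pair of the sample, normalised to "COUNT ORIG RESP" for checking.
top_pair() {
    sample_conn_log | top_pairs | head -n 1 | awk '{ print $1, $2, $3 }'
}

top_pair   # prints: 3 10.0.0.5 192.0.2.10
```

Swap sample_conn_log for `cat conn.log` and zeek_cut_awk for zeek-cut on a real sensor and the pipeline is unchanged.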
Scripts
Zeek has base scripts installed by default, and these are not intended to be modified.
These scripts are located in "/opt/zeek/share/zeek/base".
User-generated or modified scripts should be located in a specific path.
These scripts are located in "/opt/zeek/share/zeek/site".
Policy scripts are located in a specific path.
These scripts are located in "/opt/zeek/share/zeek/policy".
Like Snort, to automatically load/use a script in live sniffing mode, you must identify the script in the Zeek configuration file. You can also use a script for a single run, just like the signatures.
The configuration file is located in "/opt/zeek/share/zeek/site/local.zeek".
Zeek scripts use the ".zeek" extension.
Do not modify anything under the "zeek/base" directory. User-generated and modified scripts should be in the "zeek/site" directory.
You can call scripts in live monitoring mode by loading them in the local.zeek file with @load /script/path or @load script-name.
Zeek is event-oriented, not packet-oriented! We need to use/write scripts to handle the event of interest.
Package Manager
Zeek Package Manager helps users install third-party scripts and plugins to extend Zeek functionalities with ease. The package manager is installed with Zeek and available with the zkg command. Users can install, load, remove, update and create packages with the "zkg" tool. You can read more on and view available packages here and here. Please note that you need root privileges to use the "zkg" tool.
Basic usage of zkg:
Command                   Description
zkg install package_path  Install a package. Example: zkg install zeek/j-gras/zeek-af_packet-plugin
zkg install git_url       Install a package from a git URL. Example: zkg install https://github.com/corelight/ztest
zkg list                  List installed packages.
zkg remove                Remove an installed package.
zkg refresh               Check for version updates for installed packages.
zkg upgrade               Update installed packages.
There are multiple ways of using packages. The first approach is using them as frameworks and calling specific package path/directory per usage. The second and most common approach is calling packages from a script with the "@load" method. The third and final approach to using packages is calling their package names; note that this method works only for packages installed with the "zkg" install method.