Ubuntu Zeek: NOTES

Command purpose and usage, by category:

Basics
  • View the command history: ubuntu@ubuntu$ history
  • Execute the 10th command in history: ubuntu@ubuntu$ !10
  • Execute the previous command: ubuntu@ubuntu$ !!

Read File
  • Read the sample.txt file: ubuntu@ubuntu$ cat sample.txt
  • Read the first 10 lines of the file: ubuntu@ubuntu$ head sample.txt
  • Read the last 10 lines of the file: ubuntu@ubuntu$ tail sample.txt

Find & Filter
  • Cut the 1st field: ubuntu@ubuntu$ cat test.txt | cut -f 1
  • Cut the 1st column (character): ubuntu@ubuntu$ cat test.txt | cut -c1
  • Filter specific keywords: ubuntu@ubuntu$ cat test.txt | grep 'keywords'
  • Sort output alphabetically: ubuntu@ubuntu$ cat test.txt | sort
  • Sort output numerically: ubuntu@ubuntu$ cat test.txt | sort -n
  • Eliminate duplicate lines: ubuntu@ubuntu$ cat test.txt | uniq
  • Count the number of lines: ubuntu@ubuntu$ cat test.txt | wc -l
  • Show line numbers: ubuntu@ubuntu$ cat test.txt | nl

Advanced
  • Print line 11: ubuntu@ubuntu$ cat test.txt | sed -n '11p'
  • Print lines 10 to 15: ubuntu@ubuntu$ cat test.txt | sed -n '10,15p'
  • Print the lines before line 11: ubuntu@ubuntu$ cat test.txt | awk 'NR < 11 {print $0}'
  • Print line 11: ubuntu@ubuntu$ cat test.txt | awk 'NR == 11 {print $0}'

Special
  • Filter specific fields of Zeek logs: ubuntu@ubuntu$ cat signatures.log | zeek-cut uid src_addr dst_addr
Use case                         Description
sort | uniq                      Remove duplicate values.
sort | uniq -c                   Remove duplicates and count the number of occurrences of each value.
sort -nr                         Sort values numerically, in reverse (descending) order.
rev                              Reverse the characters of a string.
cut -f 1                         Cut field 1.
cut -d '.' -f 1-2                Split the string on every dot and keep the first two fields.
grep -v 'test'                   Display lines that don't match the "test" string.
grep -v -e 'test1' -e 'test2'    Display lines that match neither the "test1" nor the "test2" string.
file                             View file information.
grep -rin Testvalue1 * | column -t | less -S
                                 Search for the "Testvalue1" string everywhere, organise the column spacing and view the output with less.

Scripts

Zeek has base scripts installed by default, and these are not intended to be modified. They are located in "/opt/zeek/share/zeek/base".
User-generated or modified scripts should be placed in "/opt/zeek/share/zeek/site".
Policy scripts are located in "/opt/zeek/share/zeek/policy".
Like Snort, to automatically load/use a script in live sniffing mode, you must identify the script in the Zeek configuration file. You can also use a script for a single run, just like the signatures. The configuration file is located at "/opt/zeek/share/zeek/site/local.zeek".
  • Zeek scripts use the ".zeek" extension.
  • Do not modify anything under the "zeek/base" directory. User-generated and modified scripts should be in the "zeek/site" directory.
  • You can call scripts in live monitoring mode by loading them with the directive @load /script/path or @load script-name in the local.zeek file.
  • Zeek is event-oriented, not packet-oriented! We need to use/write scripts to handle the event of interest.

Package Manager

The Zeek Package Manager helps users install third-party scripts and plugins to extend Zeek's functionality with ease. The package manager is installed with Zeek and is available through the zkg command. Users can install, load, remove, update and create packages with the "zkg" tool. You can read more and view the available packages here and here. Please note that you need root privileges to use the "zkg" tool.

Basic usage of zkg:

Command                    Description
zkg install package_path   Install a package. Example: zkg install zeek/j-gras/zeek-af_packet-plugin
zkg install git_url        Install a package from a git URL. Example: zkg install https://github.com/corelight/ztest
zkg list                   List installed packages.
zkg remove                 Remove an installed package.
zkg refresh                Check for version updates of installed packages.
zkg upgrade                Update installed packages.

There are multiple ways of using packages. The first approach is using them as frameworks and calling the specific package path/directory per usage. The second and most common approach is calling packages from a script with the "@load" directive. The third and final approach is calling packages by their package names; note that this method works only for packages installed with "zkg install".

r0tZ Avatar
