{"id":11267,"date":"2022-01-09T22:57:21","date_gmt":"2022-01-09T19:57:21","guid":{"rendered":"https:\/\/kifarunix.com\/?p=11267"},"modified":"2024-03-14T19:13:57","modified_gmt":"2024-03-14T16:13:57","slug":"analyze-network-traffic-using-zeek","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/analyze-network-traffic-using-zeek\/","title":{"rendered":"Analyze Network Traffic using Zeek"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to analyze network traffic using Zeek. <a href=\"https:\/\/docs.zeek.org\/en\/master\/about.html\" target=\"_blank\" rel=\"noreferrer noopener\">Zeek<\/a> <em>is a world-leading passive network security monitoring tool that sits on the network, reads all the traffic passing through it and parses it into high-level events. These events can then be passed through the Zeek policy script interpreter, which generates comprehensive records\/logs of every connection seen on the wire, including all HTTP sessions with their requested URIs, key headers, MIME types and server responses; DNS requests with replies; SSL certificates; key content of SMTP sessions, etc.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyzing Network Traffic with Zeek<\/h2>\n\n\n\n<p>In our previous guides, we learnt how to install and set up Zeek on various systems;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-zeek-on-debian-11\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Zeek on Debian 11<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-zeek-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Zeek on Ubuntu 20.04<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Analyzing Network Traffic<\/h3>\n\n\n\n<p>If you check the logs directory, you will see that Zeek generates quite a number of logs, including;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>http.log<\/code><\/strong>: information about HTTP requests and replies.<\/li>\n\n\n\n<li><strong><code>conn.log<\/code><\/strong>: information about TCP\/UDP\/ICMP connections.<\/li>\n\n\n\n<li><strong><code>notice.log<\/code><\/strong>: Zeek notices.<\/li>\n\n\n\n<li><strong><code>dns.log<\/code><\/strong>: DNS related logs.<\/li>\n\n\n\n<li><strong><code>dhcp.log<\/code><\/strong>: DHCP lease logs.<\/li>\n\n\n\n<li><strong><code>ftp.log<\/code><\/strong>: FTP related logs.<\/li>\n<\/ul>\n\n\n\n<p>Read more on the <a href=\"https:\/\/docs.zeek.org\/en\/master\/script-reference\/log-files.html#log-files\" target=\"_blank\" rel=\"noreferrer noopener\">Zeek Logs page<\/a>.<\/p>\n\n\n\n<p>Sample logs;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -1 \/opt\/zeek\/logs\/current<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>broker.log\ncapture_loss.log\ncluster.log\nconn.log\nhttp.log\nloaded_scripts.log\nnotice.log\npacket_filter.log\nreporter.log\nssh.log\nstats.log\nstderr.log\nstdout.log\nweird.log\nfiles.log\ndns.log\ndhcp.log\nssl.log\nx509.log\n<\/code><\/pre>\n\n\n\n<p>We will therefore use the Zeek-generated log files to analyze the network traffic seen by Zeek on the wire.<\/p>\n\n\n\n<p>There are various ways in which you can analyze network traffic with Zeek;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Manually, using the <strong><code>zeek-cut<\/code><\/strong> command.<\/li>\n\n\n\n<li>Integrating Zeek with visualization tools such as ELK\/Brim.<\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"zeek-cut-analysis\"><a href=\"#zeek-cut-analysis\">Analyze Zeek Generated Logs using Zeek-cut<\/a><\/h4>\n\n\n\n<p>Zeek ships with various command line tools for various tasks.<\/p>\n\n\n\n<p><strong><code>zeek-cut<\/code><\/strong> is one of these: it extracts the given columns from ASCII-formatted Zeek logs on standard input and outputs them to standard output.<\/p>\n\n\n\n<p>zeek-cut help information;<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>zeek-cut -h<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nzeek-cut [options] [<columns>]\n\nExtracts the given columns from ASCII Zeek logs on standard input, and outputs\nthem to standard output. If no columns are given, all are selected.\nBy default, zeek-cut does not include format header blocks in the output.\n\nExample: cat conn.log | zeek-cut -d ts id.orig_h id.orig_p\n\n    -c       Include the first format header block in the output.\n    -C       Include all format header blocks in the output.\n    -m       Include the first format header blocks in the output in minimal view.\n    -M       Include all format header blocks in the output in minimal view.\n    -d       Convert time values into human-readable format.\n    -D <fmt> Like -d, but specify format for time (see strftime(3) for syntax).\n    -F <ofs> Sets a different output field separator character.\n    -h       Show help.\n    -n       Print all fields *except* those specified.\n    -u       Like -d, but print timestamps in UTC instead of local time.\n    -U <fmt> Like -D, but print timestamps in UTC instead of local time.\n\nFor time conversion option -d or -u, the format string can be specified by\nsetting an environment variable ZEEK_CUT_TIMEFMT.\n<\/code><\/pre>\n\n\n\n<p>To put this guide into practice, we will use Zeek to analyze the malware traffic packet capture from the <a href=\"https:\/\/cyberdefenders.org\/labs\/17\" target=\"_blank\" rel=\"noreferrer noopener\">cyberdefenders.org Malware Traffic Analysis 1<\/a> challenge and try to answer the questions it poses.<\/p>\n\n\n\n<p>For this analysis, we have downloaded the <a href=\"https:\/\/download.cyberdefenders.org\/BlueYard\/c04-MalwareTrafficAnalysis1.zip\" target=\"_blank\" rel=\"noreferrer noopener\">Malware Traffic Analysis 1 PCAP file<\/a> and placed it on our system.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls .<\/code><\/pre>\n\n\n\n<pre 
class=\"wp-block-code\"><code>c04-MalwareTrafficAnalysis1.zip<\/code><\/pre>\n\n\n\n<p>Unzip the file using the password, <strong><code>cyberdefenders.org<\/code><\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>unzip -P cyberdefenders.org c04-MalwareTrafficAnalysis1.zip<\/code><\/pre>\n\n\n\n<p>Listing the files in place again;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls *<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>c04-MalwareTrafficAnalysis1.zip  <strong>mta1.pcap<\/strong><\/code><\/pre>\n\n\n\n<p>As you can see, we have the pcap to analyze in place.<\/p>\n\n\n\n<p>The <code>zeek<\/code> command can be used to read PCAP files and generate comprehensive log files describing every activity seen in the traffic.<\/p>\n\n\n\n<p>To analyze the PCAP file with the zeek command, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>zeek -r mta1.pcap -C<\/code><\/pre>\n\n\n\n<p>The <code>-C<\/code> option tells Zeek to ignore invalid IP\/TCP\/UDP checksums, which are common in captures taken on a host with checksum offloading enabled; without it, Zeek would not analyze those packets. See <code>zeek -h<\/code> for help on the other command line options.<\/p>\n\n\n\n<p>When the command above is executed, it generates log files in the current working directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -1 *.log<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>conn.log\ndhcp.log\ndns.log\nfiles.log\nhttp.log\npacket_filter.log\nssl.log\nx509.log\n<\/code><\/pre>\n\n\n\n<p>A complete description of these logs is provided on the <a href=\"https:\/\/docs.zeek.org\/en\/master\/script-reference\/log-files.html#log-files\" target=\"_blank\" rel=\"noreferrer noopener\">Zeek Logs page<\/a>.<\/p>\n\n\n\n<p>Now that we have the log files generated from the Malware Traffic Analysis PCAP file, let us attempt to answer the provided questions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. What is the IP address of the Windows VM that gets infected?<\/h3>\n\n\n\n<p>Of course there are different ways in which one can approach this question. One of the approaches I would use is to find the <strong>top talkers<\/strong>. 
Those are the IPs\/hosts whose connections involve a large number of packets or bytes.<\/p>\n\n\n\n<p><code>conn.log<\/code> is our log file of interest; it contains the connection information, including the number of packets\/bytes involved in every connection.<\/p>\n\n\n\n<p>The fields contained in this file are;<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Field<\/td><td>Field Type<\/td><\/tr><tr><td>ts<\/td><td>time<\/td><\/tr><tr><td>uid<\/td><td>string<\/td><\/tr><tr><td>id.orig_h<\/td><td>addr<\/td><\/tr><tr><td>id.orig_p<\/td><td>port<\/td><\/tr><tr><td>id.resp_h<\/td><td>addr<\/td><\/tr><tr><td>id.resp_p<\/td><td>port<\/td><\/tr><tr><td>proto<\/td><td>enum<\/td><\/tr><tr><td>service<\/td><td>string<\/td><\/tr><tr><td>duration<\/td><td>interval<\/td><\/tr><tr><td>orig_bytes<\/td><td>count<\/td><\/tr><tr><td>resp_bytes<\/td><td>count<\/td><\/tr><tr><td>conn_state<\/td><td>string<\/td><\/tr><tr><td>local_orig<\/td><td>bool<\/td><\/tr><tr><td>local_resp<\/td><td>bool<\/td><\/tr><tr><td>missed_bytes<\/td><td>count<\/td><\/tr><tr><td>history<\/td><td>string<\/td><\/tr><tr><td>orig_pkts<\/td><td>count<\/td><\/tr><tr><td>orig_ip_bytes<\/td><td>count<\/td><\/tr><tr><td>resp_pkts<\/td><td>count<\/td><\/tr><tr><td>resp_ip_bytes<\/td><td>count<\/td><\/tr><tr><td>tunnel_parents<\/td><td>set[string]<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>To find the IP address of the infected host, the fields we are interested in are: the source IP (<strong><code>id.orig_h<\/code><\/strong>), destination IP (<strong><code>id.resp_h<\/code><\/strong>), source bytes (<strong><code>orig_bytes<\/code><\/strong>), destination bytes (<strong><code>resp_bytes<\/code><\/strong>), source packets (<strong><code>orig_pkts<\/code><\/strong>) and destination packets (<strong><code>resp_pkts<\/code><\/strong>).<\/p>\n\n\n\n<p>To extract these fields, use the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes 
resp_bytes orig_pkts resp_pkts<\/code><\/pre>\n\n\n\n<p>You can sort the output by the number of bytes involved, for example, column 3, which is the <strong>orig_bytes<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes resp_bytes orig_pkts resp_pkts | sort -k3 -nr<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>172.16.165.165\t204.79.197.200\t1768\t270\t3\t5\n172.16.165.165\t37.200.69.143\t1685\t496251\t113\t380\n172.16.165.165\t37.200.69.143\t1684\t497644\t147\t388\n172.16.165.165\t82.150.140.30\t1611\t18783\t14\t24\n172.16.165.165\t82.150.140.30\t1587\t21415\t17\t28\n172.16.165.165\t82.150.140.30\t1585\t116094\t45\t100\n172.16.165.165\t82.150.140.30\t1335\t65838\t30\t57\n172.16.165.165\t74.125.233.96\t1080\t334211\t115\t262\n172.16.165.165\t74.125.233.96\t1064\t39580\t17\t38\n172.16.165.165\t82.150.140.30\t1058\t27795\t21\t33\n172.16.165.165\t188.225.73.100\t890\t69977\t27\t57\n172.16.165.165\t74.125.233.96\t851\t15400\t10\t18\n172.16.165.165\t204.79.197.200\t807\t408\t2\t4\n172.16.165.165\t82.150.140.30\t785\t10035\t13\t18\n172.16.165.165\t37.200.69.143\t776\t11441\t11\t15\n172.16.165.165\t37.200.69.143\t776\t11441\t10\t15\n172.16.165.165\t131.253.61.84\t757\t624\t3\t4\nfe80::8db6:2c7:a019:4d88\tff02::1:2\t644\t0\t7\t0\n172.16.165.165\t74.125.233.96\t643\t70501\t26\t60\n172.16.165.165\t74.125.233.100\t643\t9799\t10\t14\n172.16.165.165\t74.125.233.96\t548\t855\t5\t4\n172.16.165.165\t188.225.73.100\t531\t1032\t6\t5\nfe80::8db6:2c7:a019:4d88\tff02::1:2\t368\t0\t4\t0\n172.16.165.165\t172.16.165.2\t354\t0\t6\t0\n172.16.165.165\t185.53.178.9\t353\t4269\t8\t9\n172.16.165.165\t172.16.165.254\t308\t300\t1\t1\n172.16.165.165\t37.200.69.143\t297\t402035\t132\t308\n172.16.165.165\t37.200.69.143\t297\t205\t6\t6\n172.16.165.165\t172.16.165.2\t204\t0\t3\t0\n172.16.165.165\t172.16.165.2\t204\t0\t3\t0\n172.16.165.165\t172.16.165.2\t204\t0\t3\t0\n172.16.165.165\t172.16.165.2\t204\t0\t
3\t0\n172.16.165.165\t172.16.165.2\t204\t0\t3\t0\n172.16.165.165\t172.16.165.255\t150\t0\t3\t0\nfe80::8db6:2c7:a019:4d88\tff02::16\t100\t0\t5\t0\n172.16.165.165\t204.79.197.200\t72\t3359\t5\t6\nfe80::8db6:2c7:a019:4d88\tff02::1:3\t60\t0\t2\t0\nfe80::8db6:2c7:a019:4d88\tff02::1:3\t60\t0\t2\t0\n172.16.165.165\t224.0.0.252\t60\t0\t2\t0\n172.16.165.165\t224.0.0.252\t60\t0\t2\t0\n172.16.165.165\t172.16.165.2\t49\t65\t1\t1\n172.16.165.165\t172.16.165.2\t49\t65\t1\t1\nfe80::8db6:2c7:a019:4d88\tff02::1:3\t44\t0\t2\t0\n172.16.165.165\t224.0.0.252\t44\t0\t2\t0\n172.16.165.165\t172.16.165.2\t36\t52\t1\t1\n172.16.165.165\t172.16.165.2\t34\t34\t1\t1\n172.16.165.165\t172.16.165.2\t33\t83\t1\t1\n172.16.165.165\t172.16.165.2\t33\t49\t1\t1\n172.16.165.165\t172.16.165.2\t30\t106\t1\t1\n172.16.165.165\t172.16.165.2\t29\t77\t1\t1\n172.16.165.165\t172.16.165.2\t29\t74\t1\t1\n172.16.165.165\t172.16.165.2\t29\t45\t1\t1\n172.16.165.165\t172.16.165.2\t26\t42\t1\t1\n172.16.165.165\t74.125.233.99\t-\t-\t1\t0\n172.16.165.165\t74.125.233.99\t-\t-\t1\t0\n172.16.165.165\t74.125.233.99\t-\t-\t1\t0\n172.16.165.165\t74.125.233.100\t-\t-\t1\t0\n172.16.165.165\t255.255.255.255\t-\t-\t1\t0\n172.16.165.165\t204.79.197.200\t-\t-\t0\t1\n172.16.165.165\t204.79.197.200\t0\t0\t0\t146\n172.16.165.165\t204.79.197.200\t0\t0\t0\t146\n172.16.165.165\t172.16.165.254\t-\t-\t0\t1\n<\/code><\/pre>\n\n\n\n<p>As you can see from the output, nearly every connection originates from <code>172.16.165.165<\/code>, and there is a lot of communication between it and the remote IP <code>37.200.69.143<\/code>, which might be the CnC server. Note that sorting by a single connection's <code>orig_bytes<\/code> is a quick heuristic; summing bytes per originating host would give a truer top-talker ranking.<\/p>\n\n\n\n<p>This is enough to conclude that <code>172.16.165.165<\/code> is the IP address of the infected Windows machine.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
What is the host name of the Windows VM that gets infected?<\/h3>\n\n\n\n<p>Now that we know the IP address of the infected machine, it should be easy to get its host name.<\/p>\n\n\n\n<p>You are most likely to get the host name of the infected Windows machine from the DHCP, NetBIOS Name Service (NBNS) or SMB related traffic.<\/p>\n\n\n\n<p>Of these, the logs we got from analysing the PCAP file with Zeek only contain the DHCP traffic, in <strong>dhcp.log<\/strong>.<\/p>\n\n\n\n<p>The fields contained in this file are;<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Field<\/strong><\/td><td><strong>Field Type<\/strong><\/td><\/tr><tr><td>ts<\/td><td>time<\/td><\/tr><tr><td>uids<\/td><td>set[string]<\/td><\/tr><tr><td>client_addr<\/td><td>addr<\/td><\/tr><tr><td>server_addr<\/td><td>addr<\/td><\/tr><tr><td>mac<\/td><td>string<\/td><\/tr><tr><td>host_name<\/td><td>string<\/td><\/tr><tr><td>client_fqdn<\/td><td>string<\/td><\/tr><tr><td>domain<\/td><td>string<\/td><\/tr><tr><td>requested_addr<\/td><td>addr<\/td><\/tr><tr><td>assigned_addr<\/td><td>addr<\/td><\/tr><tr><td>lease_time<\/td><td>interval<\/td><\/tr><tr><td>client_message<\/td><td>string<\/td><\/tr><tr><td>server_message<\/td><td>string<\/td><\/tr><tr><td>msg_types<\/td><td>vector[string]<\/td><\/tr><tr><td>duration<\/td><td>interval<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Thus, we can extract the <code>client_addr<\/code>, <code>server_addr<\/code> and <code>client_fqdn<\/code> fields.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat dhcp.log | zeek-cut client_addr server_addr client_fqdn<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>172.16.165.165\t-\t-\n172.16.165.165\t172.16.165.254\tK34EN6W3N-PC<\/code><\/pre>\n\n\n\n<p>Thus, the host name of our client (172.16.165.165) is <code><strong>K34EN6W3N-PC<\/strong><\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. 
What is the MAC address of the infected VM?<\/h3>\n\n\n\n<p>This information can also be obtained from the DHCP traffic. Extract the <code>mac<\/code> field from the log;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat dhcp.log | zeek-cut client_addr server_addr mac<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>172.16.165.165\t-\tf0:19:af:02:9b:f1\n172.16.165.165\t172.16.165.254\t<strong>f0:19:af:02:9b:f1<\/strong><\/code><\/pre>\n\n\n\n<p><strong>f0:19:af:02:9b:f1<\/strong> is the MAC address.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. What is the IP address of the compromised web site?<\/h3>\n\n\n\n<p>In this question, we are concerned with the HTTP traffic. Hence, we need to check the <strong><code>http.log<\/code><\/strong>.<\/p>\n\n\n\n<p>To begin with, note that the Windows machine infected with malware was most likely used to compromise other sites. Thus, in this case, we will be looking for traffic originating from the host 172.16.165.165.<\/p>\n\n\n\n<p>The <code>http.log<\/code> contains quite a number of fields;<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Field<\/td><td>Field 
Type<\/td><\/tr><tr><td>ts<\/td><td>time<\/td><\/tr><tr><td>uid<\/td><td>string<\/td><\/tr><tr><td>id.orig_h<\/td><td>addr<\/td><\/tr><tr><td>id.orig_p<\/td><td>port<\/td><\/tr><tr><td>id.resp_h<\/td><td>addr<\/td><\/tr><tr><td>id.resp_p<\/td><td>port<\/td><\/tr><tr><td>trans_depth<\/td><td>count<\/td><\/tr><tr><td>method<\/td><td>string<\/td><\/tr><tr><td>host<\/td><td>string<\/td><\/tr><tr><td>uri<\/td><td>string<\/td><\/tr><tr><td>referrer<\/td><td>string<\/td><\/tr><tr><td>version<\/td><td>string<\/td><\/tr><tr><td>user_agent<\/td><td>string<\/td><\/tr><tr><td>origin<\/td><td>string<\/td><\/tr><tr><td>request_body_len<\/td><td>count<\/td><\/tr><tr><td>response_body_len<\/td><td>count<\/td><\/tr><tr><td>status_code<\/td><td>count<\/td><\/tr><tr><td>status_msg<\/td><td>string<\/td><\/tr><tr><td>info_code<\/td><td>count<\/td><\/tr><tr><td>info_msg<\/td><td>string<\/td><\/tr><tr><td>tags<\/td><td>set[enum]<\/td><\/tr><tr><td>username<\/td><td>string<\/td><\/tr><tr><td>password<\/td><td>string<\/td><\/tr><tr><td>proxied<\/td><td>set[string]<\/td><\/tr><tr><td>orig_fuids<\/td><td>vector[string]<\/td><\/tr><tr><td>orig_filenames<\/td><td>vector[string]<\/td><\/tr><tr><td>orig_mime_types<\/td><td>vector[string]<\/td><\/tr><tr><td>resp_fuids<\/td><td>vector[string]<\/td><\/tr><tr><td>resp_filenames<\/td><td>vector[string]<\/td><\/tr><tr><td>resp_mime_types<\/td><td>vector[string]<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>So how can you find the IP address of the compromised server? Based on what published write-ups of this challenge say, when you analyse the HTTP logs you realize that one of the sites is acting as the referrer for a number of other sites. 
This basically means that, when you access that site, it takes you automatically to another site.<\/p>\n\n\n\n<p>See sample events from the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat http.log | zeek-cut id.orig_h id.resp_h host referrer<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.bing.com\/search?q=ciniholland.nl&amp;qs=ds&amp;form=QBLH\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t185.53.178.9\tadultbiz.in\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\n172.16.165.16
5\t74.125.233.96\twww.youtube.com\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t82.150.140.30\twww.ciniholland.nl\t-\n172.16.165.165\t188.225.73.100\t24corp-shop.com\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t188.225.73.100\t24corp-shop.com\thttp:\/\/www.ciniholland.nl\/\n172.16.165.165\t188.225.73.100\t24corp-shop.com\thttp:\/\/24corp-shop.com\/\n172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\thttp:\/\/24corp-shop.com\/\n172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\thttp:\/\/24corp-shop.com\/\n172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\n172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\n172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\thttp:\/\/stand.trustandprobaterealty.com\/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\thttp:\/\/stand.trustandprobaterealty.com\/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\n172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\n172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\n172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\n172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\n172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\n<\/code><\/pre>\n\n\n\n<p>From the output above, in a number of instances, when you access the site <strong><code>http:\/\/www.ciniholland.nl\/<\/code><\/strong>, it redirects you to other sites such as adultbiz.in, www.youtube.com and 24corp-shop.com, which is not normal. <strong><code>http:\/\/www.ciniholland.nl\/<\/code><\/strong> thus looks like a compromised site, and its IP address is <strong><code>82.150.140.30<\/code><\/strong>.<\/p>\n\n\n\n<p>There could be other ways to go about this. 
Please explore further.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. What is the FQDN of the compromised website?<\/h3>\n\n\n\n<p>Based on the above, the FQDN of the compromised site is <strong><code>ciniholland.nl<\/code><\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. What is the IP address of the server that delivered the exploit kit and malware?<\/h3>\n\n\n\n<p>Based on the analysis in question 4, you can see a suspicious referrer chain: the visit to <strong><code>www.ciniholland.nl<\/code><\/strong> led to <code><strong>http:\/\/24corp-shop.com\/<\/strong><\/code>, which in turn was the referrer for the connections to the <code><strong>stand.trustandprobaterealty.com<\/strong><\/code> site.<\/p>\n\n\n\n<p>Based on this chain of events, let us analyse http.log and print the timestamp of each connection (<code>-d<\/code> converts it to a human-readable form). We can also include the URI, which shows the specific resource requested over HTTP.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat http.log | zeek-cut -d ts id.orig_h id.resp_h host referrer uri<\/code><\/pre>\n\n\n\n<pre 
class=\"scroll-box\"><code>2014-11-16T05:11:56+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/plugins\/contact-form-7\/includes\/css\/styles.css?ver=3.7.2\n2014-11-16T05:11:56+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/themes\/cini\/js\/functions.js\n2014-11-16T05:11:56+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/plugins\/sitemap\/css\/page-list.css?ver=4.2\n2014-11-16T05:11:55+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.bing.com\/search?q=ciniholland.nl&amp;qs=ds&amp;form=QBLH\t\/\n2014-11-16T05:11:56+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/themes\/cini\/style.css\n2014-11-16T05:11:56+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-includes\/js\/jquery\/jquery-migrate.min.js?ver=1.2.1\n2014-11-16T05:11:58+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/themes\/cini\/reset.css\n2014-11-16T05:11:57+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/plugins\/contact-form-7\/includes\/js\/scripts.js?ver=3.7.2\n2014-11-16T05:11:57+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/plugins\/contact-form-7\/includes\/js\/jquery.form.min.js?ver=3.50.0-2014.02.05\n2014-11-16T05:11:57+0300\t172.16.165.165\t185.53.178.9\tadultbiz.in\thttp:\/\/www.ciniholland.nl\/\t\/new\/jquery.php\n2014-11-16T05:11:57+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-includes\/js\/jquery\/jquery.js?ver=1.10.2\n2014-11-16T05:11:59+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/themes\/cini\/img\/youtubelogo_on.gif\n2014-11-16T05:11:59+0300\t172
.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/themes\/cini\/img\/twitter_on.gif\n2014-11-16T05:11:59+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/themes\/cini\/img\/facebook_on.gif\n2014-11-16T05:11:59+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/themes\/cini\/img\/br_logo.gif\n2014-11-16T05:11:59+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/themes\/cini\/img\/newsletter_on.gif\n2014-11-16T05:11:59+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/themes\/cini\/img\/donate_on.gif\n2014-11-16T05:12:00+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/themes\/cini\/img\/squareorangedecor.gif\n2014-11-16T05:12:00+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/uploads\/2012\/01\/P1260499-200x298.jpg\n2014-11-16T05:12:00+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\thttp:\/\/www.ciniholland.nl\/\t\/wp-content\/uploads\/2013\/09\/IMG-20130928-WA002-150x150.jpg\n2014-11-16T05:12:01+0300\t172.16.165.165\t74.125.233.96\twww.youtube.com\thttp:\/\/www.ciniholland.nl\/\t\/embed\/hqgSewjl8hk\n2014-11-16T05:12:09+0300\t172.16.165.165\t82.150.140.30\twww.ciniholland.nl\t-\t\/favicon.ico\n2014-11-16T05:12:11+0300\t172.16.165.165\t188.225.73.100\t24corp-shop.com\thttp:\/\/www.ciniholland.nl\/\t\/\n2014-11-16T05:12:11+0300\t172.16.165.165\t188.225.73.100\t24corp-shop.com\thttp:\/\/www.ciniholland.nl\/\t\/\n2014-11-16T05:12:11+0300\t172.16.165.165\t188.225.73.100\t24corp-shop.com\thttp:\/\/24corp-shop.com\/\t\/source\/notfound.gif\n2014-11-16T05:12:12+0300\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\thttp:\/\/24corp-shop.com\/\t\/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|Z
DJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n2014-11-16T05:12:12+0300\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\thttp:\/\/24corp-shop.com\/\t\/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n2014-11-16T05:12:19+0300\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\t\/index.php?req=mp3&amp;num=16&amp;PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n2014-11-16T05:12:30+0300\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\t\/index.php?req=mp3&amp;num=95&amp;PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n2014-11-16T05:12:41+0300\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\thttp:\/\/stand.trustandprobaterealty.com\/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\t\/index.php?req=swf&amp;num=809&amp;PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n2014-11-16T05:12:41+0300\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\thttp:\/\/stand.trustandprobaterealty.com\/?PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\t\/index.php?req=swf&amp;num=7533&amp;PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n2014-11-16T05:12:59+0300\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\t\/index.php?req=xml&amp;num=9345&amp;PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n2014-11-16T05:13:00+0300\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\t\/index.php?req=xml&amp;num=2527&amp;PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n2014-11-16T05:13:01+0300\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\t\/ind
ex.php?req=jar&amp;num=3703&amp;PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n2014-11-16T05:13:01+0300\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\t\/index.php?req=jar&amp;num=9229&amp;PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n2014-11-16T05:13:03+0300\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\t\/index.php?req=mp3&amp;num=912585&amp;PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n2014-11-16T05:13:03+0300\t172.16.165.165\t37.200.69.143\tstand.trustandprobaterealty.com\t-\t\/index.php?req=mp3&amp;num=803295&amp;PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n<\/code><\/pre>\n\n\n\n<p>Notice that the same resource, <code>\/index.php?req=...<\/code>, is requested repeatedly between <strong>172.16.165.165<\/strong> and <strong>37.200.69.143<\/strong>, always with the same PHPSSESID value.<\/p>\n\n\n\n<p>You can also check <strong><code>files.log<\/code><\/strong> to find information about the files transmitted between the various hosts;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat files.log | zeek-cut -d ts tx_hosts rx_hosts source mime_type filename<\/code><\/pre>\n\n\n\n<pre 
class=\"scroll-box\"><code>2014-11-16T05:11:57+0300\t82.150.140.30\t172.16.165.165\tHTTP\ttext\/plain\t-\n2014-11-16T05:11:57+0300\t82.150.140.30\t172.16.165.165\tHTTP\ttext\/plain\t-\n2014-11-16T05:11:57+0300\t82.150.140.30\t172.16.165.165\tHTTP\ttext\/plain\t-\n2014-11-16T05:11:56+0300\t82.150.140.30\t172.16.165.165\tHTTP\ttext\/html\t-\n2014-11-16T05:11:57+0300\t82.150.140.30\t172.16.165.165\tHTTP\ttext\/plain\t-\n2014-11-16T05:11:57+0300\t82.150.140.30\t172.16.165.165\tHTTP\ttext\/plain\t-\n2014-11-16T05:11:58+0300\t82.150.140.30\t172.16.165.165\tHTTP\ttext\/plain\t-\n2014-11-16T05:11:58+0300\t82.150.140.30\t172.16.165.165\tHTTP\ttext\/plain\t-\n2014-11-16T05:11:58+0300\t82.150.140.30\t172.16.165.165\tHTTP\ttext\/plain\t-\n2014-11-16T05:11:59+0300\t185.53.178.9\t172.16.165.165\tHTTP\ttext\/html\t-\n2014-11-16T05:11:58+0300\t82.150.140.30\t172.16.165.165\tHTTP\ttext\/plain\t-\n2014-11-16T05:12:00+0300\t82.150.140.30\t172.16.165.165\tHTTP\timage\/gif\t-\n2014-11-16T05:12:00+0300\t82.150.140.30\t172.16.165.165\tHTTP\timage\/gif\t-\n2014-11-16T05:12:00+0300\t82.150.140.30\t172.16.165.165\tHTTP\timage\/gif\t-\n2014-11-16T05:12:00+0300\t82.150.140.30\t172.16.165.165\tHTTP\timage\/gif\t-\n2014-11-16T05:12:00+0300\t82.150.140.30\t172.16.165.165\tHTTP\timage\/gif\t-\n2014-11-16T05:12:00+0300\t82.150.140.30\t172.16.165.165\tHTTP\timage\/gif\t-\n2014-11-16T05:12:01+0300\t82.150.140.30\t172.16.165.165\tHTTP\timage\/gif\t-\n2014-11-16T05:12:01+0300\t82.150.140.30\t172.16.165.165\tHTTP\timage\/jpeg\t-\n2014-11-16T05:12:01+0300\t82.150.140.30\t172.16.165.165\tHTTP\timage\/jpeg\t-\n2014-11-16T05:12:10+0300\t82.150.140.30\t172.16.165.165\tHTTP\timage\/x-icon\t-\n2014-11-16T05:12:11+0300\t188.225.73.100\t172.16.165.165\tHTTP\ttext\/html\t-\n2014-11-16T05:12:11+0300\t188.225.73.100\t172.16.165.165\tHTTP\ttext\/html\t-\n2014-11-16T05:12:12+0300\t188.225.73.100\t172.16.165.165\tHTTP\timage\/gif\t-\n2014-11-16T05:12:15+0300\t37.200.69.143\t172.16.165.165\tHTTP\ttext\/html\t-\n2014-11
-16T05:12:15+0300\t37.200.69.143\t172.16.165.165\tHTTP\ttext\/html\t-\n2014-11-16T05:12:23+0300\t37.200.69.143\t172.16.165.165\tHTTP\t-\t-\n2014-11-16T05:12:33+0300\t37.200.69.143\t172.16.165.165\tHTTP\t-\t-\n2014-11-16T05:12:41+0300\t37.200.69.143\t172.16.165.165\tHTTP\tapplication\/x-shockwave-flash\t-\n2014-11-16T05:12:42+0300\t37.200.69.143\t172.16.165.165\tHTTP\tapplication\/x-shockwave-flash\t-\n2014-11-16T05:13:00+0300\t37.200.69.143\t172.16.165.165\tHTTP\tapplication\/xml\t-\n2014-11-16T05:13:01+0300\t37.200.69.143\t172.16.165.165\tHTTP\tapplication\/xml\t-\n2014-11-16T05:13:02+0300\t37.200.69.143\t172.16.165.165\tHTTP\tapplication\/java-archive\t-\n2014-11-16T05:13:02+0300\t37.200.69.143\t172.16.165.165\tHTTP\tapplication\/java-archive\t-\n2014-11-16T05:13:08+0300\t37.200.69.143\t172.16.165.165\tHTTP\t-\t-\n\n<\/code><\/pre>\n\n\n\n<p>Between <strong><code>2014-11-16T05:12:41+0300<\/code><\/strong> and <strong><code>2014-11-16T05:13:02+0300<\/code><\/strong>, <code>37.200.69.143<\/code> sends <code>172.16.165.165<\/code> a run of application files rather than page content: two Flash objects (<code>application\/x-shockwave-flash<\/code>), two XML documents and two Java archives (<code>application\/java-archive<\/code>). In the entries shown, every other server only delivered HTML, plain text and images.<\/p>\n\n\n\n<p>Thus, <code><strong>37.200.69.143<\/strong><\/code> is the most likely host delivering the malware, i.e. the exploit-kit payloads. The rows from the same host with an unset MIME type (<code>-<\/code>) deserve a second look as well, since Zeek could not identify what was transferred in them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7. What is the FQDN that delivered the exploit kit and malware?<\/h3>\n\n\n\n<p>The <code>http.log<\/code> entries for these same connections (No 6) carry the host header <strong><code>stand.trustandprobaterealty.com<\/code><\/strong>, so that is the FQDN that delivered the exploit kit and the malware.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">8. What is the redirect URL that points to the exploit kit (EK) landing page?<\/h3>\n\n\n\n<p>In No 6 we traced the referral chain in <code>http.log<\/code>: the browser went from <strong><code>www.ciniholland.nl<\/code><\/strong> to <code><strong>http:\/\/24corp-shop.com\/<\/strong><\/code> (the request to 24corp-shop.com carries www.ciniholland.nl as its Referer), and from there to <code><strong>stand.trustandprobaterealty.com<\/strong><\/code>, the site which delivered the EK (that request carries <code>http:\/\/24corp-shop.com\/<\/code> as its Referer). 
Thus, <code><strong>http:\/\/24corp-shop.com\/<\/strong><\/code> is the redirect URL that points to the EK landing page: it is the last hop before <code>stand.trustandprobaterealty.com<\/code> in the Referer chain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9. Other than CVE-2013-2551 IE exploit, another application was targeted by the EK and starts with &#8220;J&#8221;. Provide the full application name.<\/h3>\n\n\n\n<p>From the <code>http.log<\/code> analysis in No 6, the <code>uri<\/code> field shows requests for a number of files on the landing host. Two of them stand out, with <strong>req=swf<\/strong> and <strong>req=jar<\/strong> in the query string:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/index.php?<strong>req=swf<\/strong>&amp;num=7533&amp;PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM\n\/index.php?<strong>req=jar<\/strong>&amp;num=9229&amp;PHPSSESID=njrMNruDMhvJFIPGKuXDSKVbM07PThnJko2ahe6JVg|ZDJiZjZiZjI5Yzc5OTg3MzE1MzJkMmExN2M4NmJiOTM<\/code><\/pre>\n\n\n\n<p><code>files.log<\/code> records these two downloads with the MIME types <code>application\/x-shockwave-flash<\/code> and <code>application\/java-archive<\/code>, i.e. a <strong>Flash<\/strong> object and a <strong>Java<\/strong> archive, so the exploit kit is targeting both browser plugins. The question asks for the application whose name begins with &#8220;J&#8221;, hence the answer is <strong>Java<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">12. The compromised website has a malicious script with a URL. What is this URL?<\/h3>\n\n\n\n<p>From the analysis in No 5, the compromised website is <strong><code>ciniholland.nl<\/code><\/strong>.<\/p>\n\n\n\n<p>No 6 showed that the requests to <code><strong>http:\/\/24corp-shop.com\/<\/strong><\/code> arrived with this site as their Referer. 
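To make that chain checkable rather than read off by eye, here is an added example (it is not code from the original tutorial or from the Zeek project) that does in Python what the <code>zeek-cut<\/code> workflow above does by hand: it parses Zeek ASCII logs by their <code>#fields<\/code> header, scores each sending host in <code>files.log<\/code> by the active-content MIME types (Flash, Java archive) it delivered to <code>172.16.165.165<\/code>, and walks the <code>referrer<\/code> column of <code>http.log<\/code> backwards from <code>stand.trustandprobaterealty.com<\/code> to recover both the redirect URL and the compromised site. The embedded log excerpts are constructed for the example; the Referer values and the IP addresses paired with <code>www.ciniholland.nl<\/code> and <code>24corp-shop.com<\/code> are assumptions, not data from the lab pcap.

```python
"""Parse Zeek ASCII logs by their #fields header (what zeek-cut does by column
name) and automate two checks from the walkthrough: which server delivered
active content (Flash/Java) to the victim, and which Referer chain leads to
the exploit-kit landing page.  The log excerpts are CONSTRUCTED; the Referer
values and the IPs paired with the two non-EK hostnames are assumptions."""
from collections import Counter
from urllib.parse import urlsplit

UNSET = "-"      # Zeek #unset_field
SET_SEP = ","    # Zeek #set_separator (tx_hosts / rx_hosts are sets)
VICTIM = "172.16.165.165"
EK_LANDING = "stand.trustandprobaterealty.com"
# MIME types that mean a browser plugin or loader is being handed code.
ACTIVE_CONTENT = {"application/x-shockwave-flash", "application/java-archive",
                  "application/x-java-applet", "application/x-dosexec"}

FILES_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tfuid\ttx_hosts\trx_hosts\tsource\tmime_type\tfilename
1416103917.0\tFa1\t82.150.140.30\t172.16.165.165\tHTTP\ttext/html\t-
1416103935.0\tFa3\t37.200.69.143\t172.16.165.165\tHTTP\ttext/html\t-
1416103961.0\tFa4\t37.200.69.143\t172.16.165.165\tHTTP\tapplication/x-shockwave-flash\t-
1416103980.0\tFa5\t37.200.69.143\t172.16.165.165\tHTTP\tapplication/xml\t-
1416103982.0\tFa6\t37.200.69.143\t172.16.165.165\tHTTP\tapplication/java-archive\t-
#close\t2014-11-16-05-13-08
"""

HTTP_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tid.orig_h\tid.resp_h\tmethod\thost\turi\treferrer\tresp_mime_types
1416103916.0\t172.16.165.165\t82.150.140.30\tGET\twww.ciniholland.nl\t/\t-\ttext/html
1416103931.0\t172.16.165.165\t188.225.73.100\tGET\t24corp-shop.com\t/\thttp://www.ciniholland.nl/\ttext/html
1416103935.0\t172.16.165.165\t37.200.69.143\tGET\tstand.trustandprobaterealty.com\t/\thttp://24corp-shop.com/\ttext/html
1416103961.0\t172.16.165.165\t37.200.69.143\tGET\tstand.trustandprobaterealty.com\t/index.php?req=swf&num=7533\thttp://stand.trustandprobaterealty.com/\tapplication/x-shockwave-flash
1416103982.0\t172.16.165.165\t37.200.69.143\tGET\tstand.trustandprobaterealty.com\t/index.php?req=jar&num=9229\thttp://stand.trustandprobaterealty.com/\tapplication/java-archive
"""

def parse_zeek_log(text):
    """Yield one dict per record, keyed by the #fields names; '-' becomes None."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue                        # #separator, #types, #open, #close
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        yield {k: (None if v == UNSET else v) for k, v in zip(fields, values)}

def active_content_senders(files_log, victim):
    """Count, per sending host, the active-content files received by `victim`,
    most prolific first.  tx_hosts/rx_hosts are Zeek sets, so split on ','."""
    counts = Counter()
    for rec in parse_zeek_log(files_log):
        if rec["mime_type"] not in ACTIVE_CONTENT:
            continue
        if victim not in (rec["rx_hosts"] or "").split(SET_SEP):
            continue
        for tx in (rec["tx_hosts"] or "").split(SET_SEP):
            if tx:
                counts[tx] += 1
    return counts.most_common()

def inbound_referrers(http_log):
    """Map each Host to the Referer of the earliest request that arrived from a
    *different* site.  Same-site Referers (a landing page fetching its own
    payloads) are ignored; otherwise the chain would loop on the landing host."""
    inbound = {}
    for rec in sorted(parse_zeek_log(http_log), key=lambda r: float(r["ts"])):
        host, ref = rec["host"], rec["referrer"]
        if not host or not ref or host in inbound:
            continue
        if urlsplit(ref).hostname != host:
            inbound[host] = ref
    return inbound

def referer_chain(http_log, landing_host, max_hops=10):
    """Walk Referers backwards from the EK landing host and return the hosts in
    browsing order: [first site visited, redirector(s), landing host]."""
    inbound = inbound_referrers(http_log)
    chain, cur = [landing_host], landing_host
    for _ in range(max_hops):               # bounded in case of Referer cycles
        ref = inbound.get(cur)
        ref_host = urlsplit(ref).hostname if ref else None
        if not ref_host or ref_host in chain:
            break
        chain.append(ref_host)
        cur = ref_host
    return chain[::-1]

if __name__ == "__main__":
    print("active content senders:", active_content_senders(FILES_LOG, VICTIM))
    print("redirect URL to EK    :", inbound_referrers(HTTP_LOG).get(EK_LANDING))
    print("referer chain         :", " -> ".join(referer_chain(HTTP_LOG, EK_LANDING)))
```

Run it as a script to print the three results, or pass the contents of <code>\/opt\/zeek\/logs\/current\/files.log<\/code> and <code>http.log<\/code> to the two functions; the parser skips every other <code>#<\/code> header line Zeek's ASCII writer emits, but it does not read logs written in JSON mode. The one design choice that matters is ignoring same-site Referers when building the chain: once the landing page starts fetching its own <code>req=swf<\/code> and <code>req=jar<\/code> payloads, the Referer points at the landing host itself and a naive walk would never leave it.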
Thus, the compromised site must embed <code><strong>http:\/\/24corp-shop.com\/<\/strong><\/code> somewhere in its page, in the malicious script the question refers to, which sends visitors on to the redirector; that is the URL asked for. Zeek's logs show the referral, not the page source: to see the injected script itself you would extract the HTML from the pcap, for example with Zeek's file extraction or with Wireshark.<\/p>\n\n\n\n<p>For the rest of the questions, you can use other tools to do the analysis.<\/p>\n\n\n\n<p>And that is how you can analyse network traffic using Zeek.<\/p>\n\n\n\n<p>See the <a href=\"https:\/\/cyberdefenders.org\/labs\/17\" target=\"_blank\" rel=\"noreferrer noopener\">CyberDefenders lab page<\/a> for hints.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/detect-changes-to-critical-files-in-linux-using-auditbeat-and-elk\/\" target=\"_blank\" rel=\"noreferrer noopener\">Detect Changes to Critical Files in Linux using Auditbeat and ELK<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-arkime-moloch-full-packet-capture-tool-on-debian\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install Arkime (Moloch) Full Packet Capture tool on Debian 11<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/intercept-malicious-file-upload-with-modsecurity-and-clamav\/\" target=\"_blank\" rel=\"noreferrer noopener\">Intercept Malicious File Upload with ModSecurity and ClamAV<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to analyze network traffic using Zeek. 
Zeek is a world&#8217;s leading passive network security monitoring tool that sits<\/p>\n","protected":false},"author":3,"featured_media":11279,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121],"tags":[4422,4428,4427,4426,4424,4418,4425,4423],"class_list":["post-11267","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","tag-analyse-network-traffic-with-zeek","tag-dns-log","tag-files-log","tag-http-log","tag-read-pcap-files-with-zeek","tag-zeek","tag-zeek-extract-files-in-pcap-files","tag-zeek-network-traffic-analysis","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11267"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=11267"}],"version-history":[{"count":8,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11267\/revisions"}],"predecessor-version":[{"id":21318,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/11267\/revisions\/21318"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/11279"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=11267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=11267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=11267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}