https://try.zeek.org/#/?example=hello
Work through the tutorial and find the flags listed below.
Flag IR 350.1: Hello World (3 pts)
What event is raised when Zeek terminates?
Flag IR 350.2: Functions (3 pts)
What attribute makes an argument optional?
Flag IR 350.3: Variables (3 pts)
Try to print z in line 18. The flag is in the error message, covered by a green rectangle in the image below.
Flag IR 350.4: Primitive Datatypes (3 pts)
What type represents an unsigned integer?
Flag IR 350.5: Primitive Datatypes (3 pts)
What type contains a value like 192.168.0.0/16?
Flag IR 350.6: Operators (3 pts extra)
What is the value of this expression: |"fabulous"|
Flag IR 350.7: Operators (3 pts extra)
What is the output of this code?
local i = 1; local s = "3"; print i > s;
Flag IR 350.8: Operators (5 pts extra)
What three-letter function can you insert to replace XXX and make this code run properly?
local i = 1; local s = "3"; print XXX(i) > s;
Flag IR 350.9: Operators (3 pts extra)
What is the value of this expression: "fabulous"[4:8][2:3]
Flag IR 350.10: Loops (3 pts extra)
What command can you insert to replace XXX and make this code run properly, so it counts from 1 to 5?
    local i = 1;
    while ( i < 6 ) {
        print i;
        XXX;
    }
Flag IR 350.11: Switch (3 pts extra)
What block is executed if no "case" block matches?
Flag IR 350.12: Switch (5 pts extra)
What command can you insert to replace XXX and make this code run properly, so it prints "WIN"?
    local i = 1;
    switch ( i ) {
        case 1:
            ++i;
            XXX;
        case 2:
            print "WIN";
            break;
    }
Flag IR 350.13: Composite Types (3 pts extra)
What type is similar to a struct in C?
Flag IR 350.14: exercise_traffic.pcap (3 pts extra)
Run the "Exercise 2" Solution script on the "exercise_traffic.pcap" file provided in the Zeek tutorial. The flag is the total number of new connections found.
Flag IR 350.15: http.pcap (3 pts extra)
Run the "Exercise 2" Solution script on the "http.pcap" file provided in the Zeek tutorial. Modify the script as needed to answer this question:
What was the local port number of the 19th connection?
Flag IR 350.16: scan1.pcap (10 pts extra)
Use this file: scan1.pcap
It contains a port scan of 159.203.238.50.
Find the 39th new connection to that address, including icmp, tcp, and udp. The port number of that connection is the flag.