IR 350: Zeek Interactive Tutorial (15 pts + 44 extra)

What You Need for this Project

Purpose

To learn the basics of using Zeek, formerly called Bro.

Launch the Interactive Tutorial

In a Web browser, go to

https://try.zeek.org/#/?example=hello

Work through the tutorial and find the flags listed below.

Flag IR 350.1: Hello World (3 pts)

What event is raised when Zeek terminates?

Flag IR 350.2: Functions (3 pts)

What attribute makes an argument optional?

Flag IR 350.3: Variables (3 pts)

Try to print z in line 18. The flag is in the error message, covered by a green rectangle in the image below.

Flag IR 350.4: Primitive Datatypes (3 pts)

What type represents an unsigned integer?

Flag IR 350.5: Primitive Datatypes (3 pts)

What type contains a value like 192.168.0.0/16?

Flag IR 350.6: Operators (3 pts extra)

What is the value of this expression:
|"fabulous"|

Flag IR 350.7: Operators (3 pts extra)

What is the output of this code?
	local i = 1;
	local s = "3";
	print i > s;

Flag IR 350.8: Operators (5 pts extra)

What three-letter function can you insert to replace XXX and make this code run properly?
	local i = 1;
	local s = "3";
	print XXX(i) > s;

Flag IR 350.9: Operators (3 pts extra)

What is the value of this expression:
"fabulous"[4:8][2:3]

Flag IR 350.10: Loops (3 pts extra)

What command can you insert to replace XXX and make this code run properly, so it counts from 1 to 5?
	local i = 1;
	while ( i < 6 )
	{
		print i;
		XXX;
	}

Flag IR 350.11: Switch (3 pts extra)

What block is executed if no "case" block matches?

Flag IR 350.12: Switch (5 pts extra)

What command can you insert to replace XXX and make this code run properly, so it prints "WIN"?
	local i = 1;
	switch ( i )
	{
		case 1:
			++i;
			XXX;
		case 2:
			print "WIN";
			break;
	}

Flag IR 350.13: Composite Types (3 pts extra)

What type is similar to a struct in C?

Flag IR 350.14: exercise_traffic.pcap (3 pts extra)

Run the "Exercise 2" Solution script on the "exercise_traffic.pcap" file provided in the Zeek tutorial.

The flag is the total number of new connections found.

Flag IR 350.15: http.pcap (3 pts extra)

Run the "Exercise 2" Solution script on the "http.pcap" file provided in the Zeek tutorial.

Modify the script as needed to answer this question:

What was the local port number of the 19th connection?

Flag IR 350.16: scan1.pcap (10 pts extra)

Use this file: scan1.pcap

It contains a port scan of 159.203.238.50.

Find the 39th new connection to that address, including icmp, tcp, and udp. The port number of that connection is the flag.
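As an added example (not the tutorial's "Exercise 2" solution and not part of the assignment itself), the following Zeek script shows the kind of modification flags 350.14 through 350.16 ask for: it counts new_connection events, optionally only those to one responder address, and prints the Nth one. The names target_host, target_index and seen are chosen here; the address is the one named above, and the index is a placeholder you set yourself.

```zeek
# Added example: report the Nth new connection, optionally filtered by
# responder address. new_connection fires for tcp, udp and icmp alike,
# so all three transports are counted together.

const target_host: addr = 0.0.0.0 &redef;    # 0.0.0.0 means "no filter"
const target_index = 39 &redef;              # which matching connection to report
global seen = 0;                             # running count of matching connections

event new_connection(c: connection)
	{
	# Skip connections to other responders when a filter address is set.
	if ( target_host != 0.0.0.0 && c$id$resp_h != target_host )
		return;

	++seen;

	# Ports print as e.g. "443/tcp" or "53/udp", so the transport is visible too.
	if ( seen == target_index )
		print fmt("connection #%d: %s:%s -> %s:%s", seen,
		          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
	}

# Example filter for scan1.pcap; remove this line to count every connection.
redef target_host = 159.203.238.50;
```

Paste the script into the tutorial with the pcap of your choice selected, or run it locally with `zeek -r scan1.pcap` followed by the script filename; for the unfiltered http.pcap question, drop the redef line and change target_index.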

References

Docs -- GRR on GitHub

Posted 6-21-2020
350.10 XXX added 11-15-20
IR 350.16 instructions improved 8-3-2021
IR 350.3 instructions improved 7-13-22