IR 351: Installing and Using Zeek (25 pts)

What You Need for this Project

Purpose

To install and configure Zeek, and to use it to detect common attacks.

Installing Zeek

On your Linux server, in an SSH session, execute these commands:
sudo apt update

sudo apt install cmake make gcc g++ flex bison -y

sudo apt install libpcap-dev libssl-dev python-dev swig zlib1g-dev -y

sudo apt install zlib1g-dev wget curl -y

echo 'deb http://download.opensuse.org/repositories/security:/zeek/Debian_10/ /' \
 | sudo tee /etc/apt/sources.list.d/security:zeek.list
 
sudo wget -nv https://download.opensuse.org/repositories/security:zeek/Debian_10/Release.key \
 -O "/etc/apt/trusted.gpg.d/security:zeek.asc"
 
sudo apt update

sudo apt install zeek-lts -y

cd

echo 'export PATH=/opt/zeek/bin:$PATH' >> .bashrc

source .bashrc

The single quotes matter: with double quotes the shell would expand $PATH when the line is written, freezing today's PATH into .bashrc instead of prepending /opt/zeek/bin to whatever PATH each new shell starts with.

Starting Zeek

On your Linux server, in an SSH session, execute this command. The interface on the lab server is ens4; if yours is named differently (check with ip link), use that name instead:
sudo /opt/zeek/bin/zeek -i ens4 -C &
The -C flag makes Zeek ignore bad TCP/UDP checksums, which are normal when capturing on a host whose NIC performs checksum offloading; without it Zeek would discard most of the local traffic. Run this way (rather than through zeekctl), Zeek writes its logs into the current directory. Press Enter to get a fresh command prompt.

Creating DNS Traffic

On your Linux server, in an SSH session, execute these commands:
ping -c 1 -W 1 msn.com
ping -c 1 -W 1 kittenwar.com
ls
Several log files have appeared, as shown below.

Viewing the DNS Log

On your Linux server, in an SSH session, execute this command:
cat dns.log
You see log entries for the domains you pinged, as shown below.

Creating HTTP Traffic

On your Linux server, in an SSH session, execute this command:
wget http://ad.samsclass.info 

Flag IR 351.1: HTTP Log (5 pts)

On your Linux server, in an SSH session, execute this command:
cat http.log
The flag is covered by a green rectangle in the image below.

HTTP Basic Authentication

By default, Zeek's HTTP analyzer does not record passwords (HTTP::default_capture_password is F). For this lab, turn it on by editing the base script. On your Linux server, in an SSH session, execute this command:
sudo nano /opt/zeek/share/zeek/base/protocols/http/main.zeek
Change default_capture_password to T as shown below. (Outside a lab, leave the base scripts alone and redefine HTTP::default_capture_password to T in /opt/zeek/share/zeek/site/local.zeek instead, so the change survives upgrades. Either way, http.log now contains cleartext credentials, so protect the log files accordingly.)

Press Ctrl+X, Y, Enter to save the file.

On your Linux server, in an SSH session, execute these commands to download a PCAP file and process it with Zeek:

sudo rm http.log
wget https://samsclass.info/152/proj/http-basic.pcap
sudo /opt/zeek/bin/zeek -r http-basic.pcap -C
head -n 7 http.log
There are a lot of fields, but the ones of interest to us are:
username password status_code status_msg
as shown below.

Zeek provides a zeek-cut utility that reads the #fields header of a log and prints only the columns you name, which makes it easier to pick out fields like that.

Flag IR 351.2: HTTP Password (5 pts)

On your Linux server, in an SSH session, execute this command:
cat http.log | zeek-cut username password status_code status_msg
The flag is the password for the successful login, covered by a green rectangle in the image below.

Flag IR 351.3: HTTP PIN (10 pts)

On your Linux server, in an SSH session, execute this command:
wget https://samsclass.info/152/proj/http-basic2.pcap
Then remove the old http.log, process this PCAP with zeek -r -C as you did for http-basic.pcap, and use zeek-cut on the resulting http.log. The flag is the password for the successful login.

Detecting SSH Brute-Force Attacks

On your Linux server, in an SSH session, execute this command:
nano notice_ssh_guesser.zeek
Enter this code:
# Load Zeek's stock SSH brute-force detector, which counts failed
# logins per source address with the SumStats framework.
@load protocols/ssh/detect-bruteforcing

# Raise a notice after 10 failed guesses instead of the default 30,
# so the small sample PCAP is enough to trigger it.
redef SSH::password_guesses_limit=10;

# Also request an e-mail for this notice type. The notice is written
# to notice.log either way; ACTION_EMAIL is added on top of that.
hook Notice::policy(n: Notice::Info)
  {
  if ( n$note == SSH::Password_Guessing )
    add n$actions[Notice::ACTION_EMAIL];
  }
Press Ctrl+X, Y, Enter to save the file.

Flag IR 351.4: SSH Brute Force Alert (5 pts)

On your Linux server, in an SSH session, execute these commands:
wget https://samsclass.info/152/proj/ssh-brute.pcap
sudo /opt/zeek/bin/zeek -r ssh-brute.pcap -C notice_ssh_guesser.zeek
cat notice.log
The flag is covered by a green rectangle in the image below.
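Both lookups in this lab, pulling username, password and status out of http.log and finding the SSH::Password_Guessing entries in notice.log, read the same Zeek ASCII log format, so here is one small reader that does both. This is an added example, not part of the original lab and not code from the Zeek distribution. It assumes the default ASCII writer layout (a #separator line followed by #fields, #types and the other #-prefixed metadata lines). The two logs embedded in it are constructed by hand and trimmed to a few of the real columns; the addresses and passwords in them are made up and are not the flags.

```python
"""Reader for Zeek's ASCII (TSV) logs, standing in for zeek-cut.

Added example; not part of this lab and not from the Zeek distribution.
Assumes the default ASCII writer layout: a '#separator' header followed by
'#fields'/'#types' and the other '#'-prefixed metadata lines.  The two logs
embedded below are constructed by hand and trimmed to a few real columns.
"""
import re


def _unescape(s):
    # The #separator value is written escaped, e.g. "\x09" for a tab.
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), s)


def parse_zeek_log(text):
    """Return (field_names, rows).

    Each row is a dict keyed by field name.  Zeek's unset marker ('-' by
    default) becomes None and its empty marker ('(empty)') becomes ''."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields, rows = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _unescape(line.split(" ", 1)[1])
            else:
                key, _, val = line[1:].partition(sep)
                if key == "fields":
                    fields = val.split(sep)
                elif key == "unset_field":
                    unset = val
                elif key == "empty_field":
                    empty = val
            continue
        vals = line.split(sep)
        if len(vals) != len(fields):
            raise ValueError("column count mismatch in line: %r" % line)
        rows.append({k: (None if v == unset else "" if v == empty else v)
                     for k, v in zip(fields, vals)})
    return fields, rows


def zeek_cut(text, *wanted):
    """Equivalent of `zeek-cut f1 f2 ...`: the named columns, in order,
    with unset values printed back as '-' just as zeek-cut does."""
    _, rows = parse_zeek_log(text)
    return [tuple("-" if r[f] is None else r[f] for f in wanted) for r in rows]


def successful_basic_auth(text):
    """(username, password) pairs the server accepted: credentials present
    and a 2xx status.  A 401 means the server rejected that guess."""
    _, rows = parse_zeek_log(text)
    return [(r["username"], r["password"]) for r in rows
            if r["username"] is not None and r["password"] is not None
            and r["status_code"] is not None
            and r["status_code"].startswith("2")]


def ssh_guessing_notices(text):
    """(src, msg) for every SSH::Password_Guessing entry in notice.log."""
    _, rows = parse_zeek_log(text)
    return [(r["src"], r["msg"]) for r in rows
            if r["note"] == "SSH::Password_Guessing"]


# Constructed, abbreviated http.log (real logs have ~30 columns).
HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod"
    "\thost\turi\tstatus_code\tstatus_msg\tusername\tpassword\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring"
    "\tcount\tstring\tstring\tstring\n"
    "1593190001.100000\tCabc1\t10.0.0.5\t51000\t10.0.0.20\t80\tGET\tintranet"
    "\t/admin/\t401\tUnauthorized\t-\t-\n"
    "1593190002.200000\tCabc2\t10.0.0.5\t51001\t10.0.0.20\t80\tGET\tintranet"
    "\t/admin/\t401\tUnauthorized\tadmin\tpassword\n"
    "1593190003.300000\tCabc3\t10.0.0.5\t51002\t10.0.0.20\t80\tGET\tintranet"
    "\t/admin/\t200\tOK\tadmin\tletmein\n"
    "#close\t2020-06-26-12-00-05\n"
)

# Constructed, abbreviated notice.log with one SSH guessing notice and one
# unrelated notice that the filter must skip.
NOTICE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#fields\tts\tnote\tmsg\tsub\tsrc\tdst\tp\tactions\tsuppress_for\n"
    "#types\ttime\tenum\tstring\tstring\taddr\taddr\tport\tset[enum]\tinterval\n"
    "1593190100.000000\tSSH::Password_Guessing\t10.0.0.5 appears to be guessing "
    "SSH passwords (seen in 10 connections).\tSampled servers:  10.0.0.20"
    "\t10.0.0.5\t-\t-\tNotice::ACTION_LOG,Notice::ACTION_EMAIL\t3600.000000\n"
    "1593190101.000000\tSSL::Invalid_Server_Cert\tSSL certificate validation "
    "failed with (self signed certificate)\tCN=example\t10.0.0.7\t203.0.113.10"
    "\t443\tNotice::ACTION_LOG\t3600.000000\n"
)

if __name__ == "__main__":
    for row in zeek_cut(HTTP_LOG, "username", "password", "status_code", "status_msg"):
        print("\t".join(row))
    print("accepted credentials:", successful_basic_auth(HTTP_LOG))
    print("ssh guessers:", ssh_guessing_notices(NOTICE_LOG))
```

The parser reads the column names from the #fields header rather than assuming positions, which is the same reason zeek-cut is preferable to awk with fixed column numbers: Zeek adds and removes http.log columns between releases and when extra scripts are loaded, so position-based extraction silently breaks while name-based extraction does not.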

References

Zeek Docs
Exercise: Intelligence-Based Incident Response

Posted 6-26-2020