Location: Sleigh Workshop
Some JSON files can get quite busy.
There's lots to see and do.
Does C&C lurk in our data?
JQ's the tool for you!
-Wunorse Openslae
Identify the destination IP address with the longest connection duration
using the supplied Zeek logfile. Run runtoanswer to submit your answer.
elf@2943579d68fd:~$
Let's find the log file that needs to be analyzed.
elf@2943579d68fd:~$ ls -l
total 48876
-rw-r--r-- 1 elf elf 50047602 Nov 18 19:53 conn.log
Let's check that jq is available and see which fields (name:value pairs) each record in the log carries.
elf@2943579d68fd:~$ head -1 conn.log | jq
{
"ts": "2019-04-04T20:34:24.698965Z",
"uid": "CAFvAu2l50Km67tSP5",
"id.orig_h": "192.168.144.130",
"id.orig_p": 64277,
"id.resp_h": "192.168.144.2",
"id.resp_p": 53,
"proto": "udp",
"service": "dns",
"duration": 0.320463,
"orig_bytes": 94,
"resp_bytes": 316,
"conn_state": "SF",
"missed_bytes": 0,
"history": "Dd",
"orig_pkts": 2,
"orig_ip_bytes": 150,
"resp_pkts": 2,
"resp_ip_bytes": 372
}
Now to find the entry with the longest duration. The field we need to report is id.resp_h, the responder (destination) address.
sort_by(.duration) sorts the records from smallest to largest duration. reverse flips the order so the largest comes first. .[0] returns the first entry, which is now the record with the largest duration. The -s (slurp) flag is needed because conn.log is one JSON object per line; it makes jq read the whole file into a single array before filtering, which is fine for this 50 MB log but will not scale to very large ones.
elf@2943579d68fd:~$ cat conn.log | jq -s 'sort_by(.duration) | reverse | .[0]'
{
"ts": "2019-04-18T21:27:45.402479Z",
"uid": "CmYAZn10sInxVD5WWd",
"id.orig_h": "192.168.52.132",
"id.orig_p": 8,
"id.resp_h": "13.107.21.200",
"id.resp_p": 0,
"proto": "icmp",
"duration": 1019365.337758,
"orig_bytes": 30781920,
"resp_bytes": 30382240,
"conn_state": "OTH",
"missed_bytes": 0,
"orig_pkts": 961935,
"orig_ip_bytes": 57716100,
"resp_pkts": 949445,
"resp_ip_bytes": 56966700
}
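Worth pausing on what that record says before submitting: proto is icmp, and for ICMP Zeek stores the message type in id.orig_p and the code in id.resp_p, so 8/0 is a plain echo request. That "connection" ran for 1019365 seconds (about 11.8 days) and carried nearly a million packets in each direction, roughly 1.9 packets per second with 30 MB of payload each way. A ping that never stops and moves megabytes is exactly the long-lived C&C or tunnel channel the hint asks about. The added Python below (my example, not part of the challenge or Zeek) reproduces the jq result without slurping the file into memory, skips records that have no duration field (Zeek omits it for connections that never got far enough to measure, where jq's sort_by would treat it as null), and adds two checks a hunter would want next: total time per destination and the packet rate of the winning connection. The log lines are constructed for the example; the third one mirrors the record found above.

```python
import json
from collections import defaultdict

# Constructed sample of a Zeek conn.log written as JSON lines (not the challenge file).
# The second record deliberately has no "duration" field.
SAMPLE_CONN_LOG = """\
{"ts":"2019-04-04T20:34:24.698965Z","uid":"CAFvAu2l50Km67tSP5","id.orig_h":"192.168.144.130","id.orig_p":64277,"id.resp_h":"192.168.144.2","id.resp_p":53,"proto":"udp","service":"dns","duration":0.320463,"orig_bytes":94,"resp_bytes":316,"conn_state":"SF","orig_pkts":2,"resp_pkts":2}
{"ts":"2019-04-04T20:35:00.000000Z","uid":"CexampleNoDur","id.orig_h":"192.168.144.130","id.orig_p":51000,"id.resp_h":"10.0.0.9","id.resp_p":443,"proto":"tcp","conn_state":"S0","orig_pkts":1,"resp_pkts":0}
{"ts":"2019-04-18T21:27:45.402479Z","uid":"CmYAZn10sInxVD5WWd","id.orig_h":"192.168.52.132","id.orig_p":8,"id.resp_h":"13.107.21.200","id.resp_p":0,"proto":"icmp","duration":1019365.337758,"orig_bytes":30781920,"resp_bytes":30382240,"conn_state":"OTH","orig_pkts":961935,"resp_pkts":949445}
{"ts":"2019-04-05T01:00:00.000000Z","uid":"CexampleTls","id.orig_h":"192.168.52.132","id.orig_p":40000,"id.resp_h":"13.107.21.200","id.resp_p":443,"proto":"tcp","service":"ssl","duration":3600.5,"orig_bytes":1000,"resp_bytes":2000,"conn_state":"SF","orig_pkts":20,"resp_pkts":20}
"""


def iter_conn_records(lines):
    """Yield one dict per JSON line, streaming; blank or malformed lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def longest_connection(lines):
    """Return the record with the largest duration, or None if no record has one.
    Equivalent to jq's sort_by(.duration) | reverse | .[0] but without slurping."""
    best = None
    for rec in iter_conn_records(lines):
        d = rec.get("duration")
        if d is None:
            continue
        if best is None or d > best["duration"]:
            best = rec
    return best


def longest_connection_in_file(path):
    """Stream a conn.log from disk; the file object is iterated line by line."""
    with open(path, encoding="utf-8") as fh:
        return longest_connection(fh)


def total_duration_by_dest(lines):
    """Sum duration per responder IP. Many short sessions to one host can matter
    as much as a single long one; records without a duration count as zero."""
    totals = defaultdict(float)
    for rec in iter_conn_records(lines):
        totals[rec["id.resp_h"]] += rec.get("duration") or 0.0
    return dict(totals)


def rank_destinations(lines, n=5):
    """Top-n responder IPs by total connection time, largest first."""
    totals = total_duration_by_dest(lines)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def packets_per_second(rec):
    """Average packet rate over the connection; a steady ~1-2 pkt/s for days is beacon-like."""
    if not rec.get("duration"):
        return 0.0
    return (rec.get("orig_pkts", 0) + rec.get("resp_pkts", 0)) / rec["duration"]


def describe_icmp(rec):
    """For proto icmp Zeek puts the ICMP type in id.orig_p and the code in id.resp_p."""
    if rec.get("proto") != "icmp":
        return None
    return {"type": rec["id.orig_p"], "code": rec["id.resp_p"]}


if __name__ == "__main__":
    rec = longest_connection(SAMPLE_CONN_LOG.splitlines())
    print("longest:", rec["id.resp_h"], rec["proto"], describe_icmp(rec),
          f"{rec['duration'] / 86400:.1f} days", f"{packets_per_second(rec):.2f} pkt/s")
    for ip, secs in rank_destinations(SAMPLE_CONN_LOG.splitlines()):
        print(f"{ip:>16}  {secs:14.3f} s")
```

To run it against the real file, call longest_connection_in_file("conn.log"); the answer is the returned record's "id.resp_h". If you would rather stay in jq, max_by(.duration) gives the same record as sort_by | reverse | .[0], and appending | ."id.resp_h" prints just the address (the dotted key needs the quotes).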
elf@2943579d68fd:~$ runtoanswer
Loading, please wait......
What is the destination IP address with the longes connection duration?
13.107.21.200
Thank you for your analysis, you are spot-on.
I would have been working on that until the early dawn.
Now that you know the features of jq,
You'll be able to answer other challenges too.
-Wunorse Openslae
Congratulations!
elf@2943579d68fd:~$
That's this one complete.