Location: Sleigh Workshop

Some JSON files can get quite busy. 
There's lots to see and do. 
Does C&C lurk in our data? 
JQ's the tool for you! 

-Wunorse Openslae 

Identify the destination IP address with the longest connection duration 
using the supplied Zeek logfile. Run runtoanswer to submit your answer. 


Let's find the log file that needs to be analyzed.

elf@2943579d68fd:~$ ls -l  
total 48876 
-rw-r--r-- 1 elf elf 50047602 Nov 18 19:53 conn.log

Let's check that we can use 'jq' and can determine what name:value pairs are available.

elf@2943579d68fd:~$ head -1 conn.log | jq 
{
  "ts": "2019-04-04T20:34:24.698965Z",
  "uid": "CAFvAu2l50Km67tSP5",
  "id.orig_h": "",
  "id.orig_p": 64277,
  "id.resp_h": "",
  "id.resp_p": 53,
  "proto": "udp",
  "service": "dns",
  "duration": 0.320463,
  "orig_bytes": 94,
  "resp_bytes": 316,
  "conn_state": "SF",
  "missed_bytes": 0,
  "history": "Dd",
  "orig_pkts": 2,
  "orig_ip_bytes": 150,
  "resp_pkts": 2,
  "resp_ip_bytes": 372
}

Now to find the longest duration entry.

sort_by(.duration) - sorts the records from smallest to largest by the specified field. reverse - flips the order so the largest comes first. .[0] - returns the first record, which is now the one with the largest duration. The -s (slurp) option is what makes this possible: conn.log is one JSON object per line, and -s reads all of them into a single array so sort_by can operate on the whole set.

elf@2943579d68fd:~$ cat conn.log | jq -s 'sort_by(.duration) | reverse | .[0]' 
{
  "ts": "2019-04-18T21:27:45.402479Z",
  "uid": "CmYAZn10sInxVD5WWd",
  "id.orig_h": "",
  "id.orig_p": 8,
  "id.resp_h": "",
  "id.resp_p": 0,
  "proto": "icmp",
  "duration": 1019365.337758,
  "orig_bytes": 30781920,
  "resp_bytes": 30382240,
  "conn_state": "OTH",
  "missed_bytes": 0,
  "orig_pkts": 961935,
  "orig_ip_bytes": 57716100,
  "resp_pkts": 949445,
  "resp_ip_bytes": 56966700
}
elf@2943579d68fd:~$ runtoanswer  
Loading, please wait...... 

What is the destination IP address with the longes connection duration?

Thank you for your analysis, you are spot-on. 
I would have been working on that until the early dawn. 
Now that you know the features of jq, 
You'll be able to answer other challenges too. 

-Wunorse Openslae 
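The jq pipeline above works, but `-s` slurps the whole 50 MB conn.log into memory before sorting, and on a multi-gigabyte log that approach falls over. Zeek's JSON conn.log is one object per line, so the same question can be answered in a single streaming pass. The script below is an added example, not part of the original write-up or the challenge materials; it reimplements the "longest connection" query in Python, keeps a top-N list for triage, and adds a simple check for the pattern the answer record shows (a long-lived ICMP "connection" moving tens of megabytes each way, which is worth a look as possible tunnelling). The sample log lines are constructed for this example and use documentation IP ranges; the threshold values are assumptions, not Zeek or challenge settings.

```python
"""Streaming equivalent of: jq -s 'sort_by(.duration) | reverse | .[0]' conn.log

Reads Zeek JSON conn.log line by line instead of slurping it, so memory use
does not grow with the log. Sample records are constructed for this example.
"""
import heapq
import json
from typing import Iterable, List, Optional

# Constructed Zeek-style conn.log lines (documentation IPs, not real hosts).
# C3 mimics the shape of the challenge's answer record: ICMP, ~11.8 days long,
# ~30 MB in each direction. C4 has no duration (conn_state S0: no reply seen).
SAMPLE_CONN_LOG = """\
{"ts":"2019-04-04T20:34:24.698965Z","uid":"C1","id.orig_h":"192.0.2.10","id.orig_p":64277,"id.resp_h":"192.0.2.53","id.resp_p":53,"proto":"udp","service":"dns","duration":0.320463,"orig_bytes":94,"resp_bytes":316,"conn_state":"SF"}
{"ts":"2019-04-04T20:35:00.000000Z","uid":"C2","id.orig_h":"192.0.2.10","id.orig_p":51000,"id.resp_h":"198.51.100.7","id.resp_p":443,"proto":"tcp","service":"ssl","duration":42.5,"orig_bytes":1200,"resp_bytes":8800,"conn_state":"SF"}
{"ts":"2019-04-04T20:36:00.000000Z","uid":"C3","id.orig_h":"192.0.2.10","id.orig_p":8,"id.resp_h":"203.0.113.9","id.resp_p":0,"proto":"icmp","duration":1019365.337758,"orig_bytes":30781920,"resp_bytes":30382240,"conn_state":"OTH"}
{"ts":"2019-04-04T20:37:00.000000Z","uid":"C4","id.orig_h":"192.0.2.11","id.orig_p":40000,"id.resp_h":"198.51.100.7","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"S0"}
"""


def iter_conn_records(lines: Iterable[str]) -> Iterable[dict]:
    """Yield one dict per non-empty line; skip lines that are not valid JSON
    so a truncated or corrupt line does not abort the whole scan."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def longest_connection(lines: Iterable[str]) -> Optional[dict]:
    """Return the record with the largest duration (like jq's max_by(.duration)).

    Records with no duration field are skipped, which matches jq's ordering of
    null below every number in sort_by.
    """
    best = None
    for rec in iter_conn_records(lines):
        d = rec.get("duration")
        if d is None:
            continue
        if best is None or d > best["duration"]:
            best = rec
    return best


def top_n_by_duration(lines: Iterable[str], n: int = 3) -> List[dict]:
    """Top-N longest connections in one pass, O(n) memory (a bounded heap)."""
    timed = (r for r in iter_conn_records(lines) if r.get("duration") is not None)
    return heapq.nlargest(n, timed, key=lambda r: r["duration"])


def looks_like_icmp_tunnel(rec: dict,
                           min_seconds: float = 3600.0,
                           min_bytes: int = 1_000_000) -> bool:
    """Assumed triage heuristic (not a Zeek rule): ICMP 'connections' that stay
    up for over an hour and carry over 1 MB in each direction are unusual for
    ping and are worth a closer look as a possible covert channel."""
    if rec.get("proto") != "icmp":
        return False
    return (rec.get("duration", 0) >= min_seconds
            and rec.get("orig_bytes", 0) >= min_bytes
            and rec.get("resp_bytes", 0) >= min_bytes)


if __name__ == "__main__":
    lines = SAMPLE_CONN_LOG.splitlines()
    rec = longest_connection(lines)
    print("longest:", rec["id.resp_h"], rec["duration"], "s")
    for r in top_n_by_duration(lines, 3):
        flag = " <-- review" if looks_like_icmp_tunnel(r) else ""
        print(f'{r["uid"]:>4} {r["proto"]:5} {r["id.resp_h"]:15} {r["duration"]:>16.3f}{flag}')
```

To run it against a real log, replace `SAMPLE_CONN_LOG.splitlines()` with `open("conn.log")`; the functions accept any iterable of lines, so the file is never read into memory as a whole.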



That's this one complete.