Zeek JSON Analysis (Sleigh Workshop)

Some JSON files can get quite busy. 
There's lots to see and do. 
Does C&C lurk in our data? 
JQ's the tool for you! 
 

-Wunorse Openslae 
 

Identify the destination IP address with the longest connection duration 
using the supplied Zeek logfile. Run runtoanswer to submit your answer. 
 

elf@2943579d68fd:~$

Let's find the log file that needs to be analyzed.

elf@2943579d68fd:~$ ls -l  
total 48876 
-rw-r--r-- 1 elf elf 50047602 Nov 18 19:53 conn.log

Let's check that jq is available and see which name:value pairs each record carries. Zeek's JSON logs are newline-delimited, one connection record per line, so head -1 gives us one complete record to inspect. Note that field names such as id.orig_h and id.resp_h contain a literal dot; in jq filters they have to be written as quoted string keys, because a bare .id.resp_h would be read as a nested lookup of resp_h inside an id object.

elf@2943579d68fd:~$ head -1 conn.log | jq 
{ 
  "ts": "2019-04-04T20:34:24.698965Z", 
  "uid": "CAFvAu2l50Km67tSP5", 
  "id.orig_h": "192.168.144.130", 
  "id.orig_p": 64277, 
  "id.resp_h": "192.168.144.2", 
  "id.resp_p": 53, 
  "proto": "udp", 
  "service": "dns", 
  "duration": 0.320463, 
  "orig_bytes": 94, 
  "resp_bytes": 316, 
  "conn_state": "SF", 
  "missed_bytes": 0, 
  "history": "Dd", 
  "orig_pkts": 2, 
  "orig_ip_bytes": 150, 
  "resp_pkts": 2, 
  "resp_ip_bytes": 372 
}

Now to find the longest duration entry.

-s (slurp) - reads every line of the file into a single JSON array, which is what lets sort_by operate across records rather than on one line at a time. sort_by(.duration) - sorts that array from smallest to largest duration. reverse - flips the order to largest first. .[0] - returns the first entry, which is now the record with the largest duration. Two caveats: slurping loads the whole 50 MB file into memory, which is fine here but worth remembering on larger captures; and records that have no duration field (Zeek omits it for connections it never saw complete) sort as null, which jq orders before every number, so after reverse they land at the end and do not disturb .[0].

elf@2943579d68fd:~$ cat conn.log | jq -s 'sort_by(.duration) | reverse | .[0]' 
{ 
  "ts": "2019-04-18T21:27:45.402479Z", 
  "uid": "CmYAZn10sInxVD5WWd", 
  "id.orig_h": "192.168.52.132", 
  "id.orig_p": 8, 
  "id.resp_h": "13.107.21.200", 
  "id.resp_p": 0, 
  "proto": "icmp", 
  "duration": 1019365.337758, 
  "orig_bytes": 30781920, 
  "resp_bytes": 30382240, 
  "conn_state": "OTH", 
  "missed_bytes": 0, 
  "orig_pkts": 961935, 
  "orig_ip_bytes": 57716100, 
  "resp_pkts": 949445, 
  "resp_ip_bytes": 56966700 
} 
elf@2943579d68fd:~$ runtoanswer  
Loading, please wait...... 
 

What is the destination IP address with the longest connection duration?
13.107.21.200 
 

Thank you for your analysis, you are spot-on. 
I would have been working on that until the early dawn. 
Now that you know the features of jq, 
You'll be able to answer other challenges too. 
 

-Wunorse Openslae 
 

Congratulations! 
 

elf@2943579d68fd:~$  

That's this one complete.
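As an added example that is not part of the original write-up, the same analysis in Python, which makes two things explicit that the jq one-liner hides: Zeek JSON field names contain dots and must be looked up as literal keys (rec["id.resp_h"]), and records with no duration field have to be skipped rather than compared. It also totals duration per destination, since a C2 channel often shows up as many moderate connections to one host rather than a single long one, which the single longest-record query would miss. The sample records are constructed for the example and are not lines from the workshop's conn.log; jq's max_by(.duration) would return the same record as longest_connection in one step.

```python
"""Longest Zeek connection and per-destination totals from a JSON conn.log."""
import json
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample records in Zeek JSON conn.log format (one object per line).
# Illustrative only; not taken from the workshop file. Record C4 is an
# unanswered SYN (conn_state S0), for which Zeek emits no duration field.
SAMPLE_CONN_LOG = """\
{"ts":"2019-04-04T20:34:24.698965Z","uid":"C1","id.orig_h":"192.168.144.130","id.orig_p":64277,"id.resp_h":"192.168.144.2","id.resp_p":53,"proto":"udp","service":"dns","duration":0.320463,"conn_state":"SF"}
{"ts":"2019-04-04T20:35:01.000000Z","uid":"C2","id.orig_h":"192.168.144.130","id.orig_p":50000,"id.resp_h":"10.0.0.5","id.resp_p":443,"proto":"tcp","service":"ssl","duration":120.5,"conn_state":"SF"}
{"ts":"2019-04-04T20:36:00.000000Z","uid":"C3","id.orig_h":"192.168.144.130","id.orig_p":50001,"id.resp_h":"10.0.0.5","id.resp_p":443,"proto":"tcp","service":"ssl","duration":200.25,"conn_state":"SF"}
{"ts":"2019-04-04T20:37:00.000000Z","uid":"C4","id.orig_h":"192.168.144.130","id.orig_p":50002,"id.resp_h":"203.0.113.9","id.resp_p":22,"proto":"tcp","conn_state":"S0"}
{"ts":"2019-04-04T20:38:00.000000Z","uid":"C5","id.orig_h":"192.168.144.130","id.orig_p":8,"id.resp_h":"198.51.100.7","id.resp_p":0,"proto":"icmp","duration":300.0,"conn_state":"OTH"}
"""


def parse_conn_log(text: str) -> Iterator[dict]:
    """Yield one dict per record; Zeek JSON logs are newline-delimited JSON."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError as exc:
            # A truncated line (log rotated mid-write) should not abort the run.
            print(f"skipping malformed line {lineno}: {exc}")


def _has_duration(rec: dict) -> bool:
    # Zeek omits the field entirely when it is unset, so check presence and type.
    return isinstance(rec.get("duration"), (int, float))


def longest_connection(records: Iterable[dict]) -> Optional[dict]:
    """Record with the largest duration (jq: -s 'max_by(.duration)').

    Records without a duration are ignored; returns None if none qualify."""
    timed = [r for r in records if _has_duration(r)]
    return max(timed, key=lambda r: r["duration"], default=None)


def total_duration_by_dest(records: Iterable[dict]) -> Dict[str, float]:
    """Sum of connection durations per responder IP (field name has a literal dot)."""
    totals: Dict[str, float] = defaultdict(float)
    for r in records:
        if _has_duration(r):
            totals[r["id.resp_h"]] += r["duration"]
    return dict(totals)


def top_destinations(records: Iterable[dict], n: int = 5) -> List[Tuple[str, float]]:
    """Destinations ranked by total time connected, largest first."""
    totals = total_duration_by_dest(records)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    recs = list(parse_conn_log(SAMPLE_CONN_LOG))
    top = longest_connection(recs)
    print("longest single connection:", top["id.resp_h"], top["duration"])
    for host, total in top_destinations(recs):
        print(f"{host:16} {total:10.3f}s total")
```

On the sample data the single longest connection is the ICMP record to 198.51.100.7, but the destination with the most time connected overall is 10.0.0.5 across two TLS sessions; against a real conn.log it is worth running both views before deciding which host to look at next.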