Ejemplo n.º 1
    # Check for unknown args
    # parse_known_args() leaves unrecognised tokens in `commands`; treat them
    # as a usage error rather than silently ignoring a mistyped flag
    if commands:
        print('Unrecognized args: %s' % commands)
        sys.exit(1)

    # Sanity check that this is a ssl log
    # NOTE(review): this is a substring test on the *path*, not on the log's
    # own #path header — a file such as ~/ssl_captures/dns.log passes it, and
    # a non-ssl log then only fails later with KeyError on 'issuer'
    if 'ssl' not in args.zeek_log:
        print('This example only works with Zeek ssl.log files..')
        sys.exit(1)

    # File may have a tilde in it
    if args.zeek_log:
        args.zeek_log = os.path.expanduser(args.zeek_log)

        # Run the zeek reader on the ssl.log file looking for potential Tor connections
        # `args.t` presumably comes from a '-t' (tail) flag defined above this
        # fragment — confirm against the parser definition
        reader = zeek_log_reader.ZeekLogReader(args.zeek_log, tail=args.t)
        # Just a counter to keep an eye on how many possible Tor connections we identify
        # (not incremented within the lines shown here)
        number = 0
        # An empty list to use for the port statistics; every row's destination
        # port is appended below, so it grows without bound while tailing
        ports = []

        for row in reader.readrows():
            # Add the destination port to the list of ports
            ports.append(row['id.resp_p'])
            # Pull out the Certificate Issuer
            try:
                issuer = row['issuer']
            except KeyError:
                # NOTE(review): the loop body continues past this fragment; as
                # shown, the message is printed but the row is not skipped, so
                # `issuer` may be unbound on the lines that follow — confirm
                print(
                    'Could not find the issuer field in your ssl.log. Please verify your log file.'
                )
Ejemplo n.º 2
 def _get_field_info(self, log_filename):
     """Internal Method: read a Zeek log's header with the ZAT log reader.

     Returns a ``(field_names, field_types)`` pair taken from the header of
     ``log_filename``; the other two header elements are discarded.  Relies
     on the reader's private ``_parse_zeek_header`` helper, so it is tied to
     ZAT's internal return layout (a 4-tuple).
     """
     header_reader = zeek_log_reader.ZeekLogReader(log_filename)
     parsed_header = header_reader._parse_zeek_header(log_filename)
     # Header tuple layout: (<unused>, names, types, <unused>)
     _first, names, types, _last = parsed_header
     return names, types
Ejemplo n.º 3
if __name__ == '__main__':
    # Example: stream every row of a Zeek log through ZeekLogReader and
    # pretty-print it.  Usage: <script> [-t] <path-to-zeek-log>

    # Command-line interface: one required log path plus an optional tail flag
    parser = argparse.ArgumentParser()
    parser.add_argument('zeek_log', type=str,
                        help='Specify a zeek log to run ZeekLogReader test on')
    parser.add_argument('-t', '--tail', action='store_true',
                        help='Turn on log tailing')
    args, extra_args = parser.parse_known_args()

    # parse_known_args() keeps unknown tokens instead of erroring; treat any
    # leftover as a usage error so a mistyped flag is not silently ignored
    if extra_args:
        print('Unrecognized args: %s' % extra_args)
        sys.exit(1)

    # Expand a leading '~' so the reader receives a usable filesystem path
    if args.zeek_log:
        args.zeek_log = os.path.expanduser(args.zeek_log)

        # strict=True is passed through to the reader; its exact effect is
        # defined in ZeekLogReader — presumably stricter header/type checking
        log_reader = zeek_log_reader.ZeekLogReader(args.zeek_log,
                                                   tail=args.tail,
                                                   strict=True)
        # With --tail this loop never returns on its own
        for record in log_reader.readrows():
            pprint(record)
Ejemplo n.º 4
        try:
            # NOTE(review): pickle.load() instantiates whatever the file names,
            # so anyone able to write vtq.pkl in the working directory controls
            # what this process deserialises. A plain-data cache format (JSON)
            # would remove that exposure. The file object is also never closed
            # explicitly; prefer `with open('vtq.pkl', 'rb') as fh:`.
            vtq = pickle.load(open('vtq.pkl', 'rb'))
            # `vtq.size` presumably reports the number of cached entries — confirm in vt_query
            print('Opening VirusTotal Query Cache (cache_size={:d})...'.format(vtq.size))
        except IOError:
            # No cache on disk yet: start a fresh query object. Only open()
            # failures land here — a truncated or corrupt pickle raises
            # EOFError/UnpicklingError and escapes this handler
            vtq = vt_query.VTQuery(max_cache_time=60*24*7) # One week cache

        # See our 'Risky Domains' Notebook for the analysis and
        # statistical methods used to compute this risky set of TLDs
        risky_tlds = set(['info', 'tk', 'xyz', 'online', 'club', 'ru', 'website', 'in', 'ws',
                          'top', 'site', 'work', 'biz', 'name', 'tech', 'loan', 'win', 'pro'])

        # Launch long lived process with signal catcher
        # `save_vtq` is defined outside this fragment; presumably a callback
        # that writes `vtq` back to disk when the process is signalled — confirm
        with signal_utils.signal_catcher(save_vtq):

            # Run the zeek reader on the dns.log file looking for risky TLDs
            # (no tail= argument, so ZeekLogReader's default applies)
            reader = zeek_log_reader.ZeekLogReader(args.zeek_log)
            for row in reader.readrows():

                # Pull out the TLD
                # row['query'] raises KeyError if this is not a dns.log
                query = row['query']
                tld = tldextract.extract(query).suffix

                # Check if the TLD is in the risky group
                # Note: tldextract's suffix can be multi-label (e.g. 'co.uk'),
                # which never equals a single-label entry of risky_tlds
                if tld in risky_tlds:
                    # Make the query with the full query
                    # One VirusTotal lookup per matching row; repeats are
                    # presumably absorbed by vtq's own cache — confirm
                    results = vtq.query_url(query)
                    if results.get('positives', 0) > 3: # At least four hits
                        print('\nRisky Domain DNS Query Found')
                        print('From: {:s} To: {:s} QType: {:s} RCode: {:s}'.format(row['id.orig_h'],
                               row['id.resp_h'], row['qtype_name'], row['rcode_name']))
                        pprint(results)
Ejemplo n.º 5
        print('This example only works with Zeek x509.log files..')
        sys.exit(1)

    # File may have a tilde in it
    if args.zeek_log:
        args.zeek_log = os.path.expanduser(args.zeek_log)

        # These domains may be spoofed with a certificate issued by 'Let's Encrypt'
        # NOTE(review): matched below with a plain substring test, so e.g.
        # 'apple' also hits 'pineapple.example' and 'gmail' hits 'gmailer' —
        # expect false positives on legitimate subjects
        spoofed_domains = set(
            ['paypal', 'gmail', 'google', 'apple', 'ebay', 'amazon'])

        # Modification: List out known ioc domains for testing
        # NOTE(review): not referenced anywhere in this fragment; either wire
        # it into the subject check below or drop it
        ioc_domains = set(['ioc1', 'ioc2', 'ioc3'])

        # Run the zeek reader on the x509.log file looking for spoofed domains
        # NOTE(review): tail is hard-coded True, so a finished log file leaves
        # the process blocked waiting for new lines; no CLI flag controls
        # this in the lines shown
        reader = zeek_log_reader.ZeekLogReader(
            args.zeek_log, tail=True)  # tail=False to turn off dynamic tailing
        for row in reader.readrows():

            # Pull out specified fields, i.e. Certificate Issuer
            # Both lookups raise KeyError on a log without these columns
            # (e.g. an ssl.log passed by mistake); the x509 check above this
            # fragment presumably only inspects the file name — confirm
            issuer = row['certificate.issuer']
            subject = row['certificate.subject']

            # Include here other fields necessary for testing

            # Issuer is also a substring match: any issuer string containing
            # "Let's Encrypt" qualifies
            if "Let's Encrypt" in issuer:

                # Check if the certificate subject has any spoofed domains

                if any([domain in subject for domain in spoofed_domains]):
                    # As written the alert carries no identifying fields
                    # (row printing is commented out), so the operator cannot
                    # tell which connection or subject triggered it
                    print('\n<<< Suspicious Certificate Found >>>')
                    #pprint(row)