# Check for unknown args if commands: print('Unrecognized args: %s' % commands) sys.exit(1) # Sanity check that this is a ssl log if 'ssl' not in args.zeek_log: print('This example only works with Zeek ssl.log files..') sys.exit(1) # File may have a tilde in it if args.zeek_log: args.zeek_log = os.path.expanduser(args.zeek_log) # Run the zeek reader on the ssl.log file looking for potential Tor connections reader = zeek_log_reader.ZeekLogReader(args.zeek_log, tail=args.t) # Just a counter to keep an eye on how many possible Tor connections we identify number = 0 # A empty list to use for the port statistics ports = [] for row in reader.readrows(): # Add the destination port to the list of ports ports.append(row['id.resp_p']) # Pull out the Certificate Issuer try: issuer = row['issuer'] except KeyError: print( 'Could not find the issuer field in your ssl.log. Please verify your log file.' )
def _get_field_info(self, log_filename):
    """Read a Zeek log's header and return its column names and types.

    Args:
        log_filename: path of the Zeek log whose header is parsed.

    Returns:
        A ``(field_names, field_types)`` pair, taken from the second and
        third elements of the tuple the ZAT header parser produces.
    """
    # NOTE(review): this reaches into a private method of the ZAT reader
    # (_parse_zeek_header); it has no stability guarantee, so a ZAT
    # upgrade can break it silently — confirm a public accessor exists.
    header_reader = zeek_log_reader.ZeekLogReader(log_filename)
    parsed = header_reader._parse_zeek_header(log_filename)
    # The parser returns a 4-tuple; only names and types are of interest
    _, field_names, field_types, _ = parsed
    return field_names, field_types
if __name__ == '__main__':
    # Example driver: read one Zeek log (optionally tailing it) with
    # ZeekLogReader and pretty-print every parsed row.
    parser = argparse.ArgumentParser()
    parser.add_argument(
        'zeek_log', type=str,
        help='Specify a zeek log to run ZeekLogReader test on')
    parser.add_argument(
        '-t', '--tail', action='store_true',
        help='Turn on log tailing')
    args, commands = parser.parse_known_args()

    # Tokens argparse did not consume are an error rather than being
    # silently dropped
    if commands:
        print('Unrecognized args: {}'.format(commands))
        sys.exit(1)

    # Expand a leading '~' so the reader receives a real filesystem path
    if args.zeek_log:
        args.zeek_log = os.path.expanduser(args.zeek_log)

    # NOTE(review): strict=True is passed straight through to
    # ZeekLogReader; what it tightens is defined there — confirm.
    reader = zeek_log_reader.ZeekLogReader(
        args.zeek_log, tail=args.tail, strict=True)
    for record in reader.readrows():
        pprint(record)
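# Reload the persisted VirusTotal query cache if one exists, otherwise
# start with an empty cache that keeps results for one week.
# NOTE(review): pickle.load reconstructs arbitrary objects from the file
# it reads, so 'vtq.pkl' must only ever be written by this tool and must
# live in a directory other users cannot write to; a JSON or otherwise
# data-only cache format would remove that exposure entirely.
try:
    # The context manager closes the handle; the original left the file
    # object open until garbage collection.
    with open('vtq.pkl', 'rb') as cache_file:
        vtq = pickle.load(cache_file)
    print('Opening VirusTotal Query Cache (cache_size={:d})...'.format(vtq.size))
except IOError:
    vtq = vt_query.VTQuery(max_cache_time=60*24*7)  # One week cache

# See our 'Risky Domains' Notebook for the analysis and
# statistical methods used to compute this risky set of TLDs
risky_tlds = {'info', 'tk', 'xyz', 'online', 'club', 'ru', 'website', 'in',
              'ws', 'top', 'site', 'work', 'biz', 'name', 'tech', 'loan',
              'win', 'pro'}

# Launch long lived process with signal catcher.
# NOTE(review): signal_catcher presumably runs save_vtq when the process
# receives a signal, so the cache is persisted on interrupt — confirm.
with signal_utils.signal_catcher(save_vtq):
    # Run the zeek reader on the dns.log file looking for risky TLDs
    reader = zeek_log_reader.ZeekLogReader(args.zeek_log)
    for row in reader.readrows():
        # Pull out the TLD (public suffix) of the queried name
        query = row['query']
        tld = tldextract.extract(query).suffix

        # Only names under a risky TLD are sent to VirusTotal; everything
        # else is skipped without a lookup
        if tld in risky_tlds:
            # Make the query with the full query name
            results = vtq.query_url(query)
            # Report only when at least four engines flagged the name
            if results.get('positives', 0) > 3:
                print('\nRisky Domain DNS Query Found')
                print('From: {:s} To: {:s} QType: {:s} RCode: {:s}'.format(
                    row['id.orig_h'], row['id.resp_h'],
                    row['qtype_name'], row['rcode_name']))
                pprint(results)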
# Reached when the log name failed the x509 check; the guarding 'if'
# precedes this fragment. Note that the check is on the path string, not
# the file's contents.
print('This example only works with Zeek x509.log files..')
sys.exit(1)

# File may have a tilde in it; expand it before handing the path over
if args.zeek_log:
    args.zeek_log = os.path.expanduser(args.zeek_log)

# These domains may be spoofed with a certificate issued by 'Let's Encrypt'.
# Matching below is a plain substring test against the certificate
# subject, so e.g. 'applebees' would also match 'apple'.
spoofed_domains = set(
    ['paypal', 'gmail', 'google', 'apple', 'ebay', 'amazon'])

# Modification: List out known ioc domains for testing.
# NOTE(review): ioc_domains is defined but not consulted anywhere in the
# loop below; either wire it into the subject check or drop it.
ioc_domains = set(['ioc1', 'ioc2', 'ioc3'])

# Run the zeek reader on the x509.log file looking for spoofed domains
reader = zeek_log_reader.ZeekLogReader(
    args.zeek_log, tail=True)  # tail=False to turn off dynamic tailing
for row in reader.readrows():
    # Pull out specified fields, i.e. Certificate Issuer.
    # Both lookups raise KeyError if the column is missing from the log;
    # there is no fallback here, unlike the ssl.log example.
    issuer = row['certificate.issuer']
    subject = row['certificate.subject']
    # Include here other fields necessary for testing
    if "Let's Encrypt" in issuer:
        # Check if the certificate subject has any spoofed domains
        if any([domain in subject for domain in spoofed_domains]):
            print('\n<<< Suspicious Certificate Found >>>')
            #pprint(row)