zeek/zeek-aux
Version: 0.50-145
Handy auxiliary programs related to the use of the Zeek Network Security Monitor (https://www.zeek.org).

Installation is simple and standard:

```
./configure
make
make install
```
The "adtrace" utility is used to compute the network addresses that compose the internal and external nets that Zeek is monitoring. This program just reads a pcap (tcpdump) file and writes out the src MAC, dst MAC, src IP, dst IP for each packet seen in the file.

The zeek-archiver tool is a modern replacement for Zeek's historical log-archival process. For details, please refer to its dedicated README in the zeek-archiver subdirectory.
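To make concrete what "adtrace" extracts from a trace, here is an added Python example (not code from zeek-aux) that parses a classic pcap file, walks each Ethernet/IPv4 frame and records the src MAC, dst MAC, src IP and dst IP, then groups the addresses it saw into prefixes so the internal/external nets become visible. The sample pcap is constructed inline; the IPv4-only filter, the /24 grouping and the function names are this example's own choices, not adtrace's.

```python
"""Added example: an adtrace-style pcap walker (not zeek-aux code)."""
import struct
import ipaddress

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def adtrace(data: bytes):
    """Return [(src_mac, dst_mac, src_ip, dst_ip), ...] for every IPv4 frame."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng not supported here)")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled in this example")
    records = []
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 14:
            continue  # truncated frame, nothing usable
        dst_mac, src_mac = frame[0:6], frame[6:12]
        (ethertype,) = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4 or len(frame) < 34:
            continue  # assumption: like the README's description, only IP frames are reported
        ihl = (frame[14] & 0x0F) * 4
        if ihl < 20:
            continue  # malformed IPv4 header length
        src_ip = str(ipaddress.IPv4Address(frame[26:30]))
        dst_ip = str(ipaddress.IPv4Address(frame[30:34]))
        records.append((_mac(src_mac), _mac(dst_mac), src_ip, dst_ip))
    return records


def summarize_networks(records, prefixlen=24):
    """Count how often each /prefixlen appears as a src or dst address."""
    counts = {}
    for _src_mac, _dst_mac, src_ip, dst_ip in records:
        for ip in (src_ip, dst_ip):
            net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
            counts[net] = counts.get(net, 0) + 1
    return counts


# --- constructed sample pcap (two IPv4 frames plus one ARP frame that is skipped) ---
def _ipv4_header(src: str, dst: str) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def _frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def _record(ts: int, frame: bytes) -> bytes:
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame


MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    + _record(1609459200, _frame(MAC_B, MAC_A, ETHERTYPE_IPV4, _ipv4_header("10.0.0.5", "93.184.216.34")))
    + _record(1609459201, _frame(MAC_A, MAC_B, ETHERTYPE_IPV4, _ipv4_header("93.184.216.34", "10.0.0.5")))
    + _record(1609459202, _frame(MAC_B, MAC_A, ETHERTYPE_ARP, b"\x00" * 28))
)

if __name__ == "__main__":
    for row in adtrace(SAMPLE_PCAP):
        print("\t".join(row))
    print(summarize_networks(adtrace(SAMPLE_PCAP)))
```

Run on a real capture by replacing SAMPLE_PCAP with the file's bytes; the per-prefix counts are what you would eyeball to decide which nets belong in Zeek's local network definition.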
The "zeek-cut" utility reads ASCII Zeek logs on standard input and outputs them to standard output with only the specified columns (the column names can be found in each log file in the "#fields" header line). If no column names are specified, then "zeek-cut" simply outputs all columns.

There are several command-line options available to modify the output (run "zeek-cut -h" to see a list of all options). There are options to convert timestamps into human-readable format, and options to specify whether or not to include the format header lines in the output (by default, they're not included).

For example, the following command will output the three specified columns from conn.log with the timestamps from the "ts" column being converted to human-readable format:

```
cat conn.log | zeek-cut -d ts id.orig_h id.orig_p
```

The specified order of the column names determines the output order of the columns (i.e., "zeek-cut" can reorder the columns).

The "zeek-cut" utility can read the concatenation of one or more uncompressed ASCII log files (however, JSON format is not supported) produced by Zeek version 2.0 or newer, as long as each log file contains format header lines (these are the lines at the beginning of the file starting with "#"). In fact, "zeek-cut" can process the concatenation of multiple ASCII log files that have different column layouts.

To read a compressed log file, a tool such as "zcat" must be used to uncompress the file. For example, "zeek-cut" can read a group of compressed conn.log files with a command like this:

```
zcat conn.*.log.gz | zeek-cut
```
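The behaviour described above (header-driven column selection, reordering, timestamp conversion with -d, and tolerating concatenated logs with different "#fields" layouts) is easiest to understand from a small reimplementation. The following Python is an added example, not the zeek-aux C source: it honours the "#separator", "#fields", "#types" and "#unset_field" headers, resets its column map every time a new "#fields" line arrives, and converts any column whose "#types" entry is "time". The sample log is constructed inline; emitting the unset marker for a column that a given log lacks, the UTC strftime format and the function name are this example's own assumptions.

```python
"""Added example: a minimal zeek-cut clone for ASCII Zeek logs (not zeek-aux code)."""
import sys
from datetime import datetime, timezone


def zeek_cut(lines, columns=None, human_ts=False, ts_format="%Y-%m-%dT%H:%M:%S%z"):
    """Return the selected columns of each record, like `zeek-cut [-d] [columns...]`.

    `lines` is any iterable of log lines (one or more logs concatenated).
    Header lines (starting with '#') are consumed, never emitted.
    """
    sep = "\t"          # Zeek's default; overridden by the #separator header
    unset = "-"         # overridden by the #unset_field header
    fields, types, picks = [], [], []
    out = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator"):
                # This header is always space-delimited and carries an escape such as \x09.
                sep = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
                continue
            key, _, value = line.partition(sep)
            if key == "#fields":
                # A new layout begins here: rebuild the column map (this is what lets
                # concatenated logs with different layouts be processed).
                fields = value.split(sep)
                types = []
                wanted = columns if columns else fields
                # Assumption: a requested column missing from this log prints the unset marker.
                picks = [fields.index(c) if c in fields else None for c in wanted]
            elif key == "#types":
                types = value.split(sep)
            elif key == "#unset_field":
                unset = value
            continue  # #set_separator, #path, #open, #close, ... are ignored
        values = line.split(sep)
        row = []
        for idx in picks:
            if idx is None or idx >= len(values):
                row.append(unset)
                continue
            v = values[idx]
            if human_ts and idx < len(types) and types[idx] == "time" and v != unset:
                # Assumption: render as UTC in an ISO-like form; real zeek-cut uses local time.
                v = datetime.fromtimestamp(float(v), tz=timezone.utc).strftime(ts_format)
            row.append(v)
        out.append(sep.join(row))
    return out


# Constructed sample: two conn.log fragments with different column layouts, concatenated.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum",
    "1609459200.000000\tCabc1\t10.0.0.5\t52000\t93.184.216.34\t443\ttcp",
    "#close\t2021-01-01-00-00-05",
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tid.orig_h\tuid",
    "#types\ttime\taddr\tstring",
    "1609459260.500000\t10.0.0.7\tCdef2",
])

if __name__ == "__main__":
    args = sys.argv[1:]
    convert = "-d" in args
    cols = [a for a in args if a != "-d"] or None
    for record in zeek_cut(sys.stdin, cols, human_ts=convert):
        print(record)
```

Piping `zcat conn.*.log.gz | python3 zeek_cut.py -d ts id.orig_h id.orig_p` through this script gives the same three reordered columns as the zeek-cut invocation above; the second sample log lacks id.orig_p, so that column prints the unset marker for its records.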
A set of scripts used commonly for Zeek development. Note that none of these scripts are installed by 'make install'.

- extract-conn-by-uid: Extracts a connection from a trace file based on its UID found in Zeek's conn.log
- gen-mozilla-ca-list.rb: Generates a list of Mozilla SSL root certificates in a format readable by Zeek.
- update-changes: A script to maintain the CHANGES and VERSION files.
- git-show-fastpath: Show commits to the fastpath branch not yet merged into master.
- cpu-bench-with-trace: Run a number of Zeek benchmarks on a trace file.

The "rst" utility can be invoked by a Zeek script to terminate an established TCP connection by forging RST tear-down packets.