Wednesday, 30 October 2019

Zeek - Access Nested Data Structures of ::INFO

More of a reminder for myself.
I am doing an IR course; I went through the Zeek Lab and experimented. When I went back to review, I realized I had created the scripts within the VPN. The VPN has reset and I have lost the scripts I made. Do not do that again, Haydn!


One screenshot of my script was in my Google Doc (course notes), which saved me some time.

I wanted to write about an annoying thing I found when scripting: a difference between the new Zeek version and the slightly older version used in the course, namely how to access the nested structure of a protocol script's ::INFO record.

The Zeek Documentation:



I found the Writing Scripts tutorial overwhelming, and it was hard for me to see on a 1:1 basis what they were talking about.



Mostly this bit:


I was confused because the description of "TeamCymruMalwareHashRegistry::Match" is not in the code block they mention. See image below:

I have scripted in Python and written Bash scripts, but I was unable to understand what that section meant.
It was a bit frustrating.

The issue I was having between versions

The course was using an older version (2.6) and used RDP as an example. If you look at the RDP script for the current Zeek (3.0), the client machine variable is within the RDP::Info record. However, in the older version (2.6), it is passed to the rdp_connect_request event.

It took me a while to figure it out.

I did not know how to dig into the RDP::Info record, or the ::Info part of any of the other base scripts.


So in the 2.6 version of Zeek, we can print the client machine from RDP connections this way:

@load base/protocols/rdp

# Zeek 2.6: the cookie (which carries the client name) is an argument of the
# rdp_connect_request event, so it is printed directly.
event rdp_connect_request(c: connection, cookie: string)
{
    print cookie;
}




Whereas in the 3.0 version, it would look like:

@load base/protocols/rdp

# Zeek 3.0: the cookie is a field of the RDP::Info record, which is handed to
# the RDP::log_rdp event when the connection is logged; fields of the record
# are reached with the $ operator.
event RDP::log_rdp(rec: RDP::Info)
{
    print rec$cookie;
}

As you can see, accessing the ::Info record for RDP is quite different. The event name is listed in the documentation under Events; see the screenshot below.




An SSH script I wrote within http://try.bro.org/ is below. I chose to test with SSH because the website had an SSH PCAP to try.


Again, if you look at the current SSH script documentation, you will see something similar to RDP:





The output of the script is:





The Zeek documentation for writing scripts does explain using the $ sign to access nested data structures, but it does not explain how to access the ::INFO section. I just feel that it covers so much that it takes a while to reach that point. Hence this blog post, to remind me how to access nested data structures.
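To go with the RDP comparison above, here is a fuller 3.0-style SSH handler. It is an added example written for this post, not the script from try.bro.org, and the failed_by_client table is my own addition. It shows chaining $ through the nested conn_id record inside SSH::Info and checking optional fields with ?$ before reading them.

```zeek
# Added example (not from the original post): Zeek 3.x script handling the
# SSH::log_ssh event, which receives the nested SSH::Info record.
@load base/protocols/ssh

# Assumed helper state for this example: failed logins counted per client.
global failed_by_client: table[addr] of count &default=0;

event SSH::log_ssh(rec: SSH::Info)
{
    # rec$id is itself a record (conn_id) nested inside SSH::Info,
    # so $ is chained to reach the endpoint addresses and ports.
    local client = rec$id$orig_h;
    local server = rec$id$resp_h;

    # Fields declared &optional in SSH::Info (client, server, auth_success, ...)
    # may be unset; test with ?$ first, because reading an unset optional
    # field is a runtime error that aborts the handler.
    local client_banner = rec?$client ? rec$client : "<no client banner>";
    local server_banner = rec?$server ? rec$server : "<no server banner>";

    print fmt("%s -> %s:%s client=%s server=%s",
              client, server, rec$id$resp_p, client_banner, server_banner);

    if ( ! rec?$auth_success )
        {
        print "  authentication outcome not determined";
        return;
        }

    # auth_attempts has a default value in SSH::Info, so it is always set.
    if ( rec$auth_success )
        print fmt("  login succeeded after %d attempt(s)", rec$auth_attempts);
    else
        {
        ++failed_by_client[client];
        print fmt("  login failed (%d attempt(s)); failures from %s so far: %d",
                  rec$auth_attempts, client, failed_by_client[client]);
        }
}
```

Run it against a PCAP with `zeek -r ssh.pcap ssh_info.zeek`; each logged SSH session prints one block as the connection's SSH::Info record is written to ssh.log.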
