A former FOR572 student, John D, helpfully provided some useful command lines that you might be able to take advantage of, specifically while parsing Zeek's log files when they are written in JSON format. These commands use the jq utility, which is widely available for most operating systems. Another useful resource is the JSON and jq Quick Start Guide, which is used in FOR572 and provided as a public resource. Note that Zeek's JSON output keeps the connection identifier fields flat, so keys such as "id.orig_h" are literal key names (hence the quotes in the jq filters below), not nested objects.
Querying Zeek files:

dce_rpc.log

cat dce_rpc.log | jq '{ operation, "named_pipe", endpoint, ts, "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p" }'

- Example output:

{
  "operation": "NetrShareGetInfo",
  "named_pipe": "\\PIPE\\srvsvc",
  "endpoint": "srvsvc",
  "ts": 1536156415.286374,
  "id.orig_h": "172.16.6.11",
  "id.orig_p": 49395,
  "id.resp_h": "172.16.4.5",
  "id.resp_p": 445
}

files.log

cat files.log | jq '{ tx_hosts, rx_hosts, seen_bytes, filename, mime_type, extracted }'

- Example output:

{
  "tx_hosts": [
    "172.16.4.5"
  ],
  "rx_hosts": [
    "172.16.6.11"
  ],
  "seen_bytes": 189248,
  "filename": "Windows\\Temp\\perfmon\\ri.exe",
  "mime_type": "application/x-dosexec",
  "extracted": "extract-1536156434.599353-SMB-F6MJhN3kKoq5sNmygg"
}

ntlm.log

cat ntlm.log | jq '{ ts, "id.orig_h", "id.resp_h", username, hostname, domainname, "server_nb_computer_name" }'

- Example output:

{
  "ts": 1536156413.087253,
  "id.orig_h": "172.16.6.11",
  "id.resp_h": "172.16.4.5",
  "username": "spsql",
  "hostname": "BASE-RD-01",
  "domainname": "shieldbase",
  "server_nb_computer_name": "BASE-FILE"
}
smb_files.log

cat smb_files.log | jq '{ action, path, "id.orig_h", "id.resp_h", "times.accessed" }' | grep path | sort | uniq

(sort must run before uniq: uniq only collapses adjacent duplicates, so the original "uniq | sort" ordering leaves repeated paths in the output whenever the same share appears non-adjacently in the log.)

- Example output:

  "path": "\\\\172.16.4.4\\c$",
  "path": "\\\\172.16.4.5\\c$",
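The same field projections can be done without jq when the analysis has to move into a script, for example to correlate the NTLM username with the SMB share paths seen on the same client/server pair. The following is an added example written for this page, not John D's command lines or anything shipped with Zeek; the log lines it parses are constructed samples modelled on the example output above, and the helper names (parse_zeek_json, project, unique_paths, ntlm_users_by_share) are this example's own.

```python
"""Projecting and correlating fields from Zeek JSON logs (added example).

Zeek writes one JSON object per line, and the connection identifier keys
("id.orig_h", "id.resp_h", ...) are flat string keys, so selecting fields is
a plain dictionary lookup, the same thing the jq object-construction
filters above do.
"""
import json

# Constructed sample log lines modelled on the post's example output.
# Raw strings keep the JSON backslash escapes exactly as Zeek writes them.
DCE_RPC_LOG = r'''
{"ts":1536156415.286374,"id.orig_h":"172.16.6.11","id.orig_p":49395,"id.resp_h":"172.16.4.5","id.resp_p":445,"named_pipe":"\\PIPE\\srvsvc","endpoint":"srvsvc","operation":"NetrShareGetInfo"}
{"ts":1536156416.000001,"id.orig_h":"172.16.6.11","id.orig_p":49396,"id.resp_h":"172.16.4.5","id.resp_p":445,"named_pipe":"\\PIPE\\srvsvc","endpoint":"srvsvc","operation":"NetrShareEnum"}
'''

NTLM_LOG = r'''
{"ts":1536156413.087253,"id.orig_h":"172.16.6.11","id.orig_p":49395,"id.resp_h":"172.16.4.5","id.resp_p":445,"username":"spsql","hostname":"BASE-RD-01","domainname":"shieldbase","server_nb_computer_name":"BASE-FILE"}
'''

SMB_FILES_LOG = r'''
{"ts":1536156420.1,"id.orig_h":"172.16.6.11","id.orig_p":49395,"id.resp_h":"172.16.4.5","id.resp_p":445,"action":"SMB::FILE_OPEN","path":"\\\\172.16.4.5\\c$","name":"Windows\\Temp\\perfmon\\ri.exe"}
{"ts":1536156421.2,"id.orig_h":"172.16.6.11","id.orig_p":49397,"id.resp_h":"172.16.4.4","id.resp_p":445,"action":"SMB::FILE_OPEN","path":"\\\\172.16.4.4\\c$","name":"Windows\\Temp\\a.txt"}
{"ts":1536156422.3,"id.orig_h":"172.16.6.11","id.orig_p":49395,"id.resp_h":"172.16.4.5","id.resp_p":445,"action":"SMB::FILE_WRITE","path":"\\\\172.16.4.5\\c$","name":"Windows\\Temp\\perfmon\\ri.exe"}
'''


def parse_zeek_json(text):
    """Return one dict per non-empty line (Zeek JSON logs are line-delimited)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def project(records, fields):
    """Equivalent of jq '{ a, b, "id.orig_h" }': keep only the named keys.

    A key absent from a record becomes None, mirroring jq's null.
    """
    return [{f: r.get(f) for f in fields} for r in records]


def unique_paths(records):
    """Sorted, de-duplicated 'path' values (the grep | sort | uniq step)."""
    return sorted({r["path"] for r in records if "path" in r})


def ntlm_users_by_share(ntlm_records, smb_records):
    """Map each SMB share path to the NTLM usernames authenticated on the
    same client->server pair. Pairs with no NTLM record are reported as
    'unknown' rather than dropped, so unexplained share access stays visible."""
    users = {}
    for r in ntlm_records:
        users.setdefault((r["id.orig_h"], r["id.resp_h"]), set()).add(r["username"])
    by_share = {}
    for r in smb_records:
        key = (r["id.orig_h"], r["id.resp_h"])
        by_share.setdefault(r["path"], set()).update(users.get(key, {"unknown"}))
    return {path: sorted(names) for path, names in by_share.items()}


if __name__ == "__main__":
    dce = parse_zeek_json(DCE_RPC_LOG)
    ntlm = parse_zeek_json(NTLM_LOG)
    smb = parse_zeek_json(SMB_FILES_LOG)
    for row in project(dce, ["operation", "named_pipe", "endpoint", "id.orig_h", "id.resp_h"]):
        print(json.dumps(row))
    print(unique_paths(smb))
    print(json.dumps(ntlm_users_by_share(ntlm, smb), indent=2))
```

Running the script prints the projected dce_rpc rows, the two unique share paths, and a per-share list of NTLM users; the share on 172.16.4.4 shows "unknown" because the sample ntlm.log has no authentication for that server, which is exactly the kind of gap worth chasing in a real investigation.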