Converting a PCAP into Zeek logs and investigating the data
Use case for analysis
Let's learn how to take a PCAP from the malware-traffic-analysis.net website and transform it into Zeek logs using Brim. We will then break down the log files to see what patterns we can find. You'll learn how to use data from Zeek (a tool we overviewed in previous articles) during an investigation. And, we'll comb through the different log files and discuss what they mean and why they are useful.
Get your free course catalog
Tools and websites used
Brim
- Brim has many different capabilities
- For this article, we will use the tool to transform PCAP data into Zeek logs
- Brim has a great UI to explore Zeek logs in a 'user-friendly' manner
Malware-Traffic-Analysis website
- A website devoted to hosting various network traffic exercises and PCAP files
- We will explore the data in the "2015-01-09 Traffic analysis exercise - Windows host visits a website, gets EK traffic" exercise for this article
Environment setup
First, we will need to download the appropriate tools and files for this use case. I'll start by pulling the PCAP file from the malware-traffic-analysis.net website.
After I downloaded the PCAP file safely, I downloaded Brim for MacOS. You can find all the versions and platforms Brim supports to use the tool yourself.
I then uploaded the PCAP file to the Brim system and received the below output.
From here, we are now ready to explore the data. You can also use the questions provided on the malware-traffic-analysis.net website as a starting point if you wish to dive deeper into the data.
What does this data mean?
Brim took the PCAP and generated the associated Zeek log files from the data. We can see a breakdown of the type of activity seen in this capture from the above screenshot.
The below outlines the types of Zeek logs derived from this file that we care to look at:
- HTTP (contains HTTP requests and denies)
- files (results of file analysis, contains MD5s and SHA values)
- conn (records TCP/UDP/ICMP connections)
- notice (logs for activities that seem out of the ordinary)
Now let’s dive into a few of the common files produced by Zeek (as seen in the Brim UI). By exploring the "HTTP" logs, we can see the IP address of the host machine associated with this activity.
The "conn" log file shows us the data transferred between connection attempts. Looking at the overall number of bytes transferred to and from a system can help with baselining and identifying spikes in activity.
The "files" log file provides detailed information (MD5, SHA1, etc.) about files analyzed during Zeek’s analysis.
Zeek and Brim live demo
Our goal for this article was to show how to load a PCAP file into Brim and explore the various Zeek log files it creates. However, there are numerous websites and exercises available to practice your network traffic investigation skills if you’d like further practice.
In a recent Infosec Edge webcast, I walked through how to use data derived from a PCAP file to create Zeek logs (similar to what we did in this article) and then upload the data to an open-source SIEM (Elastic SIEM). Watch the Learn intrusion detection: Using Zeek and Elastic for incident response webinar below to learn more.
Want to learn more? Take my Advanced Intrusion Detection courses in Infosec Skills.
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- Converting a PCAP into Zeek logs and investigating the data
- What is zero trust architecture (ZTA)? Pillars of zero trust and trends for 2024
- A deep dive into network security protocols: Safeguarding digital infrastructure 2024
- Asset mapping and detection: How to implement the nuts and bolts
- The Pentagon goes all-in on Zero Trust
- How to configure a network firewall: Walkthrough
- 4 network utilities every security pro should know: Video walkthrough
- How to use Nmap and other network scanners
- Security engineers: The top 13 cybersecurity tools you should know
- Using Zeek for network analysis and detections
- Suricata: What is it and how can we use it
- Intrusion detection software best practices
- What is intrusion detection?
- How to use Wireshark for protocol analysis: Video walkthrough
- 9 best practices for network security
- Securing voice communications
- Introduction to SIEM (security information and event management)
- VPNs and remote access technologies
- Cellular Networks and Mobile Security
- Secure network protocols
- Network security (101)
- IDS/IPS overview
- Exploiting built-in network protocols for DDoS attacks
- Firewall types and architecture
- Wireless attacks and mitigation
- Wireless network overview
- Open source IDS: Snort or Suricata? [updated 2021]
- PCAP analysis basics with Wireshark [updated 2021]
- What is a firewall: An overview
- NSA report: Indicators of compromise on personal networks
- Securing the home office: Printer security risks (and mitigations)
- Email security
- Data integrity and backups
- Cost of non-compliance: 8 largest data breach fines and penalties
- How to find weak passwords in your organization’s Active Directory
- Monitoring business communication tools like Slack for data infiltration risks
- Firewalls and IDS/IPS
- IPv4 and IPv6 overview
- The OSI model and TCP/IP model
- Endpoint hardening (best practices)
- Wireless Networks and Security
- Networking fundamentals (for network security professionals)
- How your home network can be hacked and how to prevent it
- Network design: Firewall, IDS/IPS
- Work-from-home network traffic spikes: Are your employees vulnerable?
- RTS threshold configuration for improved wireless network performance [updated 2020]
- Web server protection: Web server security monitoring
- Web server security: Active defense
- Web server security: Infrastructure components
- Web server protection: Web application firewalls for web server protection
- Web server security: Command line-fu for web server protection
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
