taosecurity

Troubleshooting EQL with Zeek logs 01

Mar 18th, 2019
Running Security Onion.

so16@so16:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial

EQL installed.

so16@so16:~$ eql --version
eql 0.6.2

EQL works on sample data.

so16@so16:~$ eql query -f example.json "process where process_name == 'explorer.exe'"
{"command_line": "C:\\Windows\\Explorer.EXE", "event_subtype_full": "already_running", "event_type_full": "process_event", "md5": "ac4c51eb24aa95b77f705ab159189e24", "opcode": 3, "pid": 2460, "ppid": 3052, "process_name": "explorer.exe", "process_path": "C:\\Windows\\explorer.exe", "serial_event_id": 34, "timestamp": 131485997150000000, "unique_pid": 34, "unique_ppid": 0, "user_domain": "research", "user_name": "researcher"}

Sample Zeek conn.log.

so16@so16:~$ cat conn.log
{"ts":"2019-03-14T23:59:49.920582Z","uid":"CPQ9vC2my8sIGasb3a","id.orig_h":"192.168.4.57","id.orig_p":42051,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.000368,"orig_bytes":0,"resp_bytes":234,"conn_state":"SHR","local_orig":true,"local_resp":true,"missed_bytes":0,"history":"^d","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":2,"resp_ip_bytes":290,"sensorname":"so16-enp0s8"}
{"ts":"2019-03-14T23:59:00.699642Z","uid":"CiEbJY1e6EoUiEaBW4","id.orig_h":"173.230.144.109","id.orig_p":123,"id.resp_h":"192.168.4.18","id.resp_p":57878,"proto":"udp","conn_state":"S0","local_orig":false,"local_resp":true,"missed_bytes":0,"history":"D","orig_pkts":1,"orig_ip_bytes":76,"resp_pkts":0,"resp_ip_bytes":0,"sensorname":"so16-enp0s8"}

Plan to replace . with _

so16@so16:~$ cat conn.log | sed 's/\./_/g'
{"ts":"2019-03-14T23:59:49_920582Z","uid":"CPQ9vC2my8sIGasb3a","id_orig_h":"192_168_4_57","id_orig_p":42051,"id_resp_h":"192_168_4_1","id_resp_p":53,"proto":"udp","service":"dns","duration":0_000368,"orig_bytes":0,"resp_bytes":234,"conn_state":"SHR","local_orig":true,"local_resp":true,"missed_bytes":0,"history":"^d","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":2,"resp_ip_bytes":290,"sensorname":"so16-enp0s8"}
{"ts":"2019-03-14T23:59:00_699642Z","uid":"CiEbJY1e6EoUiEaBW4","id_orig_h":"173_230_144_109","id_orig_p":123,"id_resp_h":"192_168_4_18","id_resp_p":57878,"proto":"udp","conn_state":"S0","local_orig":false,"local_resp":true,"missed_bytes":0,"history":"D","orig_pkts":1,"orig_ip_bytes":76,"resp_pkts":0,"resp_ip_bytes":0,"sensorname":"so16-enp0s8"}

Create new file with no .

so16@so16:~$ cat conn.log | sed 's/\./_/g' > conn.mod.json

Show new file.

so16@so16:~$ cat conn.mod.json
{"ts":"2019-03-14T23:59:49_920582Z","uid":"CPQ9vC2my8sIGasb3a","id_orig_h":"192_168_4_57","id_orig_p":42051,"id_resp_h":"192_168_4_1","id_resp_p":53,"proto":"udp","service":"dns","duration":0_000368,"orig_bytes":0,"resp_bytes":234,"conn_state":"SHR","local_orig":true,"local_resp":true,"missed_bytes":0,"history":"^d","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":2,"resp_ip_bytes":290,"sensorname":"so16-enp0s8"}
{"ts":"2019-03-14T23:59:00_699642Z","uid":"CiEbJY1e6EoUiEaBW4","id_orig_h":"173_230_144_109","id_orig_p":123,"id_resp_h":"192_168_4_18","id_resp_p":57878,"proto":"udp","conn_state":"S0","local_orig":false,"local_resp":true,"missed_bytes":0,"history":"D","orig_pkts":1,"orig_ip_bytes":76,"resp_pkts":0,"resp_ip_bytes":0,"sensorname":"so16-enp0s8"}

Try query.

so16@so16:~$ eql query -f conn.mod.json "any where id_orig_h == '192_168_4_57'"
Traceback (most recent call last):
  File "/home/so16/.local/bin/eql", line 11, in <module>
    sys.exit(main())
  File "/home/so16/.local/lib/python2.7/site-packages/eql/main.py", line 90, in main
    parsed.func(parsed)
  File "/home/so16/.local/lib/python2.7/site-packages/eql/main.py", line 60, in query
    engine.stream_events(stream, finalize=False)
  File "/home/so16/.local/lib/python2.7/site-packages/eql/engines/native.py", line 1205, in stream_events
    for event in events:
  File "/home/so16/.local/lib/python2.7/site-packages/eql/utils.py", line 172, in stream_file_events
    for event in stream_events(handle, file_format=file_format):
  File "/home/so16/.local/lib/python2.7/site-packages/eql/utils.py", line 204, in stream_events
    return json.load(fileobj)
  File "/usr/lib/python2.7/json/__init__.py", line 291, in load
    **kw)
  File "/usr/lib/python2.7/json/__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 380, in raw_decode
    obj, end = self.scan_once(s, idx)
ValueError: Expecting ',' delimiter: line 1 column 192 (char 191)
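As an added example (not part of the paste), this Python 3 script does what the sed one-liner was meant to do: it renames only the Zeek field names from dotted to underscored, leaves the values (IPs, timestamps, the float `duration`) intact, and writes the events as one JSON array, the single document that the `json.load()` call in the traceback reads. It also reproduces the `(char 191)` offset from the error message to show exactly where the sed output stops being valid JSON. The output file name `conn.eql.json` is my choice, and it assumes eql reads a `.json` file as one JSON document, as the traceback indicates.

```python
import json

# Constructed sample input: the two conn.log records from the paste, as Zeek writes them
# (newline-delimited JSON, one object per line, with dotted field names such as id.orig_h).
CONN_LOG = r'''{"ts":"2019-03-14T23:59:49.920582Z","uid":"CPQ9vC2my8sIGasb3a","id.orig_h":"192.168.4.57","id.orig_p":42051,"id.resp_h":"192.168.4.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.000368,"orig_bytes":0,"resp_bytes":234,"conn_state":"SHR","local_orig":true,"local_resp":true,"missed_bytes":0,"history":"^d","orig_pkts":0,"orig_ip_bytes":0,"resp_pkts":2,"resp_ip_bytes":290,"sensorname":"so16-enp0s8"}
{"ts":"2019-03-14T23:59:00.699642Z","uid":"CiEbJY1e6EoUiEaBW4","id.orig_h":"173.230.144.109","id.orig_p":123,"id.resp_h":"192.168.4.18","id.resp_p":57878,"proto":"udp","conn_state":"S0","local_orig":false,"local_resp":true,"missed_bytes":0,"history":"D","orig_pkts":1,"orig_ip_bytes":76,"resp_pkts":0,"resp_ip_bytes":0,"sensorname":"so16-enp0s8"}'''


def sed_style_rewrite(line):
    """What the sed one-liner does: every '.' becomes '_', in keys AND values."""
    return line.replace(".", "_")


def parse_error_position(text):
    """Character offset at which json rejects `text`, or None if it is valid JSON."""
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return exc.pos
    return None


def rename_keys(record):
    """Zeek's dotted field names (id.orig_h) become id_orig_h; values are left alone."""
    return {key.replace(".", "_"): value for key, value in record.items()}


def convert_conn_log(ndjson_text):
    """Parse newline-delimited Zeek JSON and return the records with renamed keys."""
    return [rename_keys(json.loads(line)) for line in ndjson_text.splitlines() if line.strip()]


def to_eql_json(ndjson_text):
    """Serialize as a single JSON array: one document, which is what json.load() reads."""
    return json.dumps(convert_conn_log(ndjson_text))


if __name__ == "__main__":
    # Reproduce the failure: the number 0.000368 became 0_000368, and the parser stops
    # right after the leading 0, at char 191 (column 192), where it expected ',' or '}'.
    broken = sed_style_rewrite(CONN_LOG.splitlines()[0])
    pos = parse_error_position(broken)
    print("sed output fails at char", pos, "->", repr(broken[pos - 11:pos + 8]))

    # Write the repaired events; conn.eql.json is an assumed file name for this example.
    with open("conn.eql.json", "w") as handle:
        handle.write(to_eql_json(CONN_LOG))
    print("first event id_orig_h:", convert_conn_log(CONN_LOG)[0]["id_orig_h"])
```

Because the values are untouched, the original query runs against the new file with the address kept dotted: `any where id_orig_h == '192.168.4.57'`.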