Top Tweets for #Zeekurity
#socat & #Zeek_IDS #Zeekurity remote connection / capture
(192.168.1.181) socat -d -d -d TCP4-LISTEN:7788 EXEC:/bin/bash
(1.50) socat -d -d - TCP4:192.168.1.181:7788
(1.50) sudo zeek -QCS -i enp0s25 -e 'redef LogAscii::use_json=T;' /usr/local/zeek/share/zeek/site/live.zeek

Short thread on #Zeek_IDS #Zeekurity and extraction && analysis of evidence using basic tools.
#Zeek_IDS #Zeekurity basics.
ag CE8vgo4cOz343lxbuc http.log --nonumber | jq .
ag CYMLpO2OEXMzfovA54 files.log --nonumber | jq .
cat extract_files/extract-1641914625.727687-HTTP-F9FELo4CUg6mKM6Akh
#olevba extract_files/HTTP-FXr1VC35SXNVSRzLsa.doc

#Zeekurity / #Zeek_IDS and the .zip
#cat files.log | jq 'select(.filename) |.'
#exiftool -a -v -ee -uU -g2 extract_files/extract-1571183204.15649-HTTP-FtMeTLw9vT3JBg7fi
#zipdump.py -v [-e] --pretty extract_files/extract-1571183204.15649-HTTP-FtMeTLw9vT3JBg7fi
#Zeekurity #Zeek_IDS & #csvlook
dce/rpc
cat dce_rpc.log | jq -c '[(.ts[0:19]),.uid,."id.orig_h",."id.resp_h",.named_pipe,.endpoint,.operation]' | tr -d '[]"' |sed '1its,uid,origen,destino, named_pipe,endpoint,operation'|csvlook|colout '.*Lsar.*' red reverse
@wisepds @alozanox89 Now seriously. A colleague installed it, but I seem to remember we discarded it because of the way it handles VLANs. In the end I'll install a @securityonion with #Zeekurity.
#Zeekurity/smb and associated
jq 'select(.service|. and contains("smb"))|[.uid,.["id.orig_h"],.["id.resp_h"],.conn_state,.history,.proto,.service,(.orig_pkts|@text),......]|@csv' conn.log|tr -d '"'|column -tenx -s"\\"|sed 's/,//1;s/,//1;s/,//1;s/,//1;s/,//1;s/,//1;s/,$//;s/ , //g;'
#Zeek_IDS/#Zeekurity notice.log (DNSMonitor).
ag email_dest
jq -c '[."id.orig_h",."id.resp_h",(.msg[0:140]),.note]'
I've split up with Security Onion. But we've stayed friends, on good terms.
I'm sticking with #SELKS (with IPS functions) and #Wazuh, with all its integrations included: #Suricata_IDS, #Zeekurity, Audit #Office365, #MITRE, #Vulnerabilities #Yara, #Virustotal, #Abuse ...
#Zeek_IDS #Zeekurity
jq 'select(.service=="http" or .service==".tls") conn.log| .uid'|..| xargs -I% grep % http.log > srvh ;cat srvh|jq -c 'select(.host!=null)|[.uid,.["id.orig_h"],.["id.orig_p"],"->",.["id.resp_h"],.["id.resp_p"],.method,.host,(.uri[0:80]|gsub(",";";")),...
#Zeek_IDS #Zeekurity signatures payload
signature log_smb {
......
header tcp[2:2] == 445 # destination port
tcp-state established,originator # responder
payload /.*.A.u.t.o.R.u.n...i.n.f..*/
event "CONEXION RECURSO DE RED AutoRun.inf"
}
#Zeek_IDS #Zeekurity #Shodan Zeek Integration
event new_connection(c: connection){
local a = InternetDB::lookup_internetdb_api(c$id$resp_h);
local b = InternetDB::lookup_internetdb_sqlite(c$id$resp_h);
NOTICE([$ts=current_time(),$note=Shodan_Zeek , $msg=fmt("Shodan API=...

#Zeek_IDS #Zeekurity
Got it!!! ;-)
cat notice.log | ag -v DNS |jq -c 'select(.uid)|[.uid,."id.orig_h",."id.resp_h",.note,.msg]'|tr -d '[]"' | column -t -s,
This was a bit too late to make the newsletter, but here is some great news – this is Microsoft’s pull request, now on the #Zeekurity GitHub:
https://t.co/tPKtOInLFH
The latest edition of the #Zeekurity newsletter is available. There should be no surprises if you watch other social media, but if you don't, this will get you up to speed. https://t.co/y9PFNH2f1q
#Zeek_IDS / #Zeekurity && #ICSNPP
Industrial Control Systems Network Protocol Parsers (ICSNPP).
Industrial Control Systems protocol parsers plugins for the Zeek network security monitoring framework.
https://t.co/RQAu8ynqnS

#Brim 0.31.0 is now #Zui.
(#Suricata_IDS. #Zeekurity, #Wireshark...)
alert
community_id=="1:aISyMn51wu5psZ7Nw8L3kExs/vY="
_path=="files" mime_type!="text/html" mime_type!="text/plain"

#Zeek_IDS #Zeekurity
cat pe.log|jq .id|xargs -I% ag % files.log --nonumber|jq -c '[(.ts[0:19]),.fuid,.filename,.source,.tx_hosts,.rx_hosts]'|tr -d '"[]'|ag -v null;echo;cat pe.log|jq .id|xargs -I% ag % http.log --nonumber|jq -c '[(.ts[0:19]),.uid,.method,.uri,."id.orig_h"...
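The pe.log -> files.log -> http.log join that the one-liner above does with jq/xargs (and the uid joins in the earlier conn.log/http.log pipelines), written in Python as an added example that is not the tweet author's code. Field names are Zeek's JSON log fields; the log records are constructed and the uids, fuids and hosts are made up.

```python
"""Correlate Zeek JSON logs (LogAscii::use_json=T): pe.log -> files.log -> http.log.

pe.log `id` is the file uid (fuid) of the analysed executable; files.log
`conn_uids` lists the connection uid(s) the file was carried over; http.log
`uid` is the connection uid. Joining on those two keys recovers the request
that delivered each PE file.
"""
import json
from typing import Dict, List

# Constructed sample records, one JSON object per line as Zeek writes them.
PE_LOG = """
{"ts":1641914625.7,"id":"FaBcDe1FuidPe00001","machine":"AMD64","is_exe":true,"is_64bit":true}
""".strip()
FILES_LOG = """
{"ts":1641914625.7,"fuid":"FaBcDe1FuidPe00001","tx_hosts":["203.0.113.10"],"rx_hosts":["192.168.1.50"],"conn_uids":["CuId0001exampleA"],"source":"HTTP","mime_type":"application/x-dosexec","filename":"update.exe"}
{"ts":1641914630.1,"fuid":"FzZz99FuidOther0002","tx_hosts":["203.0.113.10"],"rx_hosts":["192.168.1.50"],"conn_uids":["CuId0002exampleB"],"source":"HTTP","mime_type":"text/html"}
""".strip()
HTTP_LOG = """
{"ts":1641914625.5,"uid":"CuId0001exampleA","id.orig_h":"192.168.1.50","id.orig_p":49152,"id.resp_h":"203.0.113.10","id.resp_p":80,"method":"GET","host":"files.example.test","uri":"/dl/update.exe","resp_fuids":["FaBcDe1FuidPe00001"]}
{"ts":1641914630.0,"uid":"CuId0002exampleB","id.orig_h":"192.168.1.50","id.orig_p":49153,"id.resp_h":"203.0.113.10","id.resp_p":80,"method":"GET","host":"files.example.test","uri":"/index.html"}
""".strip()


def parse_log(text: str) -> List[dict]:
    """Parse a JSON-per-line Zeek log, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate_pe(pe_log: str, files_log: str, http_log: str) -> List[Dict[str, str]]:
    """For each PE in pe.log, return its files.log record joined with the
    http.log request(s) on the connection(s) that carried it."""
    files_by_fuid = {f["fuid"]: f for f in parse_log(files_log)}
    http_by_uid = {h["uid"]: h for h in parse_log(http_log)}
    rows = []
    for pe in parse_log(pe_log):
        f = files_by_fuid.get(pe["id"])
        if f is None:
            continue  # PE analysed but no file record (log rotation, etc.)
        for uid in f.get("conn_uids", []):
            h = http_by_uid.get(uid)
            rows.append({
                "fuid": pe["id"],
                "filename": f.get("filename", "-"),
                "tx_host": ",".join(f.get("tx_hosts", [])),
                "rx_host": ",".join(f.get("rx_hosts", [])),
                "uid": uid,
                "request": f'{h["method"]} {h["host"]}{h["uri"]}' if h else "-",
            })
    return rows


if __name__ == "__main__":
    for row in correlate_pe(PE_LOG, FILES_LOG, HTTP_LOG):
        print(" ".join(row.values()))
```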