Network Security Monitoring - Threat Hunting Snippets

Zeek

Retention

Retention of the archived logs under LogDir is set by the "expire" settings in zeekctl.cfg; "zeekctl cron" deletes anything older than the interval. LogExpireInterval takes an integer followed by a unit of day, hr or min; StatsLogExpireInterval (stats.log) and CrashExpireInterval (crash directories) are in days. A value of 0 means never expire, which is the zeekctl default. The settings below keep archived logs for only two hours, far too short for a daily RITA import or any retrospective hunt; size the interval to the hunt window (and the disk) instead.

In /opt/zeek/etc:

grep -i expire zeekctl.cfg | grep -v '#'
LogExpireInterval = 2 hr
StatsLogExpireInterval = 1
CrashExpireInterval = 1
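Before relying on the archived logs for a hunt it is worth checking that the expire settings actually keep them long enough. The script below is an added example, not from the original page or from the Zeek project: it parses zeekctl.cfg-style "Name = value" lines (assuming the format shown above, with day/hr/min units, no unit meaning days, and 0 meaning never expire), converts the interval to minutes, and warns when LogExpireInterval is shorter than a given window. The sample config it checks is constructed to mirror the grep output above.

```shell
#!/bin/sh
# Added example, not from the original page or from Zeek: sanity-check the
# zeekctl expire settings before a hunt. Assumes the zeekctl.cfg format shown
# above: "Name = <int> [day|hr|min]", no unit meaning days, 0 meaning never.

# Print the value of one setting from a zeekctl.cfg-style file, ignoring
# comment lines. Usage: zeekctl_setting FILE NAME
zeekctl_setting() {
    grep -v '^[[:space:]]*#' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
      | sed 's/[[:space:]]*$//' \
      | tail -n 1
}

# Convert an expire interval ("2 hr", "30 day", "1", "0") to minutes.
# "0" (never expire) is returned as -1 so callers can tell it apart.
expire_to_minutes() {
    set -- $1                      # split into number and optional unit
    n=$1; unit=${2:-day}
    case $n in
        ''|*[!0-9]*) echo "not an interval: '$*'" >&2; return 1 ;;
    esac
    [ "$n" -eq 0 ] && { echo -1; return 0; }
    case $unit in
        min) echo "$n" ;;
        hr)  echo $((n * 60)) ;;
        day) echo $((n * 1440)) ;;
        *)   echo "unknown unit: $unit" >&2; return 1 ;;
    esac
}

# Return 0 if LogExpireInterval in FILE keeps logs at least MIN_MINUTES
# (or never expires them); otherwise print a warning and return 1.
check_retention() {
    v=$(zeekctl_setting "$1" LogExpireInterval)
    if [ -z "$v" ]; then
        echo "LogExpireInterval not set; zeekctl's default 0 means never expire"
        return 0
    fi
    m=$(expire_to_minutes "$v") || return 1
    if [ "$m" -ge 0 ] && [ "$m" -lt "$2" ]; then
        echo "WARNING: LogExpireInterval = $v keeps archived logs only $m min;" \
             "zeekctl cron will delete them before a daily RITA import"
        return 1
    fi
    return 0
}

# Constructed sample mirroring the grep output above (not a real config).
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
# LogExpireInterval = 99 day   <- commented out, must be ignored
LogExpireInterval = 2 hr
StatsLogExpireInterval = 1
CrashExpireInterval = 1
EOF

if check_retention "$sample_cfg" 1440; then   # want at least one day
    echo "retention covers a daily hunt window"
fi
```

Run it against the real /opt/zeek/etc/zeekctl.cfg with the window you hunt over (1440 for a daily RITA import, more for retrospective work); the check deliberately treats an unset value as the zeekctl default of never expiring.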

Rita

# import one day of Zeek logs into a RITA dataset named "first"
rita import /opt/zeek/logs/2021-05-15/ first
# then query that dataset
rita show-useragents first          # user agents seen in the http logs
rita show-beacons-fqdn first        # beacon candidates grouped by destination FQDN
rita show-long-connections first    # longest-lived connections
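RITA's long-connection and beacon output is derived from Zeek's conn.log. As an added example (my own code, not RITA's or Zeek's), the awk functions below reproduce the first step of each directly over a conn.log: long_conns lists connections whose duration meets a threshold, and top_pairs counts connections per (source, destination, port) triple, the raw counts that beacon analysis then examines for regular timing. Column positions are taken from the #fields header rather than hard-coded, so the functions work on any conn.log layout that includes those field names. The sample log is constructed with a reduced field set; a real conn.log has more columns.

```shell
#!/bin/sh
# Added example, not RITA's or Zeek's code: the first step of RITA's
# long-connection and beacon analysis, done with awk over a Zeek conn.log.
# Column positions come from the #fields header, so the functions do not
# depend on a particular conn.log layout.

# Usage: long_conns CONN_LOG MIN_SECONDS
# Prints "orig_h resp_h resp_p duration" for every connection that lasted
# at least MIN_SECONDS, longest first. Connections with no duration ("-",
# e.g. unanswered SYNs) are skipped.
long_conns() {
    awk -F'\t' -v min="$2" '
        $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }                                   # other metadata lines
        {
            d = $(col["duration"])
            if (d == "-" || d + 0 < min + 0) next
            print $(col["id.orig_h"]), $(col["id.resp_h"]), $(col["id.resp_p"]), d
        }' "$1" | sort -k4,4nr
}

# Usage: top_pairs CONN_LOG
# Counts connections per (orig_h, resp_h, resp_p) triple, busiest first.
# Many short connections from one host to one destination are what beacon
# analysis then examines for regular timing.
top_pairs() {
    awk -F'\t' '
        $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        { n[$(col["id.orig_h"]) " " $(col["id.resp_h"]) " " $(col["id.resp_p"])]++ }
        END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr
}

# Constructed sample conn.log with a reduced field set (a real conn.log has
# more columns; the header-driven parsing above does not care).
write_sample_conn() {
    {
        printf '#separator \\x09\n'
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\n'
        printf '1621036800.0\tC1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\t86400.5\n'
        printf '1621036801.0\tC2\t10.0.0.5\t51001\t203.0.113.10\t443\ttcp\t0.9\n'
        printf '1621036861.0\tC3\t10.0.0.5\t51002\t203.0.113.10\t443\ttcp\t1.1\n'
        printf '1621036921.0\tC4\t10.0.0.5\t51003\t203.0.113.10\t443\ttcp\t0.8\n'
        printf '1621036900.0\tC5\t10.0.0.7\t40000\t198.51.100.2\t80\ttcp\t-\n'
        printf '1621036950.0\tC6\t10.0.0.7\t40001\t198.51.100.2\t22\ttcp\t7200\n'
    } > "$1"
}

sample=$(mktemp)
write_sample_conn "$sample"
echo "connections lasting an hour or more:"
long_conns "$sample" 3600
echo "busiest (orig_h, resp_h, resp_p) triples:"
top_pairs "$sample"
```

On a real day of logs, point the functions at the decompressed conn.log under /opt/zeek/logs/<date>/; reading the header instead of hard-coding column numbers is what keeps this from silently breaking when a Zeek upgrade or policy script adds a field.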

Passer

Capture LAN-internal traffic to feed the passive asset inventory (tshark)

# -F pcap: force classic pcap output instead of tshark's default pcapng
# -f: BPF capture filter, keeps only RFC 1918 to RFC 1918 traffic
# -w: output file (elided in the original)
tshark -F pcap -i ens192 \
  -f "src net (192.168.0.0/16 or 172.16.0.0/12 or 10.0.0.0/8) \
      and dst net (192.168.0.0/16 or 172.16.0.0/12 or 10.0.0.0/8)" \
  -w ...

Caveat: the filter keeps only internal-to-internal traffic, so a host whose only traffic goes to the internet never shows up in the inventory, and the capture interface must see LAN traffic (a SPAN or mirror port), not just the sensor's own uplink.