ZEEK(bro)基礎實踐三

處理指定行或以下幾行的shell腳本
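#!/usr/bin/env bash
# Print the lines that sit between consecutive "marker" lines of a file.
#
# A marker is a line holding exactly one lowercase letter (awk /^[a-z]$/),
# exactly as in the original one-liner.  For each pair of adjacent markers at
# line numbers m1 < m2, the lines strictly between them are printed when
# m2 - m1 > 2, i.e. when at least two lines separate the two markers.
#
# Usage: script.sh [file]        (defaults to ./file.txt like the original)
#
# Fixes versus the original:
#   * `[[ $N > 2 ]]` is a *string* comparison inside [[ ]], so a gap of 10
#     ("10" sorts before "2") was silently skipped; the test is now arithmetic.
#   * marker line numbers are kept in an array instead of a scratch line.txt
#     written into the current directory (predictable name, clobbers any
#     existing file, races with a second run).
#   * every expansion is quoted and the legacy `$[...]` form is gone.
print_gaps() {
  local file=$1
  local -a marks=()
  local i lo hi

  if [[ ! -r $file ]]; then
    printf 'print_gaps: cannot read %s\n' "$file" >&2
    return 1
  fi

  # 1-based line numbers of every marker line, in file order.
  mapfile -t marks < <(awk '/^[a-z]$/{print NR}' "$file")

  for (( i = 0; i + 1 < ${#marks[@]}; i++ )); do
    lo=${marks[i]}
    hi=${marks[i + 1]}
    # Only pairs more than two line numbers apart have a body worth printing
    # (a gap of exactly 2 means a single line in between, which is skipped,
    # matching the original N > 2 rule).
    if (( hi - lo > 2 )); then
      sed -n "$(( lo + 1 )),$(( hi - 1 ))p" "$file"
    fi
  done
}

print_gaps "${1:-file.txt}"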

awk帶變量的情況
2018-06-02;447956815999;2018-06-02 00:00:00
2018-06-03;447956815999;2018-06-03 00:00:00
2018-06-04;447956815999;2018-06-04 00:00:00
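# Select column 1 of the ';'-separated records whose 3rd column sorts before a
# cut-off timestamp.  The comparison is lexical on "YYYY-MM-DD HH:MM:SS",
# which orders chronologically only because the format is zero-padded and
# fixed width.
#
# Literal cut-off:
grep '2018-06' gprs_c* | grep '447956815999' \
  | awk -F ';' '$3 < "2018-06-03 00:00:00" { print $1 }'
# -> 2018-06-02

# Cut-off held in a shell variable.  Hand it to awk with -v rather than
# splicing it into the program text with '"$date1"': a value containing
# quotes or parentheses would otherwise be parsed and executed as awk code
# (program injection), and the program stays readable.  -v interprets
# backslash escapes in the value; if the value is untrusted and may contain
# backslashes, export it and read ENVIRON["date1"] inside awk instead.
date1="2018-06-03 00:00:00"
grep '2018-06' gprs_c* | grep '447956815999' \
  | awk -F ';' -v cutoff="$date1" '$3 < cutoff { print $1 }'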

檢索指定時間的入站信息
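# SSH connections seen outside working hours.
#
# Both pipelines rely on zeek-cut/bro-cut -d, which renders ts as a date
# string; the hour is taken from characters 12-13, which assumes the
# "YYYY-MM-DDTHH:MM:SS..." layout -- confirm against your zeek-cut output.
# Fix versus the original: the column was spelled "auth_sucess", which is not
# a field of ssh.log, so the cut never produced the intended 5th column.
#
# Columns: $1 ts  $2 id.orig_h  $3 id.resp_h  $4 auth_success  $5 direction
# Lines starting with '#' (header/footer lines, if -C is ever added) are
# skipped.
off_hours_inbound='
  /^#/ { next }
  $5 == "INBOUND" {
    hour = int(substr($1, 12, 2))
    if (hour < 9 || hour >= 17) print
  }'
cat ssh.log \
  | bro-cut -d ts id.orig_h id.resp_h auth_success direction \
  | awk -F'\t' "$off_hours_inbound" | less -S

# Same idea over a directory of logs, any direction, with a wider window
# (before 06:00 or after 18:59; the 18:xx hour itself is kept, as in the
# original `hour > 18`).
off_hours_any='
  /^#/ { next }
  { hour = int(substr($1, 12, 2)); if (hour < 6 || hour > 18) print }'
cat ./ssh/*.log \
  | /opt/zeek/bin/zeek-cut -d ts uid id.orig_h id.resp_h auth_success \
  | awk -F'\t' "$off_hours_any" | more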
 
檢索暴力猜解
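# SSH brute-force guessing: per (orig_h, resp_h) pair, count failed logins and
# report a success that follows a long run of failures.
#
# Fixes versus the original (a broken paste): "id.org_h" is not a field
# (id.orig_h); the test compared $5 with a non-existent $7, so every line
# counted as a failure and the success branch was unreachable; the reset
# deleted a differently named array ("fail" vs "fails") and sat outside the
# else, so it would have cleared the count on every line; the braces did not
# balance; and "tries" had no separating space.
#
# Columns after zeek-cut: $1 ts $2 uid $3 id.orig_h $4 id.resp_h
# $5 auth_success.  -C keeps the '#' header/footer lines, so they are skipped
# explicitly.  Anything other than "T" (including '-', i.e. Zeek could not
# tell) is counted as a failure, as in the original $5 != "T"; that may
# over-count on sessions Zeek could not classify.
ssh_bruteforce_success='
  /^#/ { next }
  {
    pair = $3 ":" $4
    if ($5 != "T") {
      fails[pair]++
    } else {
      if (fails[pair] > threshold)
        print $0 " after " fails[pair] " tries"
      delete fails[pair]      # a success ends the run
    }
  }'
zcat 2017-*/ssh*.gz | cat - current/ssh.log \
  | bro-cut -d -C ts uid id.orig_h id.resp_h auth_success \
  | awk -F'\t' -v threshold=20 "$ssh_bruteforce_success"

# Noisier variant: print every line of a pair once it has more than
# `threshold` failures.  The count is never reset, so every later line of
# that pair (including successes) is printed too.
ssh_bruteforce_any='
  /^#/ { next }
  {
    pair = $3 ":" $4
    if ($5 != "T") fails[pair]++
    if (fails[pair] > threshold) print
  }'
cat ./ssh/*.log \
  | /opt/zeek/bin/zeek-cut -d -C ts uid id.orig_h id.resp_h auth_success \
  | awk -F'\t' -v threshold=2 "$ssh_bruteforce_any"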
攻擊檢測：追蹤指定主機/埠在 software.log 中 unparsed_version 的每次變化
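# Print a software.log record each time the unparsed_version string seen for
# one host:port changes.
# Columns after zeek-cut -C -d: $1 ts $2 host $3 host_p $4 unparsed_version.
# -C keeps the '#' header/footer lines, so they are skipped.
#
# Fix versus the original: `$2=="8.8.8.8" $3=="22"` had no `&&`, so awk
# concatenated the two boolean results into a string ("00", "01", ...),
# which is non-empty and therefore always true -- the filter matched every
# line.  The host and port are passed with -v so they can be changed without
# editing the program.
host_ip=8.8.8.8
host_port=22
version_changes='
  /^#/ { next }
  $2 == ip && $3 == port {
    if (lastversion != $4) { print; lastversion = $4 }
  }'
cat software.log \
  | bro-cut -C -d ts host host_p unparsed_version \
  | awk -F'\t' -v ip="$host_ip" -v port="$host_port" "$version_changes"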

檢索ja3 ja3s
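# ja3 / ja3s fingerprints for one server name across rotated ssl logs.
# Fix versus the original: "gro-cut" is a typo for bro-cut (zeek-cut on
# current installs).  -F makes the '.' in the name literal; the grep is still
# unanchored, so any column containing the string matches -- filter on the
# server_name column in awk if that matters.
zcat ssl.* | bro-cut server_name resumed ja3 ja3s | grep -F -- 'ben.io'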
檢索地址
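# Connections whose 5th zeek-cut column equals the host held in $hostkeyword.
# With the default conn.log column order that is id.resp_h, but confirm it
# against the '#fields' header of your logs.
#
# Fix versus the original: $hostkeyword sat inside the single-quoted awk
# program, so the shell never expanded it; awk read "$hostkeyword" as the
# field numbered by an uninitialised variable (0), i.e. $0, and compared the
# column with the whole line -- it never matched.  The value is now handed to
# awk with -v, which also stops a crafted value from being parsed as awk code.
match_host='$5 == host { print }'
if [[ -z ${hostkeyword:-} ]]; then
  printf 'set hostkeyword to the host/IP to match\n' >&2
else
  cat ./conn/*.log \
    | /opt/zeek/bin/zeek-cut -d \
    | awk -F'\t' -v host="$hostkeyword" "$match_host"
fi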

過濾 ssl 版本及 加密算法

 cat ./ssl/*.log|/opt/zeek/bin/zeek-cut -d|awk '{split($0,a,"\t");if (a[7]=="TLSv12" && a[8]=="TLS_DHE_RSA_*") print $0}'

過濾 ja3

 cat ./ssl/*.log|/opt/zeek/bin/zeek-cut -d|awk '{split($0,a,"\t"); print a[21]}'|more

過濾某個特徵的證書

 cat ./ssl/*.log|/opt/zeek/bin/zeek-cut -d|awk '{split($0,a,"\t");if (a[17]=="CN=local") print $0}'

過濾user-agent

 cat ./http/*.log|/opt/zeek/bin/zeek-cut -d|awk '{split($0,a,"\t");if(a[3]~/1.1/ || a[5]~/1.1/) print a[1],a[2],a[3],a[5],a[13]}'|more

過濾 orig_bytes resp_bytes 同時大於0 的鏈接

# conn.log records with traffic in both directions: columns 10 and 11
# (orig_bytes / resp_bytes in the default order -- verify against '#fields')
# are both greater than zero.  A '-' placeholder does not look numeric, so
# awk compares it as a string and it fails the test; unknown byte counts
# are therefore excluded, as before.
cat ./conn/*.log | /opt/zeek/bin/zeek-cut -d | awk -F'\t' '$10 > 0 && $11 > 0' | more
