WEBVTT

00:00:01.924 --> 00:00:04.923
Now we're going to hop in the lab and see the

00:00:04.923 --> 00:00:06.923
installed tool along with its logs.

00:00:06.924 --> 00:00:09.924
We'll see the end state with the default configuration

00:00:09.924 --> 00:00:10.923
and the default scripts running.

00:00:10.924 --> 00:00:13.924
The logs and outputs are just the standard ones,

00:00:13.924 --> 00:00:17.923
and they're getting piped over to Splunk via Syslog.

00:00:17.924 --> 00:00:20.923
Of course, much more configuration and tuning is needed,

00:00:20.924 --> 00:00:23.209
but it's outside of the scope of this course since

00:00:23.209 --> 00:00:24.923
we're just trying to get started.

00:00:24.924 --> 00:00:28.923
You'll be installing and configuring this all in the next module.

00:00:28.924 --> 00:00:30.924
Before we hop in and explore this instance,

00:00:30.924 --> 00:00:33.924
I wanted to share this amazing resource with you.

00:00:33.924 --> 00:00:37.924
The Zeek Documentation Library, along with its community,

00:00:37.924 --> 00:00:40.924
are great for learning more about the program and its operations,

00:00:40.924 --> 00:00:44.924
as well as how to tune and script it in more advanced ways.

00:00:44.924 --> 00:00:48.923
Let's go explore really quickly.

00:00:48.924 --> 00:00:51.924
So here we are in my lab environment,

00:00:51.924 --> 00:00:54.924
and I'm logged into the CentOS 7 box that we're using for Zeek.

00:00:54.924 --> 00:00:57.924
I'm currently logged in as the user Zeek,

00:00:57.924 --> 00:01:01.174
which we'll go through and create later on in the course as

00:01:01.174 --> 00:01:02.924
we go through the installation of it.

00:01:02.924 --> 00:01:05.924
This box has Zeek fully installed and operational,

00:01:05.924 --> 00:01:08.924
which is the end state after we finish the course for you.

00:01:08.924 --> 00:01:13.923
So the default installation directory is /opt/zeek,

00:01:13.924 --> 00:01:15.923
and that's where we currently are.

00:01:15.924 --> 00:01:21.023
The specific directory, logs/current, is where we'll go to see our

00:01:21.023 --> 00:01:23.924
system in operation and see the events that have flags.

00:01:23.924 --> 00:01:25.924
Doing an ip add command,

00:01:25.924 --> 00:01:30.923
we're using ens192 for our management and the two others for monitoring.

00:01:30.924 --> 00:01:33.923
I have them on the same subnet and VLAN,

00:01:33.924 --> 00:01:36.924
so they're both getting the exact same traffic.

00:01:36.924 --> 00:01:37.924
But if you wanted to,

00:01:37.924 --> 00:01:40.923
you can have them monitor separate VLANs or networks

00:01:40.924 --> 00:01:42.924
to see your whole environment.

00:01:42.924 --> 00:01:48.924
Going here to the /etc folder, we have our configuration files for Zeek.

00:01:48.924 --> 00:01:52.923
The node.cfg is the one that we'll be messing with during the installation.

00:01:52.924 --> 00:01:54.124
Opening it up,

00:01:54.124 --> 00:01:58.638
here is where our interfaces are defined in both the standalone

00:01:58.638 --> 00:02:02.023
and clustered configurations, and we tell Zeek what interfaces to

00:02:02.023 --> 00:02:03.924
use for what and how to use them.

00:02:03.924 --> 00:02:08.924
Now I'm going into the logs folder so we can see what we have going on.

00:02:08.924 --> 00:02:09.824
Listing the contents,

00:02:09.824 --> 00:02:12.923
we have a whole bunch of logs that are being labeled intelligently

00:02:12.924 --> 00:02:15.923
based on the events and their classifications.

00:02:15.924 --> 00:02:18.924
Let's look at some of these really quickly.

00:02:18.924 --> 00:02:20.124
Seeing the DHCP log,

00:02:20.124 --> 00:02:23.287
we have a lot of information based on the Windows 10

00:02:23.287 --> 00:02:24.924
machine getting an IP address lease.

00:02:24.924 --> 00:02:27.924
It shows us the specifics of the DHCP requests.

00:02:27.924 --> 00:02:29.924
So because of this,

00:02:29.924 --> 00:02:33.924
we know our Zeek application is configured and turned on

00:02:33.924 --> 00:02:35.924
and is actually monitoring the network.

00:02:35.924 --> 00:02:40.257
I also have these logs piped over to Splunk so that we can

00:02:40.257 --> 00:02:42.924
see the data a little bit more visually.

00:02:42.924 --> 00:02:49.923
Let's go ahead and search for this host, which is the 30.8 IP address.

00:02:49.924 --> 00:02:52.924
As you can see here, we have our data coming in.

00:02:52.924 --> 00:02:55.924
There are a lot of different source types that we can see

00:02:55.924 --> 00:02:57.924
just like in the logs folder on Zeek.

00:02:57.924 --> 00:03:01.524
I have it sending everything in that log folder over to

00:03:01.524 --> 00:03:03.924
Splunk so that we can see it all.

00:03:03.924 --> 00:03:06.257
We'll look at the weird.log events here,

00:03:06.257 --> 00:03:10.924
and as you can see, we have some weird traffic from the hosts.

00:03:10.924 --> 00:03:14.014
This is one of the cool logs in my opinion because it shows

00:03:14.014 --> 00:03:16.924
us the stuff that just doesn't make sense.

00:03:16.924 --> 00:03:20.924
It shows us the strange activity, hence the name weird.

00:03:20.924 --> 00:03:23.174
Let's look at another one of these log sources really

00:03:23.174 --> 00:03:24.924
quickly before we wrap up the demo.

00:03:24.924 --> 00:03:25.287
Here,

00:03:25.287 --> 00:03:29.824
we can see the DNS traffic going back and forth and see the

00:03:29.824 --> 00:03:31.924
information about the DNS requests and replies.

00:03:31.924 --> 00:03:35.590
We'll learn how to ingest other formats besides the

00:03:35.590 --> 00:03:37.924
typical Syslog later on in the course.

00:03:37.924 --> 00:03:40.674
Zeek's able to send the data in other formats besides just

00:03:40.674 --> 00:03:42.924
Syslog like we talked about earlier,

00:03:42.924 --> 00:03:46.924
and taking advantage of those is extremely useful.

00:03:46.924 --> 00:03:47.924
As you can see,

00:03:47.924 --> 00:03:52.590
the plain Syslog format just isn't very well structured to be

00:03:52.590 --> 00:03:54.924
able to quickly look and identify problems.

00:03:54.924 --> 00:03:58.924
We're definitely wanting to make this easier on our analysts.

00:03:58.924 --> 00:04:00.924
So there you have it.

00:04:00.924 --> 00:04:04.924
We just saw our lab environment and learned all about the basics of Zeek.

00:04:04.924 --> 00:04:09.924
In this module, we started out by talking about the course and what it's about,

00:04:09.924 --> 00:04:12.924
as well as some of the prerequisite information.

00:04:12.924 --> 00:04:17.923
We then discussed what exactly Zeek is and what we can do with it.

00:04:17.923 --> 00:04:18.257
Afterward,

00:04:18.257 --> 00:04:23.123
we hopped into the lab and explored Zeek as it is after a

00:04:23.123 --> 00:04:25.674
default installation and saw some of the logs being

00:04:25.674 --> 00:04:27.923
generated and sent over to Splunk.

00:04:27.924 --> 00:04:28.924
In the coming modules,

00:04:28.924 --> 00:04:31.923
we're going to dig much more into Zeek and its capabilities,

00:04:31.924 --> 00:04:35.674
as well as the installation, components,

00:04:35.674 --> 00:04:36.924
and languages.

00:04:36.924 --> 00:04:49.924
Join me in the next module so we can get our learn on.
