WEBVTT

00:00:00.874 --> 00:00:03.749
Before we hop into the lab and check out a few of the

00:00:03.749 --> 00:00:05.874
scripts that Zeek comes with by default,

00:00:05.874 --> 00:00:09.874
we need to talk about and detail them really quickly.

00:00:09.874 --> 00:00:11.874
There are several that are loaded by default,

00:00:11.874 --> 00:00:13.874
and it's not recommended that you alter these ones

00:00:13.874 --> 00:00:15.874
unless you know what you're doing.

00:00:15.874 --> 00:00:22.874
If desired, you could duplicate them and modify them, or just turn them off.

00:00:22.874 --> 00:00:26.874
There are two places by default where scripts typically belong

00:00:26.874 --> 00:00:28.874
and they're intended for specific purposes.

00:00:28.874 --> 00:00:32.874
Unless you tell Zeek to do a bare-bones installation,

00:00:32.874 --> 00:00:36.874
all of the default scripts are loaded into the base directory.

00:00:36.874 --> 00:00:40.420
Items in the policy directory are customizations and will

00:00:40.420 --> 00:00:42.874
have options on whether or not to use them.

00:00:42.874 --> 00:00:45.541
We're going to focus solely on the default scripts in the

00:00:45.541 --> 00:00:47.874
base directory during this demo and course,

00:00:47.874 --> 00:00:50.763
as it's just a getting started course and there's going to

00:00:50.763 --> 00:00:54.874
be a more advanced scripting and customization course in

00:00:54.874 --> 00:00:57.874
the future at Pluralsight.

00:00:57.874 --> 00:00:58.692
In this demo,

00:00:58.692 --> 00:01:02.303
we're going to check out the Zeek installation that we conducted in a

00:01:02.303 --> 00:01:05.874
previous module and see the base scripts in detail.

00:01:05.874 --> 00:01:06.249
First,

00:01:06.249 --> 00:01:09.763
we'll explore that base directory within Zeek so that

00:01:09.763 --> 00:01:12.874
we can see what we have available.

00:01:12.874 --> 00:01:13.160
Then,

00:01:13.160 --> 00:01:16.874
we'll break down a sample script so we can understand a

00:01:16.874 --> 00:01:18.874
little bit about its functionality.

00:01:18.874 --> 00:01:21.874
If you're ready to hop in there and do it, so am I.

00:01:21.874 --> 00:01:26.874
Let's check out what Zeek is giving us.

00:01:26.874 --> 00:01:29.303
The first thing that I want to do before looking at any scripts

00:01:29.303 --> 00:01:33.874
within Zeek is look at the local configuration file.

00:01:33.874 --> 00:01:36.303
This is the file that we use to load Zeek scripts and

00:01:36.303 --> 00:01:38.874
signatures within this local Zeek instance,

00:01:38.874 --> 00:01:43.874
and can be used to add custom ones to the capabilities of the tool.

00:01:43.874 --> 00:01:48.874
It's in the /opt/zeek/share/zeek/site folder,

00:01:48.874 --> 00:01:54.874
and that typical default installation should be the only item in there.

00:01:54.874 --> 00:01:55.946
Pulling it up to view,

00:01:55.946 --> 00:01:59.207
it has a lot of things standard in it that we can use the pound

00:01:59.207 --> 00:02:02.874
sign to activate or deactivate within it.

00:02:02.874 --> 00:02:05.874
There are a lot of default scripts that we can have it load for us

00:02:05.874 --> 00:02:08.874
that help us learn more about the environment.

00:02:08.874 --> 00:02:12.874
We have quite a bit of protocol-related scripts loaded by default,

00:02:12.874 --> 00:02:17.874
as well as some asset tracking information and SSL certificate analyzers.

00:02:17.874 --> 00:02:22.874
We see we have some frameworks activated for looking at different files,

00:02:22.874 --> 00:02:26.874
as well as some not activated dealing with layer 2.

00:02:26.874 --> 00:02:29.874
This file is where we go to add or remove the scripts,

00:02:29.874 --> 00:02:33.874
so we need to be sure we always know where it is.

00:02:33.874 --> 00:02:34.674
Moving on,

00:02:34.674 --> 00:02:38.207
let's go through and check out the base folder so we can see what

00:02:38.207 --> 00:02:40.874
some of the scripting options are by default.

00:02:40.874 --> 00:02:45.874
Within this main folder, we have some options here to choose from.

00:02:45.874 --> 00:02:50.874
The first one that we're going to check out is the frameworks folder.

00:02:50.874 --> 00:02:51.874
As you can see,

00:02:51.874 --> 00:02:54.692
this is where all of the different frameworks that we talked

00:02:54.692 --> 00:02:58.160
about earlier on in the course are located with regards to

00:02:58.160 --> 00:02:59.874
the scripts and configurations.

00:02:59.874 --> 00:03:04.874
Let's check out the inputs really quickly to see what we have in there.

00:03:04.874 --> 00:03:08.874
Looking at our main.zeek file within this particular frameworks folder,

00:03:08.874 --> 00:03:11.874
I can see the script.

00:03:11.874 --> 00:03:14.874
Do you see how this language kind of feels familiar,

00:03:14.874 --> 00:03:17.874
especially if you're used to programming?

00:03:17.874 --> 00:03:18.174
Here,

00:03:18.174 --> 00:03:21.763
we can add or remove inputs that we have and modify

00:03:21.763 --> 00:03:24.874
how the script can process it all.

00:03:24.874 --> 00:03:27.874
We'll be covering the scripting for Zeek in great detail

00:03:27.874 --> 00:03:29.783
in a later course here at Pluralsight,

00:03:29.783 --> 00:03:32.874
so let's move on and explore a little bit more.

00:03:32.874 --> 00:03:36.874
Now let's go hop into the protocols folder and see what we have.

00:03:36.874 --> 00:03:40.124
There are scripts for a lot of the main protocols and

00:03:40.124 --> 00:03:41.874
services that we see throughout our networks.

00:03:41.874 --> 00:03:46.074
I'm going to check out the HTTP one and show you a

00:03:46.074 --> 00:03:47.874
little bit about what's in here.

00:03:47.874 --> 00:03:52.874
As you can see, we have our scripts, which are designated by the .zeek format.

00:03:52.874 --> 00:03:55.874
We also have a signature in here too that comes by default,

00:03:55.874 --> 00:03:59.874
known as the dynamic protocol detection.

00:03:59.874 --> 00:04:02.731
This allows us to enable different analyzers based on

00:04:02.731 --> 00:04:04.874
the information that we receive.

00:04:04.874 --> 00:04:06.874
So for this one, for example,

00:04:06.874 --> 00:04:11.874
if in the payloads we see any of these fields and the protocol is TCP,

00:04:11.874 --> 00:04:13.874
and all of these other criteria match,

00:04:13.874 --> 00:04:19.874
then we're going to activate the HTTP analyzer to look at it more in detail.

00:04:19.874 --> 00:04:23.874
This is that enable action that I was talking about earlier.

00:04:23.874 --> 00:04:25.874
This allows us to save on resources,

00:04:25.874 --> 00:04:30.874
so we don't have to have all of the analyzers running all of the time.

00:04:30.874 --> 00:04:31.999
Using the signature,

00:04:31.999 --> 00:04:35.329
we're invoking the enable action to turn on this

00:04:35.329 --> 00:04:37.874
particular analyzer and look at the data.

00:04:37.874 --> 00:04:40.874
Looking at the main.zeek script within this protocol,

00:04:40.874 --> 00:04:43.874
there's a lot of information here.

00:04:43.874 --> 00:04:46.674
We're defining many different fields and structures of the

00:04:46.674 --> 00:04:48.874
events and messages that are generated,

00:04:48.874 --> 00:04:52.874
so we can accurately determine what's going on.

00:04:52.874 --> 00:04:57.874
You can also define the HTTP methods for example, as well.

00:04:57.874 --> 00:04:59.588
As you can see,

00:04:59.588 --> 00:05:03.446
this one script defines almost all of the variables that are

00:05:03.446 --> 00:05:06.374
possible with the HTTP protocol so that Zeek knows what to

00:05:06.374 --> 00:05:09.874
look for and where to look for it.

00:05:09.874 --> 00:05:13.874
Each function is a different event or different task within Zeek.

00:05:13.874 --> 00:05:16.874
For example, looking at this one,

00:05:16.874 --> 00:05:21.874
we're telling it to utilize this information here to track a new connection.

00:05:21.874 --> 00:05:26.874
We want things like the time, the IDs, and the HTTP state.

00:05:26.874 --> 00:05:31.511
Within the base directory folder, go through and explore some of these scripts.

00:05:31.511 --> 00:05:35.874
Some of them tell Zeek how to handle different frameworks and protocols,

00:05:35.874 --> 00:05:39.874
some help us determine how to handle our events and logs as well.

00:05:39.874 --> 00:05:42.874
This entire folder, by default,

00:05:42.874 --> 00:05:45.731
is included in the Zeek installation and can help you get a

00:05:45.731 --> 00:05:51.874
feel for how your network is functioning.
