WEBVTT

00:00:00.522 --> 00:00:04.522
Now we're going to talk briefly about script customization.

00:00:04.522 --> 00:00:07.522
You can get way down into the weeds with regards to

00:00:07.522 --> 00:00:10.522
customizing the scripts that we have available,

00:00:10.522 --> 00:00:13.291
and much of that is going to be saved for a future

00:00:13.291 --> 00:00:15.522
course that's dedicated just to this,

00:00:15.522 --> 00:00:20.522
but let's cover it briefly so you know the capabilities.

00:00:20.522 --> 00:00:20.967
So,

00:00:20.967 --> 00:00:25.022
customizing Zeek scripts can be a difficult process if you

00:00:25.022 --> 00:00:26.522
have no experience in script writing.

00:00:26.522 --> 00:00:32.094
The scripting language within Zeek uses a combination of operators,

00:00:32.094 --> 00:00:35.522
types, attributes, declarations, statements,

00:00:35.522 --> 00:00:37.522
and directives.

00:00:37.522 --> 00:00:39.522
Using these different parameters,

00:00:39.522 --> 00:00:43.411
you can create your own scripts that use events or other

00:00:43.411 --> 00:00:46.522
packages to figure out what's going on.

00:00:46.522 --> 00:00:47.189
Using these,

00:00:47.189 --> 00:00:50.411
you can use the Zeek notice framework or logging

00:00:50.411 --> 00:00:53.522
framework to define an action to take.

00:00:53.522 --> 00:00:57.772
All of these parameters have specific variable sets that you can use to

00:00:57.772 --> 00:01:02.022
configure them properly and provide the flexibility that you need to

00:01:02.022 --> 00:01:07.522
define any event or set of events that you want to.

00:01:07.522 --> 00:01:09.808
The key thing to writing your own scripts with Zeek is

00:01:09.808 --> 00:01:13.704
that it uses the event handlers to come up with the data

00:01:13.704 --> 00:01:15.522
that it's using for processing.

00:01:15.522 --> 00:01:18.951
Zeek is essentially using scripts to make decisions based

00:01:18.951 --> 00:01:21.522
on the information provided in events.

00:01:21.522 --> 00:01:26.522
To understand the custom scripts, or any Zeek scripts for that matter,

00:01:26.522 --> 00:01:29.189
requires you to understand the events and event

00:01:29.189 --> 00:01:32.522
handlers that Zeek collects and creates.

00:01:32.522 --> 00:01:37.522
A lot of what Zeek does relies on the context of the packets or data streams,

00:01:37.522 --> 00:01:42.522
not just the packets themselves or the fact that they exist.

00:01:42.522 --> 00:01:45.022
Zeek is really good at analyzing the back and forth

00:01:45.022 --> 00:01:51.522
conversations between two hosts, and that plays a part in your script building.

00:01:51.522 --> 00:01:55.522
Once you understand the scripts, whether custom or default,

00:01:55.522 --> 00:01:57.022
and the structures of them,

00:01:57.022 --> 00:02:01.522
then you can also understand and create logging scripts.

00:02:01.522 --> 00:02:01.922
Previously,

00:02:01.922 --> 00:02:05.022
we were discussing scripts in relation to the analysis of

00:02:05.022 --> 00:02:08.522
network activity in the processing of events.

00:02:08.522 --> 00:02:11.522
You can also customize the logging that you do with Zeek

00:02:11.522 --> 00:02:14.522
based on the events and the analysis.

00:02:14.522 --> 00:02:17.522
We'll cover the various output options in the next module,

00:02:17.522 --> 00:02:19.522
but just remember that using scripts,

00:02:19.522 --> 00:02:24.022
you can do things like change the logging format from ASCII to JSON,

00:02:24.022 --> 00:02:30.522
or any other format, as well as your own custom format if desired.

00:02:30.522 --> 00:02:32.977
You can define the output to correspond to your

00:02:32.977 --> 00:02:37.522
chosen tool and format as needed.
