boB Rudis
3 years ago
22 changed files with 909 additions and 12 deletions
@ -1,4 +1,14 @@ |
|||
# Generated by roxygen2: do not edit by hand |
|||
|
|||
import(httr) |
|||
importFrom(jsonlite,fromJSON) |
|||
export(find_zeek) |
|||
export(get_zeek) |
|||
export(man_zeek) |
|||
export(pcap_to_zeek) |
|||
export(read_zeek_logs) |
|||
export(zeek) |
|||
export(zeek_man) |
|||
import(arrow) |
|||
import(ndjson) |
|||
importFrom(tools,file_ext) |
|||
importFrom(tools,file_path_sans_ext) |
|||
importFrom(utils,browseURL) |
|||
|
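--- /dev/null
+++ b/R/get-zeek.R
@@ -0,0 +1,10 @@
+#' Get Zeek
+#'
+#' Opens the default browser to the place where you can get Zeek.
+#'
+#' @export
+#' @examples
+#' if (interactive) get_zeek()
+get_zeek <- function() {
+utils::browseURL("https://zeek.org/get-zeek/")
+}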
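Review bot: The `@examples` line tests the function object instead of calling it: `if (interactive) get_zeek()` fails with "argument is not interpretable as logical" when the example is run, so it should read `#' if (interactive()) get_zeek()`. The same text is copied into the generated Rd for get_zeek later in this commit and will be regenerated once the roxygen source is fixed.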
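--- /dev/null
+++ b/R/pcap_to_zeek.R
@@ -0,0 +1,106 @@
+#' Process a PCAP with Zeek and create Parquet files
+#'
+#' @param pcap path to PCAP to process. ([path.expand()] will be called on this value)
+#' @param out_dir path to Parquet files. ([path.expand()] will be called on this value)
+#' If the directory does not exist it will be created. If ho directory is specified
+#' a temporary directory will be created and used. You should
+#' call [unlink()] on this path if you used a temporary directory.
+#' @param zeek_opts extra options passed to to Zeek command line. NOTE:
+#' `--no-checksums`, `LogAscii::use_json=T`, and `Log::default_scope_sep='_'`
+#' are already handled by this function; no need to specify them.
+#' @param ... extra named parameters passed on to [arrow::write_parquet()]
+#' @return length 1 character vector of the expanded path of the `out_dir`
+#' @note the `zeek` binary **must** be available on `PATH`. You can use the
+#' environment variable `ZEEK_PATH` as a hint where [find_zeek()] will
+#' look for the `zeek` binary.
+#' @export
+#' @examples
+#' loc <- pcap_to_zeek(system.file("pcap/ssh.pcap", package = "zeekr"))
+#' read_zeek_logs(loc)
+#' unlink(loc) # don't do this IRL until you're done working with or saving.
+pcap_to_zeek <- function(pcap, out_dir = tempfile(pattern = "zeek"), zeek_opts = c(), ...) {
+
+pcap <- path.expand(pcap[1])
+
+if (!file.exists(pcap)) {
+stop(sprintf("PCAP [%s] not found.", pcap), call.=FALSE)
+}
+
+out_dir <- path.expand(out_dir[1])
+if (!dir.exists(out_dir)) dir.create(out_dir)
+
+pcap_link <- file.path(out_dir, basename(pcap))
+
+if (!file.symlink(pcap, pcap_link)) {
+stop(sprintf("Could not create symlink %s for %s.", pcap_link, pcap), call. = FALSE)
+}
+
+zeek_opts <- c("--no-checksums", "LogAscii::use_json=T", "Log::default_scope_sep='_'", zeek_opts, "-r", pcap_link)
+
+wd <- getwd()
+on.exit(setwd(wd))
+setwd(out_dir)
+
+system2(
+command = find_zeek(),
+args = zeek_opts,
+env = c("ZEEK_LOG_SUFFIX=json")
+) -> status
+
+stopifnot("Error converting PCAP." = (status == 0))
+
+if (!file.remove(pcap_link)) {
+stop(sprintf("Could not remove symlink %s", pcap_link), call.=FALSE)
+}
+
+in_fils <- list.files(out_dir, pattern = "\\.json$", full.names = TRUE)
+out_fils <- sub("\\.json$", ".parquet", in_fils)
+
+for (idx in seq_along(in_fils)) {
+
+arrow::write_parquet(
+x = arrow::read_json_arrow(
+file = in_fils[idx],
+as_data_frame = FALSE
+),
+sink = out_fils[idx],
+...
+)
+
+file.remove(in_fils[idx])
+
+}
+
+out_dir
+
+}
+
+#' Find the Zeek binary
+#'
+#' Use the environment variable `ZEEK_PATH` or specify the directory in
+#' the call to this function.
+#'
+#' @param path hint to where to look for the Zeek binary
+#' @export
+#' @return length 1 character vector of the path to the zeek binary or `""`
+#' @examples
+#' find_zeek()
+find_zeek <- function(path = Sys.getenv("ZEEK_PATH", "")) {
+
+if (path != "") {
+Sys.setenv(
+PATH = paste0(path, Sys.getenv("PATH"), sep = .Platform$path.sep)
+)
+}
+
+res <- Sys.which("zeek")
+stopifnot(
+c("Cannot locate Zeek binary." = (res != ""))
+)
+unname(res)
+}
+
+set_names <- function (object = nm, nm) {
+names(object) <- nm
+object
+}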
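Review bot: `paste0()` has no `sep` argument, so in find_zeek the line `PATH = paste0(path, Sys.getenv("PATH"), sep = .Platform$path.sep)` glues the hint directly onto the front of the existing PATH and appends the separator at the end (a hint of `/opt/zeek/bin` becomes `/opt/zeek/bin/usr/bin:...`); it should be `PATH = paste(path, Sys.getenv("PATH"), sep = .Platform$path.sep)`, and since this rewrites the session's PATH for the rest of the process, testing `file.path(path, "zeek")` directly would avoid the side effect. In pcap_to_zeek, `zeek_opts` and `pcap_link` reach system2() unquoted and system2() assembles a shell command line on Unix, so a PCAP whose basename contains spaces or shell metacharacters (file names of downloaded captures are not under the caller's control) either breaks the call or gets interpreted by the shell; pass `shQuote(pcap_link)` and document that `zeek_opts` must be pre-quoted. When Zeek exits non-zero the `stopifnot("Error converting PCAP." ...)` fires before `file.remove(pcap_link)`, leaving the symlink in `out_dir`; registering `on.exit(file.remove(pcap_link), add = TRUE)` right after the symlink is created (and adding `add = TRUE` to the existing `on.exit(setwd(wd))`) cleans up on every exit path. The `@return` of find_zeek promises `""` when the binary is missing, but the `stopifnot` above `unname(res)` errors instead, and because its condition is wrapped in `c(...)` the name is not on the argument itself, so the custom message "Cannot locate Zeek binary." is not used either.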
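--- /dev/null
+++ b/R/read-zeek-logs.R
@@ -0,0 +1,32 @@
+#' Read zeek logs from a processed PCAP into a list
+#'
+#' @note Logs must be in Parquet or JSON format.
+#' @param log_dir directory of zeek logs
+#' @export
+#' @examples
+#' loc <- pcap_to_zeek(system.file("pcap/ssh.pcap", package = "zeekr"))
+#' read_zeek_logs(loc)
+#' unlink(loc) # don't do this IRL until you're done working with or saving.
+read_zeek_logs <- function(log_dir) {
+
+log_dir <- path.expand(log_dir[1])
+
+stopifnot("Cannot find directory." = dir.exists(log_dir))
+
+in_fils <- list.files(log_dir, full.names = TRUE)
+
+fil_names <- make.unique(tools::file_path_sans_ext(basename(in_fils)))
+
+lapply(in_fils, function(.x) {
+
+if (tools::file_ext(.x) == "parquet") {
+arrow::read_parquet(.x)
+} else {
+ndjson::stream_in(.x, cls = "tbl")
+}
+
+}) -> out
+
+set_names(out, fil_names)
+
+}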
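Review bot: `list.files(log_dir, full.names = TRUE)` returns every entry in the directory and anything without a `parquet` extension is handed to `ndjson::stream_in()`, so a stray entry in `log_dir` (a leftover `.pcap` symlink, an ASCII `.log`, a subdirectory) produces a parse error or a junk list element instead of being skipped; `list.files(log_dir, pattern = "\\.(parquet|json)$", full.names = TRUE)` makes the code match the `@note` above it. The named form `stopifnot("Cannot find directory." = dir.exists(log_dir))`, also used in pcap_to_zeek and find_zeek, only became a custom error message in R 4.0.0 as far as I recall, while the README in this commit advertises R >= 3.6.0; one of the two should change.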
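--- /dev/null
+++ b/R/zeek-man.R
@@ -0,0 +1,86 @@
+#' Zeek Manual Page Quick Reference
+#'
+#' `zeek` - passive network traffic analyzer
+#'
+#' ## SYNOPSIS
+#'
+#' **`zeek`** `[*options*] [*file* ...]`
+#'
+#' ## DESCRIPTION
+#'
+#' Zeek is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Zeek supports a wide range of traffic analysis tasks even #' outside of the security domain, including performance measurements and helping with trouble-shooting.
+#'
+#' Zeek comes with built-in functionality for a range of analysis and detection tasks, including detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on #' the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL certificate chains, among others.
+#'
+#' ## OPTIONS
+#'
+#' * **`<file>`**: policy file, or read stdin
+#' * **`-a`**, `--parse-only`: exit immediately after parsing scripts
+#' * **`-b`**, `--bare-mode`: don't load scripts from the base/ directory
+#' * **`-d`**, `--debug-policy:` activate policy file debugging
+#' * **`-e`**, `--exec <zeek code>`: augment loaded policies by given code
+#' * **`-f`**, `--filter <filter>`: tcpdump filter
+#' * **`-h`**, `--help|-?`: command line help
+#' * **`-i`**, `--iface <interface>`: read from given interface
+#' * **`-p`**, `--prefix <prefix>`: add given prefix to policy file resolution
+#' * **`-r`**, `--readfile <readfile>`: read from given tcpdump file
+#' * **`-s`**, `--rulefile <rulefile>`: read rules from given file
+#' * **`-t`**, `--tracefile <tracefile>`: activate execution tracing
+#' * **`-w`**, `--writefile <writefile>`: write to given tcpdump file
+#' * **`-v`**, `--version`: print version and exit
+#' * **`-x`**, `--print-state <file.bst>`: print contents of state file
+#' * **`-C`**, `--no-checksums`: ignore checksums
+#' * **`-F`**, `--force-dns`: force DNS
+#' * **`-I`**, `--print-id <ID name>`: print out given ID
+#' * **`-N`**, `--print-plugins`: print available plugins and exit (**-NN** for verbose)
+#' * **`-P`**, `--prime-dns`: prime DNS
+#' * **`-Q`**, `--time`: print execution time summary to stderr
+#' * **`-R`**, `--replay <events.bst>`: replay events
+#' * **`-S`**, `--debug-rules`: enable rule debugging
+#' * **`-T`**, `--re-level <level>`: set 'RE_level' for rules
+#' * **`-U`**, `--status-file <file>`: Record process status in file
+#' * **`-W`**, `--watchdog`: activate watchdog timer
+#' * **`-X`**, `--zeekygen <cfgfile>`: generate documentation based on config file
+#' * **`--pseudo-realtime[=**<speedup>]`: enable pseudo-realtime for performance evaluation (default 1)
+#' * **`--load-seeds`** `<file>`: load seeds from given file
+#' * **`--save-seeds`** `<file>`: save seeds to given file
+#'
+#' The following option is available only when Zeek is built with the `--enable-debug` configure option:
+#'
+#' **`-B`**, `--debug <dbgstreams>`: Enable debugging output for selected streams ('-B help' for help)
+#'
+#' The following options are available only when Zeek is built with `gperftools` support (use the `--enable-perftools` and `--enable-perftools-debug` configure options):
+#'
+#' **`-m`**, `--mem-leaks`: show leaks
+#' **`-M`**, `--mem-profile`: record heap
+#'
+#' ## ENVIRONMENT
+#'
+#' - **`ZEEKPATH`**: file search path
+#' - **`ZEEK_PLUGIN_PATH`**: plugin search path
+#' - **`ZEEK_PLUGIN_ACTIVATE`**: plugins to always activate
+#' - **`ZEEK_PREFIXES`**: prefix list
+#' - **`ZEEK_DNS_FAKE`**: disable DNS lookups
+#' - **`ZEEK_SEED_FILE`**: file to load seeds from
+#' - **`ZEEK_LOG_SUFFIX`**: ASCII log file extension
+#' - **`ZEEK_PROFILER_FILE`**: Output file for script execution statistics
+#' - **`ZEEK_DISABLE_ZEEKYGEN`**: Disable Zeekygen (Broxygen) documentation support
+#'
+#' ## AUTHOR
+#'
+#' **zeek** was written by The Zeek Project <info@zeek.org>.
+#'
+#' @name zeek_man
+#' @rdname zeek_man
+#' @export
+#' @examples
+#' zeek_man()
+#' man_zeek
+#' ?zeek_man
+zeek_man <- function() {
+help("zeek_man")
+}
+
+#' @rdname zeek_man
+#' @export
+man_zeek <- zeek_man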
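Review bot: The two long DESCRIPTION paragraphs (the lines starting `#' Zeek is primarily` and `#' Zeek comes with built-in`) carry a stray `#'` in mid-sentence (`even #' outside`, `seen on #' the network`), which roxygen emits as literal text — the generated Rd for zeek_man later in this commit shows it verbatim; splitting each paragraph into two `#'` lines at that point fixes both. The `--pseudo-realtime` bullet has unbalanced backticks and asterisks and comes out as `**\verb{--pseudo-realtime[=**<speedup>]}` in the Rd; `#' * **`--pseudo-realtime[=<speedup>]`**: enable pseudo-realtime ...` keeps it in line with the neighbouring bullets. In the function body, `help("zeek_man")` searches every attached package for the topic; `help("zeek_man", package = "zeekr")` pins it to this package.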
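--- /dev/null
+++ b/R/zeek-redefs.R
@@ -0,0 +1,25 @@
+#' (WIP) Common `redef`initions for Zeek when processing PCAPs
+#'
+#' Zeek is great out-of-the-box, but you may need to tweak behavior
+#' every now and then to perform analyses on the Zeek logs.
+#'
+#' - `redef Log::default_scope_sep = "_"` will turn dots ("`.`") in column
+#' names to underscores ("`_`"). This will make many "big data" environments
+#' much more pleasant to deal with.
+#'
+#' - `redef FileExtraction::path = "/some/where/else"` will reconfigure where
+#' Zeek's output files go.
+#'
+#' - `redef FTP::default_capture_password = T` will turn off Zeek's default
+#' masking of FTP passwords.
+#'
+#' - `redef HTTP::default_capture_password=T` will turn off Zeek's default
+#' state of not capturing HTTP passwords.
+#'
+#' - `redef Intel::read_files += { "/opt/zeek_file_badlist.txt" }` will load in
+#' custom IoCs (see the [Intelligence Framework](https://docs.zeek.org/en/master/frameworks/intel.html))
+#' for more info.
+#'
+#' @name zeek_redefs
+#' @rdname zeek_redefs
+NULL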
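--- /dev/null
+++ b/R/zeek.R
@@ -0,0 +1,34 @@
+#' Call the Zeek binary with optional custom environment variables and options
+#'
+#' This is just a convenience wrapper around [system2()]. See [find_zeek()] for
+#' information on helping this package find the Zeek binary.
+#'
+#' @param zeek_bin specify a complate path or let [find_zeek()] do the dirty work.
+#' @param args same as [system2()] `args`
+#' @param env same as [system2()] `env`
+#' @return `list` with `stderr`, `stdout`, `status` and `errmsg` (invisibly)
+#' @export
+zeek <- function(zeek_bin = find_zeek(), args = c(), env = c()) {
+
+errf <- tempfile()
+on.exit(unlink(errf))
+
+outf <- tempfile()
+on.exit(unlink(outf))
+
+system2(
+command = zeek_bin,
+args = args,
+env = env,
+stderr = errf,
+stdout = outf
+) -> res
+
+invisible(list(
+stderr = readLines(errf, warn = FALSE),
+stdout = readLines(outf, warn = FALSE),
+status = attr(res, "status"),
+errmsg = attr(res, "errmsg")
+))
+
+}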
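Review bot: The second `on.exit(unlink(outf))` replaces the earlier `on.exit(unlink(errf))` because neither call passes `add = TRUE`, so the stderr temp file is left behind after every invocation; one `on.exit(unlink(c(errf, outf)), add = TRUE)` after both `tempfile()` calls fixes it. The returned `status` is also always `NULL`: with `stdout` and `stderr` redirected to files, system2() returns the exit code itself (invisibly) rather than a character vector carrying a `status` attribute, so `status = attr(res, "status")` should be `status = res` (and `errmsg` will never be populated in this mode, which the `@return` text should say). Since `args` is passed to the shell unquoted exactly as with system2(), a sentence in `@param args` telling callers to `shQuote()` any file paths or user-supplied values would prevent the same quoting problems pcap_to_zeek has.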
@ -1,9 +1,15 @@ |
|||
#' ... |
|||
#' |
|||
#' Tools to Make Analyses Using Zeek Easier |
|||
#' |
|||
#' [Zeek](https://zeek.org/) is an open source network security monitoring |
|||
#' system. Tools are provided to make it a bit easier to work with Zeek to perform |
|||
#' analyses with R. |
|||
#' |
|||
#' @md |
|||
#' @name zeekr |
|||
#' @keywords internal |
|||
#' @author Bob Rudis (bob@@rud.is) |
|||
#' @import httr |
|||
#' @importFrom jsonlite fromJSON |
|||
#' @import arrow |
|||
#' @import ndjson |
|||
#' @importFrom utils browseURL |
|||
#' @importFrom tools file_path_sans_ext file_ext |
|||
"_PACKAGE" |
|||
|
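Review bot: `@import httr` and `@importFrom jsonlite fromJSON` (mirrored by `import(httr)` and `importFrom(jsonlite,fromJSON)` in the NAMESPACE hunk at the top of this commit) pull in two packages that none of the R code in this commit appears to call — the functions only use arrow, ndjson, tools and utils. If nothing elsewhere in the package uses them, dropping these two directives removes an unnecessary dependency from the install footprint; only part of the file is visible here, so they may be leftovers from a package template.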
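--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,129 @@
+
+[![Project Status: Active – The project has reached a stable, usable
+state and is being actively
+developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
+[![Signed
+by](https://img.shields.io/badge/Keybase-Verified-brightgreen.svg)](https://keybase.io/hrbrmstr)
+![Signed commit
+%](https://img.shields.io/badge/Signed_Commits-100%25-lightgrey.svg)
+[![R-CMD-check](https://github.com/hrbrmstr/zeekr/workflows/R-CMD-check/badge.svg)](https://github.com/hrbrmstr/zeekr/actions?query=workflow%3AR-CMD-check)
+[![Linux build
+Status](https://travis-ci.org/hrbrmstr/zeekr.svg?branch=master)](https://travis-ci.org/hrbrmstr/zeekr)
+![Minimal R
+Version](https://img.shields.io/badge/R%3E%3D-3.6.0-blue.svg)
+![License](https://img.shields.io/badge/License-AGPL-blue.svg)
+
+# zeekr
+
+Tools to Make Analyses Using Zeek Easier
+
+## Description
+
+[Zeek](https://zeek.org/) is an open source network security monitoring
+system. Tools are provided to make it a bit easier to work with Zeek to
+perform analyses with R.
+
+## What’s Inside The Tin
+
+The following functions are implemented:
+
+- `find_zeek`: Find the Zeek binary
+- `get_zeek`: Get Zeek
+- `pcap_to_zeek`: Process a PCAP with Zeek and create Parquet files
+- `read_zeek_logs`: Read zeek logs from a processed PCAP into a list
+- `zeek_man`: Zeek Manual Page Quick Reference
+- `zeek_redefs`: (WIP) Common redefinitions for Zeek when processing
+PCAPs
+- `zeek`: Call the Zeek binary with optional custom environment
+variables and options
+
+## Installation
+
+``` r
+remotes::install_git("https://git.rud.is/hrbrmstr/zeekr.git")
+```
+
+NOTE: To use the ‘remotes’ install options you will need to have the
+[{remotes} package](https://github.com/r-lib/remotes) installed.
+
+## Usage
+
+``` r
+library(zeekr)
+
+# current version
+packageVersion("zeekr")
+## [1] '0.1.0'
+```
+
+``` r
+loc <- pcap_to_zeek(system.file("pcap/ssh.pcap", package = "zeekr"))
+
+list.files(loc)
+## [1] "conn.parquet" "packet_filter.parquet" "ssh.parquet"
+
+zeek <- read_zeek_logs(loc)
+
+str(zeek, 3)
+## List of 3
+## $ conn :Classes 'tbl_df', 'tbl' and 'data.frame': 49 obs. of 18 variables:
+## ..$ ts : num [1:49] 1.32e+09 1.32e+09 1.32e+09 1.32e+09 1.32e+09 ...
+## ..$ uid : chr [1:49] "CAmnTGoJHwg6hNFea" "CvHC1J1yB5yLVQuXR7" "CE6UIa40hIdUlMZCS2" "CK2bU24sjXqxWxiSpl" ...
+## ..$ id_orig_h : chr [1:49] "172.16.238.1" "172.16.238.1" "172.16.238.1" "172.16.238.1" ...
+## ..$ id_orig_p : int [1:49] 58389 58389 58389 58389 58397 58389 58389 58398 58389 58399 ...
+## ..$ id_resp_h : chr [1:49] "172.16.238.135" "172.16.238.135" "172.16.238.135" "172.16.238.135" ...
+## ..$ id_resp_p : int [1:49] 22 22 22 22 22 22 22 22 22 22 ...
+## ..$ proto : chr [1:49] "tcp" "tcp" "tcp" "tcp" ...
+## ..$ duration : num [1:49] 4.23 NA NA NA 17.78 ...
+## ..$ orig_bytes : int [1:49] 0 NA NA NA 1733 NA NA 1733 NA 1589 ...
+## ..$ resp_bytes : int [1:49] 0 NA NA NA 2007 NA NA 2007 NA 1943 ...
+## ..$ conn_state : chr [1:49] "SH" "SH" "SH" "SH" ...
+## ..$ missed_bytes : int [1:49] 0 0 0 0 0 0 0 0 0 0 ...
+## ..$ history : chr [1:49] "F" "F" "F" "F" ...
+## ..$ orig_pkts : int [1:49] 6 1 1 1 21 1 1 21 1 19 ...
+## ..$ orig_ip_bytes: int [1:49] 312 52 52 52 2837 52 52 2837 52 2589 ...
+## ..$ resp_pkts : int [1:49] 0 0 0 0 17 0 0 18 0 16 ...
+## ..$ resp_ip_bytes: int [1:49] 0 0 0 0 2899 0 0 2951 0 2783 ...
+## ..$ service : chr [1:49] NA NA NA NA ...
+## $ packet_filter:Classes 'tbl_df', 'tbl' and 'data.frame': 1 obs. of 5 variables:
+## ..$ ts : num 1.63e+09
+## ..$ node : chr "zeek"
+## ..$ filter : chr "ip or not ip"
+## ..$ init : logi TRUE
+## ..$ success: logi TRUE
+## $ ssh :Classes 'tbl_df', 'tbl' and 'data.frame': 40 obs. of 17 variables:
+## ..$ ts : num [1:40] 1.32e+09 1.32e+09 1.32e+09 1.32e+09 1.32e+09 ...
+## ..$ uid : chr [1:40] "CUegdV3IvAoKWGu681" "Ci9sXu2lSlpqg3Au47" "Csw04n3ZhbvBDjJTNd" "C3qrkm4EaQi2uvlpD6" ...
+## ..$ id_orig_h : chr [1:40] "172.16.238.1" "172.16.238.1" "172.16.238.1" "172.16.238.1" ...
+## ..$ id_orig_p : int [1:40] 58395 58396 58397 58398 58399 58402 58403 58404 58405 58406 ...
+## ..$ id_resp_h : chr [1:40] "172.16.238.168" "172.16.238.129" "172.16.238.136" "172.16.238.136" ...
+## ..$ id_resp_p : int [1:40] 22 22 22 22 22 22 22 22 22 22 ...
+## ..$ version : int [1:40] 2 2 2 2 2 2 2 2 2 2 ...
+## ..$ auth_success : logi [1:40] TRUE TRUE FALSE FALSE FALSE FALSE ...
+## ..$ auth_attempts : int [1:40] 3 1 2 2 1 2 2 2 4 2 ...
+## ..$ client : chr [1:40] "SSH-2.0-OpenSSH_5.6" "SSH-2.0-OpenSSH_5.6" "SSH-2.0-OpenSSH_5.6" "SSH-2.0-OpenSSH_5.6" ...
+## ..$ server : chr [1:40] "SSH-2.0-OpenSSH_5.3" "SSH-2.0-OpenSSH_5.3" "SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1" "SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1" ...
+## ..$ cipher_alg : chr [1:40] "aes128-ctr" "aes128-ctr" "aes128-ctr" "aes128-ctr" ...
+## ..$ mac_alg : chr [1:40] "hmac-md5" "hmac-md5" "hmac-md5" "hmac-md5" ...
+## ..$ compression_alg: chr [1:40] "none" "none" "none" "none" ...
+## ..$ kex_alg : chr [1:40] "diffie-hellman-group-exchange-sha256" "diffie-hellman-group-exchange-sha256" "diffie-hellman-group-exchange-sha256" "diffie-hellman-group-exchange-sha256" ...
+## ..$ host_key_alg : chr [1:40] "ssh-rsa" "ssh-rsa" "ssh-rsa" "ssh-rsa" ...
+## ..$ host_key : chr [1:40] "a5:3c:40:6e:e8:bf:5d:09:79:c8:4b:2c:65:5f:eb:12" "a5:3c:40:6e:e8:bf:5d:09:79:c8:4b:2c:65:5f:eb:12" "87:11:46:da:89:c5:2b:d9:6b:ee:e0:44:7e:73:80:f8" "87:11:46:da:89:c5:2b:d9:6b:ee:e0:44:7e:73:80:f8" ...
+```
+
+## zeekr Metrics
+
+| Lang | # Files | (%) | LoC | (%) | Blank lines | (%) | # Lines | (%) |
+|:-----|--------:|-----:|----:|-----:|------------:|-----:|--------:|-----:|
+| R | 8 | 0.36 | 100 | 0.37 | 38 | 0.32 | 175 | 0.42 |
+| YAML | 2 | 0.09 | 23 | 0.09 | 2 | 0.02 | 2 | 0.00 |
+| Rmd | 1 | 0.05 | 12 | 0.04 | 19 | 0.16 | 30 | 0.07 |
+| SUM | 11 | 0.50 | 135 | 0.50 | 59 | 0.50 | 207 | 0.50 |
+
+clock Package Metrics for zeekr
+
+## Code of Conduct
+
+Please note that this project is released with a Contributor Code of
+Conduct. By participating in this project you agree to abide by its
+terms.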
Binary file not shown.
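--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,21 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/pcap_to_zeek.R
+\name{find_zeek}
+\alias{find_zeek}
+\title{Find the Zeek binary}
+\usage{
+find_zeek(path = Sys.getenv("ZEEK_PATH", ""))
+}
+\arguments{
+\item{path}{hint to where to look for the Zeek binary}
+}
+\value{
+length 1 character vector of the path to the zeek binary or \code{""}
+}
+\description{
+Use the environment variable \code{ZEEK_PATH} or specify the directory in
+the call to this function.
+}
+\examples{
+find_zeek()
+}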
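--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,14 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/get-zeek.R
+\name{get_zeek}
+\alias{get_zeek}
+\title{Get Zeek}
+\usage{
+get_zeek()
+}
+\description{
+Opens the default browser to the place where you can get Zeek.
+}
+\examples{
+if (interactive) get_zeek()
+}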
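--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,38 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/pcap_to_zeek.R
+\name{pcap_to_zeek}
+\alias{pcap_to_zeek}
+\title{Process a PCAP with Zeek and create Parquet files}
+\usage{
+pcap_to_zeek(pcap, out_dir = tempfile(pattern = "zeek"), zeek_opts = c(), ...)
+}
+\arguments{
+\item{pcap}{path to PCAP to process. (\code{\link[=path.expand]{path.expand()}} will be called on this value)}
+
+\item{out_dir}{path to Parquet files. (\code{\link[=path.expand]{path.expand()}} will be called on this value)
+If the directory does not exist it will be created. If ho directory is specified
+a temporary directory will be created and used. You should
+call \code{\link[=unlink]{unlink()}} on this path if you used a temporary directory.}
+
+\item{zeek_opts}{extra options passed to to Zeek command line. NOTE:
+\code{--no-checksums}, \code{LogAscii::use_json=T}, and \code{Log::default_scope_sep='_'}
+are already handled by this function; no need to specify them.}
+
+\item{...}{extra named parameters passed on to \code{\link[arrow:write_parquet]{arrow::write_parquet()}}}
+}
+\value{
+length 1 character vector of the expanded path of the \code{out_dir}
+}
+\description{
+Process a PCAP with Zeek and create Parquet files
+}
+\note{
+the \code{zeek} binary \strong{must} be available on \code{PATH}. You can use the
+environment variable \code{ZEEK_PATH} as a hint where \code{\link[=find_zeek]{find_zeek()}} will
+look for the \code{zeek} binary.
+}
+\examples{
+loc <- pcap_to_zeek(system.file("pcap/ssh.pcap", package = "zeekr"))
+read_zeek_logs(loc)
+unlink(loc) # don't do this IRL until you're done working with or saving.
+}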
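--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,22 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/read-zeek-logs.R
+\name{read_zeek_logs}
+\alias{read_zeek_logs}
+\title{Read zeek logs from a processed PCAP into a list}
+\usage{
+read_zeek_logs(log_dir)
+}
+\arguments{
+\item{log_dir}{directory of zeek logs}
+}
+\description{
+Read zeek logs from a processed PCAP into a list
+}
+\note{
+Logs must be in Parquet or JSON format.
+}
+\examples{
+loc <- pcap_to_zeek(system.file("pcap/ssh.pcap", package = "zeekr"))
+read_zeek_logs(loc)
+unlink(loc) # don't do this IRL until you're done working with or saving.
+}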
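--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,22 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/zeek.R
+\name{zeek}
+\alias{zeek}
+\title{Call the Zeek binary with optional custom environment variables and options}
+\usage{
+zeek(zeek_bin = find_zeek(), args = c(), env = c())
+}
+\arguments{
+\item{zeek_bin}{specify a complate path or let \code{\link[=find_zeek]{find_zeek()}} do the dirty work.}
+
+\item{args}{same as \code{\link[=system2]{system2()}} \code{args}}
+
+\item{env}{same as \code{\link[=system2]{system2()}} \code{env}}
+}
+\value{
+\code{list} with \code{stderr}, \code{stdout}, \code{status} and \code{errmsg} (invisibly)
+}
+\description{
+This is just a convenience wrapper around \code{\link[=system2]{system2()}}. See \code{\link[=find_zeek]{find_zeek()}} for
+information on helping this package find the Zeek binary.
+}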
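--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,95 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/zeek-man.R
+\name{zeek_man}
+\alias{zeek_man}
+\alias{man_zeek}
+\title{Zeek Manual Page Quick Reference}
+\usage{
+zeek_man()
+
+man_zeek()
+}
+\description{
+\code{zeek} - passive network traffic analyzer
+}
+\details{
+\subsection{SYNOPSIS}{
+
+\strong{\code{zeek}} \verb{[*options*] [*file* ...]}
+}
+
+\subsection{DESCRIPTION}{
+
+Zeek is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Zeek supports a wide range of traffic analysis tasks even #' outside of the security domain, including performance measurements and helping with trouble-shooting.
+
+Zeek comes with built-in functionality for a range of analysis and detection tasks, including detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on #' the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL certificate chains, among others.
+}
+
+\subsection{OPTIONS}{
+\itemize{
+\item \strong{\verb{<file>}}: policy file, or read stdin
+\item \strong{\code{-a}}, \code{--parse-only}: exit immediately after parsing scripts
+\item \strong{\code{-b}}, \code{--bare-mode}: don't load scripts from the base/ directory
+\item \strong{\code{-d}}, \verb{--debug-policy:} activate policy file debugging
+\item \strong{\code{-e}}, \verb{--exec <zeek code>}: augment loaded policies by given code
+\item \strong{\code{-f}}, \verb{--filter <filter>}: tcpdump filter
+\item \strong{\code{-h}}, \verb{--help|-?}: command line help
+\item \strong{\code{-i}}, \verb{--iface <interface>}: read from given interface
+\item \strong{\code{-p}}, \verb{--prefix <prefix>}: add given prefix to policy file resolution
+\item \strong{\code{-r}}, \verb{--readfile <readfile>}: read from given tcpdump file
+\item \strong{\code{-s}}, \verb{--rulefile <rulefile>}: read rules from given file
+\item \strong{\code{-t}}, \verb{--tracefile <tracefile>}: activate execution tracing
+\item \strong{\code{-w}}, \verb{--writefile <writefile>}: write to given tcpdump file
+\item \strong{\code{-v}}, \code{--version}: print version and exit
+\item \strong{\code{-x}}, \verb{--print-state <file.bst>}: print contents of state file
+\item \strong{\code{-C}}, \code{--no-checksums}: ignore checksums
+\item \strong{\code{-F}}, \code{--force-dns}: force DNS
+\item \strong{\code{-I}}, \verb{--print-id <ID name>}: print out given ID
+\item \strong{\code{-N}}, \code{--print-plugins}: print available plugins and exit (\strong{-NN} for verbose)
+\item \strong{\code{-P}}, \code{--prime-dns}: prime DNS
+\item \strong{\code{-Q}}, \code{--time}: print execution time summary to stderr
+\item \strong{\code{-R}}, \verb{--replay <events.bst>}: replay events
+\item \strong{\code{-S}}, \code{--debug-rules}: enable rule debugging
+\item \strong{\code{-T}}, \verb{--re-level <level>}: set 'RE_level' for rules
+\item \strong{\code{-U}}, \verb{--status-file <file>}: Record process status in file
+\item \strong{\code{-W}}, \code{--watchdog}: activate watchdog timer
+\item \strong{\code{-X}}, \verb{--zeekygen <cfgfile>}: generate documentation based on config file
+\item **\verb{--pseudo-realtime[=**<speedup>]}: enable pseudo-realtime for performance evaluation (default 1)
+\item \strong{\code{--load-seeds}} \verb{<file>}: load seeds from given file
+\item \strong{\code{--save-seeds}} \verb{<file>}: save seeds to given file
+}
+
+The following option is available only when Zeek is built with the \code{--enable-debug} configure option:
+
+\strong{\code{-B}}, \verb{--debug <dbgstreams>}: Enable debugging output for selected streams ('-B help' for help)
+
+The following options are available only when Zeek is built with \code{gperftools} support (use the \code{--enable-perftools} and \code{--enable-perftools-debug} configure options):
+
+\strong{\code{-m}}, \code{--mem-leaks}: show leaks
+\strong{\code{-M}}, \code{--mem-profile}: record heap
+}
+
+\subsection{ENVIRONMENT}{
+\itemize{
+\item \strong{\code{ZEEKPATH}}: file search path
+\item \strong{\code{ZEEK_PLUGIN_PATH}}: plugin search path
+\item \strong{\code{ZEEK_PLUGIN_ACTIVATE}}: plugins to always activate
+\item \strong{\code{ZEEK_PREFIXES}}: prefix list
+\item \strong{\code{ZEEK_DNS_FAKE}}: disable DNS lookups
+\item \strong{\code{ZEEK_SEED_FILE}}: file to load seeds from
+\item \strong{\code{ZEEK_LOG_SUFFIX}}: ASCII log file extension
+\item \strong{\code{ZEEK_PROFILER_FILE}}: Output file for script execution statistics
+\item \strong{\code{ZEEK_DISABLE_ZEEKYGEN}}: Disable Zeekygen (Broxygen) documentation support
+}
+}
+
+\subsection{AUTHOR}{
+
+\strong{zeek} was written by The Zeek Project <info@zeek.org>.
+}
+}
+\examples{
+zeek_man()
+man_zeek
+?zeek_man
+}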
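--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,25 @@
+% Generated by roxygen2: do not edit by hand
+% Please edit documentation in R/zeek-redefs.R
+\name{zeek_redefs}
+\alias{zeek_redefs}
+\title{(WIP) Common \code{redef}initions for Zeek when processing PCAPs}
+\description{
+Zeek is great out-of-the-box, but you may need to tweak behavior
+every now and then to perform analyses on the Zeek logs.
+}
+\details{
+\itemize{
+\item \verb{redef Log::default_scope_sep = "_"} will turn dots ("\code{.}") in column
+names to underscores ("\verb{_}"). This will make many "big data" environments
+much more pleasant to deal with.
+\item \verb{redef FileExtraction::path = "/some/where/else"} will reconfigure where
+Zeek's output files go.
+\item \verb{redef FTP::default_capture_password = T} will turn off Zeek's default
+masking of FTP passwords.
+\item \verb{redef HTTP::default_capture_password=T} will turn off Zeek's default
+state of not capturing HTTP passwords.
+\item \verb{redef Intel::read_files += \{ "/opt/zeek_file_badlist.txt" \}} will load in
+custom IoCs (see the \href{https://docs.zeek.org/en/master/frameworks/intel.html}{Intelligence Framework})
+for more info.
+}
+}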
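--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,205 @@
+# NAME
+
+zeek - passive network traffic analyzer
+
+# SYNOPSIS
+
+**zeek** \[*options*\] \[*file* \...\]
+
+# DESCRIPTION
+
+Zeek is primarily a security monitor that inspects all traffic on a link
+in depth for signs of suspicious activity. More generally, however, Zeek
+supports a wide range of traffic analysis tasks even outside of the
+security domain, including performance measurements and helping with
+trouble-shooting.
+
+Zeek comes with built-in functionality for a range of analysis and
+detection tasks, including detecting malware by interfacing to external
+registries, reporting vulnerable versions of software seen on the
+network, identifying popular web applications, detecting SSH
+brute-forcing, validating SSL certificate chains, among others.
+
+# OPTIONS
+
+**\<file>**
+
+: policy file, or read stdin
+
+**-a**, \--parse-only
+
+: exit immediately after parsing scripts
+
+**-b**, \--bare-mode
+
+: don\'t load scripts from the base/ directory
+
+**-d**, \--debug-policy
+
+: activate policy file debugging
+
+**-e**, \--exec \<zeek code>
+
+: augment loaded policies by given code
+
+**-f**, \--filter \<filter>
+
+: tcpdump filter
+
+**-h**, \--help\|-?
+
+: command line help
+
+**-i**, \--iface \<interface>
+
+: read from given interface
+
+**-p**, \--prefix \<prefix>
+
+: add given prefix to policy file resolution
+
+**-r**, \--readfile \<readfile>
+
+: read from given tcpdump file
+
+**-s**, \--rulefile \<rulefile>
+
+: read rules from given file
+
+**-t**, \--tracefile \<tracefile>
+
+: activate execution tracing
+
+**-w**, \--writefile \<writefile>
+
+: write to given tcpdump file
+
+**-v**, \--version
+
+: print version and exit
+
+**-x**, \--print-state \<file.bst>
+
+: print contents of state file
+
+**-C**, \--no-checksums
+
+: ignore checksums
+
+**-F**, \--force-dns
+
+: force DNS
+
+**-I**, \--print-id \<ID name>
+
+: print out given ID
+
+**-N**, \--print-plugins
+
+: print available plugins and exit (**-NN** for verbose)
+
+**-P**, \--prime-dns
+
+: prime DNS
+
+**-Q**, \--time
+
+: print execution time summary to stderr
+
+**-R**, \--replay \<events.bst>
+
+: replay events
+
+**-S**, \--debug-rules
+
+: enable rule debugging
+
+**-T**, \--re-level \<level>
+
+: set \'RE_level\' for rules
+
+**-U**, \--status-file \<file>
+
+: Record process status in file
+
+**-W**, \--watchdog
+
+: activate watchdog timer
+
+**-X**, \--zeekygen \<cfgfile>
+
+: generate documentation based on config file
+
+**\--pseudo-realtime\[=**\<speedup>\]
+
+: enable pseudo-realtime for performance evaluation (default 1)
+
+**\--load-seeds** \<file>
+
+: load seeds from given file
+
+**\--save-seeds** \<file>
+
+: save seeds to given file
+
+The following option is available only when Zeek is built with the \--enable-debug configure option:
+
+:
+
+**-B**, \--debug \<dbgstreams>
+
+: Enable debugging output for selected streams (\'-B help\' for help)
+
+The following options are available only when Zeek is built with gperftools support (use the \--enable-perftools and \--enable-perftools-debug configure options):
+
+:
+
+**-m**, \--mem-leaks
+
+: show leaks
+
+**-M**, \--mem-profile
+
+: record heap
+
+# ENVIRONMENT
+
+**ZEEKPATH**
+
+: file search path
+
+**ZEEK_PLUGIN_PATH**
+
+: plugin search path
+
+**ZEEK_PLUGIN_ACTIVATE**
+
+: plugins to always activate
+
+**ZEEK_PREFIXES**
+
+: prefix list
+
+**ZEEK_DNS_FAKE**
+
+: disable DNS lookups
+
+**ZEEK_SEED_FILE**
+
+: file to load seeds from
+
+**ZEEK_LOG_SUFFIX**
+
+: ASCII log file extension
+
+**ZEEK_PROFILER_FILE**
+
+: Output file for script execution statistics
+
+**ZEEK_DISABLE_ZEEKYGEN**
+
+: Disable Zeekygen (Broxygen) documentation support
+
+# AUTHOR
+
+**zeek** was written by The Zeek Project \<info\@zeek.org>.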