Zeek
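# '-r' specifies offline analysis (reads the given pcap), whereas '-w' is for live capture.
# Quote the variable so a path with spaces is passed as a single argument.
zeek -r "$PCAP"
# HTTP requests: '-u' prints ts as readable UTC; replace <string> with the pattern of interest.
# awk field 1 is ts (the original '$1$' is an awk syntax error).
zeek-cut -u ts method host uri < http.log | grep "<string>" | awk '{print $1}'
# Same query with comma-separated output: awk must use the same separator,
# otherwise it splits on whitespace and $3 is not the host column.
zeek-cut -F ',' -u ts method host uri < http.log | grep "<string>" | awk -F ',' '{print $3}'
# Connection 4-tuple (orig/resp IP and port) from conn.log, via redirection instead of a needless cat.
zeek-cut id.orig_h id.orig_p id.resp_h id.resp_p < conn.log > temp.txt
# Install the zat package (Zeek Analysis Tools), used by the Python snippets below.
pip install zat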
# En python
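import pandas as pd
from zat.log_to_dataframe import LogToDataFrame

# Load dns.log into a DataFrame via zat.
log_to_df = LogToDataFrame()
zeek_df = log_to_df.create_dataframe('dns.log')
# 'pd' must be imported in this cell; the original relied on a later import and raised NameError.
# Show every column instead of pandas' truncated view.
pd.set_option('display.max_columns', None)
# Notebook-style display of the frame (no effect in a plain script).
zeek_df
# Frequency of each queried name, most common first.
zeek_df['query'].value_counts()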
# Clone the repo (zeek_anomaly_detector.py is executed below; review the cloned code before running it)
git clone https://github.com/stratosphereips/zeek_anomaly_detector.git
# Install the pyod package (presumably required by the anomaly detector)
pip install pyod
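import subprocess
import sys

import pandas as pd
from IPython.display import display

# Show every column instead of pandas' truncated view.
pd.set_option('display.max_columns', None)
# Run the cloned detector as a subprocess (argument list, no shell) instead of the
# IPython-only '!python ...' escape, so the cell is also valid plain Python.
# sys.executable keeps the same interpreter; check=True surfaces a non-zero exit.
# Assumes the cwd is the cloned repo. '-a 20 -f conn.log' are the arguments from the
# original note; see the script's own help for their meaning.
subprocess.run(
    [sys.executable, "zeek_anomaly_detector.py", "-a", "20", "-f", "conn.log"],
    check=True,
)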