File extraction with Zeek
One of the features of Zeek that I find interesting is the ability to extract files. As you may be aware, commercial products like Zscaler offer malicious file detection and the ability to send unknown files to a sandbox for analysis before the user opens the file.
The version of Zeek I am using is 3.2.3. Version 4 was released only a short while ago.
root@zeek:~# /opt/zeek/bin/zeek -v
/opt/zeek/bin/zeek version 3.2.3
Running Zeek as a Command-Line Utility
root@zeek:/home/u1# /opt/zeek/bin/zeek -i enp0s3 /opt/zeek/share/zeek/policy/frameworks/files/extract-all-files.zeek
listening on enp0s3
1614864430.678414 warning in /opt/zeek/share/zeek/base/misc/find-checksum-offloading.zeek, line 54: Your interface is likely receiving invalid TCP and UDP checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Zeek unless using the -C command-line option or toggling the ‘ignore_checksums’ variable. Alternatively, disable checksum offloading by the network adapter to ensure Zeek analyzes the actual checksums that are transmitted.
^C1614864431.921404 received termination signal
1614864431.921404 19 packets received on interface enp0s3, 0 (0.00%) dropped
No SSL traffic!
If the files are transmitted via SSL, they cannot be extracted: Zeek only sees the encrypted stream, so the HTTP file analysis never runs on those connections. I spent quite a lot of time wondering what was wrong before I realised that.
u1@zeek:~$ wget http://ftp4.freebsd.org/pub/FreeBSD/README.TXT
--2021-03-04 13:27:09--  http://ftp4.freebsd.org/pub/FreeBSD/README.TXT
Resolving ftp4.freebsd.org (ftp4.freebsd.org)… 203.80.16.151, 2404:a8:3ff::15:0
Connecting to ftp4.freebsd.org (ftp4.freebsd.org)|203.80.16.151|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 4259 (4.2K) [text/plain]
Saving to: ‘README.TXT’
README.TXT 100%[=========================================================================================================================================>] 4.16K --.-KB/s in 0s
2021-03-04 13:27:09 (1.17 GB/s) - ‘README.TXT’ saved [4259/4259]
Location of the extracted files
The extracted files are saved in the folder defined in the .zeek file (the FileExtract::prefix variable), which defaults to ./extract_files/ relative to the directory Zeek was started from.
root@zeek:/home/u1# ls
conn.log dns.log extract_files files.log http.log packet_filter.log README.TXT reporter.log ssl.log weird.log
root@zeek:/home/u1# ls extract_files/
extract-1614864429.458447-HTTP-FOIhRn1esWUIgxzs1c
Let's cat the extracted file to make sure the contents match the original:
cat extract_files/extract-1614864429.458447-HTTP-FOIhRn1esWUIgxzs1c
Welcome to the FreeBSD archive!
-------------------------------
Here you will find the official releases of FreeBSD, along with the ports
……
Using ZeekControl
I didn't realise that I have to issue the deploy command in ZeekControl, as I assumed it would read the config file every time it starts. So a lot of time was spent wondering why file extraction was not working when using ZeekControl.
Edit the site config file to load the extract-all-files script:
root@zeek:~# vi /opt/zeek/share/zeek/site/local.zeek
and add the line: @load frameworks/files/extract-all-files
Start ZeekControl, then run deploy so the new script is installed before the node is (re)started:
root@zeek:~# /opt/zeek/bin/zeekctl
Warning: zeekctl node config has changed (run the zeekctl “deploy” command)
Welcome to ZeekControl 2.2.0
Type “help” for help.
[ZeekControl] > start
starting zeek …
creating crash report for previously crashed nodes: zeek
[ZeekControl] > deploy
checking configurations …
installing …
removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/site …
removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/auto …
creating policy directories …
installing site policies …
generating standalone-layout.zeek …
generating local-networks.zeek …
generating zeekctl-config.zeek …
generating zeekctl-config.sh …
stopping …
stopping zeek …
starting …
starting zeek …
[ZeekControl] >
Location of the extracted files under ZeekControl
Under ZeekControl the node runs from its spool directory, /opt/zeek/spool/zeek/, so the relative ./extract_files/ path ends up there rather than in your home directory:
root@zeek:/home/u1# find / -name extract* -print
/home/u1/extract_files
/opt/zeek/spool/zeek/extract_files
root@zeek:/home/u1# ls /opt/zeek/spool/zeek/extract_files
extract-1614870026.756496-HTTP-Fu4aMFhgnf9xjZ7hl
head /opt/zeek/spool/zeek/extract_files/extract-1614870026.756496-HTTP-Fu4aMFhgnf9xjZ7hl
Welcome to the FreeBSD archive!
-------------------------------
Here you will find the official releases of FreeBSD, along with the ports
collection and other FreeBSD-related material. We encourage you to visit
the FreeBSD home page at:
Purpose?
One purpose of extracting the files is that you then have the choice to send them to a sandbox such as Cuckoo Sandbox for analysis.
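extract-all-files writes every file it sees into ./extract_files/, which on a busy sensor fills the spool disk quickly and leaves you with nothing to tie an extract back to its connection. The following Zeek script is an added example, not code from the post or from the Zeek project: it extracts only a short list of MIME types, caps the size per file, hashes each extract and appends a manifest line (fuid, source, MIME type, SHA256, path) that a sandbox submission job can consume. The output prefix, the MIME list and the 20 MB cap are assumptions.

```zeek
@load base/files/extract
@load base/files/hash

module ExtractSelected;

export {
	# Absolute prefix (assumed path) so extracts land in one place whether
	# Zeek runs from the shell or under ZeekControl.
	redef FileExtract::prefix = "/opt/zeek/extracted/";
	# MIME types worth sandboxing, mapped to an extension (constructed list).
	const interesting: table[string] of string = {
		["application/x-dosexec"] = "exe",
		["application/pdf"]       = "pdf",
		["application/zip"]       = "zip",
	} &redef;
	# Per-file cap so one large download cannot fill the spool disk.
	const max_bytes = 20 * 1024 * 1024 &redef;
}

global manifest: file;

event zeek_init()
	{
	mkdir(FileExtract::prefix);
	manifest = open_for_append(FileExtract::prefix + "manifest.tsv");
	}

# file_sniff fires once the MIME type is known, before the body has
# streamed past, so this is the place to attach analyzers selectively.
event file_sniff(f: fa_file, meta: fa_metadata)
	{
	if ( ! meta?$mime_type || meta$mime_type !in interesting )
		return;
	# Name the extract after the fuid so it joins back to files.log.
	local fname = fmt("%s-%s.%s", f$source, f$id, interesting[meta$mime_type]);
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
	                    [$extract_filename=fname, $extract_limit=max_bytes]);
	Files::add_analyzer(f, Files::ANALYZER_SHA256);
	}

# Zeek is finished with the file here; extract path and hash are final.
event file_state_remove(f: fa_file)
	{
	if ( ! f$info?$extracted )
		return;
	print manifest, fmt("%s\t%s\t%s\t%s\t%s", f$info$fuid, f$source,
	                    f$info?$mime_type ? f$info$mime_type : "-",
	                    f$info?$sha256 ? f$info$sha256 : "-",
	                    FileExtract::prefix + f$info$extracted);
	}
```

Load it from local.zeek in place of extract-all-files and run deploy; files.log still carries the extracted and sha256 columns, so the manifest and files.log can be joined on fuid.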
The SSL issue still needs to be solved, as most websites nowadays use SSL; Zeek can only extract files from traffic it sees in cleartext.