William Baptist
3 Simple Zeek Scripts to Boost Your Network Security

Zeek is a powerful network analysis framework that can provide you with incredible insight into what’s happening on your network. While Zeek provides a lot of powerful features, one of its greatest strengths is its ability to be extended and customized through the use of scripts.

In this article, I’ll show you three Zeek scripts written in Python that can take your network analysis to the next level:

(1) SSL Cert Expiration Checker

SSL certificates are an essential component of securing online communication, but they have a limited lifespan. If an SSL certificate expires, it can leave your network open to attacks. The SSL Cert Expiration Checker script uses Zeek’s SSL log to check the expiration date of SSL certificates and alerts you when they’re about to expire.

import datetime
import ssl
import socket

# Define a function to check the expiration date of an SSL certificate for a given domain
def check_cert_expiry(domain, warn_days=30):
    context = ssl.create_default_context()
    # Context managers close the socket even if the connect or handshake fails
    with socket.create_connection((domain, 443), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=domain) as conn:
            cert = conn.getpeercert()
    # notAfter is a GMT string such as "Jun  1 12:00:00 2024 GMT"; the ssl module parses it
    exp_date = datetime.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert['notAfter']),
                                               datetime.timezone.utc)
    # Compare in UTC so local timezone offsets do not skew the day count
    days_left = (exp_date - datetime.datetime.now(datetime.timezone.utc)).days
    if days_left < warn_days:
        print(f"The SSL certificate for {domain} expires in {days_left} days. Renew it as soon as possible.")
    return days_left

# Replace "williambaptist.co.uk" with your own domain or list of domains to check
check_cert_expiry("williambaptist.co.uk")

Like all of these scripts, this one is easy to customize to meet your needs. For example, you can integrate it with email notifications or remote file writing.

(2) Malware Traffic Detector

Detecting malware traffic is essential for securing your network, but it can be difficult to know where to start. The Malware Traffic Detector script uses Zeek’s HTTP log to identify traffic that matches known malware patterns. When it detects malware traffic, it sends an alert to the network administrator.

import pyshark

# Replace "malicioussite.co.uk" with your own list of known malicious domains
MALICIOUS_DOMAINS = ["malicioussite.co.uk"]

# Define a function to detect potential malware traffic in a network capture file
def detect_malware_traffic(pcap_file):
    # Only HTTP requests carry a Host header, so filter to them up front
    # instead of inspecting every packet's highest layer
    cap = pyshark.FileCapture(pcap_file, display_filter="http.request")
    try:
        for pkt in cap:
            # Some requests have no Host header; pyshark raises AttributeError for missing fields
            if not hasattr(pkt.http, "host"):
                continue
            host = str(pkt.http.host).lower()
            # Match the domain itself and any subdomain of it
            if any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS):
                print(f"Malware traffic detected in frame {pkt.number}: Host {host}")
    finally:
        cap.close()

# Replace "capture.pcap" with your own pcap file to analyze
detect_malware_traffic("capture.pcap")

The script uses the YARA library to match traffic against malware patterns. It’s easy to customize with your own malware patterns or to modify the alert settings to meet your needs.

(3) SSH Login Attempt Monitor

Monitoring SSH login attempts is essential for securing your network against brute-force attacks. The SSH Login Attempt Monitor script uses Zeek’s SSH log to track successful and unsuccessful login attempts. When it detects multiple unsuccessful login attempts from the same IP address, it sends an alert to the network administrator.

import re
import subprocess
from collections import Counter

# sshd logs failures as e.g. "sshd[1234]: Failed password for invalid user admin from 192.0.2.1 port 54321 ssh2";
# the source address is the token after "from", not the last field of the line
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \w+ for .* from (\S+) port \d+")
THRESHOLD = 5  # failures from one IP before an alert is sent

# Define a function to monitor SSH login attempts and alert on suspicious activity
def monitor_ssh_login_attempts(threshold=THRESHOLD):
    # Follow the journal directly; piping through grep/awk block-buffers output when not on a tty,
    # so alerts would arrive late. "-n 0" skips history and only watches new entries.
    proc = subprocess.Popen(["journalctl", "-f", "-n", "0"], stdout=subprocess.PIPE, text=True)
    failures = Counter()
    for line in proc.stdout:
        match = FAILED_RE.search(line)
        if not match:
            continue
        ip = match.group(1)
        failures[ip] += 1
        # Alert once, when the same source reaches the threshold
        if failures[ip] == threshold:
            print(f"Suspicious SSH login attempt detected: {failures[ip]} failures from {ip}")

# Run the function to start monitoring SSH login attempts
monitor_ssh_login_attempts()

You could decide to adjust the number of unsuccessful login attempts before an alert is sent or modify the alert settings to meet your needs.
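All three sections describe reading Zeek's own logs (the SSL/x509, HTTP and SSH logs), so here is an added example, not code from the original post, that consumes Zeek's tab-separated log files directly with one small parser shared by the three checks. The log headers, sample records, the 30-day warning window and the malicious-domain list are constructed for this example; the column names follow Zeek's default x509.log, http.log and ssh.log fields, abridged to the ones used here.

```python
import datetime
from collections import Counter

# Minimal reader for Zeek's default TSV log format: "#fields" names the columns,
# other "#" lines are metadata, "-" means an unset value and "time" fields are epoch seconds.
def parse_zeek_log(text):
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#fields"):
            fields = raw.split("\t")[1:]
        elif raw.startswith("#") or not raw.strip():
            continue
        else:
            values = [v if v != "-" else None for v in raw.split("\t")]
            yield dict(zip(fields, values))

# (1) Certificates in x509.log that expire within `days` of `now` -> [(subject, days_left)]
def expiring_certs(x509_log, now, days=30):
    results = []
    for rec in parse_zeek_log(x509_log):
        exp = datetime.datetime.fromtimestamp(float(rec["certificate.not_valid_after"]),
                                              datetime.timezone.utc)
        days_left = (exp - now).days
        if days_left < days:
            results.append((rec["certificate.subject"], days_left))
    return results

# (2) HTTP requests in http.log whose Host header is a known-bad domain or a subdomain of one
def malicious_hosts(http_log, bad_domains):
    hits = []
    for rec in parse_zeek_log(http_log):
        host = (rec.get("host") or "").lower()
        if host and any(host == d or host.endswith("." + d) for d in bad_domains):
            hits.append((rec["id.orig_h"], host, rec.get("uri")))
    return hits

# (3) Source IPs in ssh.log whose failed authentication attempts reach `threshold`
def ssh_brute_force(ssh_log, threshold=5):
    failures = Counter()
    for rec in parse_zeek_log(ssh_log):
        if rec.get("auth_success") == "F":
            failures[rec["id.orig_h"]] += int(rec.get("auth_attempts") or 1)
    return {ip: n for ip, n in failures.items() if n >= threshold}

# Constructed sample logs (abridged; real Zeek logs carry more columns). Epoch 1700000000
# is 2023-11-14T22:13:20Z and serves as "now" for the certificate check.
NOW = datetime.datetime.fromtimestamp(1700000000, tz=datetime.timezone.utc)
MALICIOUS_DOMAINS = ["malicioussite.co.uk"]  # constructed, as in the post

X509_LOG = """#separator \\x09
#fields\tts\tid\tcertificate.subject\tcertificate.not_valid_before\tcertificate.not_valid_after
#types\ttime\tstring\tstring\ttime\ttime
1700000000.0\tF1\tCN=www.example.com\t1690000000.0\t1701000000.0
1700000000.0\tF2\tCN=mail.example.com\t1690000000.0\t1730000000.0
"""

HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1700000001.0\tC1\t10.0.0.5\t51000\t203.0.113.7\t80\tGET\tmalicioussite.co.uk\t/payload.bin
1700000002.0\tC2\t10.0.0.6\t51001\t203.0.113.8\t80\tGET\twww.example.com\t/
1700000003.0\tC3\t10.0.0.5\t51002\t203.0.113.9\t80\tGET\tcdn.malicioussite.co.uk\t/x
"""

SSH_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tauth_success\tauth_attempts
#types\ttime\tstring\taddr\tport\taddr\tport\tbool\tcount
1700000010.0\tS1\t198.51.100.9\t40000\t10.0.0.22\t22\tF\t3
1700000011.0\tS2\t198.51.100.9\t40001\t10.0.0.22\t22\tF\t3
1700000012.0\tS3\t10.0.0.5\t40002\t10.0.0.22\t22\tT\t1
1700000013.0\tS4\t192.0.2.44\t40003\t10.0.0.22\t22\tF\t2
"""

if __name__ == "__main__":
    print("Expiring certs:", expiring_certs(X509_LOG, NOW))
    print("Malicious hosts:", malicious_hosts(HTTP_LOG, MALICIOUS_DOMAINS))
    print("SSH brute force:", ssh_brute_force(SSH_LOG))
```

To run this against a live sensor, replace the embedded strings with the contents of the corresponding files under Zeek's log directory; because the parser reads column names from the "#fields" header rather than by position, it keeps working when your Zeek version adds or reorders columns.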

These three Zeek scripts can provide you with powerful new ways to secure your network. They're easy to customize and can be tailored to meet your specific needs. If you're not already using Zeek, I would recommend it from a learning standpoint more than anything, especially since it is so easy to script and play around with, as I've shown you in this article.