
Zeek (formerly BRO) | Tryhackme Walkthrough

👋Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics—based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions — I am more than happy to help.

Zeek is a powerful network security monitoring tool that analyzes network traffic deeply.
It’s used to detect suspicious behavior, generate detailed logs, and help in threat hunting or incident response.
Unlike Snort, which only raises alerts based on signatures, Zeek records rich contextual data for analysis.
It uses scripts and policies to detect both known and unknown threats.
Zeek’s modular frameworks and packages make it highly flexible and extendable for custom network analysis.

Task 2: Zeek Fundamentals

Once you run Zeek, it starts investigating the live traffic or the given pcap file and generates logs on its own.

When you process a pcap with Zeek, it creates the logs in the current working directory.

If you run Zeek as a service, your logs are written to the default log path.

The default log path is: /opt/zeek/logs/

Version check:

We can use Zeek in two ways:

  • running it as a service, for live network traffic monitoring
  • running it against a pcap, as a pcap investigator

Let's start Zeek as a service!

To do this, we need to use the "ZeekControl" module, as shown below. The "ZeekControl" module requires superuser permissions to use.

It requires sudo privileges: either prefix each command with sudo, or switch to root first with sudo su. The basic commands are:

zeekctl status

zeekctl start

zeekctl stop

PCAP investigation:

zeek -C -r pcapfile

-r reads the given pcap file, -C tells Zeek to ignore checksum errors.

Zeek then processes the file, parses the packets, and generates a separate log for each protocol it sees.

Desktop/Exercise-Files/TASK-2

What is the installed Zeek instance version number?

Ans: 4.2.1

What is the version of the ZeekControl module?

Ans: 2.4.0

Investigate the "sample.pcap" file. What is the number of generated alert files?

Ans: 8

Task 3: Logs

Learn: log categories, which logs are updated daily or per session, and the most used logs.

Recall 1: Zeek is capable of generating 50+ logs and categorizes them into seven categories.

Zeek logs are well structured, tab-separated ASCII files, so reading and processing them is easy, though it still takes some effort.

To view logs: use cat or a text editor like pluma or nano.

Recall 2: Investigating the generated logs will require command-line tools (cat, cut, grep, sort, and uniq) and additional tools (zeek-cut).

Each log file provides "field names" in the beginning. This information will help you while using zeek-cut. Make sure that you use the "fields" line and not the "types" line.

To get specific columns (fields): use zeek-cut or the standard commands (cat, cut, grep, sort, uniq).

💡 Understand the log type: know what it records and which fields it contains.

After that, sort or filter the data on the relevant fields.

Desktop/Exercise-Files/TASK-3

Investigate the sample.pcap file. Investigate the dhcp.log file. What is the available hostname?

Ans: Microknoppix


Investigate the dns.log file. What is the number of unique DNS queries?

Ans: 2

Investigate the conn.log file. What is the longest connection duration?

Ans: 332.319364

Extra: head prints the first 10 lines of a file by default.

Task 5: Zeek Signatures

Zeek signatures support regex. Regex ".*" matches any character zero or more times. The rule will match when a "given" phrase is detected in the packet payload. Once the match occurs, Zeek will generate an alert and create additional log files (signatures.log and notice.log).

Each exercise has a folder. Ensure you are in the right directory to find the pcap file and accompanying files. Desktop/Exercise-Files/TASK-5

  1. Investigate the http.pcap file. Create the  HTTP signature shown in the task and investigate the pcap. What is the source IP of the first event?

Ans: 10.10.57.178

The HTTP signature file is already provided — open it and make the required modifications. You can simply copy the given HTTP signature from this task.

Next, run this signature against the http.pcap file.

After execution, new log files will be generated — specifically notice.log and signatures.log.

Analyzing signatures.log

  2. What is the source port of the second event?

Ans: 38712

  3. Investigate the conn.log. What is the total number of the sent and received packets from source port 38706?

Ans: 20

Hint: sent packets are orig_pkts, received packets are resp_pkts, and the source port is id.orig_p.

Create the global rule shown in the task and investigate the ftp.pcap file.

  4. Investigate the notice.log. What is the number of unique events?

Ans: 1413

Hint: uid, sort, and uniq will help.

Only load the ftp-brute-force signature file here. If you load both signatures, the number of matches is higher and the notice.log event count changes as well.

  5. What is the number of ftp-brute signature matches?

Ans: 1410

For this question you can load both signature files and count the hits per signature. This prints how many times each signature matched:

cat signatures.log | zeek-cut sig_id | sort | uniq -c

Task 6: Zeek Scripts | Fundamentals

Each exercise has a folder. Ensure you are in the right directory to find the pcap file and accompanying files. Desktop/Exercise-Files/TASK-6

  1. Investigate the smallFlows.pcap file. Investigate the dhcp.log file. What is the domain value of the "vinlap01" host?

Ans: astaro_vineyard

  2. Investigate the bigFlows.pcap file. Investigate the dhcp.log file. What is the number of identified unique hostnames?

Ans: 17

One record has no hostname value, so it is not counted.

  3. Investigate the dhcp.log file. What is the identified domain value?

Ans: jaalam.net

cat dhcp.log | zeek-cut domain | sort | uniq -c

Task 7: Zeek Scripts | Scripts and Signatures

Each exercise has a folder. Ensure you are in the right directory to find the pcap file and accompanying files. Desktop/Exercise-Files/TASK-7

Go to folder TASK-7/101.
1. Investigate the sample.pcap file with 103.zeek script. Investigate the terminal output. What is the number of the detected new connections?

Ans: 87

Observe how the script works, then delete the logs it created with ./clear-logs.sh.

Run the same Zeek command again, this time piping its output through the following to count the matching lines:

grep -i "new connection found" | wc -l

Go to folder TASK-7/201.
2. Investigate the ftp.pcap file with ftp-admin.sig signature and 201.zeek script. Investigate the signatures.log file. What is the number of signature hits?

Ans: 1401

3. Investigate the signatures.log file. What is the total number of "administrator" username detections?

Ans: 731

4. Investigate the ftp.pcap file with all local scripts, and investigate the loaded_scripts.log file. What is the total number of loaded scripts?

Ans: 498

Go to folder TASK-7/202.
Investigate the ftp-brute.pcap file with "/opt/zeek/share/zeek/policy/protocols/ftp/detect-bruteforcing.zeek" script. Investigate the notice.log file. What is the total number of brute-force detections?

Ans: 2

Task 8: Zeek Scripts | Frameworks

Each exercise has a folder. Ensure you are in the right directory to find the pcap file and accompanying files. Desktop/Exercise-Files/TASK-8

  1. Investigate the case1.pcap file with hash-demo.zeek script. Investigate the files.log file. What is the MD5 hash of the downloaded .exe file?

Ans: cc28e40b46237ab6d5282199ef78c464

  2. Investigate the case1.pcap file with file-extract-demo.zeek script. Investigate the "extract_files" folder. Review the contents of the text file. What is written in the file?

Ans: Microsoft NCSI

  3. Investigate the case1.pcap file with intelligence-demo.zeek script. Investigate the intel.log file. Look at the second finding, where was the intel info found?

Ans: IN_HOST_HEADER

  4. Investigate the http.log file. What is the name of the downloaded .exe file?

Ans: knr.exe

Alternatively, grep the log for the extension:

cat http.log | zeek-cut | grep ".exe"

Task 9: Zeek Scripts | Packages

Each exercise has a folder. Ensure you are in the right directory to find the pcap file and accompanying files. Desktop/Exercise-Files/TASK-9

  1. Investigate the http.pcap file with the zeek-sniffpass module. Investigate the notice.log file. Which username has more module hits?

Ans: BroZeek

  2. Investigate the case2.pcap file with geoip-conn module. Investigate the conn.log file. What is the name of the identified City?

Ans: Chicago

Alternatively: cat conn.log | zeek-cut geo.resp.city | sort | uniq -c

  3. Which IP address is associated with the identified City?

Ans: 23.77.86.54

  4. Investigate the case2.pcap file with sumstats-counttable.zeek script. How many types of status codes are there in the given traffic capture?

Ans: 4

Finally, we did it! Congratulations.

Happy Hunting!