activecm / rita-legacy

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
GNU General Public License v3.0

How do I start RITA and zeek only to monitor DNS Traffic? #722

Open Blason opened 2 years ago

Blason commented 2 years ago

Hi Team,

I have a DNS firewall built on Ubuntu with BIND and RPZ; I wanted to leverage Zeek and RITA by installing them on the same server. However, since it is only a DNS server, I wanted to enable only the DNS protocol in Zeek. Since I am not a pro in Zeek, I am wondering how to do it. Can someone please help me enable DNS and disable everything else so that my system resources will be saved?

TIA Blason R

bekirk commented 2 years ago

I suspect that Zeek will only see DNS traffic and whatever else happens to this DNS server, like SSH and such. I don't think you will need to disable anything; it will just work like there is no other traffic. Try it out and see what you get with RITA. I imagine you will see DNS activity but no beacon activity nor other things that come from the connection data Zeek analyzes.

Thank you, Brian Kirk

Blason commented 2 years ago

OK, in this case, to analyse the beacon do I need to capture the network traffic as well?


bekirk commented 2 years ago

Yeah, you will need to have a SPAN or tap sent to a network interface that is in promiscuous mode and capture all the traffic. To this, I also have never used Zeek to capture traffic on an interface that was not in promiscuous mode, but I would expect it to work.

Blason commented 2 years ago

OK, the issue here is: since my server acts as a BIND recursive DNS server, enabling Zeek would definitely increase overhead, and I definitely would want to avoid that; hence I wanted only to capture the DNS traffic and then analyze it with RITA. Will that be good enough?


bekirk commented 2 years ago

If it is only capturing DNS, I would imagine Zeek wouldn't add much overhead, and RITA should only add a little since it won't have much, if any, beacon traffic to analyze.

You can also capture Zeek logs for your DNS on that server and scp them to another system for RITA to do the analysis. They don't need to run on the same system, and I think Mongo and RITA will be your biggest resource hogs, if they are using too much, that is, but I don't think they will.

Blason commented 2 years ago

Hmmm... That's a good idea and a valid point. However, I'm wondering if there is an automatic mechanism to transfer the logs over the internet?

And to detect a beacon what exact information is needed along with DNS? SSL certificate fingerprints? IP addresses?


Zalgo2462 commented 2 years ago

Hello, in order to detect network beacons associated with an external IP, RITA needs to analyze the Zeek conn.log (https://docs.zeek.org/en/master/logs/conn.html). In addition, to detect network beacons associated with an FQDN, RITA needs to analyze the Zeek dns.log (https://docs.zeek.org/en/master/logs/dns.html). Command and control channels which only use DNS, such as dnscat2 (https://github.com/iagox86/dnscat2), are able to be detected using the dns.log alone.

If you want to limit Zeek to only inspecting DNS traffic, follow the guide at https://www.activecountermeasures.com/improving-packet-capture-performance-1-of-3/. zeekctl.cfg is usually found at /usr/local/zeek/etc/zeekctl.cfg or /opt/zeek/etc/zeekctl.cfg.

If you are capturing internal <-> external connections on one Zeek system and capturing DNS on another, you would want to set up a cron job to scp the logs over from one system to the other, merge the two folders, and then run RITA on the resulting dataset.
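As an added example (not code from the RITA project or from anyone in this thread), a POSIX shell script for the two-system workflow described in the comment above: pull the DNS server's Zeek logs with scp, merge both log trees into one dataset directory without letting one host's conn.log overwrite the other's, check which RITA analyses the merged data can support, and import it. The function names, the host dns01, the dataset name dnsfw and the /opt/zeek/logs/YYYY-MM-DD layout are assumptions.

```shell
#!/bin/sh
# Added helper for the workflow in the last comment (not RITA's or Zeek's own code):
# pull the DNS server's Zeek logs to the sensor, merge the two log trees into one
# dataset directory, check which analyses that data supports, then import it.
# Assumptions: ssh key auth to the DNS host, Zeek logs under a per-day directory
# on both hosts (/opt/zeek/logs/YYYY-MM-DD), GNU date, and `rita import`
# walking subdirectories of the path it is given.

# copy_logs SRC DEST: copy Zeek logs (plain and .gz) and echo how many were copied.
copy_logs() {
    n=0
    mkdir -p "$2"
    for f in "$1"/*.log "$1"/*.log.gz; do
        if [ -f "$f" ]; then cp -p "$f" "$2/" && n=$((n + 1)); fi
    done
    echo "$n"
}

# merge_zeek_logs SRC_SENSOR SRC_DNS DEST: each host gets its own subdirectory,
# so a conn.log from the DNS server never overwrites the sensor's conn.log.
merge_zeek_logs() {
    a=$(copy_logs "$1" "$3/sensor")
    b=$(copy_logs "$2" "$3/dnsserver")
    echo $((a + b))
}

# check_dataset DIR: report which RITA analyses the merged tree can support
# (beacons by IP need conn.log; beacons by FQDN and DNS-only C2 need dns.log).
# Returns 0 only when both log types are present somewhere under DIR.
check_dataset() {
    conn=$(find "$1" -type f -name 'conn.*' -print -quit)
    dns=$(find "$1" -type f -name 'dns.*' -print -quit)
    [ -n "$conn" ] && echo "conn.log found: IP beacon analysis possible"
    [ -n "$dns" ] && echo "dns.log found: FQDN beacon / DNS-only C2 analysis possible"
    [ -n "$conn" ] && [ -n "$dns" ]
}

# sync_and_import DNS_HOST DATASET: the nightly cron body. Save this file with a
# final line 'sync_and_import "$@"' and schedule it, for example:
#   30 0 * * * /usr/local/bin/sync_and_import.sh dns01 dnsfw
sync_and_import() {
    day=$(date -d yesterday +%F)
    work=$(mktemp -d)
    mkdir -p "$work/dns"
    scp -q -r "$1:/opt/zeek/logs/$day/." "$work/dns/"
    merge_zeek_logs "/opt/zeek/logs/$day" "$work/dns" "$work/merged" >/dev/null
    check_dataset "$work/merged" || echo "warning: conn.log or dns.log missing" >&2
    rita import "$work/merged" "$2-$day"
}
```

If the DNS server only ever produces dns.log, check_dataset will still pass as long as the sensor side contributes conn.log; a warning on the cron output is the signal that one side's capture has stopped.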