Zeek Exercises | TryHackMe - Walkthrough
Ismael Forest

Publish Date: Jul 29

Hey all, in this room we are putting to use the skills learned in the previous room, Zeek, to analyze PCAP files containing malware or evidence of attacks on the network.

Task 1: Introduction

The room invites you to a challenge: investigate a series of traffic captures and stop malicious activity under different scenarios. Let's start working with Zeek to analyse the captured traffic. If you haven't done the Zeek room yet, you should do so first!

Task 2: Anomalous DNS

In this task we are analyzing dns-tunneling.pcap. DNS tunneling is an attack in which a bad actor encodes a file or command into the subdomain labels of DNS queries so that the data passes through a firewall that allows DNS traffic.

2.1 What is the number of DNS records linked to the IPv6 address?

Run cat dns.log | grep AAAA | wc -l; AAAA records map a domain name to an IPv6 address.

Answer: 320

2.2 What is the longest connection duration?

To get the longest connection duration, run this command:
cat conn.log | zeek-cut duration | sort -nr | head -1
Answer: 9.420791

2.3 What is the number of unique domain queries?
