known_*.log and software.log¶
Zeek produces several logs that help summarize certain aspects of the network it monitors. These logs track a few aspects of the local network, such as SSL/TLS certificates, host IP addresses, services, and applications.
The sections which follow will present examples of entries in
known_certs.log
, known_hosts,log
, known_services.log
,
and software.log
files collected on live networks.
For full details on each field of those log files, see
Known::CertsInfo
, Known::HostsInfo
,
Known::ServicesInfo
, and Software::Info
.
known_certs.log
¶
The known_certs.log
captures information about SSL/TLS certificates
seen on the local network. Here is one example:
{
"ts": "2020-12-31T15:15:53.690221Z",
"host": "192.168.4.1",
"port_num": 443,
"subject": "L=San Jose,ST=CA,O=Ubiquiti Networks,CN=UBNT Router UI,C=US",
"issuer_subject": "L=San Jose,ST=CA,O=Ubiquiti Networks,CN=UBNT Router UI,C=US",
"serial": "98D0AD47D748CDD6"
}
This example shows a device offering a TLS server on port 443 TCP, with a certificate associated with Ubiquiti Networks.
known_hosts.log
¶
The known_hosts.log
simply records a timestamp and an IP address when
Zeek observes a new system on the local network.
{"ts":"2021-01-03T01:19:26.260073Z","host":"192.168.4.25"}
{"ts":"2021-01-03T01:19:27.353353Z","host":"192.168.4.29"}
{"ts":"2021-01-03T01:19:32.488179Z","host":"192.168.4.43"}
{"ts":"2021-01-03T01:19:58.792683Z","host":"192.168.4.142"}
...edited...
{"ts":"2021-01-03T12:17:22.496004Z","host":"192.168.4.115"}
This edited example shows how this log could be part of an IP address inventory program.
known_services.log
¶
The known_services.log
records a timestamp, IP, port number, protocol,
and service (if available) when Zeek observes a system offering a new service
on the local network. Here is what a single entry looks like:
{
"ts": "2021-01-03T01:19:36.242774Z",
"host": "192.168.4.1",
"port_num": 53,
"port_proto": "udp",
"service": [
"DNS"
]
}
For the following list, I used the jq utility to remove the timestamp but show the other log values.
["192.168.4.43",51472,"tcp",[]]
["192.168.4.1",443,"tcp",["SSL"]]
["192.168.4.1",80,"tcp",["HTTP"]]
["192.168.4.1",22,"tcp",["SSH"]]
["192.168.4.1",53,"tcp",["DNS"]]
["192.168.4.1",123,"udp",["NTP"]]
["192.168.4.50",49745,"tcp",[]]
["192.168.4.158",4500,"udp",[]]
["192.168.4.159",53032,"tcp",[]]
["192.168.4.142",36807,"udp",[]]
["192.168.4.1",53,"udp",["DNS"]]
["192.168.4.149",8080,"tcp",["HTTP"]]
["192.168.4.1",67,"udp",["DHCP"]]
["192.168.4.43",64744,"tcp",[]]
["192.168.4.43",52793,"tcp",[]]
["192.168.4.29",52827,"tcp",[]]
["192.168.4.43",64807,"tcp",[]]
["192.168.4.43",64752,"tcp",[]]
["192.168.4.149",3478,"udp",[]]
Note how many of the services do not have names associated with them.
software.log
¶
Zeek’s software.log
collects details on applications operated by the
hosts it sees on the local network. The log captures information like the
following:
{
"ts": "2021-01-03T00:16:22.694616Z",
"host": "192.168.4.25",
"software_type": "HTTP::BROWSER",
"name": "Windows-Update-Agent",
"version.major": 10,
"version.minor": 0,
"version.minor2": 10011,
"version.minor3": 16384,
"version.addl": "Client",
"unparsed_version": "Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"
}
It is amazing in 2021 that so many modern applications still use clear text protocols subject to collection and analysis by software like Zeek.
Services beyond HTTP may also reveal interesting details. Consider these three entries:
["192.168.4.1","SSH::SERVER","OpenSSH",6,6,1,null,"p1","OpenSSH_6.6.1p1 Debian-4~bpo70+1"]
["192.168.4.37","SSH::CLIENT","OpenSSH",6,6,1,null,"p1","OpenSSH_6.6.1p1 Debian-4~bpo70+1"]
["192.168.4.37","SSH::CLIENT","OpenSSH",7,6,null,null,"p1","OpenSSH_7.6p1"]
These examples show an SSH server and two different SSH clients.
Conclusion¶
Details recorded in known_certs.log
, known_hosts,log
,
known_services.log
, and software.log
files can help network and
security analysts better understand the nature of the activity in their
environment. Some of this information relies on capturing clear text, while
other aspects are based solely on the presence of the services and hosts on the
network.