-
Notifications
You must be signed in to change notification settings - Fork 0
/
Zui usage
54 lines (31 loc) · 1.23 KB
/
Zui usage
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
step1
transger pcapng to zng
command
C:\Users\andrew\Downloads\brimcap-v1.6.0.windows-amd64\brimcap\brimcap.exe analyze %CD%\%%x > %CD%\%%x.zng
for /F %%x in ('dir /b %CD% ' ) do (
C:\Users\andrew\Downloads\brimcap-v1.6.0.windows-amd64\brimcap\brimcap.exe analyze %CD%\%%x > %CD%\%%x.zng
)
pause
brimcap 載點:
https://github.com/brimdata/brimcap/releases
Step 2 if the pcap is too huge pleasw use the editpcap to divid it
"C:\Program Files (x86)\Wireshark\editcap.exe" -c 200000 input.pcap output.pcap
ref :https://microchip.my.site.com/s/article/Split-large-PCAP-file-into-smaller-PCAP-files
Step 3 run Zui
some basic command you may need
command:
conn | TCP | count() by id.resp_h
target IP
# 統計 IP 地址及連接數並輸出
local counts = conn | count() by id.resp_h;
print "IP 地址\t連接數";
foreach (counts) {
print fmt("%s\t%d", $key, $value);
}
Step4 focus on a specific IP or C2
id.resp_h==159.138.AA.XX or id.orig_h==159.138.AA.XX
語法參考
id.resp_h==IP1 or id.orig_h==IP1
or id.resp_h==IP2 or id.orig_h==IP@ | geo.orig.country_code=="TW" or geo.resp.country_code=="TW"
分析說明
https://docs.zeek.org/en/current/scripts/base/protocols/conn/main.zeek.html