Zeek supports signatures to have rules and event correlations to find noteworthy activities on the network. Zeek signatures use low-level pattern matching and cover conditions similar to Snort rules. Unlike Snort rules, Zeek rules are not the primary event detection point. Zeek has a scripting language and can chain multiple events to find an event of interest.

Zeek signatures are composed of three logical paths; signature id, conditions and action.

Logical path Breakdown
Signature id Unique signature name.
Conditions Header: Filtering the packet headers for specific source and destination addresses,
protocol and port numbers.
Content: Filtering the packet payload for specific value/pattern.
Action Default action: Create the signatures.log file in case of a signature match.
Additional action: Trigger a Zeek script.

The most common conditions and filters for Zeek signatures:

Condition Field Available Filters
Header src-ip: Source IP.
dst-ip: Destination IP.
src-port: Source port.
dst-port: Destination port.
ip-proto: Target protocol. Supported protocols; TCP, UDP, ICMP, ICMP6, IP, IP6
Content payload: Packet payload.
http-request: Decoded HTTP requests.
http-request-header: Client-side HTTP headers.
http-request-body: Client-side HTTP request bodys.
http-reply-header: Server-side HTTP headers.
http-reply-body: Server-side HTTP request bodys.
ftp: Command line input of FTP sessions.
Context same-ip: Filtering the source and destination addresses for duplication.
Action event: Signature match message.
==, !=, <, <=, >, >=
NOTE! Filters accept string, numeric and regex values.

To run Zeek with a signature file:

zeek -C -r sample.pcap -s sample.sig
  • -C: Ignore checksum errors.

  • -r: Read pcap file.

  • -s: Use signature file.


Ensure you are in the right directory to find the pcap file and accompanying files: Desktop/Exercise-Files/TASK-5.


Investigate the http.pcap file. Create the HTTP signature and investigate the pcap.

nano http-password.sig

HTTP signature:

signature http-password {
    ip-proto == tcp
    dst-port == 80
    payload /.*password.*/
    event "Clear-text password found."

Run zeek:

zeek -C -r http.pcap -s http-password.sig

What is the source IP of the first event?

cat signatures.log | zeek-cut src_addr <=

What is the source port of the second event?

cat signatures.log | zeek-cut src_port
38712 <=

Investigate the conn.log. What is the total number of the sent and received packets from source port 38706?

cat conn.log | zeek-cut id.orig_p id.resp_h id.resp_p proto service orig_pkts orig_ip_bytes resp_pkts
38704	80	tcp	-	4	216	2
38706	80	tcp	http	11	1815	9  <= Total 20
38708	80	tcp	-	4	216	2
38710	80	tcp	-	4	216	2
38712	80	tcp	http	6	1272	5


Create signature file and investigate the ftp.pcap file.

signature ftp-username {
    ip-proto == tcp
    ftp /.*USER.*dmin.*/
    event "FTP Username Input Found!"

signature ftp-brute {
    ip-proto == tcp
    payload /.*530.*Login.*incorrect.*/
    event "FTP Brute-force Attempt!"

Run zeek:

zeek -C -r ftp.pcap -s ftp-bruteforce.sig

Investigate the notice.log. What is the number of unique events?

Top of the file:

cat notice.log | head -10
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open	2022-11-28-21-49-01
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_descproto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval	string	string	string	double	double
1024380731.015090	CCKUOW2neqARiqxzI6	2217	21	-	-	-	tcp	Signatures::Sensitive_Signature FTP Brute-force Attempt!	530 Login incorrect.\x0d\x0a	21	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	--
1024380731.043248	C57fWGbeB8QktlHv5	2220	21	-	-	-	tcp	Signatures::Sensitive_Signature FTP Brute-force Attempt!	530 Login incorrect.\x0d\x0a	21	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-

And construct command:

cat notice.log | zeek-cut uid | sort | uniq | wc -l

What is the number of ftp-brute signature matches?

cat signatures.log | grep "ftp-brute" | wc -l