Unable to generate intel.log

Zeek
1

I’m trying to detect connections to specific IP addresses using the Intelligence framework. I read the documentation, however I have trouble getting even a basic test scenario working.

No matter what I do, it seems like no intel.log is being generated.

I followed these steps:

  1. Create a intel file to match against. I’m calling it test.txt and include a sample domain and IP address:
    #fields	indicator	indicator_type	meta.source	meta.desc
heise.de	Intel::DOMAIN	test_source	Heise Domain
193.99.144.80	Intel::ADDR	test_source	Heise IP
  2. Add the following to the end of /opt/zeek/share/zeek/site/local.zeek:
    @load frameworks/intel/seen
redef Intel::read_files += { "/opt/zeek/intel/test.txt" };
  3. Create a sample PCAP using tcpdump. While the capture is running, I navigate to the test URL on a webbrowser:
    sudo tcpdump -w capture.pcap
  4. Run Zeek on the PCAP file:
    sudo /opt/zeek/bin/zeek /opt/zeek/share/zeek/site/local.zeek -r capture.pcap -C LogAscii::use_json=T

I would expect to see a intel.log file being generated with this, however I don’t get any as a result. I only get the following files:

capture_loss.log
capture.pcap
conn.log
dns.log
known_hosts.log
known_services.log
loaded_scripts.log
packet_filter.log
quic.log
ssl.log
stats.log
telemetry.log
x509.log

I checked the loaded_scripts.log and was able to verify that the intel framework was loaded. I can also see the domain and IP address show up in various Zeek logs such as conn.log, dns.log or ssl.log.
I’m using Zeek 8.0.6, the current LTS version.

Can you please point me towards what I’m doing wrong?

2

Hi,

there are a couple of possible cases for this to happen. The first one is that, when processing pcaps, there always is a bit of a race condition between the input framework and the pcap processing. Both happen simultaneously - and pcap processing (for small pcaps) often is faster.

You can load a short script that suspends processing till after the intelligence file is loaded, e.g. like this:

event zeek_init()
        {
        suspend_processing();
        }

event Input::end_of_data(name: string, source: string)
        {
        if ( /^intel-/ in name )
                continue_processing();
        }

The second possibility is that only a quic connection is established (via udp). UDP connections don’t automatically trigger the intelligence framework.

1 Like
3

Hey, thanks for the quick response.

I was able to test your suggestion and indeed pausing the processing worked. The intel.log file gets generated without issue now.