Hi,
Following my previous email, Zeek started extracting some .exe files but not all. If, for example, I download twenty .exe files over HTTP from a certain website, Zeek extracts about 2 or 3 out of 20. Is there a reason why Zeek is not recognizing and extracting all .exe files? Also, I added binary .bin files to be extracted; however, it is not extracting them.
Note: I am downloading all files over the HTTP protocol only, not SSL.
Thank you for your help
Regards,
Hank
What do the conn and http log entries look like for the file transfers
that are not being extracted?
Could this be caused by capture loss? If you don’t have all the packets you can’t reconstruct.
Looking into the http and conn logs, I can see that the downloaded .exe files appear in http.log; however, most of the time the .exe files are not recognized as application/x-dosexec. For example, I tried downloading the same .exe file several times, and it was recognized as x-dosexec only once. Also, there is a delay before the traffic appears in the http or conn logs.
Note: Due to a lack of resources, the lab is made up of a single HP server running Windows 10, which hosts three VMs in VMware Workstation Pro.
The Zeek VM works as an IP forwarder with two interfaces: one is connected to the client PC (internal) and the second is connected to the internet. The client PC is a Windows 7 machine whose gateway IP is the internal interface of the Zeek machine, and it gets internet access through the Zeek VM.
The third machine is a web server with a single interface that is in the same subnet as Zeek's second interface (connected to the internet).
I configured Zeek to monitor the internal interface and the subnet of the client PC.
Hi Mike, I checked the capture_loss log and found several records there. I analyzed the traffic using Wireshark and observed packet loss when downloading the .exe or .bin files. I am not sure what is causing the problem, so I am trying to figure it out. Is there anything to do on Zeek in such a case?
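The two threads of this discussion, extraction keyed on the sniffed MIME type and the suspicion that capture loss is what prevents reassembly, can be checked from one Zeek script. The following is an added example written for this page, not code posted by any participant on the thread. It selects files for extraction in the `file_sniff` event (where the MIME type becomes available) and, when a file is done, reports how many bytes Zeek never saw, so that a file that was not extracted or not identified as `application/x-dosexec` can be matched against gaps in the capture. The MIME list is an assumption: a raw `.bin` payload has no signature of its own and is normally sniffed as `application/octet-stream`, so adjust the set to whatever `files.log` actually reports. Note also that MIME sniffing runs over the first bytes of the file, so if those bytes are among the lost packets the `MZ` signature is never matched and the `mime_type` field stays empty or generic.

```zeek
##! Added example (not part of the original thread): extract files by sniffed
##! MIME type and report files that finished with missing bytes, which is what
##! capture loss looks like from inside the file analysis framework.

@load base/frameworks/files
@load base/files/extract

module ExtractByMime;

export {
    ## MIME types to hand to the extract analyzer. application/x-dosexec is
    ## what Zeek reports for PE (.exe) files; application/octet-stream is an
    ## assumption for the opaque .bin payloads in the thread.
    const extract_types: set[string] = {
        "application/x-dosexec",
        "application/octet-stream",
    } &redef;
}

## file_sniff fires once the MIME type has been determined from the
## beginning-of-file buffer. If that buffer was never filled because the first
## packets were lost, meta$mime_type may be absent and nothing is extracted.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( ! meta?$mime_type )
        return;

    if ( meta$mime_type !in extract_types )
        return;

    # Name the output after the source (e.g. HTTP) and the file id so it can be
    # joined back to files.log. Files land under FileExtract::prefix.
    local fname = fmt("%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname]);
    }

## file_state_remove fires when Zeek is done with a file. missing_bytes counts
## payload Zeek knows existed (from sequence numbers) but never received; a
## non-zero value here on a file that was not extracted points at capture loss
## rather than at the extraction configuration.
event file_state_remove(f: fa_file)
    {
    if ( f$missing_bytes == 0 )
        return;

    local total = f?$total_bytes ? fmt("%d", f$total_bytes) : "unknown";
    Reporter::info(fmt("file %s from %s: %d bytes missing (seen %d of %s); capture loss likely",
                       f$id, f$source, f$missing_bytes, f$seen_bytes, total));
    }
```

Load it with `zeek -i <iface> extract-by-mime.zeek` (or add it to `local.zeek`) and compare `files.log`: the `missing_bytes` and `mime_type` columns for the transfers that were not extracted are the direct evidence for or against the capture-loss explanation raised above, independent of any `.exe`/`.bin` file-name heuristics.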