cat dns.log | zeek-grep 3.109.209.43 | zeek-cut id.orig_h id.resp_h query
172.31.39.46 172.31.0.2 43.209.109.3.in-addr.arpa
172.31.39.46 172.31.0.2 ec2-3-109-209-43.ap-south-1.compute.amazonaws.com
172.31.39.46 172.31.0.2 ec2-3-109-209-43.ap-south-1.compute.amazonaws.com
Q2 -> time when the attacker started the attack
cat conn.log | zeek-cut id.orig_h | sort | uniq -c | sort -n
3.109.209.43 made the most connections to the target.
cat conn.log | zeek-grep 3.109.209.43 | zeek-cut ts id.orig_h id.resp_p | tail -1
1679397942.571299 3.109.209.43 22
date -d @1679397942.571299
Tue Mar 21 11:25:42 UTC 2023
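As an added example (not part of the original write-up), the same two questions answered by parsing conn.log in its native tab-separated form instead of with zeek-cut: the parser reads the #fields header, so it does not depend on column order. The log lines are constructed for this example; only the addresses and the final timestamp come from the write-up.

```python
# Added example: parse a Zeek TSV log, find the top-talking source and the
# first/last time it connected, then print the epoch as UTC like `date -d @`.
from collections import Counter
from datetime import datetime, timezone

# Constructed sample conn.log (a real one has more header lines and columns).
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1679397100.100000\tCabc1\t3.109.209.43\t51000\t172.31.39.46\t22\ttcp\tS0
1679397200.200000\tCabc2\t3.109.209.43\t51001\t172.31.39.46\t80\ttcp\tSF
1679397300.300000\tCabc3\t172.31.0.2\t53\t172.31.39.46\t40000\tudp\tSF
1679397942.571299\tCabc4\t3.109.209.43\t51002\t172.31.39.46\t22\ttcp\tSF
#close\t2023-03-21-12-00-00
"""


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]          # drop the "#fields" token
        elif line.startswith("#") or not line:
            continue                               # other headers, #close, blanks
        else:
            if fields is None:
                raise ValueError("data line before #fields header")
            yield dict(zip(fields, line.split("\t")))


def top_talker(records):
    """Return (id.orig_h, count) for the source with the most connections."""
    return Counter(r["id.orig_h"] for r in records).most_common(1)[0]


def activity_window(records, orig_h):
    """Return (first_ts, last_ts) as epoch floats for connections from orig_h."""
    ts = sorted(float(r["ts"]) for r in records if r["id.orig_h"] == orig_h)
    return ts[0], ts[-1]


def to_utc(epoch):
    """Render an epoch float in UTC, in the order `date -d @<ts>` prints it."""
    dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return dt.strftime("%a %b %d %H:%M:%S UTC %Y")


if __name__ == "__main__":
    recs = list(parse_zeek_log(SAMPLE_CONN_LOG))
    ip, n = top_talker(recs)
    first, last = activity_window(recs, ip)
    print(f"{ip}: {n} connections, first {to_utc(first)}, last {to_utc(last)}")
```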