30 - making changes to local.zeek

Making changes to local.zeek to extract files.
...

/usr/local/zeek/share/zeek/site/local.zeek

root@53ef41d5da39:/usr/local/zeek/share/zeek# find . | grep extract
./base/files/extract
./base/files/extract/main.zeek
./base/files/extract/__load__.zeek
./policy/protocols/http/var-extraction-uri.zeek
./policy/protocols/http/var-extraction-cookies.zeek
./policy/frameworks/intel/seen/smtp-url-extraction.zeek
./policy/frameworks/files/extract-all-files.zeek
./policy/tuning/defaults/extracted_file_limits.zeek

added this line to local.zeek (screenshot)

also copied local.zeek to custom.zeek

cp local.zeek custom.zeek
zeek -C -r Capture.pcap custom


now there is a new folder, extract_files

cat http.log | zeek-grep Wget | less -S


ls extract_files/ | grep FM4a5p1MGD3XkvhPU7

extract-1679398954.413587-HTTP-FM4a5p1MGD3XkvhPU7


the file was 100M, maybe that's the reason my unzip failed

but running 7z l on the file I was able to get the ransomware name -> gonnacry

7z l extract-1679398954.413587-HTTP-FM4a5p1MGD3XkvhPU7


Finding more file uids via ftp.log
...

cat ftp.log | zeek-grep RETR | zeek-cut command arg fuid

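As an added example (not part of these notes), a small Python script that does the same join the http.log and ftp.log commands above do by hand: parse the Zeek TSV logs, pull the fuid column, and match it against the extract-<ts>-<source>-<fuid> names Zeek writes into extract_files/. The log rows and the directory listing are constructed samples.

```python
import re
# Constructed samples of Zeek ASCII (TSV) logs, trimmed to a few fields; real logs carry more.
SAMPLE_HTTP_LOG = """#fields\tts\tuid\tmethod\thost\turi\tuser_agent\tresp_fuids
1679398954.413587\tCHhAvVGS1DHFjwGM9\tGET\t10.0.0.9\t/payload.zip\tWget/1.21\tFM4a5p1MGD3XkvhPU7
1679398960.000000\tCo6p4z3uk8z1VnGF5e\tGET\t10.0.0.9\t/\tMozilla/5.0\t-
"""
SAMPLE_FTP_LOG = """#fields\tts\tuid\tcommand\targ\tfuid
1679398961.100000\tCmd5Hh3kLp9QrStUv\tRETR\tftp://10.0.0.9/tools.tar\tFk7aBc2dEf3GhIjKl
1679398962.000000\tCmd5Hh3kLp9QrStUv\tPWD\t-\t-
"""
# Constructed listing of extract_files/; Zeek names each file extract-<ts>-<source>-<fuid>.
SAMPLE_EXTRACTED = ["extract-1679398954.413587-HTTP-FM4a5p1MGD3XkvhPU7",
                    "extract-1679398961.100000-FTP_DATA-Fk7aBc2dEf3GhIjKl"]

EXTRACT_NAME = re.compile(r"^extract-(?P<ts>[\d.]+)-(?P<source>[A-Z0-9_]+)-(?P<fuid>F\w+)$")

def parse_zeek_log(text):
    """Parse a Zeek ASCII log into row dicts, taking column names from the #fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, #close) and blanks
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def index_extracted(names):
    """Map fuid -> on-disk filename for everything the extraction policy wrote out."""
    idx = {}
    for name in names:
        m = EXTRACT_NAME.match(name)
        if m:
            idx[m.group("fuid")] = name
    return idx

def correlate(log_text, fuid_field, extracted_names, match=None):
    """Join log rows to extracted files on fuid; `match` is an optional (field, substring)
    filter such as ("user_agent", "Wget"). Returns [(fuid, row, extracted filename), ...]."""
    idx = index_extracted(extracted_names)
    hits = []
    for row in parse_zeek_log(log_text):
        if match and match[1] not in row.get(match[0], ""):
            continue
        for fuid in row.get(fuid_field, "-").split(","):  # vector fields are comma-separated
            if fuid in idx:
                hits.append((fuid, row, idx[fuid]))
    return hits
```

For a real capture, read http.log/ftp.log from disk and pass `os.listdir("extract_files")` in place of the constructed listing.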