
I am using Zeek standalone for learning purposes and I am facing the following issue with the log files: I am missing the "loaded_scripts.log" file from the current folder. I have followed the installation guide from Rapid7 and the Zeek manual, so I think the installation is not an issue here. I am running some scripts and expect them to be loaded in the "loaded_scripts.log" folder, but I don't see one. Is it a good idea to create one manually, and if so, can someone help me with what should be included in the file while creating it and how to load/declare scripts in that log file?

David Hoelzer
Rut
  • Sounds like the problem here is that the loaded-scripts.zeek script itself isn't loaded. It's the script that produces the loaded_scripts.log. How exactly are you invoking Zeek, and what's in your `ZEEKPATH` environment variable? Try adding `local` to the list of loaded files; this would try to pull in local.zeek from your site folder. Alternatively, try adding `loaded-scripts` directly. – Christian Dec 17 '19 at 23:51
  • I have a pcap file and have written a small script to test it. I am executing the following command: `zeek -r isc.pcap dns-isc.bro`. My zeek path environment variable is set using the following command: `export PATH=/usr/local/zeek/bin:$PATH`. Based on my understanding, running the above zeek command adds dns-isc.bro to loaded_scripts.log automatically, but for some reason the file is not present in the location /usr/local/zeek/logs/current. – Rut Dec 23 '19 at 16:50
  • There are the following files at this location: capture_loss.log conn.log dhcp.log dns.log files.log http.log ssl.log stats.log stderr.log stdout.log weird.log. I found local.zeek in the site folder; now what exactly should I do to solve it? Thank you for helping me out. – Rut Dec 23 '19 at 16:51
  • Does it work when you say `zeek -r isc.pcap dns-isc.bro misc/loaded-scripts.zeek`? There's too much here to explain — PATH isn't the same as ZEEKPATH, I don't know what's in dns-isc.bro, etc. My recommended approach is still to add `loaded-scripts.zeek` directly to the invocation, until you get the desired log. You may need to try some variations of the path, depending on what's in your ZEEKPATH environment variable. Try the full, absolute path to it if all else fails. – Christian Jan 02 '20 at 22:45
  • Upon running the command mentioned by you, it still does not show the desired log file in the location. Following is my dns-isc.bro:
    module DNS;
    # The notice type declared here must be the same name used in NOTICE() below.
    redef enum Notice::Type += { DNSTEST };
    # dns_request is raised once per DNS query; the queried name arrives as `query`.
    event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
        {
        if ( query == "virustotal.com" )
            NOTICE([$note=DNSTEST, $msg="Found dns request to Virustotal", $conn=c]);
        }
    – Rut Jan 06 '20 at 14:56
  • Can you please guide me on how to add "loaded-scripts.zeek" directly to the invocation. Where can I find this zeek file? – Rut Jan 06 '20 at 15:02
  • NVM!!! Got the file "loaded_scripts.log" at the desired location while testing some other signatures. Thanks for your help :) – Rut Jan 06 '20 at 17:09
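The advice in the comments, put into a checkable form (an added example; not code from the post or from the Zeek project): a POSIX sh script that resolves `misc/loaded-scripts.zeek` through ZEEKPATH rather than PATH, runs Zeek with that script pulled in explicitly, and then confirms that a given user script appears in loaded_scripts.log. The default ZEEKPATH directories and the /usr/local/zeek prefix are assumptions; a `zeek` binary is needed only for `run_and_verify`.

```shell
#!/bin/sh
# Added example, not from the post or the Zeek project.
# Assumption: Zeek installed under /usr/local/zeek with the standard layout.

# Print the first ZEEKPATH directory that contains the named script
# (e.g. misc/loaded-scripts.zeek). zeek resolves script names through
# ZEEKPATH, not PATH, which is what the thread's confusion was about.
find_zeek_script() {
    script="$1"
    zp="${ZEEKPATH:-.:/usr/local/zeek/share/zeek:/usr/local/zeek/share/zeek/policy:/usr/local/zeek/share/zeek/site}"
    old_ifs="$IFS"
    IFS=:
    for dir in $zp; do
        if [ -f "$dir/$script" ]; then
            IFS="$old_ifs"
            printf '%s\n' "$dir/$script"
            return 0
        fi
    done
    IFS="$old_ifs"
    return 1
}

# Return 0 if loaded_scripts.log lists a script whose basename matches $2,
# 1 if it does not, 2 if the log is absent (loaded-scripts.zeek not loaded).
# The log is Zeek ASCII format: '#' header lines, then one path per row.
script_was_loaded() {
    log="$1"
    name="$(basename "$2")"
    [ -f "$log" ] || return 2
    awk -v n="$name" '!/^#/ { sub(/.*\//, ""); if ($0 == n) found = 1 }
                      END { exit !found }' "$log"
}

# Run Zeek on a pcap with loaded-scripts pulled in explicitly (as suggested
# in the comments), then verify the user script shows up in the log that is
# written to the current directory.
run_and_verify() {
    pcap="$1"
    myscript="$2"
    ls_script="$(find_zeek_script misc/loaded-scripts.zeek)" || {
        echo "misc/loaded-scripts.zeek not found via ZEEKPATH" >&2
        return 1
    }
    zeek -r "$pcap" "$myscript" "$ls_script" || return 1
    script_was_loaded loaded_scripts.log "$myscript"
}
```

If `script_was_loaded` returns 2 after a run, Zeek never loaded loaded-scripts.zeek, which is the situation described in the question.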

0 Answers