so-import-pcap: zeek - display urlencoded-form field #9493
Grabbed this pcap from Kringlecon22 involving a brute force password login on a website and thought it'd be fun to import it into SO 2.3 to hunt for the answers. In Kibana I see it imported correctly (via so-import-pcap), and it's pretty easy to navigate the Zeek logs to find most of the answers; however, I was not able to detect the user/password attempts being logged in Zeek:
The field value in Wireshark is urlencoded-form:
Is this just operator error and I'm looking in the wrong part of Kibana or is this information not being captured/indexed?