JHU IDS Module 7 Assignment: Zeek

Zeek Programming

Building off the Zeek (Bro) tutorial, you’ll once again be using the online Zeek interpreter for this assignment: http://try.zeek.org. You will be running your code against exercise_traffic.pcap, which can be selected from the dropdown directly underneath the code windows. You will find these Zeek “events” very useful for your code: https://docs.zeek.org/en/stable/scripts/base/bif/event.bif.bro.html.

Write Zeek functions to answer the following questions:

1. How many packets are in the PCAP file?
2. Count and list the number of distinct operating systems.
3. Which protocol does not adhere to Bro’s expected behavior (i.e., policy/protocol violations)?
4. How many connections show unexpected behavior (i.e., IP connections/strings), and what are the associated IPs?

Next, select 3 Zeek events that were not used in your previous solution. For each of them: 1) briefly describe the event chosen, 2) explain why you chose that event, 3) state which IDS-related questions you are trying to answer, and 4) implement your solution (provide screenshots).

Please submit a text file with all of your Zeek source code as well as a document containing the answers to the 7 questions above (can be screenshots, typed, whatever’s easiest for you). Let me know if you have any questions.

Note: You can write the 7 Zeek (Bro) functions above using either version 3.0.0 or version 2.5.5. Reason: some of the functions available in version 2.5.5, like "OS_version" to answer #2 above, are not supported in the newer 3.0.0 version.
Dec 03, 2021
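As an added illustration (not part of the assignment or of any submitted solution), the script below shows how the three kinds of events the questions point at are wired together in one Zeek script: a per-packet handler for counting, the protocol_violation event for analyzers that reject the traffic they were assigned, and conn_weird for connection-level oddities Zeek cannot classify. It assumes Zeek 3.0.0 or 2.5.5 (the versions the assignment allows), uses bro_done rather than zeek_done so the same file loads on both, and the module name M7 and the file name zeek_counts.zeek are placeholders of my own; later Zeek releases changed some of these event signatures.

```zeek
# Added example, not the assignment's own code: event handlers that a
# solution to questions 1, 3 and 4 would build on. Assumes Zeek 3.0.0 or
# 2.5.5. Run as: zeek -r exercise_traffic.pcap zeek_counts.zeek
# (zeek_counts.zeek and the module name are constructed placeholders).

module M7;

export {
    ## Total packets seen (question 1).
    global pkts: count = 0;
    ## Analyzer violations, keyed by the analyzer that raised them (question 3).
    global violations: table[string] of count = table();
    ## Per-name counts of "weird" connection events (question 4).
    global weirds: table[string] of count = table();
    ## Endpoints of connections that showed violations or weirds (question 4).
    global suspect_hosts: set[addr] = set();
}

# Increment a table[string] of count entry, creating it on first use.
# Tables are reference types in Zeek, so the caller sees the update.
function bump(t: table[string] of count, key: string)
    {
    if ( key !in t )
        t[key] = 0;
    ++t[key];
    }

# new_packet fires once for every packet Zeek processes. It is fine for a
# small teaching pcap; the Zeek docs warn it is expensive on live traffic.
event new_packet(c: connection, p: pkt_hdr)
    {
    ++pkts;
    }

# protocol_violation fires when an analyzer decides the bytes it was handed
# do not match the protocol it was assigned (e.g. non-HTTP traffic on 80/tcp).
event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
    {
    bump(violations, fmt("%s", atype));
    add suspect_hosts[c$id$orig_h];
    add suspect_hosts[c$id$resp_h];
    }

# conn_weird fires for connection-level anomalies the core cannot classify
# (bad checksums, unexpected TCP flags, inconsistent IP fields, ...).
event conn_weird(name: string, c: connection, addl: string)
    {
    bump(weirds, name);
    add suspect_hosts[c$id$orig_h];
    add suspect_hosts[c$id$resp_h];
    }

# bro_done runs after the last packet; zeek_done is the 3.0 name, but
# bro_done is still accepted there and is the only name on 2.5.5.
event bro_done()
    {
    print fmt("packets: %d", pkts);
    for ( a in violations )
        print fmt("protocol violation: %s (%d)", a, violations[a]);
    for ( w in weirds )
        print fmt("weird: %s (%d)", w, weirds[w]);
    print fmt("hosts involved in unexpected behavior (%d): %s",
              |suspect_hosts|, suspect_hosts);
    }
```

Question 2 is deliberately left out: the OS_version event the note refers to exists only in 2.5.5, and a handler whose parameter type is missing on 3.0.0 would stop the whole script from loading, so an OS-fingerprinting handler belongs in a file that is only loaded on 2.5.5.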