From 0099692d73e20a1b9104a37769156279428b6c1a Mon Sep 17 00:00:00 2001
From: James Lagermann
Date: Thu, 11 Jan 2024 08:53:14 -0600
Subject: [PATCH 1/6] work in progress
---
 scripts/conn.zeek | 53 ++++++++++++++++++++++++++++++++++++++++
 scripts/enrich.zeek | 57 +-------------------------------------------
 scripts/files.zeek | 18 ++++++++++++++
 scripts/id-logs.zeek | 23 ++++++++++++++++++
 scripts/x509.zeek | 18 ++++++++++++++
 5 files changed, 113 insertions(+), 56 deletions(-)
 create mode 100644 scripts/conn.zeek
 create mode 100644 scripts/files.zeek
 create mode 100644 scripts/id-logs.zeek
 create mode 100644 scripts/x509.zeek
diff --git a/scripts/conn.zeek b/scripts/conn.zeek
new file mode 100644
index 0000000..3b978e9
--- /dev/null
+++ b/scripts/conn.zeek
@@ -0,0 +1,53 @@
+module EndpointEnrichment;
+
+
+## Enrich Conn.log ##
+export {
+ ## Enables the logging of endpoint details to the conn log.
+ option extra_logging_conn = F;
+}
+
+redef record Conn::Info += {
+ orig_ep_status: string &log &optional;
+ orig_ep_uid: string &log &optional;
+ orig_ep_cid: string &log &optional;
+ orig_ep_source: string &log &optional;
+ resp_ep_status: string &log &optional;
+ resp_ep_uid: string &log &optional;
+ resp_ep_cid: string &log &optional;
+ resp_ep_source: string &log &optional;
+};
+
+
+event new_connection(c: connection) &priority=4
+{
+ if (extra_logging_conn) {
+ if ( !c$conn?$local_orig && !c$conn?$local_resp ) {
+ return;
+ }
+
+ # If the orig IP is local and in the list, update the conn log.
+ if ( c$conn?$local_orig && c$id$orig_h in hosts_data ) {
+ local orig_data = hosts_data[c$id$orig_h];
+ if ( orig_data ?$ status)
+ c$conn$orig_endpoint_status = orig_data$status;
+ if ( orig_data ?$ host_uid)
+ c$conn$orig_endpoint_host_uid = orig_data$host_uid;
+ if ( orig_data ?$ cid)
+ c$conn$orig_endpoint_cid = orig_data$cid;
+ c$conn$orig_endpoint_source = orig_data$source;
+ }
+
+ # If the resp IP is local and in the list, update the conn log.
+ if ( c$conn?$local_resp && c$id$resp_h in hosts_data ) {
+ local resp_data = hosts_data[c$id$resp_h];
+ if ( resp_data ?$ status)
+ c$conn$resp_endpoint_status = resp_data$status;
+ if ( resp_data ?$ host_uid)
+ c$conn$resp_endpoint_host_uid = resp_data$host_uid;
+ if ( resp_data ?$ cid)
+ c$conn$resp_endpoint_cid = resp_data$cid;
+ c$conn$resp_endpoint_source = resp_data$source;
+ }
+ }
+}
diff --git a/scripts/enrich.zeek b/scripts/enrich.zeek
index 6178a5e..f0b7f3e 100644
--- a/scripts/enrich.zeek
+++ b/scripts/enrich.zeek
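Review bot: The locality guards in this handler test field presence, not value: `c$conn?$local_orig` is true whenever Conn::Info carries the field (the base Conn script sets both local_orig and local_resp in set_conn), so once c$conn exists the early return never fires and both branches enrich any address present in hosts_data, contrary to the "If the orig IP is local" comments. If locality is the intended filter, the checks should read `if ( !c$conn$local_orig && !c$conn$local_resp ) return;` and `if ( c$conn$local_orig && c$id$orig_h in hosts_data )` (likewise for resp), with a `c?$conn` guard in front, since the base script does not populate c$conn at new_connection — the new_conn.zeek shim added later in this series exists for that reason. The identical pattern recurs in the id-logs.zeek handler added in patch 3. As committed here the body also assigns `c$conn$orig_endpoint_status` / `orig_endpoint_host_uid` although the redef above declares `orig_ep_status` / `orig_ep_uid`, and reads `orig_data$host_uid` which enrich.zeek renames to `uid` in this same patch; later patches correct the names, but this intermediate commit should not load cleanly.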
@@ -10,7 +10,7 @@ type Val: record {
 ## The status of the endpoint host.
 status: string &log &optional;
 ## The unique identifier, assigned by the source, of the endpoint host.
- host_uid: string &log &optional;
+ uid: string &log &optional;
 ## The customer ID the host belongs to.
 cid: string &log &optional;
 ## The Operating System version of the endpoint host.
@@ -42,61 +42,6 @@ event zeek_init() { ]); } -## Enrich Conn.log ## -export { - ## Enables the logging of endpoint details to the conn log. - option extra_logging_conn = F; -} - -redef record Conn::Info += { - orig_endpoint_status: string &log &optional; - orig_endpoint_host_uid: string &log &optional; - orig_endpoint_cid: string &log &optional; - orig_endpoint_source: string &log &optional; - resp_endpoint_status: string &log &optional; - resp_endpoint_host_uid: string &log &optional; - resp_endpoint_cid: string &log &optional; - resp_endpoint_source: string &log &optional; -}; - -# priority of -5 is too long for enriching the conn.log, -# the connection has already been removed from memory -event connection_state_remove(c: connection) -{ - if (extra_logging_conn) { - if ( !c$conn?$local_orig && !c$conn?$local_resp ) { - return; - } - - # If the orig IP is local and in the list, update the conn log. - if ( c$conn?$local_orig && c$id$orig_h in hosts_data ) { - local orig_data = hosts_data[c$id$orig_h]; - if ( orig_data ?$ status) - c$conn$orig_endpoint_status = orig_data$status; - if ( orig_data ?$ host_uid) - c$conn$orig_endpoint_host_uid = orig_data$host_uid; - if ( orig_data ?$ cid) - c$conn$orig_endpoint_cid = orig_data$cid; - c$conn$orig_endpoint_source = orig_data$source; - } - - # If the resp IP is local and in the list, update the conn log. - if ( c$conn?$local_resp && c$id$resp_h in hosts_data ) { - local resp_data = hosts_data[c$id$resp_h]; - if ( resp_data ?$ status) - c$conn$resp_endpoint_status = resp_data$status; - if ( resp_data ?$ host_uid) - c$conn$resp_endpoint_host_uid = resp_data$host_uid; - if ( resp_data ?$ cid) - c$conn$resp_endpoint_cid = resp_data$cid; - c$conn$resp_endpoint_source = resp_data$source; - } - } -} - - - - ## Enrich known_hosts ## redef record Known::HostDetails += { endpoint: Val &log &optional; diff --git a/scripts/files.zeek b/scripts/files.zeek new file mode 100644 index 0000000..9444f91 --- /dev/null 
+++ b/scripts/files.zeek
@@ -0,0 +1,18 @@
+
+redef record Files::Info += {
+ vlan : int &log &optional;
+ vlan_inner : int &log &optional;
+};
+
+event file_sniff(f: fa_file, meta: fa_metadata)
+ {
+ for ( id in f$conns )
+ {
+ if ( id?$vlan )
+ f$info$vlan = id$vlan;
+ if ( id?$vlan_inner )
+ f$info$vlan_inner = id$vlan_inner;
+ # just grab the first one
+ break;
+ }
+ }
diff --git a/scripts/id-logs.zeek b/scripts/id-logs.zeek
new file mode 100644
index 0000000..71a1d6b
--- /dev/null
+++ b/scripts/id-logs.zeek
@@ -0,0 +1,23 @@
+##! Add VLAN to all logs with an "id" field.
+
+module Corelight;
+
+redef record conn_id += {
+ orig_ep_status: string &log &optional;
+ orig_ep_uid: string &log &optional;
+ orig_ep_cid: string &log &optional;
+ orig_ep_source: string &log &optional;
+ resp_ep_status: string &log &optional;
+ resp_ep_uid: string &log &optional;
+ resp_ep_cid: string &log &optional;
+ resp_ep_source: string &log &optional;
+};
+
+event new_onnection(c: connection) &priority=4
+ {
+ if ( c?$vlan )
+ c$id$vlan = c$vlan;
+
+ if ( c?$inner_vlan )
+ c$id$vlan_inner = c$inner_vlan;
+ }
diff --git a/scripts/x509.zeek b/scripts/x509.zeek
new file mode 100644
index 0000000..90a4e82
--- /dev/null
+++ b/scripts/x509.zeek
@@ -0,0 +1,18 @@
+
+redef record X509::Info += {
+ vlan : int &log &optional;
+ vlan_inner : int &log &optional;
+};
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
+ {
+ for ( id in f$conns )
+ {
+ if ( id?$vlan )
+ f$info$x509$vlan = id$vlan;
+ if ( id?$vlan_inner )
+ f$info$x509$vlan_inner = id$vlan_inner;
+ # just grab the first one
+ break;
+ }
+ }
From 84b5b7f9945dd46b00b73a1b47225098f97f3234 Mon Sep 17 00:00:00 2001
From: James Lagermann Date: Thu, 11 Jan 2024 09:46:02 -0600 Subject: [PATCH 2/6] add cid option --- scripts/__load__.zeek | 4 ++- scripts/conn.zeek | 22 ++++++------ scripts/{enrich.zeek => known.zeek} | 53 ++++------------------------- scripts/main.zeek | 43 +++++++++++++++++++++++ 4 files changed, 63 insertions(+), 59 deletions(-) rename scripts/{enrich.zeek => known.zeek} (64%) create mode 100644 scripts/main.zeek diff --git a/scripts/__load__.zeek b/scripts/__load__.zeek index 9b6b1c2..1eb610e 100644 --- a/scripts/__load__.zeek +++ b/scripts/__load__.zeek @@ -1 +1,3 @@ -@load ./enrich.zeek +@load ./main.zeek +@load ./known.zeek +@load ./conn.zeek diff --git a/scripts/conn.zeek b/scripts/conn.zeek index 3b978e9..756e370 100644 --- a/scripts/conn.zeek +++ b/scripts/conn.zeek @@ -1,10 +1,10 @@ module EndpointEnrichment; - ## Enrich Conn.log ## export { ## Enables the logging of endpoint details to the conn log. option extra_logging_conn = F; + option extra_logging_conn_cid = F; } redef record Conn::Info += { 
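Review bot: The new option `extra_logging_conn_cid` in the conn.zeek export block has no `##` doc comment, while the sibling option directly above it is documented, so it will be absent from generated script docs and its relationship to `extra_logging_conn` is left to the reader. Suggest `## Also copies the endpoint's customer ID (cid) into conn.log; has no effect unless extra_logging_conn is enabled.` — the handler in the next hunk only reaches the cid assignment inside the `if (extra_logging_conn)` branch, and since the cid identifies which customer a host belongs to it is worth stating explicitly that it stays out of conn.log by default.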
@@ -30,24 +30,24 @@ event new_connection(c: connection) &priority=4
 if ( c$conn?$local_orig && c$id$orig_h in hosts_data ) {
 local orig_data = hosts_data[c$id$orig_h];
 if ( orig_data ?$ status)
- c$conn$orig_endpoint_status = orig_data$status;
+ c$conn$orig_ep_status = orig_data$status;
 if ( orig_data ?$ host_uid)
- c$conn$orig_endpoint_host_uid = orig_data$host_uid;
- if ( orig_data ?$ cid)
- c$conn$orig_endpoint_cid = orig_data$cid;
- c$conn$orig_endpoint_source = orig_data$source;
+ c$conn$orig_ep_host_uid = orig_data$host_uid;
+ if ( orig_data ?$ cid && extra_logging_conn_cid)
+ c$conn$orig_ep_cid = orig_data$cid;
+ c$conn$orig_ep_source = orig_data$source;
 }
 
 # If the resp IP is local and in the list, update the conn log.
 if ( c$conn?$local_resp && c$id$resp_h in hosts_data ) {
 local resp_data = hosts_data[c$id$resp_h];
 if ( resp_data ?$ status)
- c$conn$resp_endpoint_status = resp_data$status;
+ c$conn$resp_ep_status = resp_data$status;
 if ( resp_data ?$ host_uid)
- c$conn$resp_endpoint_host_uid = resp_data$host_uid;
- if ( resp_data ?$ cid)
- c$conn$resp_endpoint_cid = resp_data$cid;
- c$conn$resp_endpoint_source = resp_data$source;
+ c$conn$resp_ep_host_uid = resp_data$host_uid;
+ if ( resp_data ?$ cid && extra_logging_conn_cid)
+ c$conn$resp_ep_cid = resp_data$cid;
+ c$conn$resp_ep_source = resp_data$source;
 }
 }
 }
diff --git a/scripts/enrich.zeek b/scripts/known.zeek
similarity index 64%
rename from scripts/enrich.zeek
rename to scripts/known.zeek
index f0b7f3e..9bb592f 100644
--- a/scripts/enrich.zeek
+++ b/scripts/known.zeek
@@ -1,57 +1,15 @@ module EndpointEnrichment; -type Idx: record { - ip: addr; -}; - -type Val: record { - ## The description of the endpoint. - desc: string &log &optional; - ## The status of the endpoint host. - status: string &log &optional; - ## The unique identifier, assigned by the source, of the endpoint host. - uid: string &log &optional; - ## The customer ID the host belongs to. - cid: string &log &optional; - ## The Operating System version of the endpoint host. - os_version: string &log &optional; - ## The source of the endpoint information. - source: string &log &optional; - ## The criticality of the endpoint host. - criticality: string &log &optional; - ## The MAC address of the endpoint host. - mac: string &optional; - ## The hostname of the vulnerable host. - hostname: string &optional; - ## The machine domain of the endpoint host. - machine_domain: string &optional; -}; - -global hosts_data: table[addr] of Val = table(); -# # source to use for all unknown IPs -# global unknownSource: string; - -event zeek_init() { - Input::add_table([ - $source="hosts_data.tsv", - $name="hosts_data", - $idx=Idx, - $val=Val, - $destination=hosts_data, - $mode=Input::REREAD - ]); -} - ## Enrich known_hosts ## redef record Known::HostDetails += { - endpoint: Val &log &optional; + ep: Val &log &optional; }; hook Known::add_host_details(h: Known::HostDetails, d: Known::HostDetails){ #d is from worker #h is the internal table - if (d ?$ endpoint){ - h$endpoint = d$endpoint; + if (d ?$ ep){ + h$ep = d$ep; } } 
@@ -80,16 +38,17 @@ function knownEndpoint (ip: addr) {
 Known::add_domain_annotation(ip, data$machine_domain, set(data$source+"/"+data$status));
 }
 # add new fields to hosts log
- Known::get_host_details(ip)$endpoint = data;
+ Known::get_host_details(ip)$ep = data;
 }
 function unknownEndpoint (ip: addr) {
 # TODO: create a list of all possible sources from the input file, or don't include a source with unknown hosts
 # local data: Val = [$status = "unknown", $source = unknownSource];
 local data: Val = [$status = "unknown"];
- Known::get_host_details(ip)$endpoint = data;
+ Known::get_host_details(ip)$ep = data;
 }
 
 # priority of -5 to make sure the Known-entities creates an entry first
+# note: priority of -5, the connection will already be removed from memory
 event connection_state_remove(c: connection) &priority=-5
 {
 if ( !c$conn?$local_orig && !c$conn?$local_resp ) {
diff --git a/scripts/main.zeek b/scripts/main.zeek
new file mode 100644
index 0000000..a174e59
--- /dev/null
+++ b/scripts/main.zeek
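Review bot: The added comment `# note: priority of -5, the connection will already be removed from memory` sits directly under `# priority of -5 to make sure the Known-entities creates an entry first` and reads as contradicting it, without saying what the consequence is for this handler. The comment deleted from enrich.zeek in patch 1 carried the missing half: at this priority changes to c$conn no longer reach conn.log. Suggest merging the two into `# priority -5 so Known-entities has created the host entry first; by now the connection is being torn down, so only Known::HostDetails may be updated here, never c$conn.` connection_state_remove's body continues past the end of the hunk.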
@@ -0,0 +1,43 @@
+module EndpointEnrichment;
+
+type Idx: record {
+ ip: addr;
+};
+
+type Val: record {
+ ## The description of the endpoint.
+ desc: string &log &optional;
+ ## The status of the endpoint host.
+ status: string &log &optional;
+ ## The unique identifier, assigned by the source, of the endpoint host.
+ uid: string &log &optional;
+ ## The customer ID the host belongs to.
+ cid: string &log &optional;
+ ## The Operating System version of the endpoint host.
+ os_version: string &log &optional;
+ ## The source of the endpoint information.
+ source: string &log &optional;
+ ## The criticality of the endpoint host.
+ criticality: string &log &optional;
+ ## The MAC address of the endpoint host.
+ mac: string &optional;
+ ## The hostname of the vulnerable host.
+ hostname: string &optional;
+ ## The machine domain of the endpoint host.
+ machine_domain: string &optional;
+};
+
+global hosts_data: table[addr] of Val = table();
+# # source to use for all unknown IPs
+# global unknownSource: string;
+
+event zeek_init() {
+ Input::add_table([
+ $source="hosts_data.tsv",
+ $name="hosts_data",
+ $idx=Idx,
+ $val=Val,
+ $destination=hosts_data,
+ $mode=Input::REREAD
+ ]);
+}
From 970646d6c17fcab505322fad55b730aadb2884f3 Mon Sep 17 00:00:00 2001
From: James Lagermann
Date: Thu, 11 Jan 2024 12:53:27 -0600
Subject: [PATCH 3/6] add all-logs
---
 scripts/__load__.zeek | 1 +
 scripts/conn.zeek | 11 +++++------
 scripts/files.zeek | 42 ++++++++++++++++++++++++++------------
 scripts/id-logs.zeek | 46 ++++++++++++++++++++++++++++++++++---------
 scripts/known.zeek | 3 +--
 scripts/x509.zeek | 42 ++++++++++++++++++++++++++------------
 zkg.meta | 2 +-
 7 files changed, 101 insertions(+), 46 deletions(-)
diff --git a/scripts/__load__.zeek b/scripts/__load__.zeek
index 1eb610e..9579d45 100644
--- a/scripts/__load__.zeek
+++ b/scripts/__load__.zeek
@@ -1,3 +1,4 @@
 @load ./main.zeek
 @load ./known.zeek
 @load ./conn.zeek
+@load ./id-logs.zeek
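Review bot: The Val record's field docs in main.zeek are inconsistent: `hostname` is described as `## The hostname of the vulnerable host.` while every other field says "endpoint host", and nothing explains why `mac`, `hostname` and `machine_domain` lack `&log` when the rest of the record is logged. Suggest `## The hostname of the endpoint host.` plus a one-line comment above the three unlogged fields such as `# Not &log: consumed by the Known::add_*_annotation calls in known.zeek, never written as a column.` — hedged, since only the machine_domain annotation call is visible in this series. It would also help to state above zeek_init that hosts_data.tsv is re-read whenever it changes (`Input::REREAD`) and that its string values are copied verbatim into conn.log and known_hosts columns, so write access to that file should be limited to whoever administers the sensor.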
diff --git a/scripts/conn.zeek b/scripts/conn.zeek
index 756e370..1e0ea31 100644
--- a/scripts/conn.zeek
+++ b/scripts/conn.zeek
@@ -19,8 +19,7 @@ redef record Conn::Info += {
 };
 
 
-event new_connection(c: connection) &priority=4
-{
+event new_connection(c: connection) &priority=-1 {
 if (extra_logging_conn) {
 if ( !c$conn?$local_orig && !c$conn?$local_resp ) {
 return;
@@ -31,8 +30,8 @@ event new_connection(c: connection) &priority=4
 local orig_data = hosts_data[c$id$orig_h];
 if ( orig_data ?$ status)
 c$conn$orig_ep_status = orig_data$status;
- if ( orig_data ?$ host_uid)
- c$conn$orig_ep_host_uid = orig_data$host_uid;
+ if ( orig_data ?$ uid)
+ c$conn$orig_ep_uid = orig_data$uid;
 if ( orig_data ?$ cid && extra_logging_conn_cid)
 c$conn$orig_ep_cid = orig_data$cid;
 c$conn$orig_ep_source = orig_data$source;
@@ -43,8 +42,8 @@ event new_connection(c: connection) &priority=4
 local resp_data = hosts_data[c$id$resp_h];
 if ( resp_data ?$ status)
 c$conn$resp_ep_status = resp_data$status;
- if ( resp_data ?$ host_uid)
- c$conn$resp_ep_host_uid = resp_data$host_uid;
+ if ( resp_data ?$ uid)
+ c$conn$resp_ep_uid = resp_data$uid;
 if ( resp_data ?$ cid && extra_logging_conn_cid)
 c$conn$resp_ep_cid = resp_data$cid;
 c$conn$resp_ep_source = resp_data$source;
diff --git a/scripts/files.zeek b/scripts/files.zeek
index 9444f91..577b26e 100644
--- a/scripts/files.zeek
+++ b/scripts/files.zeek
@@ -1,18 +1,32 @@
+module EndpointEnrichment;
+
+## Add VLAN to all logs with an "id" field.
+export {
+ ## Enables the logging of endpoint details to the conn log.
+ option extra_logging_files = F;
+ option extra_logging_files_cid = F;
+}
 
 redef record Files::Info += {
- vlan : int &log &optional;
- vlan_inner : int &log &optional;
+ orig_ep_status: string &log &optional;
+ orig_ep_uid: string &log &optional;
+ orig_ep_cid: string &log &optional;
+ orig_ep_source: string &log &optional;
+ resp_ep_status: string &log &optional;
+ resp_ep_uid: string &log &optional;
+ resp_ep_cid: string &log &optional;
+ resp_ep_source: string &log &optional;
 };
 
-event file_sniff(f: fa_file, meta: fa_metadata)
- {
- for ( id in f$conns )
- {
- if ( id?$vlan )
- f$info$vlan = id$vlan;
- if ( id?$vlan_inner )
- f$info$vlan_inner = id$vlan_inner;
- # just grab the first one
- break;
- }
- }
+# event file_sniff(f: fa_file, meta: fa_metadata) {
+# if (extra_logging_files) {
+# for ( tx in f$tx_hosts ) {
+# if ( id?$vlan )
+# f$info$vlan = id$vlan;
+# if ( id?$vlan_inner )
+# f$info$vlan_inner = id$vlan_inner;
+# # just grab the first one
+# break;
+# }
+# }
+# }
diff --git a/scripts/id-logs.zeek b/scripts/id-logs.zeek
index 71a1d6b..e55186a 100644
--- a/scripts/id-logs.zeek
+++ b/scripts/id-logs.zeek
@@ -1,6 +1,11 @@
-##! Add VLAN to all logs with an "id" field.
+module EndpointEnrichment;
 
-module Corelight;
+## Add VLAN to all logs with an "id" field.
+export {
+ ## Enables the logging of endpoint details to the conn log.
+ option extra_logging_all = T;
+ option extra_logging_all_cid = T;
+}
 
 redef record conn_id += {
 orig_ep_status: string &log &optional;
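Review bot: files.zeek declares eight new `&log` columns on Files::Info but the only code that would populate them is commented out, so if the file is ever loaded files.log gains eight permanently empty columns; the commented draft is not a working starting point either, since it loops `for ( tx in f$tx_hosts )` yet refers to `id`, and still writes the old `vlan` fields. The header comments are copied from the other scripts and do not describe this file: `## Add VLAN to all logs with an "id" field.` and `## Enables the logging of endpoint details to the conn log.` should say something like `## Enrich files.log with endpoint details.` and `## Enables the logging of endpoint details to the files log.`. Neither files.zeek nor x509.zeek is added to __load__.zeek anywhere in this series, so both are dead code as committed; either finish the handler or hold back the redef until it exists. The x509.zeek hunk in the same commit has exactly the same three issues.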
@@ -13,11 +18,34 @@ redef record conn_id += {
 resp_ep_source: string &log &optional;
 };
 
-event new_onnection(c: connection) &priority=4
- {
- if ( c?$vlan )
- c$id$vlan = c$vlan;
+event new_onnection(c: connection) &priority=-1 {
+ if (extra_logging_all) {
+ if ( !c$conn?$local_orig && !c$conn?$local_resp ) {
+ return;
+ }
 
- if ( c?$inner_vlan )
- c$id$vlan_inner = c$inner_vlan;
- }
+ # If the orig IP is local and in the list, update the conn log.
+ if ( c$conn?$local_orig && c$id$orig_h in hosts_data ) {
+ local orig_data = hosts_data[c$id$orig_h];
+ if ( orig_data ?$ status)
+ c$id$orig_ep_status = orig_data$status;
+ if ( orig_data ?$ uid)
+ c$id$orig_ep_uid = orig_data$uid;
+ if ( orig_data ?$ cid && extra_logging_all_cid)
+ c$id$orig_ep_cid = orig_data$cid;
+ c$id$orig_ep_source = orig_data$source;
+ }
+
+ # If the resp IP is local and in the list, update the conn log.
+ if ( c$conn?$local_resp && c$id$resp_h in hosts_data ) {
+ local resp_data = hosts_data[c$id$resp_h];
+ if ( resp_data ?$ status)
+ c$id$resp_ep_status = resp_data$status;
+ if ( resp_data ?$ uid)
+ c$id$resp_ep_uid = resp_data$uid;
+ if ( resp_data ?$ cid && extra_logging_all_cid)
+ c$id$resp_ep_cid = resp_data$cid;
+ c$id$resp_ep_source = resp_data$source;
+ }
+ }
+}
diff --git a/scripts/known.zeek b/scripts/known.zeek
index 9bb592f..84fac8c 100644
--- a/scripts/known.zeek
+++ b/scripts/known.zeek
@@ -49,8 +49,7 @@ function unknownEndpoint (ip: addr) {
 
 # priority of -5 to make sure the Known-entities creates an entry first
 # note: priority of -5, the connection will already be removed from memory
-event connection_state_remove(c: connection) &priority=-5
-{
+event connection_state_remove(c: connection) &priority=-5 {
 if ( !c$conn?$local_orig && !c$conn?$local_resp ) {
 return;
 }
diff --git a/scripts/x509.zeek b/scripts/x509.zeek
index 90a4e82..8e2e42d 100644
--- a/scripts/x509.zeek
+++ b/scripts/x509.zeek
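Review bot: Extending the global `conn_id` record with eight `&log` fields and then mutating `c$id` from new_connection deserves a comment and a check: conn_id is also used as a table index in the base scripts (the `for ( id in f$conns )` loops in the files/x509 drafts rely on `fa_file$conns` being keyed by it), and record index equality covers every field, so a `c$id` whose ep fields were filled in after the record was used as a key may no longer match the stored key — worth verifying against the Zeek version in use before anyone enables extra_logging_all. The handler name `new_onnection` is misspelled here and only corrected in a later patch. The body is a line-for-line copy of the conn.zeek handler with `c$conn` swapped for `c$id`; a shared helper that resolves a host to its Val (e.g. `function ep_lookup(h: addr): Val`) with each handler doing only its assignments would keep the two from drifting. The same presence-versus-value `?$` check raised on the conn.zeek handler applies to this one as well.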
@@ -1,18 +1,32 @@ +module EndpointEnrichment; + +## Add VLAN to all logs with an "id" field. +export { + ## Enables the logging of endpoint details to the conn log. + option extra_logging_x509 = F; + option extra_logging_x509_cid = F; +} redef record X509::Info += { - vlan : int &log &optional; - vlan_inner : int &log &optional; + orig_ep_status: string &log &optional; + orig_ep_uid: string &log &optional; + orig_ep_cid: string &log &optional; + orig_ep_source: string &log &optional; + resp_ep_status: string &log &optional; + resp_ep_uid: string &log &optional; + resp_ep_cid: string &log &optional; + resp_ep_source: string &log &optional; }; -event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) - { - for ( id in f$conns ) - { - if ( id?$vlan ) - f$info$x509$vlan = id$vlan; - if ( id?$vlan_inner ) - f$info$x509$vlan_inner = id$vlan_inner; - # just grab the first one - break; - } - } +# event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) +# { +# for ( id in f$conns ) +# { +# if ( id?$vlan ) +# f$info$x509$vlan = id$vlan; +# if ( id?$vlan_inner ) +# f$info$x509$vlan_inner = id$vlan_inner; +# # just grab the first one +# break; +# } +# } diff --git a/zkg.meta b/zkg.meta index 2f28474..9053767 100644 --- a/zkg.meta +++ b/zkg.meta @@ -1,5 +1,5 @@ [package] -description = updated 23Dec20231014 - This package enriches the Known-Entities by adding information from a vulnerability scanner or endpoint agent. +description = updated 11Jan20241253 - This package enriches multiple logs by adding information from a vulnerability scanner or endpoint agent. script_dir = scripts [input hosts_data.tsv] From 1e6263e44eb881f3448f05fc3bc99d16ff5d0f92 Mon Sep 17 00:00:00 2001 
From: James Lagermann
Date: Fri, 12 Jan 2024 11:07:06 -0600
Subject: [PATCH 4/6] add new_conn
---
 scripts/__load__.zeek | 1 +
 scripts/conn.zeek | 2 +-
 scripts/id-logs.zeek | 3 ++-
 scripts/new_conn.zeek | 6 ++++++
 zkg.meta | 2 +-
 5 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 scripts/new_conn.zeek
diff --git a/scripts/__load__.zeek b/scripts/__load__.zeek
index 9579d45..886c422 100644
--- a/scripts/__load__.zeek
+++ b/scripts/__load__.zeek
@@ -1,3 +1,4 @@
+@load ./new_conn.zeek
 @load ./main.zeek
 @load ./known.zeek
 @load ./conn.zeek
diff --git a/scripts/conn.zeek b/scripts/conn.zeek
index 1e0ea31..75ef426 100644
--- a/scripts/conn.zeek
+++ b/scripts/conn.zeek
@@ -19,7 +19,7 @@ redef record Conn::Info += {
 };
 
 
-event new_connection(c: connection) &priority=-1 {
+event new_connection(c: connection) {
 if (extra_logging_conn) {
 if ( !c$conn?$local_orig && !c$conn?$local_resp ) {
 return;
diff --git a/scripts/id-logs.zeek b/scripts/id-logs.zeek
index e55186a..6b4b650 100644
--- a/scripts/id-logs.zeek
+++ b/scripts/id-logs.zeek
@@ -18,7 +18,8 @@ redef record conn_id += {
 resp_ep_source: string &log &optional;
 };
 
-event new_onnection(c: connection) &priority=-1 {
+
+event new_connection(c: connection) {
 if (extra_logging_all) {
 if ( !c$conn?$local_orig && !c$conn?$local_resp ) {
 return;
diff --git a/scripts/new_conn.zeek b/scripts/new_conn.zeek
new file mode 100644
index 0000000..9700d2e
--- /dev/null
+++ b/scripts/new_conn.zeek
@@ -0,0 +1,6 @@
+module Conn;
+
+event new_connection(c: connection) &priority=10
+{
+ set_conn(c, F);
+}
diff --git a/zkg.meta b/zkg.meta
index 9053767..415c29e 100644
--- a/zkg.meta
+++ b/zkg.meta
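Review bot: new_conn.zeek calls `set_conn(c, F)` from inside `module Conn;`, apparently to reach a helper the base Conn script does not export, which ties the package to a private function that can change or move between Zeek releases; that dependency should be stated in a header comment such as `##! Forces Conn::set_conn at new_connection so c$conn (and local_orig/local_resp) exist before the EndpointEnrichment handlers run; relies on a non-exported base helper — re-check on Zeek upgrades.` The shim also runs for every connection even when both `extra_logging_conn` and `extra_logging_all` are F (their defaults once patch 5 lands), so gating it, `if ( EndpointEnrichment::extra_logging_conn || EndpointEnrichment::extra_logging_all ) set_conn(c, F);`, would keep the default configuration cost-neutral. Dropping `&priority=-1` from the conn.zeek and id-logs.zeek handlers in the same commit makes them run at priority 0, after this priority-10 shim, which is the intended order but is worth a one-line comment at each handler.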
@@ -1,5 +1,5 @@ [package] -description = updated 11Jan20241253 - This package enriches multiple logs by adding information from a vulnerability scanner or endpoint agent. +description = updated 12Jan20241030 - This package enriches multiple logs by adding information from a vulnerability scanner or endpoint agent. script_dir = scripts [input hosts_data.tsv] From 72b571ebe24fa984180777e01981637740421ad0 Mon Sep 17 00:00:00 2001 From: James Lagermann Date: Fri, 12 Jan 2024 11:44:27 -0600 Subject: [PATCH 5/6] enable options --- scripts/id-logs.zeek | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/id-logs.zeek b/scripts/id-logs.zeek index 6b4b650..1ddab27 100644 --- a/scripts/id-logs.zeek +++ b/scripts/id-logs.zeek @@ -3,8 +3,8 @@ module EndpointEnrichment; ## Add VLAN to all logs with an "id" field. export { ## Enables the logging of endpoint details to the conn log. - option extra_logging_all = T; - option extra_logging_all_cid = T; + option extra_logging_all = F; + option extra_logging_all_cid = F; } redef record conn_id += { From 495a84c450763d624722558b28e32932888c1a70 Mon Sep 17 00:00:00 2001 From: James Lagermann Date: Fri, 12 Jan 2024 11:45:57 -0600 Subject: [PATCH 6/6] update meta Signed-off-by: James Lagermann --- zkg.meta | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zkg.meta b/zkg.meta index 415c29e..2519e47 100644 --- a/zkg.meta +++ b/zkg.meta @@ -1,5 +1,5 @@ [package] -description = updated 12Jan20241030 - This package enriches multiple logs by adding information from a vulnerability scanner or endpoint agent. +description = updated 12Jan20241200 - This package enriches multiple logs by adding information from a vulnerability scanner or endpoint agent. script_dir = scripts [input hosts_data.tsv]
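Review bot: The doc comment above the two options flipped here still says `## Enables the logging of endpoint details to the conn log.`, which was copied from conn.zeek; these options control the columns redef'd onto conn_id, i.e. every log carrying an `id` field, and `extra_logging_all_cid` has no doc at all. Suggest `## Enables the logging of endpoint details in every log that carries a conn_id ("id") field.` for the first and `## Also logs the customer ID (cid) in those logs; requires extra_logging_all.` for the second. Changing both defaults to F is the right call given that the cid is a customer identifier and the conn_id change widens every log at once, so that reasoning belongs in the comment too.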