0xxon/zeek-utils
Zeek utilities

This repository contains a few utility scripts for the Zeek Network Security Monitor.

zeek-influx-stats.pl

This script outputs information about running Zeek processes in InfluxDB line protocol format. If the Zeek processes were started with Zeekctl, it also adds information such as the listening interface and the node type.

Example output:

zeek,host=allison,interface='unknown',nodetype='logger-1' pmem=0.0,pcpu=87.4,vsize=3271596,rss=197424,cputimes=153,etimes=175
zeek,host=allison,interface='unknown',nodetype='manager' pmem=0.0,pcpu=0.5,vsize=686600,rss=89964,cputimes=0,etimes=174
zeek,host=allison,interface='unknown',nodetype='proxy-1' pmem=0.0,pcpu=0.4,vsize=684792,rss=85476,cputimes=0,etimes=173
zeek,host=allison,interface='af_packet::em2',nodetype='worker-1-1' pmem=0.0,pcpu=17.3,vsize=875652,rss=278452,cputimes=29,etimes=171
zeek,host=allison,interface='af_packet::em2',nodetype='worker-1-3' pmem=0.0,pcpu=23.2,vsize=875360,rss=278308,cputimes=39,etimes=171
zeek,host=allison,interface='af_packet::em2',nodetype='worker-1-11' pmem=0.0,pcpu=16.8,vsize=871848,rss=276724,cputimes=28,etimes=171

You can use software such as Telegraf to submit the output to InfluxDB. The following configuration file snippet will run the collection every 60 seconds:

[[inputs.exec]]
        commands = ["/home/johanna/do.pl"]
        timeout = "60s"
        data_format = "influx"
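A parser for the line protocol records shown above, added here as an example and not part of the repository. It implements the line protocol grammar (escaped commas, spaces and equals signs; double-quoted string fields; `i`/`u` integer suffixes; optional timestamp) and runs it over a constructed copy of the example output; the `busiest_node` helper and the sample records are assumptions of this example, not something the script provides.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample records, copied in shape from the README's example output.
SAMPLE_LINES = [
    "zeek,host=allison,interface='unknown',nodetype='manager' pmem=0.0,pcpu=0.5,vsize=686600,rss=89964,cputimes=0,etimes=174",
    "zeek,host=allison,interface='af_packet::em2',nodetype='worker-1-1' pmem=0.0,pcpu=17.3,vsize=875652,rss=278452,cputimes=29,etimes=171",
    "zeek,host=allison,interface='af_packet::em2',nodetype='worker-1-3' pmem=0.0,pcpu=23.2,vsize=875360,rss=278308,cputimes=39,etimes=171",
]


def _split(s: str, sep: str, maxsplit: int = -1) -> List[str]:
    """Split on sep, leaving backslash escapes intact and never splitting
    inside a double-quoted string field value."""
    parts: List[str] = []
    buf: List[str] = []
    in_quotes, i = False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep the escape pair for later unescaping
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        if c == sep and not in_quotes and (maxsplit < 0 or len(parts) < maxsplit):
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)


def _field_value(raw: str) -> Any:
    """Apply line-protocol typing rules: "..." is a string, 42i/42u an integer,
    t/f a boolean, anything else a float (so a bare 686600 is stored as a float)."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    if raw and raw[-1] in "iu" and raw[:-1].lstrip("-").isdigit():
        return int(raw[:-1])
    if raw.lower() in ("t", "true"):
        return True
    if raw.lower() in ("f", "false"):
        return False
    return float(raw)


def parse_line(line: str) -> Dict[str, Any]:
    """Parse one line-protocol record into measurement, tags, fields and timestamp."""
    sections = _split(line.strip(), " ")
    if len(sections) < 2:
        raise ValueError("line-protocol record needs a field set: %r" % line)
    measurement, *tag_parts = _split(sections[0], ",")
    tags: Dict[str, str] = {}
    for part in tag_parts:
        key, value = _split(part, "=", 1)
        tags[_unescape(key)] = _unescape(value)  # tag values are untyped, unquoted strings
    fields: Dict[str, Any] = {}
    for part in _split(sections[1], ","):
        key, value = _split(part, "=", 1)
        fields[_unescape(key)] = _field_value(value)
    timestamp: Optional[int] = int(sections[2]) if len(sections) > 2 else None
    return {"measurement": _unescape(measurement), "tags": tags,
            "fields": fields, "timestamp": timestamp}


def busiest_node(lines: List[str]) -> str:
    """Return the nodetype tag of the record with the highest pcpu field."""
    records = [parse_line(l) for l in lines]
    return max(records, key=lambda r: r["fields"]["pcpu"])["tags"]["nodetype"]


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LINES):
        print(rec["tags"]["nodetype"], rec["fields"]["pcpu"])
    print("busiest:", busiest_node(SAMPLE_LINES))
```

Two things the parser makes visible: line protocol tag values are never quoted, so the single quotes in `nodetype='manager'` become part of the stored tag value and any query has to match `'manager'` including the quotes; and field values without an `i` suffix (`vsize=686600`) are floats, not integers, once they reach InfluxDB.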

readToPsql.pl

Reads Zeek log files into a PostgreSQL database. Tables are generated automatically from the type and path information in the Zeek log headers.

Usage:

readToPsql.pl --db=[dbname] [--port=port] [logfiles]

readToGpDB.pl

Reads Zeek log files into a Greenplum database. Tables are generated automatically from the type and path information in the Zeek log headers.

Usage:

readToGpDB.pl --db=[dbname] [--port=port] [logfiles]
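How a table can be derived from a Zeek ASCII log's `#path`, `#fields` and `#types` header lines, as described for both readToPsql.pl and readToGpDB.pl above. This is an added example of the idea, not the repository's Perl code: it reads the header, emits a `CREATE TABLE` statement and converts the data rows into typed values for a parameterised `INSERT`. The sample log, the Zeek-to-PostgreSQL type mapping and the decision to keep `time` and `interval` as epoch seconds are assumptions of this example.

```python
import re
from typing import Any, List, Optional

# Constructed sample: an abbreviated Zeek conn.log (tab-separated, as Zeek writes it).
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#open\t2023-01-01-00-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tlocal_orig\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tbool\tset[string]
1672531200.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t0.532\t1024\tT\t(empty)
1672531201.000000\tCX3kq11bq4wQWtD3Ll\t10.0.0.7\t40000\t10.0.0.1\t53\tudp\tdns\t-\t-\tT\t-
#close\t2023-01-01-01-00-00
"""

# Assumed Zeek scalar type -> PostgreSQL column type (time/interval kept as epoch seconds).
SCALAR_TYPES = {
    "bool": "boolean", "count": "bigint", "int": "bigint", "double": "double precision",
    "time": "double precision", "interval": "double precision", "string": "text",
    "port": "integer", "addr": "inet", "subnet": "cidr", "enum": "text",
}
CONTAINER = re.compile(r"^(set|vector)\[(.+)\]$")


def pg_type(zeek_type: str) -> str:
    """Map a Zeek type name (including set[...] / vector[...]) to a PostgreSQL type."""
    m = CONTAINER.match(zeek_type)
    if m:
        return pg_type(m.group(2)) + "[]"
    if zeek_type not in SCALAR_TYPES:
        raise ValueError("no PostgreSQL mapping for Zeek type %r" % zeek_type)
    return SCALAR_TYPES[zeek_type]


def quote_ident(name: str) -> str:
    """Double-quote an identifier taken from the log (field names contain dots)."""
    return '"' + name.replace('"', '""') + '"'


class ZeekLog:
    """Header-aware reader for Zeek's ASCII log format."""

    def __init__(self, text: str) -> None:
        self.sep, self.set_sep, self.empty, self.unset = "\t", ",", "(empty)", "-"
        self.path: Optional[str] = None
        self.fields: List[str] = []
        self.types: List[str] = []
        self.rows: List[List[str]] = []
        for line in text.splitlines():
            if not line:
                continue
            if line.startswith("#separator "):
                # Zeek writes the separator escaped, e.g. "\x09" for a tab.
                self.sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            elif line.startswith("#"):
                key, _, value = line[1:].partition(self.sep)
                if key == "set_separator":
                    self.set_sep = value
                elif key == "empty_field":
                    self.empty = value
                elif key == "unset_field":
                    self.unset = value
                elif key == "path":
                    self.path = value
                elif key == "fields":
                    self.fields = value.split(self.sep)
                elif key == "types":
                    self.types = value.split(self.sep)
            else:
                self.rows.append(line.split(self.sep))
        if len(self.fields) != len(self.types) or not self.path:
            raise ValueError("log header is missing #path, #fields or #types")

    def convert(self, raw: str, zeek_type: str) -> Any:
        """Turn one raw cell into a Python value suitable as a query parameter."""
        if raw == self.unset:
            return None
        m = CONTAINER.match(zeek_type)
        if m:
            if raw == self.empty:
                return []
            return [self.convert(x, m.group(2)) for x in raw.split(self.set_sep)]
        if raw == self.empty:
            return ""
        if zeek_type == "bool":
            return raw == "T"
        if zeek_type in ("count", "int", "port"):
            return int(raw)
        if zeek_type in ("double", "time", "interval"):
            return float(raw)
        return raw  # string/enum stay text; addr/subnet are cast by PostgreSQL on insert

    def typed_rows(self) -> List[List[Any]]:
        return [[self.convert(v, t) for v, t in zip(row, self.types)] for row in self.rows]


def create_table_sql(log: ZeekLog) -> str:
    cols = ", ".join("%s %s" % (quote_ident(f), pg_type(t)) for f, t in zip(log.fields, log.types))
    return "CREATE TABLE IF NOT EXISTS %s (%s);" % (quote_ident(log.path), cols)


def insert_sql(log: ZeekLog) -> str:
    """Parameterised INSERT; row values are bound by the DB driver, never interpolated."""
    cols = ", ".join(quote_ident(f) for f in log.fields)
    return "INSERT INTO %s (%s) VALUES (%s)" % (
        quote_ident(log.path), cols, ", ".join(["%s"] * len(log.fields)))
```

The table and column names are the only values that end up inside SQL text, so they are always double-quoted (and embedded quotes doubled); the row data goes through driver parameters, which keeps log content such as a hostile `uid` or `service` string from being interpreted as SQL. With psycopg2 the pattern is `cur.execute(create_table_sql(log))` followed by `cur.executemany(insert_sql(log), log.typed_rows())`.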

convert-blacklist.pl

Converts the SSL Blacklist provided by abuse.ch into a format that the Zeek Intelligence Framework can ingest.

Usage:

convert-blacklist.pl infile > outfile
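The conversion described above, written out as an added example rather than the repository's convert-blacklist.pl. It assumes the abuse.ch SSLBL CSV layout of `Listingdate,SHA1,Listingreason` with `#` comment lines (the sample input is constructed, not real feed data), validates and lowercases each SHA1, drops duplicates, and writes the tab-separated `#fields` layout the Zeek Intelligence Framework reads, using the `Intel::CERT_HASH` indicator type for certificate fingerprints.

```python
import csv
import io
import re
from typing import Tuple

# Constructed sample in the assumed SSLBL CSV layout: Listingdate,SHA1,Listingreason.
SAMPLE_CSV = """# abuse.ch SSLBL (constructed sample, not real feed data)
# Listingdate,SHA1,Listingreason
2023-01-01 12:00:00,0123456789abcdef0123456789abcdef01234567,ExampleFamily C&C
2023-01-02 08:30:00,89ABCDEF0123456789ABCDEF0123456789ABCDEF,Another Family C&C
2023-01-02 08:30:00,89abcdef0123456789abcdef0123456789abcdef,Another Family C&C
2023-01-03 09:00:00,not-a-sha1,Broken line
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Column layout the Zeek Intelligence Framework reads; meta.source is mandatory.
INTEL_HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"


def convert(csv_text: str, source: str = "abuse.ch SSLBL") -> Tuple[str, int]:
    """Return (intel file contents, number of input rows skipped)."""
    out = [INTEL_HEADER]
    seen = set()
    skipped = 0
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith("#"):
            continue  # comment and header lines
        if len(row) < 3:
            skipped += 1
            continue
        listed, sha1, reason = row[0].strip(), row[1].strip().lower(), row[2].strip()
        # Zeek's x509 fingerprints are lowercase hex, so the indicator must be too;
        # anything that is not a 40-hex-digit SHA1, or a repeat, is dropped.
        if not SHA1_RE.match(sha1) or sha1 in seen:
            skipped += 1
            continue
        seen.add(sha1)
        # Tabs are the field separator, so none may survive inside a value.
        desc = ("%s (listed %s)" % (reason, listed)).replace("\t", " ")
        out.append("\t".join([sha1, "Intel::CERT_HASH", source.replace("\t", " "), desc]))
    return "\n".join(out) + "\n", skipped


if __name__ == "__main__":
    text, skipped = convert(SAMPLE_CSV)
    print(text, end="")
    print("skipped %d rows" % skipped)
```

The resulting file is loaded by adding its path to `Intel::read_files` in a Zeek script (`redef Intel::read_files += { "/path/to/outfile" };`); the framework rereads the file when it changes, so regenerating it in place is enough to pick up feed updates. Matches against certificates seen in TLS traffic are then reported in intel.log.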
