@load global-ext

module KnownHosts;

export {
	# Which class of hosts gets an entry in the known-hosts log.
	# Accepted values: LocalHosts, RemoteHosts, AllHosts.
	# NOTE(review): widening this beyond LocalHosts means every distinct
	# external address seen is tracked in known_hosts for a day; check
	# memory headroom on busy links before redef'ing.
	const logging = LocalHosts &redef;

	# Set to T to split the log file when more than just local assets
	# are being logged.
	const split_log_file = F &redef;

	# Addresses that have already been logged. Each entry expires one day
	# after it was created (&create_expire=1day), so an address that is
	# still active is written to the log again about once per day.
	# The set is also marked &synchronized and &persistent.
	global known_hosts: set[addr] &create_expire=1day &synchronized &persistent;
}

event bro_init()
	{
	# Set up the "known-hosts" log according to the module's logging and
	# split_log_file options.
	# NOTE(review): the meaning of the trailing T is defined by
	# LOG::create_logs, which is not visible in this file.
	LOG::create_logs("known-hosts", logging, split_log_file, T);

	# No column header is defined: the log has a single field, so the
	# header line was dropped as not useful.
	#LOG::define_header("known-hosts", cat_sep("\t", "", "host"));
	}

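# Log `host` to the known-hosts log if it has not been logged yet and it
# falls into the host class selected by `logging`. The address is added to
# known_hosts, so it is not logged again until its entry expires.
function log_host_if_new(host: addr)
	{
	if ( host in known_hosts || ! addr_matches_hosts(host, logging) )
		return;

	local out: file = LOG::get_file_by_addr("known-hosts", host, F);
	add known_hosts[host];
	print out, cat_sep("\t", "", host);
	}

# Record both endpoints of every established connection.
#
# Coverage caveat for anyone using this log as an asset inventory: this
# handler only runs for connection_established, so a host is recorded only
# once it takes part in a connection that reaches the established state.
# Hosts that are seen only in other traffic are not picked up here.
event connection_established(c: connection)
	{
	local id = c$id;

	# Originator first, then responder, matching the order the two
	# addresses were previously written to the log.
	log_host_if_new(id$orig_h);
	log_host_if_new(id$resp_h);
	}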