
Commit 8a66a0c

william-stearnscaffeinatedpixellisaSW
authored
Only create open_ logs if reading from an interface. (#8)
* Only create open_ logs if reading from an interface. * Update checks for processing only live traffic Co-Authored-By: Liza Tsibur <liza@activecountermeasures.com> --------- Co-authored-by: Naomi Kramer <naomi@activecountermeasures.com> Co-authored-by: Liza Tsibur <liza@activecountermeasures.com>
1 parent 8a7becc commit 8a66a0c


1 file changed

+25
-14
lines changed


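--- a/scripts/zeek_open_connections.zeek
+++ b/scripts/zeek_open_connections.zeek
@@ -67,36 +67,47 @@ export {
 
 event zeek_init() &priority=5
 {
+
 Log::create_stream(LOG, [$columns=Conn::Info, $path="open_conn"]);
 Log::create_stream(SSL_LOG, [$columns=SSL::Info, $path="open_ssl"]);
 Log::create_stream(HTTP_LOG, [$columns=HTTP::Info, $path="open_http"]);
+
 }
 
 
 function long_callback(c: connection, cnt: count): interval
 {
-
-if ( c$duration >= ALERT_INTERVAL )
+# only process traffic if the packet came from a live interface
+# https://docs.zeek.org/en/master/scripts/base/init-bare.zeek.html#type-PacketSource
+local ps = packet_source();
+if ( ps?$live && ps$live )
 {
-Conn::set_conn_log_data_hack(c);
-Log::write(OpenConnection::LOG, c$conn);
-if ( c?$http )
-{
-Log::write(OpenConnection::HTTP_LOG, c$http);
-}
-if ( c?$ssl && |c$ssl$server_name| > 0 )
+if ( c$duration >= ALERT_INTERVAL )
 {
-Log::write(OpenConnection::SSL_LOG, c$ssl);
+Conn::set_conn_log_data_hack(c);
+Log::write(OpenConnection::LOG, c$conn);
+if ( c?$http )
+{
+Log::write(OpenConnection::HTTP_LOG, c$http);
+}
+if ( c?$ssl && |c$ssl$server_name| > 0 )
+{
+Log::write(OpenConnection::SSL_LOG, c$ssl);
+}
+return ALERT_INTERVAL;
 }
-return ALERT_INTERVAL;
+else
+return ALERT_INTERVAL - c$duration;
 }
-else
-return ALERT_INTERVAL - c$duration;
 }
 
-#https://docs.zeek.org/en/v4.0.2/scripts/base/bif/event.bif.zeek.html#id-new_connection
+# https://docs.zeek.org/en/master/scripts/base/bif/event.bif.zeek.html#id-new_connection
 event new_connection(c: connection)
 {
+local ps = packet_source();
+if ( ps?$live && ps$live )
+{
 ConnPolling::watch(c, long_callback, 1, ALERT_INTERVAL);
+}
 }
 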
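Review bot: In long_callback the new outer `if ( ps?$live && ps$live )` has no else branch, so when the packet source is not live a function declared to return `interval` reaches the end of its body without a value, which Zeek is likely to report when that path executes. Since new_connection now registers the callback only for live sources, that branch is presumably unreachable in practice, which also makes the per-invocation `packet_source()` check inside long_callback redundant; either drop the guard there or close the gap with an explicit `else return ALERT_INTERVAL;` after the inner if/else. The two blank lines added inside zeek_init are whitespace-only and the three `Log::create_stream` calls remain unconditional, so the commit title holds only insofar as the open_* files are not materialised until the first `Log::write`, which the guard now prevents on non-live sources; a one-line comment above the stream creation stating that assumption would make the intent clear to the next reader.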