Skip to content
Set your logs on fire with Emoji-πŸ”₯!
Zeek Shell
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs Added πŸ™ƒπŸ”₯ logo, expanded Readme ℹ️ Aug 16, 2019
scripts
testing Remove DNS test. Aug 30, 2019
LICENSE Updated meta data. Aug 16, 2019
README.md
zkg.meta Merge branch 'jsiwek-master' Sep 7, 2019

README.md

Set your logs on fire with Emoji-πŸ”₯

Emojifier is the πŸ”¨ of choice to get a fast overview on your Zeek connection log. On top, it also serves as the perfect management summary of your network's security status. πŸ‘ΉπŸ›‘οΈπŸ’

It adds an additional column to your conn.log showing emojis that give you information about the connections in your log. The following emojis are currently supported:

Emoji Meaning
πŸ„ HTTP Traffic
πŸ” DNS Traffic
πŸ“¨ SMTP Traffic
☎️ SIP Traffic
πŸ₯΅ Connection with many bytes
πŸ™ˆ Some bytes were missed
πŸ˜› TCP Connection was rejected
πŸ”„ Connection direction was flipped
🚨 There is a notice for this connection
πŸ₯΄ Zeek deems this connection weird
πŸ”₯ There was an Intel hit

Furthermore, there is an additional script to emojify default policies. Add @load emojifier/emojify-policies to your local.zeek to enable the following additional emojis:

Emoji Meaning
βŒ› Expired certificate
⏳ Certificate expires soon
πŸ˜• Old TLS version
πŸ’“ Heartbleed attack detected
πŸ’‰ SQL injection detected
πŸ’£ Vulnerable software version
πŸ€” Login with guessed SSH password

Usage 😎

The scripts are available as package for the Zeek Package Manager and can be installed using the following command: zkg install emojifier To set your logs on πŸ”₯ make sure the package is loaded: zkg load emojifier To enable the additional emojis including the corresponding policy scripts add @load emojifier/emojify-policies to your local.zeek. Please note that emojification (utf8 support) is a Zeek-only feature. If you haven't already upgraded to Zeek, πŸ‘† is the reason you should do it!

Extending 🧐

Want to put πŸ”₯? No problem, the emojifier can be easily extended. Just add your custom logic by handling an event and concatenating the additional emoji to the emoji_trail string in the connection record. The following example adds the πŸ•³ emoji.

event connection_state_remove(c: connection) &priority=5
	{
	if ( c?$tunnel )
		c$emoji_trail += "πŸ•³";
	}

Note that you need to use a priority > 0 in case you are handling the connection_state_remove event.

If you want to extend the Emoji-πŸ”₯ based on notices that is even easier. You just need to extend the Emojifier::custom_notices table:

redef custom_notices += {
	[Notice::Tally] = "🀭",
};

We are looking forward to merge your pull-request πŸ˜‰

Coming soon ⏱

Prepare yourself for fun with flags πŸ‡©πŸ‡ͺ πŸ‡ΊπŸ‡Έ πŸ‡―πŸ‡²! We are about to add Geo-IP-Support...

You can’t perform that action at this time.