# Set your logs on fire with Emoji-🔥

Emojifier is the 🔨 of choice to get a fast overview of your Zeek connection log. On top, it also serves as the perfect management summary of your network's security status. 👹🛡️

It adds an additional column to your `conn.log` showing emojis that give you information about the connections in your log. The following emojis are currently supported:

| Emoji | Meaning |
|---|---|
| 🍄 | HTTP Traffic |
| 🔍 | DNS Traffic |
| 📨 | SMTP Traffic |
| ☎️ | SIP Traffic |
| 🥵 | Connection with many bytes |
| 🙈 | Some bytes were missed |
| 😛 | TCP connection was rejected |
| 🔄 | Connection direction was flipped |
| 🚨 | There is a notice for this connection |
| 🥴 | Zeek deems this connection weird |
| 🔥 | There was an Intel hit |

Furthermore, there is an additional script to emojify default policies. Add `@load emojifier/emojify-policies` to your `local.zeek` to enable the following additional emojis:

| Emoji | Meaning |
|---|---|
| ⌛ | Expired certificate |
| ⏳ | Certificate expires soon |
| 😕 | Old TLS version |
| 💓 | Heartbleed attack detected |
| 💉 | SQL injection detected |
| 💣 | Vulnerable software version |
| 🤔 | Login with guessed SSH password |

## Usage 😎

The scripts are available as a package for the Zeek Package Manager and can be installed using the following command:

```
zkg install emojifier
```

To set your logs on 🔥, make sure the package is loaded:

```
zkg load emojifier
```

To enable the additional emojis, including the corresponding policy scripts, add `@load emojifier/emojify-policies` to your `local.zeek`.

Please note that emojification (UTF-8 support) is a Zeek-only feature. If you haven't already upgraded to Zeek, 👆 is the reason you should do it!

## Fun with Flags 🇩🇪 🇺🇸 🇯🇲

Of course, we have also added support for Zeek's GeoLocation framework. First you need to make sure that the framework is available (see the Zeek docs). For a quick test, run a command like the following:

```
zeek -e "print lookup_location(8.8.8.8);"
```

If that works without any issues, you are ready to go. Just add `@load emojifier/emojify-geo` to your `local.zeek`.

## Extending 🧐

Want to add your own 🔥? No problem, the emojifier can easily be extended. Just add your custom logic by handling an event and appending the additional emoji to the `emoji_trail` string in the `connection` record. The following example adds the 🕳 emoji for tunneled connections:

```zeek
event connection_state_remove(c: connection) &priority=5
	{
	# Only connections that were seen inside a tunnel carry the tunnel field.
	if ( c?$tunnel )
		c$emoji_trail += "🕳";
	}
```

Note that you need to use a priority > 0 when handling the `connection_state_remove` event, so that your handler runs before the emoji trail is written to the log (handlers with a higher priority run first).

If you want to extend the Emoji-🔥 based on notices, that is even easier. You just need to extend the `Emojifier::custom_notices` table, mapping a notice type to the emoji that should be appended:

```zeek
redef Emojifier::custom_notices += {
	[Notice::Tally] = "🤭",
};
```
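As an added example that is not part of the emojifier package, the following local script uses both extension points described above: an event handler that tags long-lived connections and connections without an identified service, and two further notice-based emojis. The module name `EmojiExtras`, the thresholds and the chosen emojis are assumptions; it assumes the emojifier package and Zeek's `protocols/ssl/validate-certs` policy are loaded.

```zeek
# Added example (hypothetical local script), not part of the emojifier package.
# Assumes the emojifier package is installed and loadable via zkg.
@load emojifier
# Provides the SSL::Invalid_Server_Cert notice used below.
@load protocols/ssl/validate-certs

module EmojiExtras;   # hypothetical module name

export {
	## Connections lasting longer than this get the 🐢 emoji (assumed threshold).
	const long_duration = 10min &redef;
}

# Priority must be > 0 so this handler runs before the emojifier writes the
# conn.log entry; higher-priority handlers run first.
event connection_state_remove(c: connection) &priority=5
	{
	# duration is &optional: a connection that never progressed far enough
	# to get a duration lacks the field, so test for it before comparing.
	if ( c?$duration && c$duration > long_duration )
		c$emoji_trail += "🐢";

	# No protocol analyzer claimed this connection: worth a second look,
	# especially when the responder port is one you expect to be identified.
	if ( |c$service| == 0 )
		c$emoji_trail += "❓";
	}

# Notice-based emojis. Both notice types below are raised with the
# connection attached ($conn), which is what the emojifier needs to
# know which conn.log entry gets the emoji.
redef Emojifier::custom_notices += {
	[SSL::Invalid_Server_Cert] = "❌",          # certificate failed validation
	[Signatures::Sensitive_Signature] = "🎯",   # a signature match on this connection
};
```

Drop the script into your `local.zeek` (or `@load` it from there) and the new emojis show up in the same `emoji_trail` column as the built-in ones.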

We are looking forward to merging your pull request 😉
