DoveHawk.io Anonymized Outgoing Partial Netflow

Dovehawk.io Anonymized Outgoing Flow Collector Module for Zeek

This module collects outgoing flow counts to external IPs across an entire cluster or standalone Zeek instance. Local source IPs are not tracked, and SUMSTATS is used to sum multiple requests over a specified time period, anonymizing and grouping the requests across the entire network.

Local hostnames are stripped to further anonymize the data for external sharing.
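
The aggregation described above, modelled in Python as an added example (this is not the module's Zeek code): the originating address is used only to decide direction and is then discarded, and flows are summed per external destination within each reporting period. The local network ranges, the 300-second period and the output field names are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

# Assumption: ranges treated as "local"; a deployment would use its own site networks.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EPOCH_SECONDS = 300  # assumed reporting period


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def aggregate_outgoing(conns, epoch=EPOCH_SECONDS):
    """Sum outgoing flows per (period start, external IP, port, protocol).

    The originator address only decides whether a flow is outgoing; it is
    never stored, so a report row cannot be tied back to a local host.
    """
    counts = Counter()
    for ts, orig_h, resp_h, resp_p, proto in conns:
        if not is_local(orig_h) or is_local(resp_h):
            continue  # keep only local -> external flows
        bucket = int(ts) - int(ts) % epoch
        counts[(bucket, resp_h, resp_p, proto)] += 1
    return [
        {"epoch": b, "dest_ip": ip, "dest_port": port, "proto": proto, "flows": n}
        for (b, ip, port, proto), n in sorted(counts.items())
    ]


# Constructed sample connections: (timestamp, orig_h, resp_h, resp_p, proto)
SAMPLE_CONNS = [
    (1000.0, "10.1.1.5", "203.0.113.10", 443, "tcp"),
    (1010.5, "10.1.2.9", "203.0.113.10", 443, "tcp"),   # same destination, other host
    (1100.0, "192.168.4.20", "198.51.100.7", 53, "udp"),
    (1150.0, "10.1.1.5", "10.1.9.9", 445, "tcp"),       # internal only: dropped
    (1160.0, "203.0.113.50", "10.1.1.5", 22, "tcp"),    # inbound: dropped
    (1290.0, "10.1.3.3", "203.0.113.10", 443, "tcp"),   # falls in the next period
]

if __name__ == "__main__":
    for row in aggregate_outgoing(SAMPLE_CONNS):
        print(row)
```

Two different local hosts contacting the same destination in one period collapse into a single row with a flow count of 2, which is the grouping the shared report relies on.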


Screencaps

[Screenshot: DoveHawk Flow Reported]

[Screenshot: DoveHawk flow.log Local Log]

Requirements

Zeek > 2.6.1 (some 2.5 versions may work, but testing showed issues with triggering the SUMSTATS finished epoch).

The curl command-line tool, which is used by ActiveHTTP.

Database

See dovehawk_lambda for an AWS Lambda serverless function to store reporting in RDS Aurora.

Contact

Tyler McLellan @tylabs
