
Fix process_open_sockets once again.

Looks like the previous fix got lost over the renaming merge.
rsmmr committed Jan 8, 2020
1 parent 3043b3c commit 887796f79a63b4b0eee3b538548c9daff9f14652
@@ -1,5 +1,5 @@

0.4-9 | 2020-01-08 09:14:19 +0000
0.4-10 | 2020-01-08 11:42:42 +0000

* Rename from osquery framework to zeek-agent. (Robin Sommer, Corelight)

@@ -1 +1 @@
0.4-9
0.4-10
@@ -1,32 +1,21 @@
#! Logs process open sockets activity
#! Query processes activity.

@load zeek-agent

module zeek_agent;

export {
## Event to indicate that a new socket connection was created on a host
##
## <params missing>
global process_open_socket_added: event(t: time, host_id: string, pid: int, fd: int, family: int, protocol: int, local_address: string, remote_address: string, local_port: int, remote_port: int);

## Event to indicate that an existing socket connection terminated on a host
##
## <params missing>
global process_open_socket_removed: event(t: time, host_id: string, pid: int, fd: int, family: int, protocol: int, local_address: string, remote_address: string, local_port: int, remote_port: int);
global process_open_sockets_added: event(t: time, host_id: string, pid: int, fd: int, family: int, protocol: int, local_address: string, remote_address: string, local_port: int, remote_port: int);
}

event zeek_agent::table_process_open_sockets(resultInfo: zeek_agent::ResultInfo,
pid: int, fd: int, family: int, protocol: int, local_address: string, remote_address: string, local_port: int, remote_port: int) {
if (resultInfo$utype == zeek_agent::ADD && pid != -1) {
event zeek_agent::process_open_socket_added(network_time(), resultInfo$host, pid, fd, family, protocol, local_address, remote_address, local_port, remote_port);
event zeek_agent::table_process_open_sockets(resultInfo: zeek_agent::ResultInfo, pid: int, fd: int, family: int, protocol: int, local_address: string, remote_address: string, local_port: int, remote_port: int)
{
if ( resultInfo$utype == zeek_agent::ADD && pid != -1 )
event zeek_agent::process_open_sockets_added(network_time(), resultInfo$host, pid, fd, family, protocol, local_address, remote_address, local_port, remote_port);
}
if (resultInfo$utype == zeek_agent::REMOVE) {
event zeek_agent::process_open_socket_removed(network_time(), resultInfo$host, pid, fd, family, protocol, local_address, remote_address, local_port, remote_port);
}
}

event zeek_init() {
local query = [$ev=zeek_agent::table_process_open_sockets,$query="SELECT pid, fd, family, protocol, local_address, remote_address, local_port, remote_port FROM process_open_sockets WHERE family=2", $utype=zeek_agent::BOTH, $inter=zeek_agent::QUERY_INTERVAL];
event zeek_init()
{
local query = [$ev=zeek_agent::table_process_open_sockets, $query="SELECT pid, fd, family, protocol, local_address, remote_address, local_port, remote_port FROM process_open_sockets WHERE family=2", $utype=zeek_agent::BOTH, $inter=zeek_agent::QUERY_INTERVAL];
zeek_agent::subscribe(query);
}
}
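Review bot: The rewritten table_process_open_sockets handler only raises process_open_sockets_added for ADD rows, yet the zeek_init subscription still requests `$utype=zeek_agent::BOTH`, so every REMOVE update is shipped from the agent and then silently dropped, and socket-close activity that the old process_open_socket_removed event exposed is no longer observable; either narrow the subscription (presumably `$utype=zeek_agent::ADD`, the same value the handler compares against) or keep a removed-side event. The new export declaration also lost the `##` documentation that the old process_open_socket_added declaration carried; a `## Event raised for each new socket connection seen on a host` line followed by the parameter list would keep it readable in generated docs. The new header comment `#! Query processes activity.` does not describe this file, whereas the replaced `#! Logs process open sockets activity` did. Separately, `WHERE family=2` restricts the query to IPv4 sockets, so IPv6 connections are not monitored; if that is intentional, a short comment on the query line would save the next reader from treating it as a gap.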
@@ -41,5 +41,5 @@ event zeek_agent::process_open_sockets_added(t: time, host_id: string, pid: int,

event zeek_init()
{
Log::create_stream(LOG, [$columns=Info, $path="agent-process_open_sockets"]);
Log::create_stream(LOG, [$columns=Info, $path="agent-process_open_sockets"]);
}
