##! Saves all input traffic in Spicy's batch format.
module SpicyBatch;

export {
	## Path of the batch file that gets written. ``zeek_init`` opens it with
	## ``open()``, so an existing file of that name is overwritten on every run.
	const filename = "batch.dat" &redef;
}

# Have Zeek report every byte of TCP and UDP payload, in both directions,
# through the ``tcp_contents`` / ``udp_contents`` events handled further down.
redef tcp_content_deliver_all_orig=T;
redef tcp_content_deliver_all_resp=T;
redef udp_content_deliver_all_orig=T;
redef udp_content_deliver_all_resp=T;

# Handle of the batch file: opened in zeek_init, closed in zeek_done.
global output: file;
# Connections for which an ``@begin-conn`` record has already been written.
global conns: set[conn_id];
# Number of sessions recorded so far; reported on shutdown.
global num_conns = 0;
## Builds the identifier under which a connection appears in the batch file.
##
## c: The connection.
##
## Returns: ``orig_h-orig_p-resp_h-resp_p-proto`` with ports rendered as plain
##          numbers and ``proto`` one of ``tcp``, ``udp``, ``icmp`` or ``???``
##          for anything else.
function id(c: connection) : string
	{
	local cid = c$id;
	local p = cid$orig_p;

	# The transport protocol is carried by the port value itself.
	local proto = is_tcp_port(p) ? "tcp"
	            : (is_udp_port(p) ? "udp"
	            : (is_icmp_port(p) ? "icmp" : "???"));

	return fmt("%s-%d-%s-%d-%s", cid$orig_h, p, cid$resp_h, cid$resp_p, proto);
	}
## Starts tracking a connection and writes its ``@begin-conn`` record.
##
## c: The connection.
## type_: The batch session type, ``"stream"`` for TCP or ``"block"`` for UDP.
function begin(c: connection, type_: string)
	{
	local cid = c$id;
	local sid = id(c);

	add conns[cid];
	++num_conns;
	print fmt("tracking %s", cid);

	# Both directions name the responder port; the doubled ``%%`` produces the
	# literal ``%`` separating port and direction (presumably how the batch
	# reader selects a parser by port -- confirm against the batch format).
	print output, fmt("@begin-conn %s %s %s-orig %s%%orig %s-resp %s%%resp\n",
	                  sid, type_, sid, cid$resp_p, sid, cid$resp_p);
	}
## Opens the batch file and writes the format header.
event zeek_init()
	{
	local f = open(filename);
	# Raw output makes ``print`` write strings verbatim (no quoting or escaping),
	# which is why every newline in this script is added explicitly.
	enable_raw_output(f);
	output = f;

	print output, "!spicy-batch v2\n";
	}
## Starts a ``stream`` session as soon as TCP reassembly begins for a connection.
event new_connection_contents(c: connection)
	{
	local session_type = "stream";
	begin(c, session_type);
	}
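## Returns the direction tag used in record names.
##
## is_orig: True for data sent by the originator.
##
## Returns: ``"orig"`` or ``"resp"``.
function dir_tag(is_orig: bool) : string
	{
	return is_orig ? "orig" : "resp";
	}

## Writes one ``@data`` record carrying a chunk of payload. The header states
## the chunk length, presumably so a reader consumes the payload by size rather
## than by scanning for a delimiter (payload may itself contain newlines).
##
## c: The connection the payload belongs to.
## is_orig: True for originator-side payload.
## contents: The raw payload bytes, written verbatim.
function write_data(c: connection, is_orig: bool, contents: string)
	{
	print output, fmt("@data %s-%s %d\n", id(c), dir_tag(is_orig), |contents|);
	print output, contents;
	print output, "\n";
	}

## Records a chunk of reassembled TCP payload.
event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	write_data(c, is_orig, contents);
	}

## Records a hole in the TCP stream so the reader knows bytes are missing.
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
	{
	print output, fmt("@gap %s-%s %d\n", id(c), dir_tag(is_orig), length);
	}

## Records a UDP datagram. UDP has no ``new_connection_contents``, so the
## first datagram of a flow opens its ``block`` session here.
event udp_contents(c: connection, is_orig: bool, contents: string)
	{
	if ( c$id !in conns )
		begin(c, "block");

	write_data(c, is_orig, contents);
	}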
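## Ends the session of a tracked connection once Zeek drops its state.
event connection_state_remove(c: connection)
	{
	if ( c$id !in conns )
		return;

	print output, fmt("@end-conn %s\n", id(c));

	# Forget the id: otherwise ``conns`` grows without bound over a long capture,
	# and a later flow reusing the same 5-tuple (common for UDP) would never get
	# its own ``@begin-conn`` because udp_contents would find the id present.
	delete conns[c$id];
	}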
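## Closes the batch file and prints a summary to stdout.
event zeek_done()
	{
	close(output);
	# Pluralize for every count except exactly one ("0 sessions", "1 session").
	print fmt("recorded %d session%s total", num_conns, (num_conns == 1 ? "" : "s"));
	print fmt("output in %s", filename);
	}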