[Zeek] Zeek script to look for first few packets
Aashish Sharma
asharma at lbl.gov
Fri May 3 10:38:52 PDT 2019
Manju,
Zeek conceptually works better at connection and protocol events than at the packet level. In fact,
that is one of its strengths: it does all the low-level TCP and protocol
understanding for you and hands you events that are at an easier level to
work with.
While you can work on packets, it is generally not recommended. More so if you
want to operate at the packet level to save processing time; on the contrary, you
are going down a non-optimal path.
You should consider an event-based approach. Your message doesn't quite explain
what your specifics are that help you identify when you are done, but here are a
couple of examples which might help you understand other approaches or ways to think:
Problem: I'd like to only process if all three conditions are true:
- IP is in local_nets
- dst port is in the acceptable port list &&
- response IP is not in the list of acceptable hosts
# ok_ports and ok_hosts are assumed to be declared elsewhere, e.g.:
global ok_ports: set[port] &redef;
global ok_hosts: set[addr] &redef;

event new_connection(c: connection)
	{
	local orig = c$id$orig_h;
	local resp = c$id$resp_h;
	local dport = c$id$resp_p;

	# Bail out early on anything that fails one of the three conditions.
	if ( orig !in Site::local_nets )
		return;
	if ( dport !in ok_ports )
		return;
	# Only responders that are NOT on the acceptable list get processed.
	if ( resp in ok_hosts )
		return;

	# do your processing
	}
Similarly, let's say you want to only operate on Apache server stuff:
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
	{
	# Zeek delivers header names upper-cased.
	if ( name != "SERVER" )
		return;
	if ( /Apache/ in value )
		{
		# do your processing
		}
	}
or alternatively:
	if ( name == "SERVER" && /Apache/ in value )
		{
		# do processing
		}
The way is you eliminate all the uninteresting traffic you don't care about;
this saves more processing than going to per-packet-level heuristics.
You should probably look at connection events:
https://docs.zeek.org/en/stable/scripts/base/bif/plugins/Bro_TCP.events.bif.bro.html
and definitely try to avoid working on packet events.
Hope this helps,
Aashish
On Fri, May 03, 2019 at 10:08:09PM +0530, Manju Lalwani wrote:
> How can I make Zeek look for the first ten packets only in a TCP session?
> The first ten packets are enough to fingerprint the traffic I am trying to
> identify, and so I would like to ensure my script looks at only the first 10
> packets to save processing time.
>
> Also, the communication can be identified based on 7 packets immediately
> following the TCP handshake and using a custom service not categorised by
> Zeek. The tcp_packet event has been the closest match for my script. Is there
> any Zeek event that can be a better match for this communication?
>
> Thanks in advance,
> Manju
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
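The approach Aashish describes, filtering at the connection level first and only then spending effort on a handful of packets of the connections that survive, written out as one complete Zeek script. This is an added example, not code from either poster: the module name FirstPackets, the sets ok_ports and ok_hosts with their placeholder values, the max_packets budget and the fingerprint pattern are all assumptions to be replaced with the site's own values. skip_further_processing() and the tcp_packet event are Zeek's own, as are Site::local_nets and connection_state_remove.

```zeek
##! Added example (not from the original thread): connection-level filtering
##! first, then a bounded look at the first payload-carrying packets only.
##! Module name, sets, ports, addresses and the pattern are placeholders.

@load base/utils/site

module FirstPackets;

export {
	## Responder ports worth inspecting (placeholder values).
	const ok_ports: set[port] = { 8443/tcp, 9000/tcp } &redef;

	## Responders already known and therefore not interesting (placeholder).
	const ok_hosts: set[addr] = { 10.0.0.5 } &redef;

	## How many post-handshake, payload-carrying packets to examine.
	const max_packets: count = 10 &redef;

	## What the custom service is expected to start with (placeholder).
	const fingerprint: pattern = /^HELLO / &redef;
}

# Per-connection packet counter, keyed by Zeek's connection UID. Only
# connections that passed the filters in new_connection() are in here.
global tracked: table[string] of count;

event new_connection(c: connection)
	{
	local orig = c$id$orig_h;
	local resp = c$id$resp_h;
	local dport = c$id$resp_p;

	# Drop everything uninteresting as early as possible. After this call
	# the core stops analysing the connection, so no further events cost
	# any script time.
	if ( orig !in Site::local_nets || dport !in ok_ports || resp in ok_hosts )
		{
		skip_further_processing(c$id);
		return;
		}

	tracked[c$uid] = 0;
	}

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
	{
	# Anything not explicitly tracked is ignored, so this handler is cheap
	# for the bulk of the traffic.
	if ( c$uid !in tracked )
		return;

	# Skip the handshake and pure ACKs: only payload-carrying packets count.
	if ( len == 0 )
		return;

	tracked[c$uid] += 1;

	if ( fingerprint in payload )
		{
		print fmt("%s: custom service %s -> %s:%s matched after %d payload packet(s)",
		          c$uid, c$id$orig_h, c$id$resp_h, c$id$resp_p, tracked[c$uid]);
		delete tracked[c$uid];
		skip_further_processing(c$id);
		return;
		}

	# Budget spent without a match: stop looking at this connection.
	if ( tracked[c$uid] >= max_packets )
		{
		delete tracked[c$uid];
		skip_further_processing(c$id);
		}
	}

event connection_state_remove(c: connection)
	{
	# Clean up the counter for connections that ended before reaching
	# the budget (delete on a missing key is harmless).
	delete tracked[c$uid];
	}
```

Run it against a capture with `zeek -r trace.pcap first_packets.zeek`. The point of the ordering is that tcp_packet still fires for every packet Zeek sees, so the per-packet handler has to be the cheapest part: it returns immediately unless new_connection() already decided the connection is worth the trouble, and once the budget or the match is reached, skip_further_processing() tells the core to stop analysing that connection altogether.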