[Zeek] Re: uid in files logs

Palumbo Mauro mauro.palumbo at aizoon.it
Thu Nov 7 00:46:11 PST 2019


Hi Michal,
   thanks, it seems to me pretty easy to implement and corresponding uids for each file are already stored in the record fa_file.conns.

I believe the only reason not to include these uids in pe.log, x509.log, etc. is that they are already available elsewhere, and in general it is better to avoid duplicates. It is one extra column, which will take some memory/disk space, etc., unless there is a significant performance hit that I can't see.

For us, adding this extra column will just make our lives a bit easier in everyday work…

Mauro

From: Michał Purzyński [mailto:michalpurzynski1 at gmail.com]
Sent: Thursday 7 November 2019 00:46
To: Palumbo Mauro <mauro.palumbo at aizoon.it>
Cc: zeek <zeek at zeek.org>
Subject: Re: [Zeek] uid in files logs

While I have no idea why it's not default, I'll share a piece of code to achieve something similar, so you can adapt it to your needs

Here we wanted to kill logging X509 certificates into both files.log and x509.log - and by doing that we saved like 20% of our SIEM intake, globally (!!). Should be easy enough to extend x509.log to include data from conn.log, etc.

@load base/frameworks/files
@load base/files/hash
@load base/files/x509

module X509;

export {
    # Extra columns for x509.log. X509::Info already carries the file id in
    # its id field; fuid is an explicit copy of it. md5 is only filled when an
    # MD5 hash analyzer ran on the file (the base SSL scripts attach one to
    # certificate files).
    redef record X509::Info += {
        fuid: string &log &optional;
        md5: string &log &optional;
    };
}

# The base X509 script writes the record to x509.log in file_state_remove at
# &priority=5; running at 40 sets the new fields before that Log::write().
event file_state_remove(f: fa_file) &priority=40
{
    if ( ! f$info?$x509 )
        return;

    f$info$x509$fuid = f$info$fuid;

    # md5 is &optional in Files::Info; reading it while unset is a runtime error.
    if ( f$info?$md5 )
        f$info$x509$md5 = f$info$md5;
}

On Wed, Nov 6, 2019 at 2:17 AM Palumbo Mauro <mauro.palumbo at aizoon.it> wrote:
Hi everybody,
   it would be useful for us to have the conn uids in the logs from file analyzers (pe.log, x509.log,…). I know this information can be gathered by cross-checking different bro logs, but it will save some time to have it already in pe.log, etc. I believe this data is available in the record fa_file.conns, available in events in the file framework, so it seems not difficult to add.
Is there any reason why it is not added by default?

Thanks,
Mauro
_______________________________________________
Zeek mailing list
zeek at zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
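As an added example, not code from the thread or from the Zeek project, here is a script that does what Mauro asks for: it copies the uid of every connection in fa_file.conns into x509.log and pe.log as a new uids column. It assumes the Zeek 3.0 base scripts, where the certificate record lives at f$info$x509 and is written to x509.log in file_state_remove at &priority=5, and the PE record lives at f$pe and is written at &priority=-5; the module name FileUIDs, the helper conn_uids and the script filename file-uids.zeek are assumptions of this example.

```zeek
##! file-uids.zeek (assumed filename; added example, not from the thread).
##! Adds a `uids` column to x509.log and pe.log holding the uids of the
##! connections the file was carried over, taken from fa_file.conns.

@load base/frameworks/files
@load base/files/x509
@load base/files/pe

module FileUIDs;

export {
	## x509.log: certificate record is stored at f$info$x509 (Zeek 3.0).
	redef record X509::Info += {
		uids: set[string] &log &optional;
	};

	## pe.log: PE record is stored at f$pe (Zeek 3.0).
	redef record PE::Info += {
		uids: set[string] &log &optional;
	};

	## Collect the connection uids recorded for a file.
	global conn_uids: function(f: fa_file): set[string];
}

function conn_uids(f: fa_file): set[string]
	{
	local uids: set[string] = set();

	# conns is &optional on fa_file; a file with no known
	# carrying connection simply gets an empty set.
	if ( ! f?$conns )
		return uids;

	for ( cid in f$conns )
		add uids[f$conns[cid]$uid];

	return uids;
	}

# Higher priority than the base scripts' own file_state_remove handlers
# (X509 at 5, PE at -5), so the field is set before their Log::write().
event file_state_remove(f: fa_file) &priority=40
	{
	local uids = conn_uids(f);

	# Leave the &optional field unset (logged as "-") when nothing is known.
	if ( |uids| == 0 )
		return;

	if ( f?$info && f$info?$x509 )
		f$info$x509$uids = uids;

	if ( f?$pe )
		f$pe$uids = uids;
	}
```

Check that it parses with `zeek -a file-uids.zeek`, then run it over a trace with `zeek -r trace.pcap file-uids.zeek`: x509.log and pe.log gain a `uids` column that is logged as a comma-separated set, so a file seen on several connections lists all of them. Files::Info already carries the same data in its `conn_uids` field (filled by the files framework in file_over_new_connection and written to files.log), so copying `f$info$conn_uids` is an equivalent shortcut to iterating f$conns; the version above follows the thread and reads fa_file.conns directly.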