[Zeek] Adding connection data to the SSL log
Virgil
0psec1 at protonmail.com
Fri Jan 24 10:08:39 PST 2020
Hello Zeek community,
I'm trying to add connection data including duration, orig_bytes, and resp_bytes to some of the logs that don't usually have these fields. Keying off of the connection_state_remove event, I'm able to add the fields to some logs, such as RDP, but I'm having trouble adding the fields to the SSL log. When I run my script against different pcap files containing SSL traffic, the desired fields appear in the log but aren't populated. Putting a "print c$ssl;" in the script shows that at least when the script is running, the fields appear to be populated correctly, but somehow aren't then written to the SSL log. The logic of the script that works to populate these fields successfully in the RDP log doesn't appear to work the same for the SSL log. Would appreciate any help you can provide. Thank you kindly.
export {
	redef record SSL::Info += {
		duration:      interval &log &optional;
		orig_ip_bytes: count    &log &optional;
		resp_ip_bytes: count    &log &optional;
	};
}

event connection_state_remove(c: connection)
	{
	# Only SSL connections, and only once Conn::Info has been built
	# (c$conn is &optional on the connection record).
	if ( ! c?$ssl || ! c?$conn )
		return;

	# duration is always present on a connection record.
	c$ssl$duration = c$duration;

	if ( c$conn?$orig_ip_bytes )
		c$ssl$orig_ip_bytes = c$conn$orig_ip_bytes;

	# The responder side must read resp_ip_bytes, not orig_ip_bytes a
	# second time, otherwise resp_ip_bytes is never assigned.
	if ( c$conn?$resp_ip_bytes )
		c$ssl$resp_ip_bytes = c$conn$resp_ip_bytes;

	#print c$ssl;
	}
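The script above sets the fields at connection_state_remove, but for an SSL session whose handshake completes, Zeek's base SSL script has already written the ssl.log line from its ssl_established handler (at priority -5); only connections that never reach the established state are logged from connection_state_remove. Assignments made after Log::write never reach the log, which matches the symptom of empty columns while `print c$ssl` shows populated values. The following standalone script is an added example, not code from the original post or from the Zeek project; it assumes that logging order, fills the fields from both events at the default priority 0 so they land before the priority -5 write, and reads the byte counters from the endpoint records (c$orig and c$resp) because c$conn is not built until connection_state_remove. The caveat is that for a completed handshake the values only describe the connection up to the point ssl_established fires, not the full session.

```zeek
# Added example (not from the original post or Zeek itself): attach
# connection metrics to SSL::Info before the base script writes ssl.log.
#
# Assumption: the base SSL script calls Log::write from ssl_established
# at &priority=-5 and, for handshakes that never complete, from
# connection_state_remove at &priority=-5.

module SSLConnStats;

export {
	redef record SSL::Info += {
		duration:      interval &log &optional;
		orig_ip_bytes: count    &log &optional;
		resp_ip_bytes: count    &log &optional;
	};
}

# Copy whatever connection-level counters exist right now into the SSL
# record. Safe to call from any event that carries the connection.
function fill_conn_stats(c: connection)
	{
	if ( ! c?$ssl )
		return;

	c$ssl$duration = c$duration;

	# num_bytes_ip is &optional on the endpoint record; it is only
	# maintained when the connection size analyzer is enabled.
	if ( c$orig?$num_bytes_ip )
		c$ssl$orig_ip_bytes = c$orig$num_bytes_ip;
	if ( c$resp?$num_bytes_ip )
		c$ssl$resp_ip_bytes = c$resp$num_bytes_ip;
	}

# Priority 0 (the default) runs before the base script's -5 handler, so
# completed handshakes get the fields. Caveat: the counters cover only the
# bytes and time elapsed up to the handshake, not the whole session.
event ssl_established(c: connection)
	{
	fill_conn_stats(c);
	}

# Fallback for connections whose handshake never finished; the base
# script logs those from connection_state_remove, again at priority -5,
# so the default priority here still runs first.
event connection_state_remove(c: connection)
	{
	fill_conn_stats(c);
	}
```

Run it as `zeek -r capture.pcap sslconnstats.zeek` (file name assumed) and compare ssl.log against conn.log for the same uid: for established sessions the byte counts will be smaller than conn.log's because they were captured at handshake time. Do not load this alongside the original script, since redefining the same SSL::Info fields twice is an error.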