[Zeek] Adding connection data to the SSL log

Steve Smoot smoot at corelight.com
Fri Jan 24 15:26:02 PST 2020


SSL doesn't write its log on connection_state_remove; you'll want to hook
ssl_finishing instead.
-s

On Fri, Jan 24, 2020 at 10:11 AM Virgil <0psec1 at protonmail.com> wrote:
>
> Hello Zeek community,
> I'm trying to add connection data including duration, orig_bytes, and resp_bytes to some of the logs that don't usually have these fields. Keying off of the connection_state_remove event, I'm able to add the fields to some logs, such as RDP, but I'm having trouble adding the fields to the SSL log. When I run my script against different pcap files containing SSL traffic, the desired fields appear in the log but aren't populated. Putting a "print c$ssl;" in the script shows that at least when the script is running, the fields appear to be populated correctly, but somehow aren't then written to the SSL log. The logic of the script that works to populate these fields successfully in the RDP log doesn't appear to work the same for the SSL log. Would appreciate any help you can provide. Thank you kindly.
>
> export {
>     redef record SSL::Info += {
>         duration:      interval &log &optional;
>         orig_ip_bytes: count    &log &optional;
>         resp_ip_bytes: count    &log &optional;
>     };
> }
>
> event connection_state_remove(c: connection)
>     {
>     if ( ! c?$ssl )
>         return;
>
>     c$ssl$duration = c$duration;
>
>     if ( c$conn?$orig_ip_bytes )
>         c$ssl$orig_ip_bytes = c$conn$orig_ip_bytes;
>
>     # The posted script copied orig_ip_bytes twice; resp_ip_bytes was never set.
>     if ( c$conn?$resp_ip_bytes )
>         c$ssl$resp_ip_bytes = c$conn$resp_ip_bytes;
>
>     #print c$ssl;
>     }
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Stephen R. Smoot, PhD
VP, Customer Success
Corelight
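Steve's pointer worked into a complete script. This is an added example, not code from either poster; the module name SSLConnData and the file name ssl-conn-data.zeek are assumptions. It takes the IP byte counts from the connection's endpoint records (c$orig$num_bytes_ip and c$resp$num_bytes_ip, the counters conn.log reports as orig_ip_bytes and resp_ip_bytes) rather than from c$conn, so it does not depend on the conn.log record having been filled in at the time the SSL record is written.

```zeek
##! Added example for the thread above: copy connection duration and IP byte
##! counts into ssl.log from the SSL::ssl_finishing hook rather than from
##! connection_state_remove. Module and file names are assumed, not taken
##! from the original post.

module SSLConnData;

export {
    redef record SSL::Info += {
        ## Connection duration at the moment the SSL record is written.
        duration:      interval &log &optional;
        ## IP-layer bytes sent by originator / responder at that moment
        ## (the same counters conn.log logs as orig_ip_bytes / resp_ip_bytes).
        orig_ip_bytes: count    &log &optional;
        resp_ip_bytes: count    &log &optional;
    };
}

# ssl_finishing runs immediately before the SSL record is handed to
# Log::write, so fields set here land in ssl.log. connection_state_remove,
# by contrast, fires after the record has already been written for a
# session whose handshake completed.
hook SSL::ssl_finishing(c: connection)
    {
    if ( ! c?$ssl )
        return;

    c$ssl$duration = c$duration;

    # num_bytes_ip is &optional on the endpoint record: it is only maintained
    # when the connection-size analyzer is enabled (use_conn_size_analyzer,
    # on by default), so guard before reading it.
    if ( c$orig?$num_bytes_ip )
        c$ssl$orig_ip_bytes = c$orig$num_bytes_ip;

    if ( c$resp?$num_bytes_ip )
        c$ssl$resp_ip_bytes = c$resp$num_bytes_ip;
    }
```

Run it against a capture with `zeek -r capture.pcap ssl-conn-data.zeek` and the three new columns appear populated in ssl.log. One caveat a practitioner should keep in mind: for a normal session the SSL record is written when the handshake completes (ssl_established), so the duration and byte counts captured here are the values at that point, not the totals for the whole connection. If you need end-of-connection totals, join ssl.log to conn.log on uid instead; conn.log is written at connection_state_remove and carries the final numbers.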


