CapOne-Zeek-Docker/capitalone/extensions/ip_to_application/main.zeek

# Who               When            What
# -----------------------------------------------------------------------------
# Aaron Eppert      02/20/2019      Initial commit
# Aaron Eppert      04/22/2019      Change from 'addr' to 'subnet' to allow CIDR block inclusion trivially
#                                   Note: Individual IPv4 entries necessitate a /32 moving forward
#

@load base/protocols/conn
@load base/protocols/ssl

module IP_TO_APP;

export {
    type Val: record {
        range: subnet;
        application: string &optional;
    };

    type Cidr: record {
        cidr: subnet;
    };
    
    global ipToAppTbl: table[subnet] of string = table();
    global ipHomeNetSet: set[subnet] = set();

    const ip_to_application = @DIR + "/ip-to-application.csv" &redef;
    const ip_homenet = @DIR + "/ip-homenet.csv" &redef;
}

redef record Conn::Info$application += { &log };


event ipToApp_event(description: Input::EventDescription, t: Input::Event, data: Val) {
    ipToAppTbl[data$range] = data$application;
}

event ipHomenet_event(description: Input::EventDescription, t: Input::Event, data: Cidr) {
    add ipHomeNetSet[data$cidr];
}


event zeek_init() &priority=-11
{
    Input::add_event([$source=ip_to_application,
                      $name="ipToApp",
                      $fields=Val,
                      $ev=ipToApp_event,
                      $mode=Input::REREAD]);

    Input::add_event([$source=ip_homenet,
                      $name="ipHomenet",
                      $fields=Cidr,
                      $ev=ipHomenet_event,
                      $mode=Input::REREAD]);
}

event connection_state_remove(c: connection) &priority=-4
{
     if(c$conn?$application) {
         if(c$id$resp_h in ipToAppTbl) {
             c$conn$application = ipToAppTbl[c$conn$id$resp_h];
         }

         if(c$id$orig_h in ipToAppTbl) {
             c$conn$application = ipToAppTbl[c$conn$id$orig_h];
         }

     }
}