CapOne-Zeek-Docker/capitalone/enrichments/asn-conn.zeek

# Sourced from https://threathuntingtails.com/zeek-asn-enrichment/

@load base/utils/site


export {


     redef record Conn::Info += {

         orig_h_asn: geo_autonomous_system &log &optional;
         resp_h_asn: geo_autonomous_system &log &optional;

     };

}


event connection_state_remove(c: connection) &priority=0
{

      local orig: addr = c$conn$id$orig_h;
      if ( !Site::is_private_addr(orig)){

            c$conn$orig_h_asn = lookup_autonomous_system(orig);
      }
      local resp: addr = c$conn$id$resp_h;
      if ( !Site::is_private_addr(resp)){

            c$conn$resp_h_asn = lookup_autonomous_system(resp);
      }

}