
# Who When What
# -----------------------------------------------------------------------------
# Aaron Eppert 02/20/2019 Initial commit
# Aaron Eppert 04/22/2019 Change from 'addr' to 'subnet' to allow CIDR block inclusion trivially
# Note: with the 'subnet' type a single IPv4 host must be written with an explicit /32 prefix (e.g. 10.1.2.3/32)
#
@load base/protocols/conn
@load base/protocols/ssl
module IP_TO_APP;
export {
## One row of ip-to-application.csv: a CIDR block and the application name
## recorded for connections that touch it. `application` is &optional, so a
## row whose application column is empty arrives with the field unset.
type Val: record {
range: subnet;
application: string &optional;
};
## One row of ip-homenet.csv: a CIDR block that belongs to the home network.
type Cidr: record {
cidr: subnet;
};
## Block -> application name. Keyed by subnet, so an addr lookup resolves by
## longest-prefix match; single hosts must be listed as /32 (see header note).
global ipToAppTbl: table[subnet] of string = table();
## Home-network blocks loaded from ip_homenet. NOTE(review): nothing in the
## lines shown here reads this set — presumably consumed by another script or
## by lines outside this view; confirm before removing.
global ipHomeNetSet: set[subnet] = set();
## Input file paths, resolved relative to this script's directory. Both are
## &redef so a deployment can point them elsewhere. Despite the .csv names,
## the default ASCII reader expects tab-separated columns with a #fields
## header line (Input::separator) — confirm the files are written that way.
const ip_to_application = @DIR + "/ip-to-application.csv" &redef;
const ip_homenet = @DIR + "/ip-homenet.csv" &redef;
}
# Add the &log attribute to the existing Conn::Info$application field so the
# value assigned in connection_state_remove below is emitted in conn.log. This
# form only adds an attribute; the field itself must be declared elsewhere.
redef record Conn::Info$application += { &log };
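# Mirror ip-to-application.csv rows into ipToAppTbl.
#
# description: the stream description given to Input::add_event.
# t:           Input::EVENT_NEW / EVENT_CHANGED / EVENT_REMOVED. In REREAD
#              mode the input framework raises EVENT_REMOVED for rows that
#              disappear from the file; the previous body ignored `t` and
#              re-inserted such rows, so a mapping could never be retired.
# data:        one parsed row. data$application is &optional and is unset for
#              an empty column; reading it unguarded is a runtime error that
#              aborts the handler.
event ipToApp_event(description: Input::EventDescription, t: Input::Event, data: Val)
{
	if ( t == Input::EVENT_REMOVED )
		{
		delete ipToAppTbl[data$range];
		return;
		}

	# A row that no longer names an application carries nothing to record;
	# drop any earlier mapping for the block rather than keep a stale name.
	if ( ! data?$application )
		{
		delete ipToAppTbl[data$range];
		return;
		}

	ipToAppTbl[data$range] = data$application;
}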
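# Mirror ip-homenet.csv rows into ipHomeNetSet.
#
# description: the stream description given to Input::add_event.
# t:           Input::EVENT_NEW / EVENT_CHANGED / EVENT_REMOVED. In REREAD
#              mode a row deleted from the file arrives as EVENT_REMOVED; the
#              previous body added unconditionally, so a block could never be
#              removed from the set without a restart.
# data:        one parsed row holding the CIDR block.
event ipHomenet_event(description: Input::EventDescription, t: Input::Event, data: Cidr)
{
	if ( t == Input::EVENT_REMOVED )
		delete ipHomeNetSet[data$cidr];
	else
		add ipHomeNetSet[data$cidr];
}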
# Register both input streams with the Input framework at startup.
#
# Each stream is an event stream: every row of the file is delivered to the
# named handler as a record of the given type. Input::REREAD re-parses the
# file whenever it changes on disk, so the tables can be updated without a
# restart. The &priority=-11 orders this after other zeek_init handlers;
# the reason for the exact value is not recorded here.
event zeek_init() &priority=-11
{
	local app_stream: Input::EventDescription = [$source=ip_to_application,
	                                             $name="ipToApp",
	                                             $fields=Val,
	                                             $ev=ipToApp_event,
	                                             $mode=Input::REREAD];

	local homenet_stream: Input::EventDescription = [$source=ip_homenet,
	                                                 $name="ipHomenet",
	                                                 $fields=Cidr,
	                                                 $ev=ipHomenet_event,
	                                                 $mode=Input::REREAD];

	Input::add_event(app_stream);
	Input::add_event(homenet_stream);
}
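# Tag the connection's Conn::Info record with the application mapped to
# either endpoint, just before the record is logged.
#
# c: the connection being torn down.
#
# Precedence: a match on the originator wins over a match on the responder
# (the earlier body assigned the responder's value first and then overwrote
# it with the originator's; this form yields the same result without the
# double write). Lookups against the subnet-keyed table use longest-prefix
# match, so a /32 entry beats an enclosing block.
#
# Priority -4 runs after base/protocols/conn has populated c$conn and —
# assuming the base script's conn.log write still sits at priority -5 —
# is the last chance to set the field before it is logged; confirm against
# the Zeek version in use.
#
# The earlier guard was `if (c$conn?$application)`, which only allowed the
# assignment when the field was ALREADY set — for an &optional field that
# nothing else populates, that branch never ran. The guard now only checks
# that c$conn exists.
event connection_state_remove(c: connection) &priority=-4
{
	if ( ! c?$conn )
		return;

	local orig = c$id$orig_h;
	local resp = c$id$resp_h;

	if ( orig in ipToAppTbl )
		c$conn$application = ipToAppTbl[orig];
	else if ( resp in ipToAppTbl )
		c$conn$application = ipToAppTbl[resp];
}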