Merge pull request #4 from activecm/3-track-udp-icmp

Track Non-TCP connections in open_conn log
activecm · Jun 16, 2021 · a90a276 · a90a276
2 parents 8f59afc + a29eae7
commit a90a276
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 By default, Zeek will only log connection information after the connection as been closed or Zeek has been stopped. This means that long running connections could run for hours, days, or even weeks before they are noticed. For threat hunters, this behavior is highly undesirable.
 
-This Zeek plugin will cause Zeek to periodically write out connection information for open connections. The information is written out to a file named "conn_log.log". The information written to the log file is identical to what is written to conn.log. Each entry contains the TOTAL duration and bytes transferred by the open connection.
+This Zeek plugin will cause Zeek to periodically write out connection information for open connections. The information is written out to a file named "open_conn.log". The information written to the log file is identical to what is written to conn.log. Each entry contains the TOTAL duration and bytes transferred by the open connection.
 
 The entries are written out at an interval that is specified by the user. The default interval is to write out an entry after the connection has been open for 1 hour and then every hour after that first hour.
 

diff --git a/scripts/zeek_open_connections.zeek b/scripts/zeek_open_connections.zeek
@@ -72,7 +72,7 @@ redef record connection += {
 
 event zeek_init() &priority=5
         {
-        Log::create_stream(LOG, [$columns=Conn::Info, $path="conn_long"]);
+        Log::create_stream(LOG, [$columns=Conn::Info, $path="open_conn"]);
         }
 
 
@@ -89,12 +89,9 @@ function long_callback(c: connection, cnt: count): interval
                 return ALERT_INTERVAL - c$duration;
         }
 
-event connection_established(c: connection)
+#https://docs.zeek.org/en/v4.0.2/scripts/base/bif/event.bif.zeek.html#id-new_connection
+event new_connection(c: connection)
         {
                 ConnPolling::watch(c, long_callback, 1, ALERT_INTERVAL);
         }
 
-event partial_connection(c: connection)
-        {
-                ConnPolling::watch(c, long_callback, 1, ALERT_INTERVAL);
-        }