From 8915092e01df09f604167798243da1e5450cd94c Mon Sep 17 00:00:00 2001 From: Logan Lembke Date: Tue, 15 Jun 2021 18:46:51 -0600 Subject: [PATCH 1/3] Update zeek_open_connections.zeek --- scripts/zeek_open_connections.zeek | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/scripts/zeek_open_connections.zeek b/scripts/zeek_open_connections.zeek index 6244ed0..3b08f5f 100644 --- a/scripts/zeek_open_connections.zeek +++ b/scripts/zeek_open_connections.zeek @@ -89,12 +89,16 @@ function long_callback(c: connection, cnt: count): interval return ALERT_INTERVAL - c$duration; } -event connection_established(c: connection) +#Prefer connection_successful to new_connection in order to filter out SYN scans +#https://github.com/zeek/zeek/blob/release/3.1/CHANGES#L1279 +@if ( Version::number >= 30100 ) +#https://docs.zeek.org/en/v3.1.0/scripts/base/bif/event.bif.zeek.html#id-connection_successful +event connection_successful(c: connection) +@else +#https://docs.zeek.org/en/v3.1.0/scripts/base/bif/event.bif.zeek.html#id-new_connection +event new_connection(c: connection) +@endif { ConnPolling::watch(c, long_callback, 1, ALERT_INTERVAL); } -event partial_connection(c: connection) - { - ConnPolling::watch(c, long_callback, 1, ALERT_INTERVAL); - } From 1ced3d92c5fe68610f27c99915ec8c2cbcdb250d Mon Sep 17 00:00:00 2001 From: fmc Date: Wed, 16 Jun 2021 16:38:43 -0600 Subject: [PATCH 2/3] Change event to be just new_connection, change log file from conn_long to open_conn --- scripts/zeek_open_connections.zeek | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/scripts/zeek_open_connections.zeek b/scripts/zeek_open_connections.zeek index 3b08f5f..8ba94a1 100644 --- a/scripts/zeek_open_connections.zeek +++ b/scripts/zeek_open_connections.zeek 
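Review bot: The `@else` branch at the end of the hunk falls back to `new_connection`, which fires on the first packet of every flow, so on Zeek older than 3.1 the SYN-scan filtering promised by the header comment does not happen and a scan flood registers one ConnPolling timer per probe. Unanswered probes are expired from the connection table long before `ALERT_INTERVAL` elapses, and as far as I recall ConnPolling stops once the connection is gone, so they should never reach the log, but the comment should state the trade-off: `# On Zeek < 3.1 new_connection also fires for unanswered SYNs; they expire before the first poll but still cost a pending timer.` Separately, if `connection_successful` requires a completed handshake for TCP (as I recall from the linked docs), connections already established when capture started — previously covered by the removed `partial_connection` handler — would no longer be watched on 3.1+; worth confirming and noting next to the `@if`.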
@@ -72,7 +72,7 @@ redef record connection += { event zeek_init() &priority=5 { - Log::create_stream(LOG, [$columns=Conn::Info, $path="conn_long"]); + Log::create_stream(LOG, [$columns=Conn::Info, $path="open_conn"]); } @@ -89,15 +89,8 @@ function long_callback(c: connection, cnt: count): interval return ALERT_INTERVAL - c$duration; } -#Prefer connection_successful to new_connection in order to filter out SYN scans -#https://github.com/zeek/zeek/blob/release/3.1/CHANGES#L1279 -@if ( Version::number >= 30100 ) -#https://docs.zeek.org/en/v3.1.0/scripts/base/bif/event.bif.zeek.html#id-connection_successful -event connection_successful(c: connection) -@else -#https://docs.zeek.org/en/v3.1.0/scripts/base/bif/event.bif.zeek.html#id-new_connection +#https://docs.zeek.org/en/v4.0.2/scripts/base/bif/event.bif.zeek.html#id-new_connection event new_connection(c: connection) -@endif { ConnPolling::watch(c, long_callback, 1, ALERT_INTERVAL); } From a29eae79c1ef4d30c951b058b0db32645c525722 Mon Sep 17 00:00:00 2001 From: fullmetalcache Date: Wed, 16 Jun 2021 17:00:05 -0600 Subject: [PATCH 3/3] Update readme to state correct output file --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index baca757..5a1f182 100644 --- a/README.md +++ b/README.md 
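Review bot: Changing `$path` in `Log::create_stream` from "conn_long" to "open_conn" silently breaks any existing collector or parser configuration that tails `conn_long.log`, and nothing in the hunk lets a deployment keep the old name. Consider making the path a redef-able setting, e.g. `const LOG_PATH = "open_conn" &redef;` alongside the script's other tunables and `Log::create_stream(LOG, [$columns=Conn::Info, $path=LOG_PATH]);` here, and flag the rename as a breaking change in the commit message. The place where `ALERT_INTERVAL` and similar settings are declared is outside this hunk.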
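Review bot: Dropping the version gate in favour of an unconditional `new_connection` removes the SYN-scan filtering the previous revision documented, and the only comment left above the handler is a bare docs URL that no longer says why `new_connection` was chosen or what it costs. `new_connection` fires on the first packet of every flow, so each unanswered probe in a scan registers a ConnPolling timer; those probes are expired from the connection table well before `ALERT_INTERVAL` elapses, and ConnPolling's check handler stops once the connection is gone (as far as I recall), so they should not reach the log, but that reasoning belongs in the comment: `# new_connection fires on the first packet of every flow, including unanswered SYNs and TCP seen mid-stream; half-open probes expire before the first poll, so they cost a pending timer but are not logged.` If polling overhead under heavy scanning turns out to matter, `long_callback` (whose body begins above this hunk) is the place to check `c$history` or `c$conn$conn_state` before writing an entry, since at `new_connection` time nothing about the flow is known yet.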
@@ -2,7 +2,7 @@ By default, Zeek will only log connection information after the connection as been closed or Zeek has been stopped. This means that long running connections could run for hours, days, or even weeks before they are noticed. For threat hunters, this behavior is highly undesirable. -This Zeek plugin will cause Zeek to periodically write out connection information for open connections. The information is written out to a file named "conn_log.log". The information written to the log file is identical to what is written to conn.log. Each entry contains the TOTAL duration and bytes transferred by the open connection. +This Zeek plugin will cause Zeek to periodically write out connection information for open connections. The information is written out to a file named "open_conn.log". The information written to the log file is identical to what is written to conn.log. Each entry contains the TOTAL duration and bytes transferred by the open connection. The entries are written out at an interval that is specified by the user. The default interval is to write out an entry after the connection has been open for 1 hour and then every hour after that first hour.