Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Allow for logging of the VLAN data about a connection in conn.log

Browse source
This commit is contained in:
Aaron Brown 2015-07-22 14:13:17 -04:00
parent d76c7a2657
commit f29dbb90a5
17 changed files with 298 additions and 217 deletions
Download patch file Download diff file Expand all files Collapse all files

7
scripts/base/init-bare.bro
View file

@ -345,6 +345,12 @@ type connection: record {
## for the connection unless the :bro:id:`tunnel_changed` event is
## handled and reassigns this field to the new encapsulation.
tunnel: EncapsulatingConnVector &optional;
## The vlan, if applicable, for this connection
vlan: int &optional;
## The inner vlan, if applicable, for this connection
inner_vlan: int &optional;
};
## Default amount of time a file can be inactive before the file analysis
@ -1511,6 +1517,7 @@ type l2_hdr: record {
src: string &optional; ##< L2 source (if Ethernet).
dst: string &optional; ##< L2 destination (if Ethernet).
vlan: count &optional; ##< Outermost VLAN tag if any (and Ethernet).
inner_vlan: count &optional; ##< Innermost VLAN tag if any (and Ethernet).
eth_type: count &optional; ##< Innermost Ethertype (if Ethernet).
proto: layer3_proto; ##< L3 protocol.
};

30
scripts/policy/protocols/conn/vlan-logging.bro Normal file
View file

@ -0,0 +1,30 @@
##! This script add VLAN information to the connection logs
@load base/protocols/conn
module Conn;
redef record Info += {
## The Outer VLAN for this connection, if applicable
vlan: int &log &optional;
## The Inner VLAN for this connection, if applicable
inner_vlan: int &log &optional;
};
# Add the VLAN information to the Conn::Info structure after the connection has
# been removed. This ensures it's only done once, and is done before
# the connection information is written to the log.
event connection_state_remove(c: connection) &priority=5
{
if (c?$vlan)
{
c$conn$vlan = c$vlan;
}
if (c?$inner_vlan)
{
c$conn$inner_vlan = c$inner_vlan;
}
}

4
scripts/site/local.bro
View file

@ -84,3 +84,7 @@
# Uncomment the following line to enable detection of the heartbleed attack. Enabling
# this might impact performance a bit.
# @load policy/protocols/ssl/heartbleed
# Uncomment the following line to enable logging of connection VLANs. Enabling
# this changes the format of the conn.log file to add two VLAN fields.
# @load policy/protocols/conn/vlan-logging

1
scripts/test-all-policy.bro
View file

@ -62,6 +62,7 @@
@load misc/trim-trace-file.bro
@load protocols/conn/known-hosts.bro
@load protocols/conn/known-services.bro
@load protocols/conn/vlan-logging.bro
@load protocols/conn/weirds.bro
@load protocols/dhcp/known-devices-and-hostnames.bro
@load protocols/dns/auth-addl.bro