mirror of
https://github.com/zeek/zeek.git
synced 2025-10-04 07:38:19 +00:00
597a4d6704
- policy/ renamed to scripts/ - By default BROPATH now contains: - scripts/ - scripts/policy - scripts/site - *Nearly* all tests pass. - All of scripts/base/ is loaded by main.cc - Can be disabled by setting $BRO_NO_BASE_SCRIPTS - Scripts in scripts/base/ don't use relative path loading to ease use of BRO_NO_BASE_SCRIPTS (to copy and paste that script). - The scripts in scripts/base/protocols/ only (or soon will only) do logging and state building. - The scripts in scripts/base/frameworks/ add functionality without causing any additional overhead. - All "detection" activity happens through scripts in scripts/policy/. - Communications framework modified temporarily to need an environment variable to actually enable (ENABLE_COMMUNICATION=1) - This is so the communications framework can be loaded as part of the base without causing trouble when it's not needed. - This will be removed once a resolution to ticket #540 is reached.
50 lines
1.5 KiB
Text
50 lines
1.5 KiB
Text
##! This script logs hosts that Bro determines have performed complete TCP
|
|
##! handshakes and logs the address once per day (by default). The log that
|
|
##! output provides an easy way to determine a count of the IP addresses in
|
|
##! use on a network per day.
|
|
|
|
module KnownHosts;
|
|
|
|
export {
|
|
redef enum Log::ID += { KNOWN_HOSTS };
|
|
|
|
type Info: record {
|
|
## The timestamp at which the host was detected.
|
|
ts: time &log;
|
|
## The address that was detected originating or responding to a TCP
|
|
## connection.
|
|
host: addr &log;
|
|
};
|
|
|
|
## The hosts whose existence should be logged and tracked.
|
|
## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
|
|
const asset_tracking = LOCAL_HOSTS &redef;
|
|
|
|
## The set of all known addresses to store for preventing duplicate
|
|
## logging of addresses. It can also be used from other scripts to
|
|
## inspect if an address has been seen in use.
|
|
## Maintain the list of known hosts for 24 hours so that the existence
|
|
## of each individual address is logged each day.
|
|
global known_hosts: set[addr] &create_expire=1day &synchronized &redef;
|
|
|
|
global log_known_hosts: event(rec: Info);
|
|
}
|
|
|
|
event bro_init()
|
|
{
|
|
Log::create_stream(KNOWN_HOSTS, [$columns=Info, $ev=log_known_hosts]);
|
|
}
|
|
|
|
event connection_established(c: connection) &priority=5
|
|
{
|
|
local id = c$id;
|
|
|
|
for ( host in set(id$orig_h, id$resp_h) )
|
|
{
|
|
if ( host !in known_hosts && addr_matches_host(host, asset_tracking) )
|
|
{
|
|
add known_hosts[host];
|
|
Log::write(KNOWN_HOSTS, [$ts=network_time(), $host=host]);
|
|
}
|
|
}
|
|
}
|