##! This script modifies conn.log output so that only specific fields are written,
##! and adds GEO-IP country codes and pcap capture for connections.
##! Built (or more accurately, copied and pasted) by Theory
@load base/utils/site
@load base/frameworks/files
module Conn;

export {
	## Extend the conn.log record with two GeoIP-derived columns. Both are
	## &optional (left unset when no country code could be looked up, see
	## the ?$country_code checks in connection_state_remove) and &log
	## (emitted as conn.log columns).
	redef record Conn::Info += {
		## Country code for the originator of the connection based
		## on a GeoIP lookup.
		orig_cc: string &optional &log;
		## Country code for the responder of the connection based
		## on a GeoIP lookup.
		resp_cc: string &optional &log;
	};
}
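## Hand every connection whose originator is *not* a local address to the
## Time Machine, so externally-initiated connections get a pcap alongside
## their conn.log entry.
##
## NOTE(review): TimeMachine::dump_conn is not defined by anything this
## file @loads; presumably the time-machine policy script is loaded
## elsewhere (e.g. from local.bro) -- confirm before deploying.
event connection_established(c: connection)
	{
	# Fix: conn_id carries only orig_h/orig_p/resp_h/resp_p, so the original
	# c$id$local_orig does not exist. Test the originator address itself
	# against Site::local_nets, which is what the == F comparison intended.
	if ( ! Site::is_local_addr(c$id$orig_h) )
		TimeMachine::dump_conn(c);
	}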
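## Annotate the conn.log record with GeoIP country codes for both endpoints
## at connection teardown.
##
## NOTE(review): this relies on base/protocols/conn having already attached
## c$conn at a higher priority and writing it at a lower one; the handler
## runs at default priority 0 in between. Confirm if priorities change.
event connection_state_remove(c: connection)
	{
	# Defensive: return quietly rather than fault on a missing Conn::Info.
	if ( ! c?$conn )
		return;

	# lookup_location's fields are all optional; they stay unset when no
	# GeoIP data is available, so test each one before reading it.
	local orig_loc = lookup_location(c$id$orig_h);
	if ( orig_loc?$country_code )
		c$conn$orig_cc = orig_loc$country_code;

	local resp_loc = lookup_location(c$id$resp_h);
	if ( resp_loc?$country_code )
		c$conn$resp_cc = resp_loc$country_code;
	}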
## Shape the logs at startup: install a slimmed-down conn.log filter and
## drop the "default" filter of several other streams.
##
## Operational caveats (behaviour kept exactly as the author had it):
##  - "uid" is among the excluded conn.log fields, so conn.log rows can no
##    longer be correlated with the other logs that key on the same uid;
##    for incident response that join is usually the first thing needed.
##  - removing a stream's "default" filter without adding another one
##    presumably leaves that stream with nothing to write, so the http, ssh,
##    smtp and packet_filter logs are switched off, not trimmed -- confirm
##    this is the intended visibility trade-off.
event bro_init()
	{
	# conn.log columns to suppress.
	local dropped_fields: set[string] = set(
		"uid", "duration", "orig_bytes", "resp_bytes", "missed_bytes",
		"history", "orig_pkts", "resp_pkts", "resp_ip_bytes");

	local slim: Log::Filter = [$name="aprilfilter", $exclude=dropped_fields];
	Log::add_filter(Conn::LOG, slim);
	Log::remove_filter(Conn::LOG, "default");

	# Streams whose default output is removed wholesale.
	Log::remove_filter(HTTP::LOG, "default");
	Log::remove_filter(SSH::LOG, "default");
	Log::remove_filter(SMTP::LOG, "default");
	Log::remove_filter(PacketFilter::LOG, "default");
	}