Extract IP Header Options

Hi,

I was wondering is there an existing way in Zeek to log IP Header Options? The conn log has a lot of the IP Header fields but not the IP Header “Options” field data. Specifically looking at logging data related to CIPSO packet labeling (reference: https://tools.ietf.org/html/draft-ietf-cipso-ipsecurity-01).

If not, can anyone point me to a decent example of a bro script logging similar data from the IP Header? (it’s been quite a few years since I’ve looked at bro scripts and I haven’t found any examples doing something similar to what I want)

Thanks guys, any information you can provide would be helpful!

Doesn't look like it, but you can try hacking it in. For example, add
the Options data as a field to the ip4_hdr record:

https://github.com/zeek/zeek/blob/3f7bbf2784d094787e6c7cb32adb0fc658fb8a86/scripts/base/init-bare.bro#L1515-L1524

Add code to populate it here:

https://github.com/zeek/zeek/blob/3f7bbf2784d094787e6c7cb32adb0fc658fb8a86/src/IP.cc#L311-L322

Then consume the data via a new_packet event handler:

https://docs.zeek.org/en/latest/scripts/base/bif/event.bif.bro.html#id-new_packet

- Jon
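
For checking what a patched `ip4_hdr` field should contain, here is an added example (not part of the thread and not Zeek code) that walks the options area of a raw IPv4 header and splits a CIPSO option into its DOI and tags, following the layout in the draft linked in the question. The function names and the sample header are constructed for illustration.

```python
import struct

CIPSO_OPTION = 134  # IPv4 option type used by CIPSO (0x86)
# Constructed sample: IHL=8 header, 192.0.2.1 -> 192.0.2.2, one CIPSO option
SAMPLE = bytes.fromhex(
    "4800002000000000" "40060000" "c0000201" "c0000202"
    "860c" "00000003"        # option type, option length 12, DOI 3
    "0106" "0005" "8000")    # tag type 1, length 6, align, level 5, bitmap

def ipv4_options(header: bytes):
    """Yield (option_type, option_data) for each option in a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL")
    opts, i = header[20:ihl], 0
    while i < len(opts):
        otype = opts[i]
        if otype == 0:            # End of Option List
            return
        if otype == 1:            # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        olen = opts[i + 1]        # length includes the type and length bytes
        if olen < 2 or i + olen > len(opts):
            raise ValueError("bad option length")
        yield otype, opts[i + 2:i + olen]
        i += olen

def parse_cipso(data: bytes):
    """Return (doi, [(tag_type, tag_body), ...]) from CIPSO option data."""
    if len(data) < 4:
        raise ValueError("CIPSO option too short for DOI")
    doi, tags, i = struct.unpack("!I", data[:4])[0], [], 4
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("bad CIPSO tag length")
        tags.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return doi, tags

def cipso_labels(header: bytes):
    """All CIPSO labels found in one IPv4 header (normally zero or one)."""
    return [parse_cipso(d) for t, d in ipv4_options(header) if t == CIPSO_OPTION]
```

The length checks matter when logging from live traffic: option and tag lengths come from the packet, so malformed values raise instead of reading past the options area.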