Hi!
Dear Team!
I have installed zeek on my individual linux ubuntu system for test. When a new connection goes from inside the network to outside, I want to know which process initiates that connection, that is, how to add a new field named “process” to conn.log?
Thank you very much!
Hi Nick, welcome!
Out of the box Zeek does not provide any host-based analysis capability, so there’s nothing that would provide process IDs or other non-network-visible information. However, we’re working on a host agent that provides exactly that kind of context. Take a look here and let us know how it goes.
Best,
Christian
Thank you for your reply!
I have seen zeek-agent-v2, but that architecture does not fit my need; I just deploy zeek on one machine.
I have written a zeek script to deal with my problem through the use of Exec::run.
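The approach Nick describes (extending Conn::Info and resolving the owning process on the same host with Exec::run) can be written as the following Zeek script. This is an added example, not Nick's script and not part of Zeek itself. It assumes a Linux host where Zeek runs with enough privilege for `ss -p` to show socket owners, that `ss` supports the `-H` (no header) flag, and that Site::local_nets is configured so that Site::is_local_addr() identifies the machine's own traffic; the module name ConnProcess and the field name `process` are choices made here, and the `when [c]` capture syntax requires Zeek 5.0 or later.

```zeek
# Added example: annotate conn.log with the local process that owns the
# originating TCP socket, looked up via `ss` through the Exec framework.
# Assumptions: Linux, `ss -H` available, Zeek has privilege to see socket
# owners, Site::local_nets describes this host. Not part of the original post.
@load base/protocols/conn
@load base/utils/exec
@load base/utils/site

module ConnProcess;

export {
	redef record Conn::Info += {
		## "name[pid]" of the local process owning the originator socket,
		## or absent if it could not be determined before the connection
		## was logged.
		process: string &log &optional;
	};

	## Upper bound on how long to wait for `ss` before giving up.
	const lookup_timeout = 5sec &redef;
}

# Turn one line of `ss -tnpH` output into "name[pid]".
# Example input (constructed): ESTAB 0 0 10.0.0.5:41234 93.184.216.34:443 users:(("curl",pid=4242,fd=5))
function extract_process(line: string): string
	{
	local m = find_last(line, /users:\(\("[^"]+",pid=[0-9]+/);
	if ( m == "" )
		return "";

	# m is now: users:(("curl",pid=4242
	local rest = sub(m, /^users:\(\("/, "");
	local parts = split_string1(rest, /",pid=/);
	if ( |parts| != 2 )
		return "";

	return fmt("%s[%s]", parts[0], parts[1]);
	}

event connection_established(c: connection)
	{
	# Only connections originating on this host can have a local process.
	if ( ! Site::is_local_addr(c$id$orig_h) )
		return;

	# The source port is a plain number, so no shell quoting issue arises;
	# only TCP sockets are queried here.
	local cmd = fmt("ss -tnpH 'sport = :%d'", port_to_count(c$id$orig_p));

	when [c] ( local res = Exec::run([$cmd=cmd]) )
		{
		# Exec::run completes asynchronously; the connection may already have
		# been logged by then, in which case c$conn is gone and we skip it.
		if ( ! c?$conn || ! res?$stdout )
			return;

		for ( i in res$stdout )
			{
			local p = extract_process(res$stdout[i]);
			if ( p != "" )
				{
				c$conn$process = p;
				break;
				}
			}
		}
	timeout lookup_timeout
		{
		# Lookup took too long; leave the field unset rather than guess.
		}
	}
```

Two caveats worth knowing before relying on this: the lookup races against the connection itself, so very short-lived connections (a single HTTP request, a DNS-over-TCP query) may be written to conn.log before `ss` returns and will have no `process` value; and spawning a process per established connection is fine for a single workstation but will not scale to a busy sensor, which is the gap zeek-agent is meant to fill.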