We are implementing Zeek with a network probe, to send data to a SIEM.
I am currently working on how to create an inventory from network traffic; for this I have looked at the generated log called known_hosts.
The problem is that this file only reflects the computers that have made TCP connections, so it would leave out of the inventory, for example, a DNS server on the local network that only answers UDP queries.
Then I found the following script:
/opt/zeek/share/zeek/policy/tuning/track-all-assets.zeek
If I understand correctly, it creates a list in different namespaces so it does not create a unified list with all the hosts which is exactly what I need.
Could you tell me how to get this unified list of hosts?
The problem is that this file only reflects the computers that have made TCP connections, so it would leave out of the inventory, for example, a DNS server on the local network that only answers UDP queries.
You may start with your own custom script that recognizes UDP “connections” with some heuristic, such as both originator and responder sending data. Then raise the event similarly to how it is done in connection_established():
If this works well, we might take it upstream (though there have been thoughts of moving all known-* scripts into an individual package).
Could you tell me how to get this unified list of hosts?
Hmm, possibly take inspiration of the individual known-* scripts and create your own that writes everything into a single log?
Might be best to first try to load your own custom scripts and if you’re comfortable with a bit of coding, these tasks should be achievable, but feel free to ask more questions.
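To illustrate the two suggestions above (a UDP heuristic that requires both endpoints to send data, plus a single unified log), here is an added example script; it is not Zeek's known-hosts.zeek and not code from the reply. The module name `Inventory`, the log path `inventory_hosts`, the use of `Site::is_local_addr` as the "local host" test and the one-day expiry are assumptions chosen for the example.

```zeek
##! Added example, not Zeek's own known-hosts script: one log of local
##! hosts seen over TCP (completed handshake) or UDP (both sides sent data).

@load base/utils/site

module Inventory;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:    time            &log;
        host:  addr            &log;
        proto: transport_proto &log;   # tcp or udp, whichever was seen first
    };

    ## Hosts already written, so each local address is logged once per day.
    ## Assumption: a node-local set; a cluster would want a Broker store.
    global seen: set[addr] &create_expire = 1 day;
}

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="inventory_hosts"]);
    }

function record_host(h: addr, p: transport_proto, t: time)
    {
    if ( ! Site::is_local_addr(h) || h in seen )
        return;
    add seen[h];
    Log::write(LOG, [$ts=t, $host=h, $proto=p]);
    }

# TCP: same trigger known-hosts uses, the three-way handshake completed.
event connection_established(c: connection)
    {
    record_host(c$id$orig_h, tcp, c$start_time);
    record_host(c$id$resp_h, tcp, c$start_time);
    }

# UDP has no handshake, so wait until the connection is removed and require
# payload in both directions (the heuristic suggested in the reply above).
event connection_state_remove(c: connection)
    {
    if ( get_port_transport_proto(c$id$resp_p) != udp )
        return;
    if ( c$orig$size > 0 && c$resp$size > 0 )
        {
        record_host(c$id$orig_h, udp, c$start_time);
        record_host(c$id$resp_h, udp, c$start_time);
        }
    }
```

A DNS server that only ever answers queries appears here because its replies give `c$resp$size > 0`, which is exactly what known_hosts misses; a host that is probed but never responds stays out, since one-sided UDP traffic does not prove the address is live.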
I would like to be able to create my own script but I think I should first understand the method by which the computers are collected in the known_hosts file to create my own script.