How to enrich conn logs through a CSV file?

I am currently learning Zeek scripting, and I want to enrich Zeek's conn logs using a CSV file. I referred to this code: GitHub - abousteif/Conn-Zeek-enrichment: Enrich Conn log with input file matches. Pretty much copied justin's script :) and modified slightly, but the enrichment_table is always empty. I tried adding the Input::end_of_data event, only to find that the Input::end_of_data event always runs after the connection_state_remove event, so it doesn't work. I want to know what I should do now to modify it. Where should I go to learn about these?

# Assumed definitions (not shown in the original post): the record types the
# input framework uses for the key column(s) and value column(s) of the file.
type Idx: record {
    ip: addr;
};

type Val: record {
    reputation: string;
};

# Table filled by the input framework; must be declared before zeek_init() uses it.
global Connenrichment_table: table[addr] of Val = table();

# Add additional conn fields based on input framework
# Extending the conn.log - adding the following field to the record (conn info is what is logged)
redef record Conn::Info += {
    Reputation: Val &log &optional;
};

event zeek_init()
{
    Input::add_table([
        $source="Connenrichment.csv",
        $name="Connenrichment_table",
        $idx=Idx,
        $val=Val,
        $destination=Connenrichment_table,
        $mode=Input::REREAD
    ]);
}

# The event that will be used to observe all the connections
event connection_state_remove(c: connection)
{
    if ( c$id$resp_h in Connenrichment_table )
        c$conn$Reputation = Connenrichment_table[c$id$resp_h];
}

That sounds like you're testing this using zeek -r to process a PCAP. If so, processing of the packets might already have been done once your file is read. To pause processing until your file is loaded you can use suspend_processing() and continue_processing(). You can find examples in some of Zeek's tests: https://github.com/zeek/zeek/blob/master/testing/btest/scripts/policy/frameworks/intel/whitelisting.zeek

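The pattern from the answer above, put together as a complete script. This is an added example, not code from the thread or from the Conn-Zeek-enrichment repository: it pauses packet processing in zeek_init(), lets Input::end_of_data resume it once the table stream named in $name has finished loading, and only then can connection_state_remove see a populated table. The names Idx, Val, Connenrichment_table, Connenrichment.csv and the reputation column are assumptions carried over from the question, and the CSV contents in the header comment are constructed. One practical caveat it also handles: the input framework's ASCII reader splits on tabs by default, so a real comma-separated file needs InputAscii::separator changed, and the file must start with a #fields header line.

```zeek
# Added example (not from the original thread). Assumed/constructed names:
# Idx, Val, Connenrichment_table, Connenrichment.csv, column "reputation".
#
# Constructed Connenrichment.csv (the ASCII reader needs the "#fields" header;
# columns use the separator configured below):
#   #fields,ip,reputation
#   203.0.113.10,malicious
#   198.51.100.7,suspicious
#
# Run as: zeek -r traffic.pcap enrich_conn.zeek

# The ASCII input reader is tab-separated by default; use commas for a CSV.
redef InputAscii::separator = ",";

type Idx: record {
    ip: addr;
};

type Val: record {
    reputation: string;
};

# With $want_record=F below, the single Val field is stored directly,
# so the table value is a plain string rather than a Val record.
global Connenrichment_table: table[addr] of string = table();

# Guard so continue_processing() is only called on the initial load;
# with Input::REREAD, end_of_data fires again after every file change.
global enrichment_loaded: bool = F;

redef record Conn::Info += {
    ## Reputation label for the responder, if present in the CSV.
    reputation: string &log &optional;
};

event zeek_init()
{
    # When reading a pcap, packets may be fully processed before the file
    # is read; stop the packet source until the table is ready.
    suspend_processing();

    Input::add_table([
        $source="Connenrichment.csv",
        $name="Connenrichment_table",
        $idx=Idx,
        $val=Val,
        $want_record=F,
        $destination=Connenrichment_table,
        $mode=Input::REREAD
    ]);
}

event Input::end_of_data(name: string, source: string)
{
    # This event fires for every input stream, so match on our stream name.
    if ( name != "Connenrichment_table" )
        return;

    if ( ! enrichment_loaded )
        {
        enrichment_loaded = T;
        continue_processing();
        }
}

event connection_state_remove(c: connection)
{
    if ( ! c?$conn )
        return;

    if ( c$id$resp_h in Connenrichment_table )
        c$conn$reputation = Connenrichment_table[c$id$resp_h];
}
```

With this in place the conn.log gains a reputation column that is populated for connections whose responder address appears in the file; when Zeek runs against live traffic rather than a pcap the suspend/continue pair is harmless, it just delays the first packets until the table is loaded.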

Thank you very much, it is working now.