Hi all,
I would like to create new log that is a combination of conn log and application protocol log (http, dns, smb …) with same uid.
Could zeek scripts be able to do that or any suggestion? Thank you!
Hi all,
I would like to create new log that is a combination of conn log and application protocol log (http, dns, smb …) with same uid.
Could zeek scripts be able to do that or any suggestion? Thank you!
If that’s really what you want, it’s much better done with post-processing of some sort.
There are two major problems with doing it inside Zeek. First, logs need to have schemas. Once you combine the different application-layer logs with the conn log, the schema will become enormous, and in many contexts unwieldy. Second, the different logs are generated asynchronously with respect to one another, so there’s no easy point to do the combining. What you could do, though, is use a log filtering predicate to remember logs associated with a given UID, and a timer to then look for all of the UIDs that have last been added to a good while ago (say 30 seconds), and then generate the combined log entry (for a new log, with the combined schema). But really not recommended!