Obtain equipment data for inventory

Good afternoon.

I find myself trying to create an inventory of all the computers in the network. For this I not only need to get the computers that make TCP connections, which is the data we get in known_hosts, so I rely on getting all the computers found in the event new_connection(c: connection).
Is this the correct way?

Then I find myself with another doubt: besides having an inventory of the equipment, I need it to have data like the data Zeek already obtains by default in the software, services and ntlm logs.

I have the doubt of how to obtain this data, since I can think of the following ways:

  1. Accessing the module tables, which contain the final results.
  2. Reading the logs already generated (known_services.log, software.log, ntlm.log).
  3. Importing script configuration to obtain the final result of these.

I am going to indicate which I think are the best options in order of priority and justify why.

  1. Accessing the tables of the modules, which contain the final results.
     • Conclusion: I think this way is the most convenient because it is very direct and could be worked in memory without waiting for the logs to be written.
  2. Reading the logs already generated (known_services.log, software.log, ntlm.log).
     • Conclusion: I see this as a good option, but I find two disadvantages. The first is that we would have to wait for the data to be written before reading it, so it would not be as accessible as the first option. The second disadvantage is the possibility of read errors, because data is being written at the same time as other data is being read.
  3. Importing script configuration to obtain the final result of these.
     • Conclusion: I definitely think this is the worst option, because I have tried to import the Known::log_known_services event, though the data does not match the logs generated, for example, in the known services script. I think it is because, in addition to this event, there are other important parts such as checking the obtained services against the parsers found, i.e. you must have a very good view of the script from which you want to import the functionality, and it is not enough to import only one part; you have to import many parts of the script.

I hope you can guide me and thank you in advance!

Hey Francisco,

Sorry for not getting back to you sooner. This is a complex topic and your best option depends on what you want to do with the inventory data. If you need to react to the appearance of a new host in real-time, for example, then you’d likely want to do something within Zeek’s scripts to do so. If the use is more offline, then I see no downside in working with Zeek’s logs (including conn.log), since it avoids the complexities of distributed state in Zeek’s cluster and can be easier to analyze depending on your data ingestion/querying setup.

Regarding the new_connection event, it depends on whether you want to base your analysis on hosts conducting connection attempts, or those successfully establishing connections. new_connection triggers on any connection attempt, whereas connection_established triggers only on completed handshakes. That’s also what known-hosts uses.

Best,
Christian
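The following Zeek script is an added example for this thread; it is not code from Francisco, Christian or Zeek's own known-hosts script. It illustrates the two points above in one place: Francisco's option 1 (keeping the inventory in script-side tables in memory rather than reading finished logs) and Christian's distinction between new_connection, which fires on every attempt, and connection_established, which fires only after a completed TCP handshake. The module name HostInventory, the log path host_inventory, the one-day expiry and the reliance on Site::local_nets being configured are all assumptions of this example.

```zeek
##! Added example, not part of the thread: keep an in-memory host inventory
##! keyed on how a host was first seen (connection attempt vs. completed handshake).
module HostInventory;

export {
    redef enum Log::ID += { LOG };

    ## One row per (host, how_seen) the first time that combination appears.
    type Info: record {
        ts:       time   &log;
        host:     addr   &log;
        how_seen: string &log;   # "attempt" or "established"
    };

    ## Local hosts seen in any connection attempt (new_connection fires for
    ## unanswered SYNs and scans too). Expiry interval is an assumed value.
    global attempted: set[addr] &create_expire=1day;

    ## Local hosts seen completing a TCP handshake. This is the same trigger
    ## the known-hosts script uses, so it is the stricter of the two views.
    global established: set[addr] &create_expire=1day;
}

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="host_inventory"]);
    }

## Record a host once per category; sets are reference types in Zeek, so the
## caller's table is updated in place.
function note_host(h: addr, how: string, seen: set[addr])
    {
    if ( h in seen )
        return;
    add seen[h];
    Log::write(LOG, [$ts=network_time(), $host=h, $how_seen=how]);
    }

## Fires on every connection attempt, regardless of whether it succeeds.
event new_connection(c: connection)
    {
    if ( Site::is_local_addr(c$id$orig_h) )
        note_host(c$id$orig_h, "attempt", attempted);
    if ( Site::is_local_addr(c$id$resp_h) )
        note_host(c$id$resp_h, "attempt", attempted);
    }

## Fires only once the TCP three-way handshake has completed.
event connection_established(c: connection)
    {
    if ( Site::is_local_addr(c$id$orig_h) )
        note_host(c$id$orig_h, "established", established);
    if ( Site::is_local_addr(c$id$resp_h) )
        note_host(c$id$resp_h, "established", established);
    }
```

Run it as `zeek -r trace.pcap this_script.zeek` (with Site::local_nets redef'd to your address space) and compare the rows tagged "attempt" against those tagged "established": a host that only ever appears as "attempt" was scanning or being scanned but never completed a handshake, which is exactly the kind of entry known_hosts will not show. Note that the two sets live in each Zeek process separately; in a cluster every worker keeps its own copy, which is the distributed-state complexity Christian mentions, and a deployment-wide inventory would need a Broker data store or post-processing of the written log instead.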