Spent weeks on making SSL and HTTP logging using Zeek

I would like to log 2 things in zeek

  • HTTP/HTTPS (SSL) request SNI (domain name, hostname)
  • HTTP(S) response time, end to end, like a calculation of DNS, HTTP handshake, SSL handshake, anything in one request, i.e. how much time the application-level HTTP request takes, like the response time we get in nginx and Apache

I tried every script on earth; I always get into weird errors which I cannot solve. Tried with the latest Zeek 7.2, on Ubuntu.

Here is one script I tried:

@load base/protocols/http
#@load base/protocols/ssl
@load policy/protocols/ssl
# Start time of the most recent request seen on each connection
global http_request_times: table[conn_id] of time;

# Event handler for established TLS sessions.
# ssl_established only carries the connection; the SNI parsed from the
# ClientHello is stored by base/protocols/ssl in c$ssl$server_name.
event ssl_established(c: connection) {
    # Log the SNI (Server Name Indication) if the ClientHello carried one
    if (c?$ssl && c$ssl?$server_name) {
        print fmt("SSL established: %s SNI: %s", c$id, c$ssl$server_name);
    }
}

# Event handler for HTTP request lines (this is Zeek's http_request signature;
# Host and User-Agent arrive later, via http_header / c$http)
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string) {
    # Record the request time
    http_request_times[c$id] = network_time();
    # Log the HTTP request details
    print fmt("HTTP Request: %s %s %s", c$id, method, original_URI);
}

# Event handler for HTTP status lines (Zeek has no http_response event;
# the reply event is http_reply)
event http_reply(c: connection, version: string, code: count, reason: string) {
    # Check if we have a recorded request time; indexing a missing key is a runtime error
    if (c$id in http_request_times) {
        # Calculate response time in milliseconds (time - time gives an interval)
        local rt: interval = network_time() - http_request_times[c$id];
        local response_time = interval_to_double(rt) * 1000.0;
        delete http_request_times[c$id];
        # The request URI is filled in by base/protocols/http on c$http
        local uri = "-";
        if (c?$http && c$http?$uri) {
            uri = c$http$uri;
        }
        # Log the HTTP response details
        print fmt("HTTP Response: %s %d %s Response Time: %.2f ms",
                   c$id, code, uri, response_time);
    }
}

# Event handler for when the script is loaded
event zeek_init() {
    print "Zeek script loaded. Ready to log HTTP requests, SSL SNI, and response times.";
}

but it gives errors:

root@vm:/usr/local/zeek# zeekctl deploy
checking configurations ...
zeek scripts failed.
error in /usr/local/zeek/share/zeek/policy/misc/sni.zeek, line 3: Failed to open package '/usr/local/zeek/share/zeek/policy/protocols/ssl': missing '__load__.zeek' file
fatal error in /usr/local/zeek/share/zeek/policy/misc/sni.zeek, line 3: can't open /usr/local/zeek/share/zeek/policy/protocols/ssl/__load__.zeek

First, you should debug your script offline against a PCAP before trying it with zeekctl.

Second, the error you’re getting is because policy/protocols/ssl/ is not a single coherent set of scripts, but rather a collection of individual scripts that you should load individually. If you’re trying to get general SSL analysis, that would come from base/protocols/ssl, which is a single coherent collection (and can therefore be loaded as a directory).

Third, you have the load for base/protocols/ssl commented out, but one for base/protocols/http still active. You shouldn’t need either unless you’re invoking Zeek with -b for “bare mode” - you pretty much never want to do that, it’s an option just for testing and certain forms of advanced development.
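As an added example (not the poster's script and not part of Zeek itself), here is a script that does both jobs the way the answer above suggests: no @load lines, because base/protocols/http and base/protocols/ssl are already loaded when Zeek is not started with -b; the SNI read from c$ssl$server_name, which base/protocols/ssl fills from the ClientHello; and timing taken from the http_request / http_reply pair, written to its own log instead of printed. The file name sni_rt.zeek, the log path sni_rt and the field names are my own choices. One caveat a practitioner needs: an HTTPS request is inside the TLS payload, so Zeek cannot time the HTTP exchange for those connections; the script reports the handshake duration (first TLS record to ssl_established, using SSL::Info$ts) instead, which is the only timing the wire exposes.

```zeek
# sni_rt.zeek (hypothetical file name): log TLS SNI plus handshake time,
# and plaintext-HTTP request-to-status-line time, into sni_rt.log.
# Run offline first:  zeek -C -r traffic.pcap sni_rt.zeek
# No @load lines: in normal (non-bare) mode the base HTTP and SSL scripts
# are already loaded, so c$ssl and c$http are available in the handlers below.

module SniRt;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:          time    &log;
        uid:         string  &log;
        id:          conn_id &log;
        kind:        string  &log;            # "tls" or "http"
        server_name: string  &log &optional;  # SNI, or HTTP Host header
        method:      string  &log &optional;
        uri:         string  &log &optional;
        status_code: count   &log &optional;
        rtt_ms:      double  &log &optional;  # tls: handshake; http: request -> status line
    };
}

# Start time of the most recent request on each connection. Overwritten per
# request, so HTTP/1.1 pipelining would need a queue; keep-alive is fine.
# write_expire drops entries for requests that never got a reply.
global req_start: table[string] of time &write_expire = 5 min;

event zeek_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="sni_rt"]);
    }

# SNI: base/protocols/ssl stores the ClientHello server_name on c$ssl.
# c$ssl$ts is the time the TLS session was first detected, so the difference
# to now approximates handshake duration (the HTTP inside is not visible).
event ssl_established(c: connection)
    {
    if ( ! c?$ssl || ! c$ssl?$server_name )
        return;

    local hs = network_time() - c$ssl$ts;
    Log::write(LOG, Info($ts=network_time(), $uid=c$uid, $id=c$id,
                         $kind="tls", $server_name=c$ssl$server_name,
                         $rtt_ms=interval_to_double(hs) * 1000.0));
    }

# Stamp the request line (this is Zeek's actual http_request prototype).
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    req_start[c$uid] = network_time();
    }

# Measure at the status line. method/host/uri are filled by base/protocols/http.
event http_reply(c: connection, version: string, code: count, reason: string)
    {
    if ( c$uid !in req_start )
        return;

    local rtt = network_time() - req_start[c$uid];
    delete req_start[c$uid];

    local rec = Info($ts=network_time(), $uid=c$uid, $id=c$id, $kind="http",
                     $status_code=code,
                     $rtt_ms=interval_to_double(rtt) * 1000.0);
    if ( c?$http )
        {
        if ( c$http?$host )   rec$server_name = c$http$host;
        if ( c$http?$method ) rec$method = c$http$method;
        if ( c$http?$uri )    rec$uri = c$http$uri;
        }
    Log::write(LOG, rec);
    }
```

Debug it against a capture before going anywhere near zeekctl: `zeek -C -r traffic.pcap sni_rt.zeek` writes sni_rt.log next to http.log and ssl.log in the current directory (-C skips checksum validation, which captures taken on the sending host often fail). Only once that output looks right, copy the file under share/zeek/site/ and add `@load sni_rt` to local.zeek for `zeekctl deploy`.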