Hi,
Is there any event in Zeek which will be fired when any application above Layer 4 (e.g. TCP/UDP) is detected by Zeek?
Zeek has support for conn.log, but that is only generated once the connection is removed. There is connection_status_update(), but that again depends on an interval. It would be useful to get the connection details once the application is detected.
Regards,
Biswa
I am not sure I understand what you mean by “any application above Layer 4 (e.g. TCP/UDP)”, since there are a number of layers between layer 4 and the application layer.
For actual software, the software framework raises a number of events, of which Software::register might be helpful.
If you are interested in which Zeek analyzers are attached to a connection, you can use the analyzer_confirmation_info event (see base/bif/event.bif.zeek — Book of Zeek (v6.2.1)).
However, this event is only thrown when Zeek has a parser for the protocol that is used in the connection.
Yes, above L4 there are L5-L7 or higher layers present. Zeek also reports these protocols, for example http, https, dns, and many more… and I think even if I don’t enable protocol parser files explicitly in local.zeek, Zeek will report these services in conn.log (service field). So it would be helpful if there were an event once Zeek detects the service and reports the service detected above the transport protocol (TCP/UDP).
Yes, but what I need is more control over the connection internals. Zeek maintains a state machine for each connection and also detects services. What I need is a single event that service X has been detected for connection C, so that I don’t have to wait for the connection remove event to get this information. To do that, obviously I don’t want to enable protocol parsers separately.
The machinery that detects services (that are listed in conn.log) is deeply ingrained with protocol parsers.
analyzer_confirmation_info is exactly the event that is used for this by Zeek internally, and is what populates the information that you see in conn.log.
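The reply above describes analyzer_confirmation_info as the event behind the conn.log service column; the script below is an added example (not from the thread and not part of Zeek's base scripts) that turns it into the "service X detected on connection C" event asked for in the original question. The module name ServiceDetect, the event name ServiceDetect::detected and the svc_reported record field are assumptions made for this example. Everything else (analyzer_confirmation_info, AllAnalyzers::Tag, is_protocol_analyzer, is_packet_analyzer, Analyzer::name) is standard Zeek 6.x scripting API.

```zeek
##! Raise an event as soon as Zeek has confirmed a service on a connection,
##! instead of waiting for connection_state_remove / conn.log.
##! Added example for this thread; not part of Zeek's own scripts.

module ServiceDetect;

export {
	## Fired the first time a given service (in conn.log spelling, e.g. "http")
	## is confirmed on a connection. Event name and module are assumptions here.
	global detected: event(c: connection, service: string);
}

# Per-connection memory of what was already announced, so a repeated
# confirmation (or a second analyzer instance) does not fire twice.
# Field name is an assumption made for this example.
redef record connection += {
	svc_reported: set[string] &default=set();
};

# analyzer_confirmation_info is the same event the DPD framework
# (base/frameworks/analyzer/dpd.zeek) handles at priority 10 to fill
# c$service, which later becomes the conn.log "service" column.
event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
	{
	# File analyzers are confirmed too, but have no connection to report on.
	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
		return;

	# The connection is optional in the info record (packet analyzers only
	# raise a confirmation when a session exists); nothing to report without it.
	if ( ! info?$c )
		return;

	local c = info$c;
	# Analyzer::name() gives e.g. "HTTP"; conn.log writes it lowercased.
	local svc = to_lower(Analyzer::name(atype));

	if ( svc in c$svc_reported )
		return;

	add c$svc_reported[svc];
	event ServiceDetect::detected(c, svc);
	}

# Consumer: act as soon as the service is known, long before the
# connection is removed and conn.log is written.
event ServiceDetect::detected(c: connection, service: string)
	{
	print fmt("%s %s %s:%s -> %s:%s service=%s",
	          network_time(), c$uid,
	          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	          service);
	}
```

Run it against a capture with `zeek -r trace.pcap service-detect.zeek` (file name assumed); the lines appear at the packet where the analyzer confirmed the protocol, not at connection removal. Because the DPD handler runs at priority 10, a handler at the default priority already sees the service in c$service; the separate svc_reported set is only there to make the first-time check independent of that ordering.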
Hi,
Can you tell me how to use analyzer_confirmation_info for a packet analyzer?
As stated in the documentation,
“For packet analyzers, a confirmation is only raised if there’s a session (connection) associated with a given packet. Confirmations are raised only once per session. Tunnel protocols like VXLAN or Geneve are examples for this behavior.”
So, what is the standard procedure to use this event for a packet analyzer, as I am not able to get a confirmation event similar to a protocol analyzer?
Thanks
Biswa
I have written a custom packet analyzer, but it seems there are some fundamental differences in terms of analyzer confirmation between protocol and packet analyzers. Is my understanding correct? How do we use this analyzer confirmation in the case of VXLAN or Geneve?
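To see how packet-analyzer confirmations differ from protocol-analyzer ones in practice, here is an added diagnostic script (not from the thread, not part of Zeek) that labels every confirmation by analyzer kind and shows what the info record carries in each case. It uses the stock VXLAN packet analyzer as the reference tunnel, since its behaviour is the one the quoted documentation describes; the extra port 8472/udp is an assumption chosen for the example, the module name PacketConfirm likewise. PacketAnalyzer::register_for_ports, PacketAnalyzer::ANALYZER_UDP and PacketAnalyzer::ANALYZER_VXLAN are real Zeek identifiers.

```zeek
##! Print every analyzer confirmation, tagged as packet / protocol / file
##! analyzer, to compare what packet analyzers (e.g. VXLAN) deliver versus
##! protocol analyzers (e.g. HTTP). Added example for this thread.

module PacketConfirm;

# VXLAN is already bound to 4789/udp by base/packet-protocols/vxlan.
# Binding it to an additional port (assumed here) uses the same call a
# custom packet analyzer would use to hook itself under the UDP analyzer.
const extra_vxlan_ports: set[port] = { 8472/udp } &redef;

event zeek_init()
	{
	PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP,
	                                   PacketAnalyzer::ANALYZER_VXLAN,
	                                   extra_vxlan_ports);
	}

event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
	{
	local kind = "file";
	if ( is_packet_analyzer(atype) )
		kind = "packet";
	else if ( is_protocol_analyzer(atype) )
		kind = "protocol";

	# Packet analyzers only confirm when the packet was attributed to a
	# session, so info$c is the thing to check first. They also carry no
	# analyzer id, which is why info$aid is tested before use below.
	if ( ! info?$c )
		{
		print fmt("%s analyzer %s confirmed without a connection",
		          kind, Analyzer::name(atype));
		return;
		}

	local c = info$c;
	print fmt("%s analyzer %s confirmed once on %s %s:%s -> %s:%s aid=%s tunnel_depth=%s",
	          kind, Analyzer::name(atype), c$uid,
	          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	          info?$aid ? cat(info$aid) : "-",
	          c?$tunnel ? cat(|c$tunnel|) : "0");
	}

# Violations use the sibling event; for a custom packet analyzer this is
# the quickest way to learn why a confirmation never arrived.
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo)
	{
	print fmt("violation in %s: %s (connection=%s)",
	          Analyzer::name(atype), info$reason,
	          info?$c ? info$c$uid : "-");
	}
```

On a capture with VXLAN-encapsulated HTTP, the VXLAN line prints once per outer session with aid="-", while the HTTP line for the inner connection prints with a numeric aid; a custom packet analyzer that never attributes its packets to a session (and so never produces a connection) will not produce a confirmation line at all, which matches the quoted documentation rather than indicating a scripting mistake.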