Manju,
Zeek conceptually works better at connection and protocol events than at packet level. In fact,
that's one of its strengths: it does all the low-level TCP and protocol
understanding for you and hands you events which are at much easier levels to
work with.
While you can work on packets, it is generally not recommended. More so if you
desire to operate at packet level to save processing time; on the contrary, you
are going down a non-optimal path.
You should consider an event-based approach. Your message doesn't quite explain
what your specifics are that help you identify when you are done, but here are a
couple of examples which might help you understand other approaches or ways to think:
Problem: I'd like to only process if all three conditions are true:
- IP is in local_nets
- dst port is in the acceptable port list &&
- response IP is not in the list of acceptable hosts
# ok_ports and ok_hosts were not defined in the original snippet; placeholder
# definitions so the script loads (Site::local_nets comes from base/utils/site).
@load base/utils/site
const ok_ports: set[port] = { 80/tcp, 443/tcp } &redef;
const ok_hosts: set[addr] = { 192.0.2.10 } &redef;

event new_connection(c: connection)
    {
    local orig = c$id$orig_h;
    local resp = c$id$resp_h;
    local dport = c$id$resp_p;
    if ( orig !in Site::local_nets )
        return;
    if ( dport !in ok_ports )
        return;
    if ( resp !in ok_hosts )
        return;
    # do your processing
    }
Similarly, let's say you want to only operate on Apache Server stuff:
event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
    {
    # Zeek hands http_header the header name upper-cased, hence "SERVER"
    if ( name != "SERVER" )
        return;
    if ( /Apache/ in value )
        {
        # do your processing
        }
    }
or alternatively:
    if ( name == "SERVER" && /Apache/ in value )
        # do processing
The way is that you eliminate all the uninteresting traffic you don't care about;
this saves more processing than going to per-packet-level heuristics.
You should probably look at connection events:
https://docs.zeek.org/en/stable/scripts/base/bif/plugins/Bro_TCP.events.bif.bro.html
and definitely try to avoid working on packet events.
Hope this helps,
Aashish
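A complete, loadable version of the event-based filtering sketched in the reply above, written as an added example and not code from the original message. It folds the three connection checks into one predicate that both events reuse (a small generalization of the two snippets), and it skips Server headers sent by the originator, since a Server header only makes sense from the responder. The contents of ok_ports and ok_hosts and the print statements are assumed placeholders; Site::local_nets is the real set from base/utils/site.

```zeek
# Added example: event-based filtering instead of per-packet processing.
@load base/utils/site
@load base/protocols/http

module ConnFilter;

export {
    ## Responder ports worth processing (assumed placeholder values).
    const ok_ports: set[port] = { 80/tcp, 443/tcp } &redef;
    ## Responder hosts in scope for processing (assumed placeholder values).
    const ok_hosts: set[addr] = { 192.0.2.10 } &redef;
}

# Single predicate mirroring the three checks from the reply:
# local originator, acceptable responder port, responder in ok_hosts.
function interesting(c: connection): bool
    {
    if ( c$id$orig_h !in Site::local_nets )
        return F;
    if ( c$id$resp_p !in ok_ports )
        return F;
    if ( c$id$resp_h !in ok_hosts )
        return F;
    return T;
    }

event new_connection(c: connection)
    {
    if ( ! interesting(c) )
        return;
    # Everything below only runs for the connections we care about.
    print fmt("in-scope connection %s -> %s:%s",
              c$id$orig_h, c$id$resp_h, c$id$resp_p);
    }

event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
    {
    # A Server header comes from the responder side, so drop originator headers.
    if ( is_orig )
        return;
    # Zeek passes header names upper-cased.
    if ( name != "SERVER" )
        return;
    if ( ! interesting(c) )
        return;
    if ( /Apache/ in value )
        print fmt("Apache responder %s:%s says: %s",
                  c$id$resp_h, c$id$resp_p, value);
    }
```

Load it against a trace with `zeek -r trace.pcap connfilter.zeek` (assumed file names) and adjust `Site::local_nets`, `ConnFilter::ok_ports` and `ConnFilter::ok_hosts` via `redef` in a site-local script rather than editing the example itself.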