sensortab.zeek
@load ./readfile
module SecurityOnion;
@load base/frameworks/input
@load base/frameworks/cluster
export {
	## Raised once the sniffed interface has been determined, either from
	## the cluster node table (workers) or from the node.cfg file
	## (standalone); see ``zeek_init``.
	##
	## inter: The interface name.
	global SecurityOnion::found_interface: event(inter: string);
	## Raised once the sensor name for the discovered interface has been
	## looked up in the sensortab; see the ``found_interface`` handler.
	##
	## name: The sensor name taken from the sensortab row.
	global SecurityOnion::found_sensorname: event(name: string);
	## Interface being sniffed. Empty until discovered.
	global interface = "";
	## Name of the sensor. Empty until resolved from the sensortab.
	global sensorname = "";
	## Path of the node.cfg file read in standalone mode.  Despite the name
	## this is not the sensortab itself, which is read from a fixed
	## /etc/nsm/sensortab path in the ``found_interface`` handler.
	const sensortab_file = "/opt/bro/etc/node.cfg" &redef;
}
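## Discover the sniffed interface at startup.
##
## On a cluster worker the interface comes from the cluster node table.
## Otherwise (standalone) the node.cfg named by ``sensortab_file`` is read
## asynchronously and every ``interface=...`` line found is used.  In both
## cases the value is stored in ``interface`` (with any ``af_packet::``
## prefix removed) and ``SecurityOnion::found_interface`` is raised.
## Managers do nothing.
event zeek_init()
	{
	if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::WORKER )
		{
		local node = Cluster::node;
		if ( node in Cluster::nodes && Cluster::nodes[node]?$interface )
			{
			interface = Cluster::nodes[node]$interface;
			# With the af_packet plugin the configured value is
			# "af_packet::<dev>"; strip the prefix so the bare device name
			# is what later gets compared against the sensortab.
			interface = subst_string(interface, "af_packet::", "");
			event SecurityOnion::found_interface(interface);
			}
		}
	# NOTE(review): this condition also admits cluster logger/proxy nodes,
	# which then parse node.cfg as if standalone -- confirm that is intended.
	else if ( Cluster::local_node_type() != Cluster::MANAGER )
		{
		# Standalone: node.cfg is a local, operator-managed file.  readfile()
		# (from ./readfile) is asynchronous, so this body runs once the read
		# has completed.
		when ( local nodefile = readfile(sensortab_file) )
			{
			local lines = split_string_all(nodefile, /\n/);
			for ( i in lines )
				{
				# Skip comment lines.
				if ( /^[[:blank:]]*#/ in lines[i] )
					next;
				# split_string_all keeps the separators: for "key=value"
				# fields[0] is the key, fields[1] the "=", fields[2] the
				# value.  Blank or separator-less lines yield a single
				# element and fail the "2 in fields" test.
				local fields = split_string_all(lines[i], /[[:blank:]]*=[[:blank:]]*/);
				if ( 2 in fields && fields[0] == "interface" )
					{
					# Fix: strip the af_packet prefix here as well, so a
					# standalone "interface=af_packet::eth0" matches the
					# sensortab the same way the cluster branch does.
					interface = subst_string(fields[2], "af_packet::", "");
					event SecurityOnion::found_interface(interface);
					}
				}
			}
		}
	}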
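## Resolve the sensor name for the discovered interface.
##
## Reads /etc/nsm/sensortab asynchronously and, for every row whose
## interface column equals ``inter``, stores the row's name column in
## ``sensorname`` and raises ``SecurityOnion::found_sensorname``.
##
## inter: The interface name supplied by the raiser (normally the value of
##        the ``interface`` global).  Named ``inter`` to match the event
##        declaration and to avoid shadowing the ``interface`` global.
event SecurityOnion::found_interface(inter: string)
	{
	# The sensortab path is fixed here; ``sensortab_file`` holds the
	# node.cfg path, not this file.  readfile() (from ./readfile) is
	# asynchronous, so this body runs once the read has completed.
	when ( local r = readfile("/etc/nsm/sensortab") )
		{
		local lines = split_string_all(r, /\n/);
		for ( i in lines )
			{
			# split_string_all keeps the tab separators, so data columns sit
			# at even indices: [0] is the name column and [6] the interface
			# column (the fourth tab-separated field).
			local fields = split_string_all(lines[i], /\t/);
			# Rows with fewer than four columns (blank lines included) are skipped.
			if ( 6 !in fields )
				next;
			local name = fields[0];
			local iface = fields[6];
			# The local is referenced unqualified; the former module-qualified
			# spelling relied on Zeek scoping details for a plain local.
			if ( iface == inter )
				{
				sensorname = name;
				event SecurityOnion::found_sensorname(sensorname);
				}
			}
		}
	}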