require('parse_helpers')
--- Rename every field of a Zeek conn record with the "zeek_connection_" prefix.
-- Thin wrapper around record_prefix_all (not defined in this file; presumably
-- provided by the parse_helpers module required above).
-- @param tag string Fluent Bit tag (unused)
-- @param timestamp number record timestamp, passed through unchanged
-- @param record table the incoming record
-- @return number 1 (record modified), the timestamp, the prefixed record
function bro_conn_prefix_all(tag, timestamp, record)
  local prefixed = record_prefix_all(record, "zeek_connection_")
  return 1, timestamp, prefixed
end
-- Lookup table: [local_orig][local_resp] -> network_direction label.
-- Only genuine booleans are keys, so anything else falls through to "unknown".
local DIRECTION_LABELS = {
  [true]  = { [true] = "internal", [false] = "outbound" },
  [false] = { [true] = "inbound",  [false] = "external" },
}

--- Derive network_direction from Zeek's local_orig / local_resp flags.
-- Both flags are coerced with variable_to_boolean (not defined here;
-- presumably from parse_helpers). A pair of proper booleans maps to
-- internal / external / outbound / inbound; any other combination,
-- including a missing field, yields "unknown". The record is always
-- modified, so the return code is always 1.
-- @param tag string Fluent Bit tag (unused)
-- @param timestamp number passed through unchanged
-- @param record table modified in place
-- @return number 1, the timestamp, the record
function bro_conn_parse_direction(tag, timestamp, record)
  local orig_is_local = variable_to_boolean(record["zeek_connection_local_orig"])
  local resp_is_local = variable_to_boolean(record["zeek_connection_local_resp"])
  -- Reading a table with a nil key is allowed in Lua, so a nil flag simply
  -- produces a nil label here rather than an error.
  local by_resp = DIRECTION_LABELS[orig_is_local]
  local direction = by_resp and by_resp[resp_is_local]
  record["network_direction"] = direction or "unknown"
  return 1, timestamp, record
end
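--- Populate source_bytes, destination_bytes and network_bytes from Zeek's
-- orig_ip_bytes / resp_ip_bytes counters.
-- Each counter is parsed with tonumber, so a missing or non-numeric field is
-- skipped rather than raising. network_bytes is the sum of whatever parsed.
-- @param tag string Fluent Bit tag (unused)
-- @param timestamp number passed through unchanged
-- @param record table modified in place
-- @return number 1 when at least one counter was parsed (record modified),
--   0 when neither was (record untouched); the timestamp; the record
function bro_conn_parse_bytes(tag, timestamp, record)
  local total = 0
  local parsed_any = false

  local orig_bytes = tonumber(record["zeek_connection_orig_ip_bytes"])
  if orig_bytes ~= nil then
    record["source_bytes"] = orig_bytes
    total = total + orig_bytes
    parsed_any = true
  end

  local resp_bytes = tonumber(record["zeek_connection_resp_ip_bytes"])
  if resp_bytes ~= nil then
    record["destination_bytes"] = resp_bytes
    total = total + resp_bytes
    parsed_any = true
  end

  if not parsed_any then
    return 0, timestamp, record
  end
  -- Set network_bytes even when the total is 0. Gating on "total > 0" and
  -- returning 0 (Fluent Bit's Lua filter convention for "record unchanged")
  -- would silently discard the source_bytes / destination_bytes written
  -- above for zero-byte connections.
  record["network_bytes"] = total
  return 1, timestamp, record
end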
-- Per-direction packet counters summed into network_packets. Note these are
-- the already-renamed source_/destination_ fields, not zeek_connection_ ones.
local PACKET_COUNT_FIELDS = { "source_packets", "destination_packets" }

--- Sum source_packets and destination_packets into network_packets.
-- Each input is parsed with tonumber; a missing or non-numeric value
-- contributes nothing to the total.
-- @param tag string Fluent Bit tag (unused)
-- @param timestamp number passed through unchanged
-- @param record table modified in place only when the total is positive
-- @return number 1 with network_packets set when the total is > 0,
--   otherwise 0 with the record untouched; the timestamp; the record
function bro_conn_parse_packets(tag, timestamp, record)
  local total = 0
  for _, field in ipairs(PACKET_COUNT_FIELDS) do
    local count = tonumber(record[field])
    if count ~= nil then
      total = total + count
    end
  end

  if total > 0 then
    record["network_packets"] = total
    return 1, timestamp, record
  end
  return 0, timestamp, record
end
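-- Human-readable descriptions of Zeek's conn_state codes. Built once at load
-- time instead of being re-created on every record the filter sees.
local CONN_STATE_MESSAGES = {
  ["S0"] = "Connection attempt seen, no reply",
  ["S1"] = "Connection established, not terminated",
  ["SF"] = "Normal establishment and termination",
  ["REJ"] = "Connection attempt rejected",
  ["S2"] = "Connection established and close attempt by originator seen",
  ["S3"] = "Connection established and close attempt by responder seen",
  ["RSTO"] = "Connection established, originator aborted",
  ["RSTR"] = "Responder sent a RST",
  ["RSTOS0"] = "Originator sent a SYN followed by a RST",
  ["RSTRH"] = "Responder sent a SYN ACK followed by a RST",
  ["SH"] = "Originator sent a SYN followed by a FIN",
  ["SHR"] = "Responder sent a SYN ACK followed by a FIN",
  ["OTH"] = "No SYN seen",
}

--- Attach zeek_connection_state_msg describing the record's conn_state code.
-- @param tag string Fluent Bit tag (unused)
-- @param timestamp number passed through unchanged
-- @param record table modified in place only for a recognised code
-- @return number 1 with the message set when conn_state is a known code;
--   0 with the record untouched for an unknown or missing code; the
--   timestamp; the record
function bro_conn_parse_state(tag, timestamp, record)
  -- A nil conn_state indexes the table with nil, which is a legal read and
  -- yields nil, so missing fields take the "unknown code" path.
  local message = CONN_STATE_MESSAGES[record["zeek_connection_conn_state"]]
  if message == nil then
    return 0, timestamp, record
  end
  record["zeek_connection_state_msg"] = message
  return 1, timestamp, record
end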
--- Reinterpret the port fields of ICMP flows.
-- For records whose network_transport is "icmp", source_port is moved to
-- icmp_type and destination_port to icmp_code (this mirrors Zeek's conn.log,
-- which carries the ICMP type/code in the originator/responder port columns),
-- the two port fields are removed, and zeek_connection_conn_state is dropped
-- (presumably because the TCP-oriented state codes do not apply).
-- Non-ICMP records are returned untouched.
-- @param tag string Fluent Bit tag (unused)
-- @param timestamp number passed through unchanged
-- @param record table modified in place for ICMP flows
-- @return number 1 for ICMP flows, 0 otherwise; the timestamp; the record
function bro_conn_parse_icmp(tag, timestamp, record)
  if record["network_transport"] ~= "icmp" then
    return 0, timestamp, record
  end
  -- Both right-hand values are read before either assignment happens.
  record["icmp_type"], record["icmp_code"] = record["source_port"], record["destination_port"]
  record["source_port"], record["destination_port"] = nil, nil
  record["zeek_connection_conn_state"] = nil
  return 1, timestamp, record
end