From 31ae8a2c262323cf0bb7dd813e27a6da9a865066 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 26 Mar 2020 16:33:47 -0400
Subject: [PATCH] Zeek - enable Community ID policy

---
 salt/zeek/files/local.zeek | 5 +++-
 .../policy/securityonion/communityid.zeek | 25 +++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 salt/zeek/policy/securityonion/communityid.zeek

diff --git a/salt/zeek/files/local.zeek b/salt/zeek/files/local.zeek
index bbb4a78be..f32052328 100644
--- a/salt/zeek/files/local.zeek
+++ b/salt/zeek/files/local.zeek
@@ -125,5 +125,8 @@ redef LogAscii::json_timestamps = JSON::TS_ISO8601;
 # BPF Configuration
 @load securityonion/bpfconf
 
+# Community ID
+@load securityonion/communityid
+
 # Extracted files
-@load securityonion/file-extraction
+@load securityonion/file-extraction
\ No newline at end of file
diff --git a/salt/zeek/policy/securityonion/communityid.zeek b/salt/zeek/policy/securityonion/communityid.zeek
new file mode 100644
index 000000000..add9e28ec
--- /dev/null
+++ b/salt/zeek/policy/securityonion/communityid.zeek
@@ -0,0 +1,25 @@
+# Bro package & plugin for adding community hash IDs to conn.log.
+# This is loaded when a user activates the plugin.
+#
+module CommunityID;
+
+export {
+ # An unsigned 16-bit number to seed our hashing
+ const seed: count = 0 &redef;
+
+ # Whether to add a base64 pass over the hash digest.
+ # Enabled by default, since it shortens the output.
+ const do_base64: bool = T &redef;
+
+ # Verbose debugging log output to the console.
+ const verbose: bool = F &redef;
+
+ # Add the ID string field to the connection log record.
+ redef record Conn::Info += {
+ community_id: string &optional &log;
+ };
+}
+
+event connection_state_remove(c: connection) {
+ c$conn$community_id = hash_conn(c);
+}
\ No newline at end of file
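Review bot: `hash_conn(c)` in the `connection_state_remove` handler of communityid.zeek is not defined anywhere in this file and nothing here `@load`s the plugin that provides it, so on a sensor where the Community ID plugin is absent Zeek fails to parse this script at startup, and because local.zeek now loads it unconditionally the whole policy goes down with it rather than degrading to a conn.log without the field; wrapping the `redef record Conn::Info` and the event handler in an `@ifdef` on the plugin-provided function would make that failure mode graceful if optional deployment is intended. The header comment "This is loaded when a user activates the plugin" no longer matches the first hunk, which loads it unconditionally; I'd replace it with `# Loaded unconditionally from local.zeek; requires the Community ID plugin that provides hash_conn().`. The `seed`, `do_base64` and `verbose` constants are declared but never referenced in this script, so presumably the plugin reads `CommunityID::seed` and friends from script-land — worth confirming, and also worth confirming that the plugin does not ship its own script declaring the same names, since loading both would collide. From a detection standpoint the comment on `seed` should state that the value must match the seed configured in every other tool emitting Community IDs (Suricata, other NSM sensors) or conn.log entries will not correlate with them, e.g. `# Must match the Community ID seed used by all other sensors/tools, otherwise IDs will not correlate across logs.`.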