From f02db7a815950b2bf891b6c6448822eba78d86d8 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 16 Sep 2022 09:05:16 -0400
Subject: [PATCH] Zeek Test

---
 salt/zeek/policy/custom/filters/conn | 19 +++++++++++++++++++
 salt/zeek/soc_zeek.yaml | 5 +++++
 2 files changed, 24 insertions(+)
 create mode 100644 salt/zeek/policy/custom/filters/conn

diff --git a/salt/zeek/policy/custom/filters/conn b/salt/zeek/policy/custom/filters/conn
new file mode 100644
index 000000000..e9181cc1e
--- /dev/null
+++ b/salt/zeek/policy/custom/filters/conn
@@ -0,0 +1,19 @@
+module Filterconn;
+
+export {
+ global ignore_services: set[string] = {"dns", "krb", "krb_tcp"};
+ }
+
+hook Conn::log_policy(rec: Conn::Info, id: Log::ID, filter: Log::Filter)
+ {
+ # Record only connections not in the ignored services
+ if ( ! rec?$service || rec$service in ignore_services )
+ break;
+ }
+
+event zeek_init()
+{
+ Log::remove_default_filter(Conn::LOG);
+ local filter: Log::Filter = [$name="conn-filter"];
+ Log::add_filter(Conn::LOG, filter);
+}
\ No newline at end of file
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index adb534281..6ae5c22a7 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -17,6 +17,11 @@ zeek:
 CompressLogs:
 description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
 policy:
+ custom:
+ filters:
+ conn:
+ description: Conn Filter for Zeek
+ file: True
 file_extraction:
 description: This is a list of mime types Zeek will extract from the network streams.
 load:
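Review bot: The guard in the `Conn::log_policy` hook, `if ( ! rec?$service || rec$service in ignore_services ) break;`, vetoes the record whenever the optional `service` field is unset, so every connection Zeek could not attribute to a protocol (failed or half-open connections, scans, traffic on unexpected ports) is dropped from conn.log together with the listed services, which contradicts the comment above it and removes the records a defender relies on most for spotting beaconing and reconnaissance. If only the listed services are meant to be suppressed, the condition should read `if ( rec?$service && rec$service in ignore_services ) break;`. This is the stream-level `Conn::log_policy` hook rather than a `$policy` on the `conn-filter` added in `zeek_init`, so it applies to every filter attached to `Conn::LOG`; if that is intended it deserves a comment. The existing comment should also state the trade-off, e.g. `# Suppress conn.log entries for high-volume services; these connections then remain visible only in their protocol logs (dns.log, kerberos.log).`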
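Review bot: `description: Conn Filter for Zeek` under the new `policy.custom.filters.conn` key does not tell an operator what the filter does, yet this entry is presumably what exposes the filter file in the configuration interface, and its effect is a reduction of conn.log coverage. A description such as `description: Custom Zeek conn.log filter (policy/custom/filters/conn) that suppresses conn entries for the services listed in ignore_services; reduces log volume but hides those connections from conn.log.` would let reviewers weigh the visibility loss before enabling it. The meaning of `file: True` is not visible in this hunk and looks like a rendering flag; a short inline comment explaining it would help. The enclosing `zeek:` mapping starts outside the hunk, and the indentation of the added keys cannot be verified from the collapsed text.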