CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 17:52:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Zeek Test

Browse Source
This commit is contained in:
Mike Reeves
2022-09-16 09:05:16 -04:00
parent 58ab91ea84
commit f02db7a815
2 changed files with 24 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
salt/zeek/policy/custom/filters/conn Normal file
View File

@@ -0,0 +1,19 @@
module Filterconn;
export {
global ignore_services: set[string] = {"dns", "krb", "krb_tcp"};
}
hook Conn::log_policy(rec: Conn::Info, id: Log::ID, filter: Log::Filter)
{
# Record only connections not in the ignored services
if ( ! rec?$service || rec$service in ignore_services )
break;
}
event zeek_init()
{
Log::remove_default_filter(Conn::LOG);
local filter: Log::Filter = [$name="conn-filter"];
Log::add_filter(Conn::LOG, filter);
}

5
salt/zeek/soc_zeek.yaml
View File

@@ -17,6 +17,11 @@ zeek:
CompressLogs: CompressLogs:
description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU. description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
policy: policy:
custom:
filters:
conn:
description: Conn Filter for Zeek
file: True
file_extraction: file_extraction:
description: This is a list of mime types Zeek will extract from the network streams. description: This is a list of mime types Zeek will extract from the network streams.
load: load: