@load ./main
@load base/frameworks/cluster
export {
	redef Netbase::observation += {
		# Label fields
		## Static and dynamic labels associated with the device
		ip_labels: set[string] &optional &log;
		## Static and dynamic labels associated with conns the device was involved in
		flow_labels: set[string] &optional &log;
	};

	## Cluster data store of per-address labels. Keys are addresses; the
	## value read back for an address is cast to set[string] by the lookup
	## function below.
	global Netbase::labels: Cluster::StoreInfo;

	## Record for the labels attached to a single connection: labels of the
	## originator host, of the responder host, and of the flow itself.
	type conn_labels: record {
		orig: set[string] &optional &log;
		resp: set[string] &optional &log;
		flow: set[string] &optional &log;
	};

	## Adds the per-connection labels to Conn::Info; &log marks the field
	## for the conn log.
	## NOTE(review): the handlers below read and write `c$labels` on the
	## `connection` record (e.g. `c?$labels`), not `c$conn$labels`, so one
	## side needs to change — confirm which was intended.
	redef record Conn::Info += {
		labels: conn_labels &log &optional;
	};

	## Name of the Cluster data store that backs Netbase::labels (passed to
	## Cluster::create_store at startup).
	const ip_labels_ds_name = "zeek/netbase/labels" &redef;
}
## Create the IP labels data store
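event bro_init()
	{
	# The store name is the const declared in this file's export block. The
	# original referenced it as Known::ip_labels_ds_name, which is a different
	# namespace and would not resolve here.
	Netbase::labels = Cluster::create_store(ip_labels_ds_name);
	}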
# Function to retrieve labels from the data store
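function get_labels(ip: addr): set[string]
	{
	# NOTE(review): a second function named get_labels (taking a connection)
	# is declared later in this file; Zeek does not overload by signature,
	# so one of the two must be renamed before this file loads.
	#
	# Broker::get takes the store handle, not the Cluster::StoreInfo record,
	# hence the $store field. The query is asynchronous, so the labels are
	# delivered to the caller through "return when"; a missing key, a failed
	# query or a timeout all yield an empty set.
	return when ( local res = Broker::get(Netbase::labels$store, ip) )
		{
		if ( res$status == Broker::SUCCESS )
			return res$result as set[string];

		return set();
		}
	# All data store queries must specify a timeout.
	timeout 3sec
		{
		# The original printed an undefined name "key" here; report the
		# address that was being looked up instead.
		print "timeout", ip;
		return set();
		}
	}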
# Function to gather a connection's labels into the profiles of its endpoints
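# Add every label in `labels` to the ip_labels of the profile for `ip`,
# creating the &optional container on first use so `add` never touches an
# unset field. The caller guarantees `ip in profiles`.
function apply_ip_labels(ip: addr, labels: set[string])
	{
	if ( ! profiles[ip]?$ip_labels )
		profiles[ip]$ip_labels = set();

	for ( l in labels )
		add profiles[ip]$ip_labels[l];
	}

# Same as apply_ip_labels, for the profile's flow_labels container.
function apply_flow_labels(ip: addr, labels: set[string])
	{
	if ( ! profiles[ip]?$flow_labels )
		profiles[ip]$flow_labels = set();

	for ( l in labels )
		add profiles[ip]$flow_labels[l];
	}

# Merge the labels recorded on a connection into the profiles of its two
# endpoints: orig/resp labels go to that endpoint's ip_labels, and the flow
# labels go to the flow_labels of every endpoint that has a profile and
# carries at least one host label.
# Assumes `labels` is a field of the connection record (as the rest of this
# file uses it) and that `profiles` is declared elsewhere in the module.
function get_labels(c: connection)
	{
	if ( ! c?$labels )
		return;

	local orig = c$id$orig_h;
	local resp = c$id$resp_h;

	# Flow labels apply to both endpoints; evaluate the check once.
	local has_flow = c$labels?$flow && |c$labels$flow| > 0;

	if ( orig in profiles && c$labels?$orig && |c$labels$orig| > 0 )
		{
		apply_ip_labels(orig, c$labels$orig);
		if ( has_flow )
			apply_flow_labels(orig, c$labels$flow);
		}

	if ( resp in profiles && c$labels?$resp && |c$labels$resp| > 0 )
		{
		apply_ip_labels(resp, c$labels$resp);
		if ( has_flow )
			apply_flow_labels(resp, c$labels$flow);
		}
	}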
# Initialize label containers for each connection.
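event new_connection(c: connection)
	{
	# The record type declared in this file is conn_labels; the original
	# constructed conn_fields(), which is not declared anywhere in view.
	c$labels = conn_labels();
	c$labels$orig = set();
	c$labels$resp = set();
	c$labels$flow = set();
	}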
event flow_labeled(c: connection)
	{
	# Nothing to do without the Conn::Info record or its local_orig /
	# local_resp site fields.
	if ( ! c?$conn )
		return;

	if ( ! c$conn?$local_orig || ! c$conn?$local_resp )
		return;

	# Fold the connection's labels into its endpoints' profiles.
	get_labels(c);
	}
event bro_init() {
if ( static_cidr_labels != "" ) {
Input::add_event([$source=static_cidr_labels,
$reader=Input::READER_ASCII,
$mode=Input::REREAD,
$name="cidr_labels",
$fields=flow_labels::cidr_label_entry,
$ev=flow_labels::read_cidr_labels]);
}