Adapt to Zeek "files" log losing conn_uids+tx_hosts+rx_hosts and gain…

…ing uid+id (#2981)
brimdata · Jan 23, 2024 · eec89c3 · eec89c3
1 parent c9b29b0
commit eec89c3
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 16 deletions.
diff --git a/apps/zui/src/plugins/brimcap/zeek/correlations.ts b/apps/zui/src/plugins/brimcap/zeek/correlations.ts
@@ -29,7 +29,7 @@ export function activateZeekCorrelations() {
       return zedScript`
         from ${session.poolName} 
         | md5==${getMd5()} 
-        | count() by tx_hosts 
+        | count() by tx_host:=id.resp_h 
         | sort -r 
         | head 5`
     },
@@ -41,7 +41,7 @@ export function activateZeekCorrelations() {
       return zedScript`
           from ${session.poolName} 
           | md5==${getMd5()} 
-          | count() by rx_hosts 
+          | count() by rx_host:=id.orig_h 
           | sort -r 
           | head 5`
     },

diff --git a/apps/zui/src/plugins/brimcap/zeek/queries.ts b/apps/zui/src/plugins/brimcap/zeek/queries.ts
@@ -6,7 +6,7 @@ export function uidQuery(pool: string, uid: string) {
 }
 
 export function uidFilter(uid: string) {
-  return zedScript`uid==${uid} or ${uid} in conn_uids or ${uid} in uids or referenced_file.uid==${uid}`
+  return zedScript`uid==${uid} or ${uid} in uids or referenced_file.uid==${uid}`
 }
 
 export function communityConnFilter(data: CommunityConnArgs) {
@@ -25,6 +25,7 @@ export function findConnLog(pool: string, uid: string) {
   | (` +
     uidFilter(uid) +
     `)
+  | _path=="conn" 
   | is(ts, <time>) 
   | is(duration, <duration>) 
   | is(uid, <string>)

diff --git a/apps/zui/src/plugins/brimcap/zeek/util.ts b/apps/zui/src/plugins/brimcap/zeek/util.ts
@@ -7,7 +7,6 @@ export function findUid(value: zed.Value) {
   }
 
   const specialUids = {
-    files: "conn_uids",
     dhcp: "uids",
   }
   if (value.has("_path")) {

diff --git a/apps/zui/src/ppl/detail/models/Correlation.ts b/apps/zui/src/ppl/detail/models/Correlation.ts
@@ -2,7 +2,6 @@ import {get} from "lodash"
 import * as zed from "@brimdata/zed-js"
 
 const specialUids = {
-  files: "conn_uids",
   dhcp: "uids",
 }
 

diff --git a/apps/zui/src/ppl/zeek/descriptions.ts b/apps/zui/src/ppl/zeek/descriptions.ts
@@ -244,19 +244,14 @@ export default {
       desc: "An identifier associated with a single file.",
     },
     {
-      name: "tx_hosts",
-      type: "table",
-      desc: "If this file was transferred over a network connection this should show the host or hosts that the data sourced from.",
-    },
-    {
-      name: "rx_hosts",
-      type: "table",
-      desc: "If this file was transferred over a network connection this should show the host or hosts that the data traveled to.",
+      name: "uid",
+      type: "string",
+      desc: "Unique ID for the connection.",
     },
     {
-      name: "conn_uids",
-      type: "table",
-      desc: "Connection UIDs over which the file was transferred.",
+      name: "id",
+      type: "record conn_id",
+      desc: "The connection's 4-tuple of endpoint addresses/ports.",
     },
     {
       name: "source",