corelight · jlagermann · Sep 25, 2024 · Nov 7, 2024 · Nov 7, 2024
diff --git a/scripts/conn.zeek b/scripts/conn.zeek
@@ -5,17 +5,20 @@ export {
     ## Enables the logging of endpoint details to the conn log.
     option extra_logging_conn = F;
     option extra_logging_conn_cid = F;
+    option extra_logging_conn_hostname = F;
 }
 
 redef record Conn::Info += {
     orig_ep_status: string &log &optional;
     orig_ep_uid: string &log &optional;
     orig_ep_cid: string &log &optional;
     orig_ep_source: string &log &optional;
+    orig_ep_name: string &log &optional;
     resp_ep_status: string &log &optional;
     resp_ep_uid: string &log &optional;
     resp_ep_cid: string &log &optional;
     resp_ep_source: string &log &optional;
+    resp_ep_name: string &log &optional;
 };
 
 
@@ -32,6 +35,8 @@ event new_connection(c: connection) {
                 c$conn$orig_ep_status = orig_data$status;
             if ( orig_data ?$ uid)
                 c$conn$orig_ep_uid = orig_data$uid;
+            if ( orig_data ?$ hostname && extra_logging_conn_hostname)
+                c$conn$orig_ep_name = orig_data$hostname;
             if ( orig_data ?$ cid && extra_logging_conn_cid)
                 c$conn$orig_ep_cid = orig_data$cid;
             c$conn$orig_ep_source = orig_data$source;
@@ -44,6 +49,67 @@ event new_connection(c: connection) {
                 c$conn$resp_ep_status = resp_data$status;
             if ( resp_data ?$ uid)
                 c$conn$resp_ep_uid = resp_data$uid;
+            if ( resp_data ?$ hostname && extra_logging_conn_hostname)
+                c$conn$resp_ep_name = resp_data$hostname;
+            if ( resp_data ?$ cid && extra_logging_conn_cid)
+                c$conn$resp_ep_cid = resp_data$cid;
+            c$conn$resp_ep_source = resp_data$source;
+        }
+    }
+}
+
+event connection_flipped(c: connection) {
+    if ( extra_logging_conn && c?$conn ) {
+        if ( !c$conn?$local_orig && !c$conn?$local_resp ) {
+            return;
+        }
+        # Clear old fields set before the connection flipped.
+        if ( c$conn ?$ orig_ep_status)
+            c$conn$orig_ep_status = "";
+        if ( c$conn ?$ orig_ep_uid)
+            c$conn$orig_ep_uid = "";
+        if ( c$conn ?$ orig_ep_cid)
+            c$conn$orig_ep_cid = "";
+        if ( c$conn ?$ orig_ep_source)
+            c$conn$orig_ep_source = "";
+        if ( c$conn ?$ orig_ep_name)
+            c$conn$orig_ep_name = "";
+        if ( c$conn ?$ resp_ep_status)
+            c$conn$resp_ep_status = "";
+        if ( c$conn ?$ resp_ep_uid)
+            c$conn$resp_ep_uid = "";
+        if ( c$conn ?$ resp_ep_cid)
+            c$conn$resp_ep_cid = "";
+        if ( c$conn ?$ resp_ep_source)
+            c$conn$resp_ep_source = "";
+        if ( c$conn ?$ resp_ep_name)
+            c$conn$resp_ep_name = "";
+
+        # Once the old fields are erased, run through the enrichment again.
+
+        # If the orig IP is local and in the list, update the conn log.
+        if ( c$conn?$local_orig && c$id$orig_h in hosts_data ) {
+            local orig_data = hosts_data[c$id$orig_h];
+            if ( orig_data ?$ status)
+                c$conn$orig_ep_status = orig_data$status;
+            if ( orig_data ?$ uid)
+                c$conn$orig_ep_uid = orig_data$uid;
+            if ( orig_data ?$ hostname && extra_logging_conn_hostname)
+                c$conn$orig_ep_name = orig_data$hostname;
+            if ( orig_data ?$ cid && extra_logging_conn_cid)
+                c$conn$orig_ep_cid = orig_data$cid;
+            c$conn$orig_ep_source = orig_data$source;
+        }
+
+        # If the resp IP is local and in the list, update the conn log.
+        if ( c$conn?$local_resp && c$id$resp_h in hosts_data ) {
+            local resp_data = hosts_data[c$id$resp_h];
+            if ( resp_data ?$ status)
+                c$conn$resp_ep_status = resp_data$status;
+            if ( resp_data ?$ uid)
+                c$conn$resp_ep_uid = resp_data$uid;
+            if ( resp_data ?$ hostname && extra_logging_conn_hostname)
+                c$conn$resp_ep_name = resp_data$hostname;
             if ( resp_data ?$ cid && extra_logging_conn_cid)
                 c$conn$resp_ep_cid = resp_data$cid;
             c$conn$resp_ep_source = resp_data$source;

diff --git a/scripts/id-logs.zeek b/scripts/id-logs.zeek
@@ -5,16 +5,19 @@ export {
     ## Enables the logging of endpoint details to the conn log.
     option extra_logging_all = F;
     option extra_logging_all_cid = F;
+    option extra_logging_all_hostname = F;
 }
 
 redef record conn_id += {
     orig_ep_status: string &log &optional;
     orig_ep_uid: string &log &optional;
     orig_ep_cid: string &log &optional;
+    orig_ep_name: string &log &optional;
     orig_ep_source: string &log &optional;
     resp_ep_status: string &log &optional;
     resp_ep_uid: string &log &optional;
     resp_ep_cid: string &log &optional;
+    resp_ep_name: string &log &optional;
     resp_ep_source: string &log &optional;
 };
 
@@ -32,6 +35,8 @@ event new_connection(c: connection) {
                 c$id$orig_ep_status = orig_data$status;
             if ( orig_data ?$ uid)
                 c$id$orig_ep_uid = orig_data$uid;
+            if ( orig_data ?$ hostname && extra_logging_all_hostname)
+                c$id$orig_ep_name = orig_data$hostname;
             if ( orig_data ?$ cid && extra_logging_all_cid)
                 c$id$orig_ep_cid = orig_data$cid;
             c$id$orig_ep_source = orig_data$source;
@@ -44,6 +49,67 @@ event new_connection(c: connection) {
                 c$id$resp_ep_status = resp_data$status;
             if ( resp_data ?$ uid)
                 c$id$resp_ep_uid = resp_data$uid;
+            if ( resp_data ?$ hostname && extra_logging_all_hostname)
+                c$id$resp_ep_name = resp_data$hostname;
+            if ( resp_data ?$ cid && extra_logging_all_cid)
+                c$id$resp_ep_cid = resp_data$cid;
+            c$id$resp_ep_source = resp_data$source;
+        }
+    }
+}
+
+event connection_flipped(c: connection) {
+    if ( extra_logging_all  && c?$conn ) {
+        if ( !c$conn?$local_orig && !c$conn?$local_resp ) {
+            return;
+        }
+        # Clear old fields set before the connection flipped.
+        if ( c$id ?$ orig_ep_status)
+            c$id$orig_ep_status = "";
+        if ( c$id ?$ orig_ep_uid)
+            c$id$orig_ep_uid = "";
+        if ( c$id ?$ orig_ep_cid)
+            c$id$orig_ep_cid = "";
+        if ( c$id ?$ orig_ep_source)
+            c$id$orig_ep_source = "";
+        if ( c$id ?$ orig_ep_name)
+            c$id$orig_ep_name = "";
+        if ( c$id ?$ resp_ep_status)
+            c$id$resp_ep_status = "";
+        if ( c$id ?$ resp_ep_uid)
+            c$id$resp_ep_uid = "";
+        if ( c$id ?$ resp_ep_cid)
+            c$id$resp_ep_cid = "";
+        if ( c$id ?$ resp_ep_source)
+            c$id$resp_ep_source = "";
+        if ( c$id ?$ resp_ep_name)
+            c$id$resp_ep_name = "";
+
+        # Once the old fields are erased, run through the enrichment again.
+
+        # If the orig IP is local and in the list, update the conn log.
+        if ( c$conn?$local_orig && c$id$orig_h in hosts_data ) {
+            local orig_data = hosts_data[c$id$orig_h];
+            if ( orig_data ?$ status)
+                c$id$orig_ep_status = orig_data$status;
+            if ( orig_data ?$ uid)
+                c$id$orig_ep_uid = orig_data$uid;
+            if ( orig_data ?$ hostname && extra_logging_all_hostname)
+                c$id$orig_ep_name = orig_data$hostname;
+            if ( orig_data ?$ cid && extra_logging_all_cid)
+                c$id$orig_ep_cid = orig_data$cid;
+            c$id$orig_ep_source = orig_data$source;
+        }
+
+        # If the resp IP is local and in the list, update the conn log.
+        if ( c$conn?$local_resp && c$id$resp_h in hosts_data ) {
+            local resp_data = hosts_data[c$id$resp_h];
+            if ( resp_data ?$ status)
+                c$id$resp_ep_status = resp_data$status;
+            if ( resp_data ?$ uid)
+                c$id$resp_ep_uid = resp_data$uid;
+            if ( resp_data ?$ hostname && extra_logging_all_hostname)
+                c$id$resp_ep_name = resp_data$hostname;
             if ( resp_data ?$ cid && extra_logging_all_cid)
                 c$id$resp_ep_cid = resp_data$cid;
             c$id$resp_ep_source = resp_data$source;

diff --git a/scripts/main.zeek b/scripts/main.zeek
@@ -21,15 +21,14 @@ type Val: record {
     criticality: string &log &optional;
     ## The MAC address of the endpoint host.
     mac: string &optional;
-    ## The hostname of the vulnerable host.
-    hostname: string &optional;
+    ## The hostname of the endpoint host.
+    hostname: string &log &optional;
     ## The machine domain of the endpoint host.
     machine_domain: string &optional;
 };
 
 global hosts_data: table[addr] of Val = table();
-# # source to use for all unknown IPs
-# global unknownSource: string;
+
 
 event zeek_init() {
     Input::add_table([

diff --git a/zkg.meta b/zkg.meta
@@ -1,7 +1,7 @@
 [package]
-description = v3.0 - This package enriches multiple logs by adding information from a vulnerability scanner or endpoint agent.
+description = v4.0 - This package enriches multiple logs by adding information from a vulnerability scanner or endpoint agent.
 script_dir = scripts
-version=3.0.0
+version=4.0.0
 
 [input hosts_data.tsv]
 summary=List of all known hosts address.