Zeek has its own scripting language that lets us analyze traffic, log information and make decisions based on what we see.
We will create a simple test.zeek file, call the InternetDB lookup functions and print the results:
event zeek_init() {
    # Query InternetDB for 1.1.1.1, once over the HTTP API and once through the SQLite-backed lookup
    print InternetDB::lookup_internetdb_api(1.1.1.1);
    print InternetDB::lookup_internetdb_sqlite(1.1.1.1);
}
Running the file will give the output:
$ zeek test.zeek
[ip=1.1.1.1, cpes=[], hostnames=["one.one.one.one"], ports=[53,80,443], tags=[], vulns=[]]
Opened database successfully
[ip=1.1.1.1, cpes=[], hostnames=[one.one.one.one], ports=[53,80,443], tags=[], vulns=[]]
One of the components in the Zeek framework is NetControl, which helps users monitor and control network access, including the ability to block IPs, redirect connections and more. For example, the script below uses the NetControl framework to block traffic to 1.1.1.1 on port 53 for the next minute:
function test_drop_connection(ip: addr, p: port, t: interval) {
    # As a first step, create the NetControl::Entity that we want to block.
    # A Flow entity matches on destination host/port (the source side is left as a wildcard).
    local f = NetControl::Flow($dst_h=addr_to_subnet(ip), $dst_p=p);
    local e = NetControl::Entity($ty=NetControl::FLOW, $flow=f);
    # Then, use the entity to create the rule to drop the entity in the forward path
    local r = NetControl::Rule($ty=NetControl::DROP,
                               $target=NetControl::FORWARD, $entity=e, $expire=t);
    # Add the rule; add_rule() returns an empty string if no plugin accepted it
    local id = NetControl::add_rule(r);
    if ( id == "" )
        print "Error while dropping";
}

event NetControl::init() {
    # The debug plugin only logs what it would do; swap in a real backend (e.g. OpenFlow, acld) to enforce
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);
}

event NetControl::init_done() {
    # Block traffic to IP 1.1.1.1 on port 53 for 1 minute
    test_drop_connection(1.1.1.1, 53/tcp, 1min);
}
Running this script will automatically create a netcontrol.log file, which contains information about all actions taken by NetControl:
$ zeek test.zeek
$ cat netcontrol.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path netcontrol
#open 2022-09-24-23-17-31
#fields ts rule_id category cmd state action target entity_type entity mod msg priority expire location plugin
#types time string enum string enum string enum string string string string int interval string string
1664036251.529525 - NetControl::MESSAGE - - - - - - -activating plugin with priority 0 - - - Debug-All
1664036251.529525 - NetControl::MESSAGE - - - - - - -activation finished - - - Debug-All
1664036251.529525 - NetControl::MESSAGE - - - - - - -plugin initialization done - - - -
1664036251.529525 2 NetControl::RULE ADD NetControl::REQUESTED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->1.1.1.1/32/53 - - 0 60.000000 - Debug-All
1664036251.529525 2 NetControl::RULE ADD NetControl::SUCCEEDED NetControl::DROP NetControl::FORWARD NetControl::FLOW */*->1.1.1.1/32/53 - - 0 60.000000 - Debug-All
#close 2022-09-24-23-17-31
As you can see there are two NetControl::RULE entries; the first one is the request and the following line shows that the rule was successfully added. In this case we use the NetControl::DROP action, which blocks the connection. Other rule types are available as well, such as REDIRECT, MODIFY and WHITELIST. Please note that this example blocks the IP for 1 minute, but you can also block it for other intervals or forever.
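As an added example that is not part of the original post, the script below shows two of the alternatives just mentioned: a WHITELIST rule beside a DROP rule with no $expire (so it never times out), and it reacts to the outcome through NetControl's rule_added, rule_error and rule_timeout events rather than only checking the returned id. It still uses the debug plugin, and the addresses are constructed for the example (192.0.2.10 is an RFC 5737 documentation address).

```zeek
# Added example, not the original post's code. Same debug-plugin setup as above.

function whitelist_host(ip: addr, t: interval): string
    {
    # ADDRESS entities match a whole host; give the whitelist a higher priority
    # than the drop rule so it wins wherever both would match.
    local e = NetControl::Entity($ty=NetControl::ADDRESS, $ip=addr_to_subnet(ip));
    local r = NetControl::Rule($ty=NetControl::WHITELIST,
                               $target=NetControl::FORWARD, $entity=e,
                               $expire=t, $priority=10);
    return NetControl::add_rule(r);
    }

function drop_host_forever(ip: addr): string
    {
    # No $expire on the rule: it stays in place until NetControl::remove_rule() is called
    local e = NetControl::Entity($ty=NetControl::ADDRESS, $ip=addr_to_subnet(ip));
    local r = NetControl::Rule($ty=NetControl::DROP,
                               $target=NetControl::FORWARD, $entity=e);
    return NetControl::add_rule(r);
    }

# These events fire for every rule, whichever plugin handled it, so they are the
# place to record success, failure and expiry instead of checking id == "" inline.
event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
    {
    print fmt("rule %s added (%s)", r$id, msg);
    }

event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
    {
    print fmt("rule %s failed: %s", r$id, msg);
    }

event NetControl::rule_timeout(r: NetControl::Rule, i: NetControl::FlowInfo, p: NetControl::PluginState)
    {
    print fmt("rule %s expired", r$id);
    }

event NetControl::init()
    {
    NetControl::activate(NetControl::create_debug(T), 0);
    }

event NetControl::init_done()
    {
    whitelist_host(1.1.1.1, 5min);   # trusted resolver from the post, whitelisted for 5 minutes
    drop_host_forever(192.0.2.10);   # constructed address, dropped with no expiry
    }
```

With the debug plugin both rules appear in netcontrol.log as REQUESTED then SUCCEEDED, and the whitelist entry carries priority 10 and expire 300.000000 while the drop entry has no expire value.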