Scripting

Zeek has its own scripting language that lets us analyze traffic, log information and make decisions based on what we're seeing.

A simple init function

We will create a simple test.zeek file that calls the two InternetDB lookup functions from zeek_init and prints the results:

event zeek_init() {
    print InternetDB::lookup_internetdb_api(1.1.1.1);
    print InternetDB::lookup_internetdb_sqlite(1.1.1.1);
}

Running the file will give the output:

$ zeek test.zeek 
[ip=1.1.1.1, cpes=[], hostnames=["one.one.one.one"], ports=[53,80,443], tags=[], vulns=[]]
Opened database successfully
[ip=1.1.1.1, cpes=[], hostnames=[one.one.one.one], ports=[53,80,443], tags=[], vulns=[]]

Block a specific IP and port

One of the components in the Zeek framework is NetControl, which helps users monitor and control network access, including the ability to block IPs, redirect connections and more. For example, the script below shows how to use NetControl to block traffic to 1.1.1.1 on port 53 for the next minute:

function test_drop_connection(ip: addr, p: port, t: interval) {
    # As a first step, create the NetControl::Entity that we want to block.
    # A Flow matches on destination host/port here (fields dst_h and dst_p;
    # src_h and src_p would match the source side instead).
    local f = NetControl::Flow($dst_h=addr_to_subnet(ip), $dst_p=p);
    local e = NetControl::Entity($ty=NetControl::FLOW, $flow=f);

    # Then, use the entity to create the rule to drop the entity in the forward path
    local r = NetControl::Rule($ty=NetControl::DROP,
        $target=NetControl::FORWARD, $entity=e, $expire=t);

    # Add the rule; add_rule returns an empty id if no plugin accepted it
    local id = NetControl::add_rule(r);

    if ( id == "" )
        print "Error while dropping";
}

event NetControl::init() {
    local debug_plugin = NetControl::create_debug(T);
    NetControl::activate(debug_plugin, 0);
}

event NetControl::init_done() {
    # Block traffic to IP 1.1.1.1 on port 53 for 1 minute
    test_drop_connection(1.1.1.1, 53/tcp, 1min);
}

Running this script will automatically create a netcontrol.log file, which contains information about all actions taken by NetControl:

$ zeek test.zeek 
$ cat netcontrol.log 
#separator \x09
#set_separator    ,
#empty_field    (empty)
#unset_field    -
#path    netcontrol
#open    2022-09-24-23-17-31
#fields    ts    rule_id    category    cmd    state    action    target    entity_type    entity    mod    msg    priority    expire    location    plugin
#types    time    string    enum    string    enum    string    enum    string    string    string    string    int    interval    string    string
1664036251.529525    -    NetControl::MESSAGE    -    -    -    -    -    -    -activating plugin with priority 0    -    -    -    Debug-All
1664036251.529525    -    NetControl::MESSAGE    -    -    -    -    -    -    -activation finished    -    -    -    Debug-All
1664036251.529525    -    NetControl::MESSAGE    -    -    -    -    -    -    -plugin initialization done    -    -    -    -
1664036251.529525    2    NetControl::RULE    ADD    NetControl::REQUESTED    NetControl::DROP    NetControl::FORWARD    NetControl::FLOW    */*->1.1.1.1/32/53    -    -    0    60.000000    -    Debug-All
1664036251.529525    2    NetControl::RULE    ADD    NetControl::SUCCEEDED    NetControl::DROP    NetControl::FORWARD    NetControl::FLOW    */*->1.1.1.1/32/53    -    -    0    60.000000    -    Debug-All
#close    2022-09-24-23-17-31

As you can see there are 2 NetControl::RULE entries; the first one is the request (NetControl::REQUESTED) and the following line shows that the rule was successfully added (NetControl::SUCCEEDED). In this case, we use the NetControl::DROP action, which blocks the connection. There are other rule types you can use, such as REDIRECT, MODIFY and WHITELIST. Please note that this example blocks this IP for 1 minute, but you can also block it for other intervals or forever.
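The following is an added example (not from the original page): it issues the same DROP rule as above but also handles the NetControl events that produce the REQUESTED/SUCCEEDED lines in netcontrol.log, so a script can tell whether a block actually took effect, failed, or expired. It relies only on Zeek's built-in NetControl framework and its debug plugin; the names drop_to and pending are my own.

```zeek
# Ids of rules we asked for, so the event handlers can match the outcome.
global pending: set[string];

function drop_to(ip: addr, p: port, t: interval): string {
    local f = NetControl::Flow($dst_h=addr_to_subnet(ip), $dst_p=p);
    local e = NetControl::Entity($ty=NetControl::FLOW, $flow=f);
    local r = NetControl::Rule($ty=NetControl::DROP,
        $target=NetControl::FORWARD, $entity=e, $expire=t);

    local id = NetControl::add_rule(r);
    if ( id == "" )
        print "Error: no plugin accepted the rule";
    else
        add pending[id];
    return id;
}

# Raised when a plugin has installed the rule (the SUCCEEDED log line).
event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string) {
    if ( r$id in pending ) {
        delete pending[r$id];
        print fmt("rule %s installed", r$id);
    }
}

# Raised when the plugin could not install it (a FAILED log line).
event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, msg: string) {
    if ( r$id in pending ) {
        delete pending[r$id];
        print fmt("rule %s failed: %s", r$id, msg);
    }
}

# Raised once the expiry interval has passed and the rule was removed again.
event NetControl::rule_timeout(r: NetControl::Rule, i: NetControl::FlowInfo, p: NetControl::PluginState) {
    print fmt("rule %s expired", r$id);
}

event NetControl::init() {
    NetControl::activate(NetControl::create_debug(T), 0);
}

event NetControl::init_done() {
    # Same request as the page's example: drop traffic to 1.1.1.1:53 for one minute
    drop_to(1.1.1.1, 53/tcp, 1min);
}
```

When run as `zeek test.zeek` with no traffic, Zeek exits right after initialization, so you will see the "installed" line but not the "expired" one; run it against a pcap or live interface to observe the full lifecycle.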

Next: Blocking with InternetDB function