From 8d1b3e18706ec4b3c32b70bcb8260f33922b1b76 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 12 Jul 2022 10:00:48 +0200 Subject: [PATCH 1/2] Bulk reformat. No other changes. --- scripts/table/files.zeek | 33 +++++++---------- scripts/table/processes.zeek | 29 ++++++--------- scripts/table/sockets.zeek | 30 ++++++---------- scripts/table/ssh.zeek | 66 ++++++++++++++-------------------- scripts/table/system-logs.zeek | 33 +++++++---------- scripts/table/users.zeek | 30 ++++++---------- tests/zeek-agent/hello.zeek | 24 ++++++------- 7 files changed, 93 insertions(+), 152 deletions(-) diff --git a/scripts/table/files.zeek b/scripts/table/files.zeek index ea5af0e..a07e0ee 100644 --- a/scripts/table/files.zeek +++ b/scripts/table/files.zeek @@ -11,9 +11,7 @@ export { option subscription = ZeekAgent::Differences; ## Logging stream identifier for the tables.log. - redef enum Log::ID += { - LOG - }; + redef enum Log::ID += { LOG }; ## File system paths matching one of our patterns. type Columns: record { 
@@ -39,38 +37,31 @@ export { } event ZeekAgent_Files::query_result(ctx: ZeekAgent::Context, columns: Columns) -{ - local info = Info( - $t=network_time(), - $hid=ctx$agent_id, - $host=ZeekAgent::hostname(ctx), - $columns=columns); + { + local info = Info($t=network_time(), $hid=ctx$agent_id, + $host=ZeekAgent::hostname(ctx), $columns=columns); if ( ctx?$change ) info$change = ZeekAgent::change_type(ctx); Log::write(LOG, info); -} + } event zeek_init() -{ + { if ( |paths_to_watch| == 0 ) return; local field_name_map = ZeekAgent::log_column_map(Columns, "columns."); Log::create_stream(LOG, [$columns=Info, $policy=log_policy]); Log::remove_default_filter(LOG); - Log::add_filter(LOG, [ - $name="default", - $path="zeek-agent-files", + Log::add_filter(LOG, [$name="default", $path="zeek-agent-files", $field_name_map=field_name_map]); - for ( p in paths_to_watch ) { + for ( p in paths_to_watch ) + { local stmt = fmt("SELECT * FROM files_list(\"%s\")", p); - ZeekAgent::query([ - $sql_stmt=stmt, - $event_=query_result, - $schedule_=query_interval, - $subscription=subscription]); + ZeekAgent::query([$sql_stmt=stmt, $event_=query_result, + $schedule_=query_interval, $subscription=subscription]); + } } -} diff --git a/scripts/table/processes.zeek b/scripts/table/processes.zeek index 7aa0562..8c37052 100644 --- a/scripts/table/processes.zeek +++ b/scripts/table/processes.zeek @@ -8,9 +8,7 @@ export { option subscription = ZeekAgent::Differences; ## Logging stream identifier for the tables.log. - redef enum Log::ID += { - LOG - }; + redef enum Log::ID += { LOG }; type Columns: record { name: string &optional &log; 
@@ -36,32 +34,25 @@ export { event ZeekAgent_Processes::query_result(ctx: ZeekAgent::Context, columns: Columns) -{ - local info = Info( - $t=network_time(), - $hid=ctx$agent_id, - $host=ZeekAgent::hostname(ctx), - $columns=columns); + { + local info = Info($t=network_time(), $hid=ctx$agent_id, + $host=ZeekAgent::hostname(ctx), $columns=columns); if ( ctx?$change ) info$change = ZeekAgent::change_type(ctx); Log::write(LOG, info); -} + } event zeek_init() -{ + { local field_name_map = ZeekAgent::log_column_map(Columns, "columns."); Log::create_stream(LOG, [$columns=Info, $policy=log_policy]); Log::remove_default_filter(LOG); - Log::add_filter(LOG, [ - $name="default", - $path="zeek-agent-processes", + Log::add_filter(LOG, [$name="default", $path="zeek-agent-processes", $field_name_map=field_name_map]); - ZeekAgent::query([ - $sql_stmt="SELECT name,pid,uid,gid,ppid,priority,startup FROM processes", - $event_=query_result, - $schedule_=query_interval, + ZeekAgent::query([$sql_stmt="SELECT name,pid,uid,gid,ppid,priority,startup FROM processes", + $event_=query_result, $schedule_=query_interval, $subscription=subscription]); -} + } diff --git a/scripts/table/sockets.zeek b/scripts/table/sockets.zeek index 52ebe37..49df943 100644 --- a/scripts/table/sockets.zeek +++ b/scripts/table/sockets.zeek @@ -8,9 +8,7 @@ export { option subscription = ZeekAgent::Differences; ## Logging stream identifier for the tables.log. - redef enum Log::ID += { - LOG - }; + redef enum Log::ID += { LOG }; ## Open network sockets. type Columns: record { 
@@ -38,32 +36,24 @@ export { } event ZeekAgent_Sockets::query_result(ctx: ZeekAgent::Context, columns: Columns) -{ - local info = Info( - $t=network_time(), - $hid=ctx$agent_id, - $host=ZeekAgent::hostname(ctx), - $columns=columns); + { + local info = Info($t=network_time(), $hid=ctx$agent_id, + $host=ZeekAgent::hostname(ctx), $columns=columns); if ( ctx?$change ) info$change = ZeekAgent::change_type(ctx); Log::write(LOG, info); -} + } event zeek_init() -{ + { local field_name_map = ZeekAgent::log_column_map(Columns, "columns."); Log::create_stream(LOG, [$columns=Info, $policy=log_policy]); Log::remove_default_filter(LOG); - Log::add_filter(LOG, [ - $name="default", - $path="zeek-agent-sockets", + Log::add_filter(LOG, [$name="default", $path="zeek-agent-sockets", $field_name_map=field_name_map]); - ZeekAgent::query([ - $sql_stmt="SELECT * FROM sockets", - $event_=query_result, - $schedule_=query_interval, - $subscription=subscription]); -} + ZeekAgent::query([$sql_stmt="SELECT * FROM sockets", $event_=query_result, + $schedule_=query_interval, $subscription=subscription]); + } diff --git a/scripts/table/ssh.zeek b/scripts/table/ssh.zeek index 4ad14bb..98eb922 100644 --- a/scripts/table/ssh.zeek +++ b/scripts/table/ssh.zeek @@ -16,10 +16,7 @@ export { option subscription = ZeekAgent::Differences; ## Logging stream identifier for the tables.log. - redef enum Log::ID += { - LOG_CONFIGS, - LOG_KEYS - }; + redef enum Log::ID += { LOG_CONFIGS, LOG_KEYS }; ## Configuration option extracgt from a configuratin file. type ConfigOption: record { 
@@ -68,75 +65,66 @@ export { event ZeekAgent_SSH::query_result_configs(ctx: ZeekAgent::Context, columns: ColumnsConfigs) -{ - local info = InfoConfigs( - $t=network_time(), - $hid=ctx$agent_id, - $host=ZeekAgent::hostname(ctx), - $columns=columns); + { + local info = InfoConfigs($t=network_time(), $hid=ctx$agent_id, + $host=ZeekAgent::hostname(ctx), $columns=columns); if ( ctx?$change ) info$change = ZeekAgent::change_type(ctx); Log::write(LOG_CONFIGS, info); -} + } event ZeekAgent_SSH::query_result_keys(ctx: ZeekAgent::Context, columns: ColumnsKeys) -{ - local info = InfoKeys( - $t=network_time(), - $hid=ctx$agent_id, - $host=ZeekAgent::hostname(ctx), - $columns=columns); + { + local info = InfoKeys($t=network_time(), $hid=ctx$agent_id, + $host=ZeekAgent::hostname(ctx), $columns=columns); if ( ctx?$change ) info$change = ZeekAgent::change_type(ctx); Log::write(LOG_KEYS, info); -} + } event zeek_init() -{ - if ( |config_paths_to_watch| != 0 ) { + { + if ( |config_paths_to_watch| != 0 ) + { local field_name_map_configs = ZeekAgent::log_column_map(ColumnsConfigs, "columns."); - Log::create_stream(LOG_CONFIGS, [ - $columns=InfoConfigs, + Log::create_stream(LOG_CONFIGS, [$columns=InfoConfigs, $policy=log_policy_configs]); Log::remove_default_filter(LOG_CONFIGS); - Log::add_filter(LOG_CONFIGS, [ - $name="default", - $path="zeek-agent-ssh-configs", + Log::add_filter(LOG_CONFIGS, [$name="default", $path="zeek-agent-ssh-configs", $field_name_map=field_name_map_configs]); - for ( p in config_paths_to_watch ) { - local stmt_configs = fmt("SELECT * FROM files_columns(\"%s\", \"$1:text,$2:text\")", p); - ZeekAgent::query([ - $sql_stmt=stmt_configs, - $event_=query_result_configs, + for ( p in config_paths_to_watch ) + { + local stmt_configs = fmt("SELECT * FROM files_columns(\"%s\", \"$1:text,$2:text\")", + p); + ZeekAgent::query([$sql_stmt=stmt_configs, $event_=query_result_configs, $schedule_=query_interval, $subscription=subscription]); + } } - } - if ( |key_paths_to_watch| 
!= 0 ) { + if ( |key_paths_to_watch| != 0 ) + { local field_name_map_keys = ZeekAgent::log_column_map(ColumnsKeys, "columns."); Log::create_stream(LOG_KEYS, [$columns=InfoKeys, $policy=log_policy_keys]); Log::remove_default_filter(LOG_KEYS); - Log::add_filter(LOG_KEYS, [ - $name="default", + Log::add_filter(LOG_KEYS, [$name="default", $path="zeek-agent-ssh-authorized-keys", $field_name_map=field_name_map_keys]); - for ( p in key_paths_to_watch ) { + for ( p in key_paths_to_watch ) + { local stmt_keys = fmt("SELECT * FROM files_lines(\"%s\")", p); - ZeekAgent::query([ - $sql_stmt=stmt_keys, - $event_=query_result_keys, + ZeekAgent::query([$sql_stmt=stmt_keys, $event_=query_result_keys, $schedule_=query_interval, $subscription=subscription]); + } } } -} diff --git a/scripts/table/system-logs.zeek b/scripts/table/system-logs.zeek index 29ab5b7..a26664c 100644 --- a/scripts/table/system-logs.zeek +++ b/scripts/table/system-logs.zeek @@ -8,9 +8,7 @@ export { option subscription = ZeekAgent::Differences; ## Logging stream identifier for the tables.log. - redef enum Log::ID += { - LOG - }; + redef enum Log::ID += { LOG }; ## Log messages recorded by the operating systems. type Columns: record { 
@@ -33,29 +31,22 @@ export { event ZeekAgent_SystemLogs::query_result(ctx: ZeekAgent::Context, columns: Columns) -{ - local info = Info( - $t=network_time(), - $hid=ctx$agent_id, - $host=ZeekAgent::hostname(ctx), - $columns=columns); + { + local info = Info($t=network_time(), $hid=ctx$agent_id, + $host=ZeekAgent::hostname(ctx), $columns=columns); Log::write(LOG, info); -} + } event zeek_init() -{ + { local field_name_map = ZeekAgent::log_column_map(Columns, "columns."); Log::create_stream(LOG, [$columns=Info, $policy=log_policy]); Log::remove_default_filter(LOG); - Log::add_filter(LOG, [ - $name="default", - $path="zeek-agent-system-logs", + Log::add_filter(LOG, [$name="default", $path="zeek-agent-system-logs", $field_name_map=field_name_map]); - ZeekAgent::query([ - $sql_stmt="SELECT * FROM system_logs_events", - $event_=query_result, - $schedule_=query_interval, - $subscription=ZeekAgent::Events, - $requires_tables=set("system_logs_events")]); -} + ZeekAgent::query([$sql_stmt="SELECT * FROM system_logs_events", + $event_=query_result, $schedule_=query_interval, + $subscription=ZeekAgent::Events, $requires_tables=set( + "system_logs_events")]); + } diff --git a/scripts/table/users.zeek b/scripts/table/users.zeek index 4ece2af..20924c9 100644 --- a/scripts/table/users.zeek +++ b/scripts/table/users.zeek @@ -8,9 +8,7 @@ export { option subscription = ZeekAgent::Differences; ## Logging stream identifier for the tables.log. - redef enum Log::ID += { - LOG - }; + redef enum Log::ID += { LOG }; ## List of users on system type Columns: record { 
@@ -38,32 +36,24 @@ export { } event ZeekAgent_Users::query_result(ctx: ZeekAgent::Context, columns: Columns) -{ - local info = Info( - $t=network_time(), - $hid=ctx$agent_id, - $host=ZeekAgent::hostname(ctx), - $columns=columns); + { + local info = Info($t=network_time(), $hid=ctx$agent_id, + $host=ZeekAgent::hostname(ctx), $columns=columns); if ( ctx?$change ) info$change = ZeekAgent::change_type(ctx); Log::write(LOG, info); -} + } event zeek_init() -{ + { local field_name_map = ZeekAgent::log_column_map(Columns, "columns."); Log::create_stream(LOG, [$columns=Info, $policy=log_policy]); Log::remove_default_filter(LOG); - Log::add_filter(LOG, [ - $name="default", - $path="zeek-agent-users", + Log::add_filter(LOG, [$name="default", $path="zeek-agent-users", $field_name_map=field_name_map]); - ZeekAgent::query([ - $sql_stmt="SELECT * FROM users", - $event_=query_result, - $schedule_=query_interval, - $subscription=subscription]); -} + ZeekAgent::query([$sql_stmt="SELECT * FROM users", $event_=query_result, + $schedule_=query_interval, $subscription=subscription]); + } diff --git a/tests/zeek-agent/hello.zeek b/tests/zeek-agent/hello.zeek index c9c4ad1..a3dac9d 100644 --- a/tests/zeek-agent/hello.zeek +++ b/tests/zeek-agent/hello.zeek 
@@ -12,26 +12,26 @@ redef Broker::default_port = to_port(getenv("ZEEK_PORT")); global n = 0; event send_hello() -{ + { # We simulate an agent here by faking a corresponding "hello" event. - local ctx: ZeekAgent::Context = [ - $agent_id="fake_agent", - $query_id="fake_query", - $host_time=network_time()]; + local ctx: ZeekAgent::Context = [$agent_id="fake_agent", + $query_id="fake_query", $host_time=network_time()]; - if ( ++n < 3 ) { - local hello: ZeekAgentAPI::AgentHelloV1 = [ - $agent_id="fake_agent", + if ( ++n < 3 ) + { + local hello: ZeekAgentAPI::AgentHelloV1 = [$agent_id="fake_agent", $instance_id="fake_instance"]; event ZeekAgentAPI::agent_hello_v1(ctx, hello); schedule 0.1 secs { send_hello() }; - } else { + } + else + { event ZeekAgentAPI::agent_shutdown_v1(ctx); terminate(); + } } -} event zeek_init() -{ + { schedule 0 secs { send_hello() }; -} + } From 39ea015af2b3a022ffea6430d117079ffeccb4d2 Mon Sep 17 00:00:00 2001 From: Robin Sommer Date: Tue, 12 Jul 2022 10:02:06 +0200 Subject: [PATCH 2/2] By default, listen on 0.0.0.0 for WebSocket. Zeek's default is 127.0.0.1. --- scripts/framework/main.zeek | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/framework/main.zeek b/scripts/framework/main.zeek index 2f41473..ee575c5 100644 --- a/scripts/framework/main.zeek +++ b/scripts/framework/main.zeek @@ -360,7 +360,11 @@ event zeek_init() &priority=100 event zeek_init() &priority=-10 { @if ( Version::number >= 50000 ) - Broker::listen_websocket(); + if ( Broker::default_listen_address_websocket != "" ) + Broker::listen_websocket(); + else + # Default is 127.0.0.1, which isn't very helpful for us. + Broker::listen_websocket("0.0.0.0"); @else if ( listen_port != 0/tcp ) Broker::listen(listen_address, listen_port, listen_retry);
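Review bot: The `else` branch's `Broker::listen_websocket("0.0.0.0")` turns a loopback-only endpoint into one reachable from every IPv4 interface, and nothing in the hunk gates or documents that exposure; since an agent is just a peer that sends `ZeekAgentAPI::agent_hello_v1` (the hello.zeek test in PATCH 1 fakes one with two events), any host that can reach the port can presumably feed rows into these logs unless Broker's SSL certificate/CA settings are configured, which this code does not check. I would not hard-code the literal: the `@else` branch already honors the module's `listen_address`, so the WebSocket path could do the same, e.g. `Broker::listen_websocket(listen_address != "" ? listen_address : "0.0.0.0");`, assuming `listen_address` (declared outside the hunk) defaults to empty. The comment should state the consequence rather than just the motivation: `# Zeek's default binds 127.0.0.1 only, unreachable for remote agents; 0.0.0.0 exposes the WebSocket port on all IPv4 interfaces, so rely on Broker's SSL/peer settings or a host firewall to limit who can connect.` Note also that `"0.0.0.0"` binds IPv4 only, so if IPv6 agents are expected `"::"` may be the better choice, depending on how Broker handles it. The body of `zeek_init() &priority=-10` continues past the hunk (the `@endif` and closing brace are not shown).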