Prior to version 5.0, Zeek only gave you the ability to enrich your data with the AS Number (Autonomous System Number – https://en.wikipedia.org/wiki/Autonomous_system_(Internet) ) via the lookup_asn function ( https://docs.zeek.org/en/master/scripts/base/bif/zeek.bif.zeek.html#id-lookup_asn ). That is not very handy for the analyst, who then has to look up which organization owns that number. With the new version (v5.0) of Zeek, this problem is gone. The lookup_autonomous_system function ( https://docs.zeek.org/en/master/scripts/base/bif/zeek.bif.zeek.html#id-lookup_autonomous_system ) enriches your logs with the organization name that is bound to the AS in the MaxMind database. The analyst therefore gets a faster and better understanding of where the log originated, which can shorten the time needed to decide whether an event is benign, a false positive, or something that deserves a closer look.

But why do this yourself when many SIEM/SOAR products do it automatically? ELK, for instance, enriches all logs with the AS Organization Name out of the box.

I am writing these lines because some SIEMs or log viewers do not give you the freedom to edit their pipelines. IBM QRadar, for example, only provides the country to which the IP belongs. Where the SIEM does not let you edit the log pipeline, Zeek can remove that barrier: with a few lines of Zeek code, you can add the AS Organization Name to your Zeek logs.

A simple Zeek script that provides this functionality looks like this:

@load base/protocols/conn
@load base/utils/site

export {
    ## Extend conn.log with the AS (number and organization) of both endpoints.
    redef record Conn::Info += {
        orig_h_asn: geo_autonomous_system &log &optional;
        resp_h_asn: geo_autonomous_system &log &optional;
    };
}

# Priority 0 runs before the Conn script's own logging handler (&priority=-5),
# so the new fields are populated by the time the record is written.
event connection_state_remove(c: connection) &priority=0
{
    if ( ! c?$conn )
        return;

    local orig: addr = c$conn$id$orig_h;
    if ( ! Site::is_private_addr(orig) )
        c$conn$orig_h_asn = lookup_autonomous_system(orig);

    local resp: addr = c$conn$id$resp_h;
    if ( ! Site::is_private_addr(resp) )
        c$conn$resp_h_asn = lookup_autonomous_system(resp);
}

By declaring orig_h_asn and resp_h_asn as geo_autonomous_system, each field is expanded when written to the log into the AS Number and the AS Organization Name (orig_h_asn.number, orig_h_asn.organization, and likewise for resp_h_asn), so we get all the information the MaxMind database holds for that address. Of course, this output appears only in conn.log. Zeek gives us the power to add it everywhere, but why add more load to the system when we can correlate all the logs of a specific connection based on its UID?
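As an added example (not part of the original post), here is a small Python consumer that performs the UID correlation described above on the SIEM side: it parses Zeek's TSV log format and copies the responder AS fields from conn.log onto the http.log records that share the same uid. The log lines, the AS numbers and the output field names resp_as_number/resp_as_org are constructed for this example.

```python
from typing import Dict, List, Optional

# Constructed sample logs (not real captures). conn.log carries the two fields the
# Zeek script above adds; the private 10.0.0.0/8 originators were skipped by the
# script, so their AS columns are unset ("-"). Only the relevant columns are kept.
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\torig_h_asn.number\torig_h_asn.organization\tresp_h_asn.number\tresp_h_asn.organization
#types\ttime\tstring\taddr\taddr\tcount\tstring\tcount\tstring
1657000000.1\tCabc1\t10.0.0.5\t198.51.100.7\t-\t-\t64496\tExample AS Org
1657000001.2\tCdef2\t10.0.0.6\t203.0.113.9\t-\t-\t64497\tAnother Org
"""
HTTP_LOG = """#separator \\x09
#fields\tts\tuid\thost\turi
#types\ttime\tstring\tstring\tstring
1657000000.3\tCabc1\twww.example.test\t/index.html
1657000001.4\tCdef2\texample.invalid\t/login
1657000002.0\tCzzz9\torphan.test\t/
"""


def parse_zeek_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse Zeek's TSV log format: '#separator' gives the (escaped) delimiter,
    '#fields' names the columns and '-' (the #unset_field default) means unset."""
    sep, fields, rows = "\t", [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append({k: (None if v == "-" else v)
                         for k, v in zip(fields, line.split(sep))})
    return rows


def enrich_by_uid(conn_rows, other_rows) -> List[Dict[str, Optional[str]]]:
    """Copy the responder AS fields from conn.log onto every record of another log
    that shares the connection uid. conn.log is only written when a connection
    ends, so a record whose uid has no conn entry yet keeps unset AS fields."""
    resp_as = {r["uid"]: (r["resp_h_asn.number"], r["resp_h_asn.organization"])
               for r in conn_rows}
    enriched = []
    for r in other_rows:
        number, org = resp_as.get(r["uid"], (None, None))
        enriched.append({**r, "resp_as_number": number, "resp_as_org": org})
    return enriched
```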

Also, don't forget to add a cron job that updates the MaxMind database once a day with the geoipupdate command, so that you always work with a "fresh" MaxMind database.