继续,尝试完成简单的zeek脚本,在原来的默认zeek脚本上,新增一些输出内容。
    默认zeek脚本目录如下:/opt/zeek/share/zeek/base/protocols
    image.png
    给http协议新增解析展示数据
    进入目录:/opt/zeek/share/zeek/base/protocols/http
    新建文件request.zeek,新增请求数据的解析
    request_body配置
    新建/usr/local/zeek/share/zeek/base/protocols/http/request.zeek文件,文件内容:

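    ##! Adds the reassembled HTTP request body to the HTTP log record.
    ##!
    ##! Every data chunk delivered by http_entity_data for the originator side
    ##! is appended to the request_body field, which is written to http.log.
    ##! The whole body is kept in memory for the lifetime of the transaction and
    ##! logged verbatim, so anything sent in a request (form fields, credentials,
    ##! uploaded content) ends up in the log; enable this only where that is
    ##! acceptable.

    module HTTP;

    export {
        redef record Info += {
            ## Complete request body, concatenated from every data chunk.
            request_body: string &log &optional;
        };
    }

    ## Collects the request body.  The original handler assigned `data` on each
    ## call, so a body delivered in several chunks kept only the last chunk;
    ## this version initialises the field once and appends.
    event http_entity_data(c: connection, is_orig: bool, length: count, data: string) &priority=5
        {
        # Only the originator's entity data belongs to the request body.
        if ( ! is_orig )
            return;

        # Same call as the original script: presumably makes sure the HTTP state
        # for this direction exists (defined in the base http scripts) — confirm.
        set_state(c, is_orig);

        if ( ! c?$http )
            return;

        if ( ! c$http?$request_body )
            c$http$request_body = "";

        c$http$request_body += data;
        }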


    __load__.zeek文件中添加:@load ./request

    所有http_header配置
    新建/usr/local/zeek/share/zeek/base/protocols/http/header-all.zeek,文件内容:

    ##! Records every HTTP request and response header in http.log.
    ##!
    ##! For each direction the header name and then its value are appended to a
    ##! vector, so the logged vector alternates name, value, name, value.  All
    ##! headers are captured verbatim — including ones such as Authorization or
    ##! Cookie — so use the two options below to switch a direction off where
    ##! that is not wanted.

    module HTTP;

    export {
        redef record Info +=  {
            ## Request headers as a flat name/value vector.
            request_header:  vector of string &log &optional;
            ## Response headers as a flat name/value vector.
            response_header:  vector of string &log &optional;
            };
       ## Collect headers sent by the originator (client).
       option log_request_header = T;
       ## Collect headers sent by the responder (server).
       option log_response_header = T;
    }

    event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
        {
        # Without HTTP state there is no log record to attach the header to.
        if ( ! c?$http )
            return;

        if ( is_orig )
            {
            if ( ! log_request_header )
                return;
            if ( ! c$http?$request_header )
                c$http$request_header = vector();
            c$http$request_header += name;
            c$http$request_header += value;
            return;
            }

        # Responder side.
        if ( ! log_response_header )
            return;
        if ( ! c$http?$response_header )
            c$http$response_header = vector();
        c$http$response_header += name;
        c$http$response_header += value;
        }
    

    __load__.zeek文件中添加:@load ./header-all

    新建/usr/local/zeek/share/zeek/base/protocols/http/response.zeek文件,文件内容:

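    ##! Adds the reassembled HTTP response body to the HTTP log record.
    ##!
    ##! The body is reset whenever a new reply entity begins and every data
    ##! chunk of that entity is appended to response_body, which is written to
    ##! http.log.  The body is held in memory unbounded and logged verbatim, so
    ##! large or sensitive responses land in the log in full; hook_reply_bodies
    ##! turns the collection off.

    module HTTP;

    export {
        redef record Info += {
           ## Complete body of the most recent reply entity.
           response_body: string &log &optional;
        };
        ## Flag that indicates whether to hook reply bodies.
        const hook_reply_bodies = T &redef;
    }

    ## Start an empty body for each reply entity.  Note that a reply with several
    ## entities (multipart) keeps only the last one, since each begin resets it.
    event http_begin_entity(c: connection, is_orig: bool)
        {
        # Same condition as the original, simplified: skip request entities and
        # skip everything when reply hooking is disabled.
        if ( is_orig || ! hook_reply_bodies )
            return;
        # Guard against missing HTTP state rather than erroring on c$http.
        if ( ! c?$http )
            return;
        c$http$response_body = "";
        }

    ## Append each reply data chunk.  The original did not check is_orig, so
    ## originator chunks arriving while response_body was set would have been
    ## appended to the response; only responder data is taken here.
    event http_entity_data(c: connection, is_orig: bool, length: count,
                           data: string) &priority=5
        {
        if ( is_orig || ! c?$http || ! c$http?$response_body )
            return;
        c$http$response_body += data;
        }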
    

    __load__.zeek文件中添加:@load ./response

    zeekctl deploy #部署
    注意:修改相关文件或配置后需要执行zeekctl deploy命令
    image.png
    然后查看日志
    image.png
    成功解析出数据,如下。
    数据说明:根据业务实际需要,提取自己所需要的字段即可。

    id.orig_h:源IP,必要字段
    id.orig_p:源端口,必要字段
    id.resp_h:目标IP,必要字段
    id.resp_p:目标端口,必要字段
    trans_depth:未知字段
    method:请求方法,必要字段
    host:请求包host,非必要字段
    referrer:请求包referrer,非必要字段
    version:请求包协议版本,非必要字段
    user_agent:请求包user_agent,非必要字段
    origin:请求包origin,非必要字段
    request_body_len:请求体长度,非必要字段
    response_body_len:返回体长度,非必要字段
    status_code:http状态码,必要字段
    status_msg:未知字段
    tags:未知字段
    orig_fuids:未知字段
    orig_mime_types:未知字段
    resp_fuids:未知字段
    resp_mime_types:未知字段
    request_body:请求体内容,必要字段
    request_header:所有请求头,必要字段
    response_header:所有返回头,必要字段
    response_body:返回包内容,必要字段