zeek-known-outbound

https://github.com/dopheide-esnet/zeek-known-outbound
3 7 1 1 Last Push 6/15/20, 9:14 PM

zeek-known-outbound

Requires zeek built against libmaxmind and GeoIP databases (typically GeoLite2)

This script provides the ability to track and alert on outbound service usage to a list of 'watched' countries. It also adds the country codes for your orig and resp in conn.log. To help reduce repeated entries, it uses a persistent Broker data store.

You may want to redefine the list of watched countries: redef Known::outbound_watch_countries += {"XX","YY","ZZ"};

"Outbound" is determined by your Site::local_nets or networks.cfg.

Package Version :

Description :

This script provides the ability to monitor and throw notices for outbound connections to a list of watched countries. It also adds orig and resp country codes to conn.log. It depends on having libmaxmind configured for GeoIP lookups.

Script Dir :

scripts

Test Command :

cd tests && btest -d outbound-tests

Depends :

zeek >=3.0.0

Tags :

notice, known, services, outbound