emojifier

Set your logs on fire with Emoji-🔥

Emojifier is the 🔨 of choice to get a fast overview of your Zeek connection log. On top of that, it also serves as the perfect management summary of your network's security status. 👹🛡️πŸ’

It adds an additional column to your conn.log showing emojis that give you information about the connections in your log. The following emojis are currently supported:

| Emoji | Meaning |
|-------|---------|
| 🏄 | HTTP Traffic |
| 🔍 | DNS Traffic |
| 📨 | SMTP Traffic |
| ☎️ | SIP Traffic |
| 🥵 | Connection with many bytes |
| 🙈 | Some bytes were missed |
| 😛 | TCP connection was rejected |
| 🔄 | Connection direction was flipped |
| 🚨 | There is a notice for this connection |
| 🥴 | Zeek deems this connection weird |
| 🔥 | There was an Intel hit |

Furthermore, there is an additional script to emojify default policies. Add @load emojifier/emojify-policies to your local.zeek to enable the following additional emojis:

| Emoji | Meaning |
|-------|---------|
| ⌛ | Expired certificate |
| ⏳ | Certificate expires soon |
| 😕 | Old TLS version |
| 💓 | Heartbleed attack detected |
| 💉 | SQL injection detected |
| 💣 | Vulnerable software version |
| 🤔 | Login with guessed SSH password |

Usage 😎

The scripts are available as a package for the Zeek Package Manager and can be installed using the following command:

```sh
zkg install emojifier
```

To set your logs on 🔥, make sure the package is loaded:

```sh
zkg load emojifier
```

To enable the additional emojis, including the corresponding policy scripts, add @load emojifier/emojify-policies to your local.zeek. Please note that emojification (UTF-8 support) is a Zeek-only feature. If you haven't already upgraded to Zeek, 👆 is the reason you should do it!
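Once the column is in your conn.log, the emojis are easy to tally. The following script is an added example, not part of the emojifier package: it parses Zeek's TSV conn.log (assuming the column is logged as emoji_trail), maps each emoji back to the meanings in the table above and lists the connections with an intel hit or a notice for a first triage pass. The sample log lines are constructed; Zeek's `-` (unset) and `(empty)` (empty string) markers are handled.

```python
import re
from collections import Counter

# emoji_trail meanings from the package's table (unambiguous entries only), as code points
EMOJI_MEANING = {
    "\U0001F525": "Intel hit", "\U0001F6A8": "Notice", "\U0001F974": "Weird",
    "\U0001F61B": "TCP rejected", "\U0001F648": "Missed bytes", "\U0001F975": "Many bytes",
    "\U0001F504": "Direction flipped", "\U0001F4E8": "SMTP",
    "\u260E\uFE0F": "SIP",  # the telephone is two code points: symbol + variation selector
}
ATTENTION = ("\U0001F525", "\U0001F6A8")  # intel hit / notice: triage these first

# Constructed sample conn.log in Zeek's TSV format (column name emoji_trail is an assumption).
# Zeek writes unset fields as "-" and empty strings as "(empty)".
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tconn_state\temoji_trail\n"
    "1600000001.2\tCuid2\t10.0.0.5\t203.0.113.7\t80\ttcp\tSF\t\U0001F975\U0001F648\n"   # 🥵🙈
    "1600000002.3\tCuid3\t10.0.0.9\t203.0.113.7\t25\ttcp\tREJ\t\U0001F4E8\U0001F61B\n"  # 📨😛
    "1600000003.4\tCuid4\t10.0.0.5\t198.51.100.4\t443\ttcp\tSF\t\U0001F6A8\U0001F525\n" # 🚨🔥
    "1600000004.5\tCuid5\t10.0.0.7\t10.0.0.8\t22\ttcp\tS0\t(empty)\n"
    "1600000005.6\tCuid6\t10.0.0.7\t10.0.0.8\t5060\tudp\tSF\t\u260E\uFE0F\U0001F504\n"  # ☎️🔄
    "#close\t2020-09-13-12-00-00\n"
)

def parse_conn_log(text):
    """Return one dict per record, keyed by the names in the #fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):  # skip #separator, #types, #close, ...
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def split_emojis(trail):
    """Split a trail into emojis; a variation selector (U+FE0F) stays with its symbol."""
    return re.findall(".\uFE0F?", trail)

def summarize(records, column="emoji_trail"):
    """Management summary: how often each documented meaning occurs across all records."""
    counts = Counter()
    for rec in records:
        trail = rec.get(column, "-")
        if trail not in ("-", "(empty)"):  # unset / empty string carry no emoji
            counts.update(EMOJI_MEANING.get(e, "unknown " + e) for e in split_emojis(trail))
    return counts

def needs_attention(records, column="emoji_trail"):
    """UIDs of connections with an intel hit or a notice, for the analyst's first pass."""
    return [r["uid"] for r in records if any(e in r.get(column, "") for e in ATTENTION)]
```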

Fun with Flags 🇩🇪 🇺🇸 🇯🇲

Of course, we have also added support for Zeek's GeoLocation framework. First, make sure that the framework is available (see the Zeek docs). For a quick test, run a command like the following:

```sh
zeek -e "print lookup_location(8.8.8.8);"
```

If that works without any issues, you are ready to go. Just add @load emojifier/emojify-geo to your local.zeek.

Extending 🧐

Want to add your own 🔥? No problem, the emojifier can be easily extended. Just add your custom logic by handling an event and appending the additional emoji to the emoji_trail string in the connection record. The following example adds the 🕳 emoji for tunneled connections.

```zeek
event connection_state_remove(c: connection) &priority=5
	{
	# The tunnel field is optional, so check that it is set before adding the emoji.
	if ( c?$tunnel )
		c$emoji_trail += "🕳";
	}
```

Note that you need to use a priority > 0 when handling the connection_state_remove event, so that your handler runs before the connection record is written to conn.log.

If you want to extend the Emoji-πŸ”₯ based on notices that is even easier. You just need to extend the Emojifier::custom_notices table:

```zeek
# The table lives in the Emojifier namespace, so redef it with its full name.
redef Emojifier::custom_notices += {
	[Notice::Tally] = "🤭",
};
```

We are looking forward to merging your pull request 😉
