"Community ID" flow hashing for Zeek
This Zeek package provides support for "community ID" flow hashing, a
standardized way of labeling traffic flows in network monitors. When
loaded, the package adds a
community_id string field to
conn.log. This is work in progress between the Zeek and Suricata
communities, to enable correlation of flows in the outputs of both
tools. Feedback is very welcome, also from users/developers of other
This package implements a BiF to implement the hashing logic and thus needs binary compilation, so it's also a Zeek plugin. Here's an example of a resulting conn.log:
#separator \x09 #set_separator , #empty_field (empty) #unset_field - #path conn #open 2018-01-31-13-06-56 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents community_id #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string] string 1071580904.891921 CPcWB54kqKkvkdNEXe 22.214.171.124 34855 126.96.36.199 80 tcp - 0.311104 496 1731 SF - - 2227 ShADadfF 6 816 6 2051 - 1:LQU9qZlK+B5F3KDmev6m5PMibrg= #close 2018-01-31-13-06-56
The Community ID spec currently envisions support for a number of protocol constellations for which Zeek does not track flow-level state because its analyzers wouldn't know what to do with the traffic. For such flows Zeek never triggers the connection-related events used by the package, so there won't be output in conn.log anyway. (If there were protocols Zeek tracks at the flow level but the plugin doesn't support, the reported ID would be empty.) We currently support TCP and UDP over IPv4 or IPv6, as well as ICMPv4 and ICMPv6. We do not support other transport-level protocols (such as SCTP), or general IP-address-pair flows for unsupported transport layer protocols.
Using the package
The package's name is
zeek-community-id; the plugin's name is
Corelight::CommunityID. You can see the package's configuration
options in the corresponding Zeek policy.
The package's master branch supports Zeek 3.0 and newer. For older versions, take a look at the zeek/X.Y branches. Specifically, the zeek/3.0 branch will work with late 2.x releases, as well as 3.0.
The package includes btests that verify plugin loading and crunch
included test pcaps through Zeek to check baselined Zeek console
output. You can run these by saying
btest -c btest.cfg in the tests
For questions and feedback, please get in touch on the Zeek mailing list or contact Christian Kreibich (email@example.com).