Set your logs on fire with Emoji-π₯
Emojifier is the π¨ of choice to get a fast overview on your Zeek connection log. On top, it also serves as the perfect management summary of your network's security status. πΉπ‘οΈπ’
It adds an additional column to your conn.log showing emojis that give you information about the connections in your log. The following emojis are currently supported:
| Emoji | Meaning |
|---|---|
| π | HTTP Traffic |
| π | DNS Traffic |
| π¨ | SMTP Traffic |
| βοΈ | SIP Traffic |
| π₯΅ | Connection with many bytes |
| π | Some bytes were missed |
| π | TCP Connection was rejected |
| π | Connection direction was flipped |
| π¨ | There is a notice for this connection |
| π₯΄ | Zeek deems this connection weird |
| π₯ | There was an Intel hit |
Furthermore, there is an additional script to emojify default policies.
Add @load emojifier/emojify-policies to your local.zeek to enable the following additional emojis:
| Emoji | Meaning |
|---|---|
| β | Expired certificate |
| β³ | Certificate expires soon |
| π | Old TLS version |
| π | Heartbleed attack detected |
| π | SQL injection detected |
| π£ | Vulnerable software version |
| π€ | Login with guessed SSH password |
Usage π
The scripts are available as package for the Zeek Package Manager and can be installed using the following command: zkg install emojifier
To set your logs on π₯ make sure the package is loaded: zkg load emojifier
To enable the additional emojis including the corresponding policy scripts add @load emojifier/emojify-policies to your local.zeek.
Please note that emojification (utf8 support) is a Zeek-only feature. If you haven't already upgraded to Zeek, π is the reason you should do it!
Fun with Flags π©πͺ πΊπΈ π―π²
Of course, we have also added support for Zeek's GeoLocation framework. First you need to make sure that the framework is available (see Zeek Docs). For a quick test run a command like the following:
zeek -e "print lookup_location(8.8.8.8);"
If that works without any issues, you are ready to go. Just add @load emojifier/emojify-geo to your local.zeek.
Extending π§
Want to put π₯? No problem, the emojifier can be easily extended. Just add your custom logic by handling an event and concatenating the additional emoji to the emoji_trail string in the connection record. The following example adds the π³ emoji.
event connection_state_remove(c: connection) &priority=5
{
if ( c?$tunnel )
c$emoji_trail += "π³";
}
Note that you need to use a priority > 0 in case you are handling the connection_state_remove event.
If you want to extend the Emoji-π₯ based on notices that is even easier. You just need to extend the Emojifier::custom_notices table:
redef custom_notices += {
[Notice::Tally] = "π€",
};
We are looking forward to merge your pull-request π