zeek-spicy-ipsec

IPSec

This is a Zeek protocol analyzer that detects IPSec VPN based on Spicy. You must install Spicy to use this package.

A blog detailing the development of this analyzer:

RFCs:

Example Logs

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	conn
#open	2021-11-23-13-52-52
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
1421270042.835161	CHhAvVGS1DHFjwGM9	192.168.0.10	500	144.76.154.114	500	udp	spicy_ipsec_ike_udp	0.032969	880	308	SF	-	-	0	Dd	1	908	1	336	-
1421270042.910124	ClEkJM2Vm5giqnMf4h	192.168.0.10	4500	144.76.154.114	4500	udp	spicy_ipsec_udp	2.000258	10416	0	S0	-	-	0	D	3	10500	0	0	-
#close	2021-11-23-13-52-52
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	ipsec
#open	2021-11-23-13-52-52
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	is_orig	initiator_spi	responder_spi	maj_ver	min_ver	exchange_type	flag_e	flag_c	flag_a	flag_i	flag_v	flag_r	message_id	vendor_ids	notify_messages	transforms	ke_dh_groups	proposals	certificates	transform_attributes	length	hash
#types	time	string	addr	port	addr	port	bool	string	string	count	count	count	bool	bool	bool	bool	bool	bool	count	vector[string]	vector[string]	vector[string]	vector[count]	vector[count]	vector[string]	vector[string]	count	string
1421270042.835161	CHhAvVGS1DHFjwGM9	192.168.0.10	500	144.76.154.114	500	T	238671c80375a0fb	0000000000000000	2	0	34	F	F	F	T	F	F	0	MS NT5 ISAKMPOAKLEY,MS-Negotiation Discovery Capable,Microsoft Initial-Contact,UNKNOWN:01528bbbc00696121849ab9a1c5b2a5100000002	NAT_DETECTION_SOURCE_IP,NAT_DETECTION_DESTINATION_IP	(empty)	2	1,2,3,4,5,6,7,8,9,10,11,12	(empty)	(empty)	880	d1cd39840e0aaa5420b8f65984bb4f5f
1421270042.868130	CHhAvVGS1DHFjwGM9	192.168.0.10	500	144.76.154.114	500	F	238671c80375a0fb	73d16a42f60ef7f0	2	0	34	F	F	F	F	F	T	0	(empty)	NAT_DETECTION_SOURCE_IP,NAT_DETECTION_DESTINATION_IP,MULTIPLE_AUTH_SUPPORTED	(empty)	2	1	(empty)	(empty)	308	f1885551a5b169444dd961e94d683d61
1421270042.910124	ClEkJM2Vm5giqnMf4h	192.168.0.10	4500	144.76.154.114	4500	T	238671c80375a0fb	73d16a42f60ef7f0	2	0	35	F	F	F	T	F	F	1	(empty)	(empty)	(empty)	(empty)	(empty)	(empty)	(empty)	3468	-
1421270043.910245	ClEkJM2Vm5giqnMf4h	192.168.0.10	4500	144.76.154.114	4500	T	238671c80375a0fb	73d16a42f60ef7f0	2	0	35	F	F	F	T	F	F	1	(empty)	(empty)	(empty)	(empty)	(empty)	(empty)	(empty)	3468	-
1421270044.910382	ClEkJM2Vm5giqnMf4h	192.168.0.10	4500	144.76.154.114	4500	T	238671c80375a0fb	73d16a42f60ef7f0	2	0	35	F	F	F	T	F	F	1	(empty)	(empty)	(empty)	(empty)	(empty)	(empty)	(empty)	3468	-
#close	2021-11-23-13-52-52

Testing PCAPs:

The test suite comes with a set of traces collected from a variety of places that we document below. While these traces are all coming from public sources, please note that they may carry their own licenses. We collect them here for convenience only.

Package Version :