Emojifier is the π¨ of choice to get a fast overview on your Zeek connection log. On top, it also serves as the perfect management summary of your network's security status. πΉπ‘οΈπ’
It adds an additional column to your conn.log showing emojis that give you information about the connections in your log. The following emojis are currently supported:
| Emoji | Meaning |
|---|---|
| π | HTTP Traffic |
| π | DNS Traffic |
| π¨ | SMTP Traffic |
| βοΈ | SIP Traffic |
| π₯΅ | Connection with many bytes |
| π | Some bytes were missed |
| π | TCP Connection was rejected |
| π | Connection direction was flipped |
| π¨ | There is a notice for this connection |
| π₯΄ | Zeek deems this connection weird |
| π₯ | There was an Intel hit |
Furthermore, there is an additional script to emojify default policies.
Add @load emojifier/emojify-policies to your local.zeek to enable the following additional emojis:
| Emoji | Meaning |
|---|---|
| β | Expired certificate |
| β³ | Certificate expires soon |
| π | Old TLS version |
| π | Heartbleed attack detected |
| π | SQL injection detected |
| π£ | Vulnerable software version |
| π€ | Login with guessed SSH password |
The scripts are available as package for the Zeek Package Manager and can be installed using the following command: zkg install emojifier
To set your logs on π₯ make sure the package is loaded: zkg load emojifier
To enable the additional emojis including the corresponding policy scripts add @load emojifier/emojify-policies to your local.zeek.
Please note that emojification (utf8 support) is a Zeek-only feature. If you haven't already upgraded to Zeek, π is the reason you should do it!
Want to put π₯? No problem, the emojifier can be easily extended. Just add your custom logic by handling an event and concatenating the additional emoji to the emoji_trail string in the connection record. The following example adds the π³ emoji.
event connection_state_remove(c: connection) &priority=5
{
if ( c?$tunnel )
c$emoji_trail += "π³";
}
Note that you need to use a priority > 0 in case you are handling the connection_state_remove event.
If you want to extend the Emoji-π₯ based on notices that is even easier. You just need to extend the Emojifier::custom_notices table:
redef custom_notices += {
[Notice::Tally] = "π€",
};
We are looking forward to merge your pull-request π
Prepare yourself for fun with flags π©πͺ πΊπΈ π―π²! We are about to add Geo-IP-Support...