gravwell / kits

A collection of open source Gravwell kits
BSD 2-Clause "Simplified" License

Corelight/Zeek: Add Actionable for ports #177

Open Lawrence-Wellman-Gravwell opened 1 month ago

Lawrence-Wellman-Gravwell commented 1 month ago

What is the enhancement to be made?

Add actionable for port into Corelight Kit. Verify other kits have actionable where valid

Why should we make this change? (Business justification? What problem is the feature trying to solve?)

Useful, and called out by a Discord user

Additional notes / Tasks

  1. Implement for both Zeek and Corelight
  2. Make these highlight-only actionables
  3. Make templates that trigger on ports (src or dst)
  4. Make investigative dashboard for port activity built around the templates

Regex is

^([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$

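Added example (not part of the issue or the Gravwell kits): a small Python check that sweeps the regex quoted above over every integer from 0 to 69999 to confirm exactly which values it accepts, and then applies it to a few constructed tokens of the kind a user might highlight in a Zeek/Corelight conn view. The `is_port`, `matched_range` and `classify_tokens` names and the sample tokens are assumptions made for this example.

```python
import re

# Regex exactly as quoted in the issue: decimal port 1-65535, no leading zeros,
# anchored so only a whole selection can match (a highlight-only actionable).
PORT_RE = re.compile(
    r"^([1-9][0-9]{0,3}|[1-5][0-9]{4}|6[0-4][0-9]{3}"
    r"|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$"
)


def is_port(text: str) -> bool:
    """True if the whole string is accepted by the port regex."""
    return PORT_RE.fullmatch(text) is not None


def matched_range(limit: int = 70000) -> tuple[int, int, int]:
    """Sweep 0..limit-1 and return (smallest match, largest match, match count).

    This is the quickest way to answer "what does this regex actually fire on":
    the result shows it accepts every integer 1..65535 and nothing else in range.
    """
    hits = [n for n in range(limit) if is_port(str(n))]
    return hits[0], hits[-1], len(hits)


# Constructed sample tokens, as a user might highlight them in a log view.
SAMPLE_TOKENS = ["0", "22", "443", "08080", "65535", "65536", "3306 ", "ephemeral"]


def classify_tokens(tokens: list[str]) -> dict[str, bool]:
    """Map each highlighted token to whether the actionable would trigger on it."""
    return {t: is_port(t) for t in tokens}


if __name__ == "__main__":
    lo, hi, count = matched_range()
    print(f"regex accepts {lo}..{hi} ({count} values)")
    for token, fires in classify_tokens(SAMPLE_TOKENS).items():
        print(f"{token!r:12} -> {'fires' if fires else 'no match'}")
```

Because the pattern is anchored with `^` and `$`, it only matches when the entire selection is a port number; a selection with a leading zero, a trailing space, or a value above 65535 does not fire. The sweep also makes the scope concrete for the discussion that follows: the regex accepts any integer in 1..65535, so it is the surrounding field (src or dst port) rather than the regex that gives the actionable its meaning.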
john-floren-gravwell commented 1 month ago

so just to be clear, they'd like us to have an actionable which fires on... any number less than 65000?

Lawrence-Wellman-Gravwell commented 1 month ago

'Text Selection' similar to 'IPFIX Network Port' currently in the IPFIX kit.