## Flat-file sink that log_event() appends one line per detection to.
## NOTE(review): this lives under /tmp, a shared world-writable directory; a
## pre-existing file or symlink at this path would be appended to. A dedicated
## directory, or the Zeek Log framework, avoids that — confirm what the
## deployment expects.
global INTEL_LOG: string = "/tmp/zeek_block_intel.log";
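## Append a single record to INTEL_LOG.
##
## msg: text to record. The callers build it from attacker-controlled header
##      values (HTTP Host, User-Agent), so it is passed through
##      escape_string(): control characters such as a newline become \xNN
##      escapes, which stops a client from forging extra log lines.
##
## NOTE(review): no timestamp is written; prepending network_time() would make
## the entries usable for timeline reconstruction — a format change for any
## consumer of this file.
function log_event(msg: string)
	{
	# Open, append and close on every call: one handle per record, no
	# long-lived state to clean up.
	local f = open_for_append(INTEL_LOG);
	print f, escape_string(msg);
	close(f);
	}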
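## Raise a detection when an HTTP request's Host or User-Agent matches one of
## the watched patterns; matches are written via log_event().
##
## c:            the connection; c$http is the per-request HTTP::Info record.
## method, original_URI, unescaped_URI, version: request-line fields, unused
##               here.
event http_request(c: connection, method: string,
                   original_URI: string, unescaped_URI: string,
                   version: string)
	{
	# Defensive guard: c$http is only present when the base HTTP scripts have
	# already run for this event; accessing it otherwise is a runtime error.
	if ( ! c?$http )
		return;

	# NOTE(review): in the base HTTP scripts c$http$host and c$http$user_agent
	# are filled in by the http_header event, which is raised after
	# http_request. If these checks never fire in practice, move them to
	# http_header or http_message_done (is_orig == T) — confirm against the
	# loaded base scripts.

	# Host names are case-insensitive, so normalise before matching.
	if ( c$http?$host && /zapret\.telegram/ in to_lower(c$http$host) )
		log_event(fmt("HTTP_HOST:%s", c$http$host));

	# Product string match; case left as-is because the literal is exact.
	if ( c$http?$user_agent && /Windows PowerShell/ in c$http$user_agent )
		log_event(fmt("HTTP_UA:%s", c$http$user_agent));
	}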
## Report every established connection whose responder port is 21/tcp, both
## to INTEL_LOG and on stdout.
##
## c: the connection; only c$id (the 4-tuple) is consulted.
##
## Detection is by destination port alone: FTP on another port is not seen,
## and non-FTP traffic on 21/tcp is reported as FTP. The ftp_request event
## (protocol-detected) would be the more precise hook.
event connection_established(c: connection)
	{
	# Guard clause: nothing to do unless the server side is the FTP port.
	if ( c$id$resp_p != 21/tcp )
		return;

	local client = c$id$orig_h;
	local server = c$id$resp_h;

	log_event(fmt("FTP_PORT:%s->%s", server, client));
	print fmt("[ZEEK] FTP DETECTED %s", client);
	}