Record long running connections with a large footprint in conn_footprint.log
.
This can aid in finding per-connection state growth, but does come with a
certain runtime overhead due to the usage of val_footprint()
.
zkg install https://github.com/awelzel/zeek-conn-footprint.git
{
"ts": 1687514059.546506,
"node": "worker-1-1",
"start_time": 1687513335.154572,
"uid": "CRwAQ83P7xzkhv6iBc",
"history": "ShAdD",
"id.orig_h": "172.17.0.1",
"id.orig_p": 57386,
"id.resp_h": "172.17.0.2",
"id.resp_p": 445,
"duration": 724.3919339179993,
"total_size": 675932369,
"total_packets": 3400106,
"total_bytes_ip": 3400106,
"footprint": 6937177,
"service": [
"NTLM",
"DCE_RPC",
"SMB"
],
"details": "dce_rpc_backing=6936805 {entries 199975}, service_violation=0, ntlm=27 {domainname=1, id=8, username=1, done=1, uid=1, hostname=1, server_nb_computer_name=1, server_dns_computer_name=1, ts=1}, uid=1, history=1, resp=12 {size=1, state=1, num_bytes_ip=1, l2_addr=1, num_pkts=1, flow_label=1}, service=9 {entries 3}, extract_resp=1, ftp_data_reuse=1, start_time=1, removal_hooks=6 {entries 2}, smb_state=231 {tid_map=22 {entries 1}, current_cmd=76, fid_map=0, pending_cmds=79 {entries 1}, pipe_map=0, recent_files=0, current_tree=19, current_file=27}, duration=1, orig=12 {size=1, state=1, num_bytes_ip=1, l2_addr=1, num_pkts=1, flow_label=1}, id=8 {orig_h=1, resp_p=1, resp_h=1, orig_p=1}, dce_rpc_state=9 {named_pipe=1, ctx_to_uuid=4 {entries 1}, uuid=1}, extract_orig=1"
}
ConnFootprint::conn_create_expire: interval = 12hr;
ConnFootprint::min_duration = 1min;
ConnFootprint::min_footprint = 10000;
ConnFootprint::min_footprint_details = 20000;
ConnFootprint::report_interval = 1min;