zeek日志添加源目的IP是否为本地IP的判断

以http日志为例

新建文件 /opt/zeek/share/zeek/base/protocols/httpdirection.zeek

@load base/protocols/http

module HTTP;

export {

    redef record Info += {
        local_orig:   bool            &log &optional;
        local_resp:   bool            &log &optional;
  };

}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=5
        {
        if( |Site::local_nets| > 0 )
                {
                c$http$local_orig=Site::is_local_addr(c$id$orig_h);
                c$http$local_resp=Site::is_local_addr(c$id$resp_h);
                }
        }

修改/opt/zeek/share/zeek/base/protocols/http/__load__.zeek，添加一行

@load ./httpdirection.zeek

 重启zeek

zeekctl deploy

查看日志

more /opt/zeek/logs/current/http.log

可看到日志中多了如下字段

"local_orig":true,"local_resp":false