{"id":206,"date":"2023-03-11T21:57:56","date_gmt":"2023-03-12T03:57:56","guid":{"rendered":"https:\/\/drkeithjones.com\/?p=206"},"modified":"2023-03-27T08:49:46","modified_gmt":"2023-03-27T12:49:46","slug":"how-to-connect-zeek-to-python","status":"publish","type":"post","link":"https:\/\/drkeithjones.com\/index.php\/2023\/03\/11\/how-to-connect-zeek-to-python\/","title":{"rendered":"How To Connect Zeek To Python"},"content":{"rendered":"\n

I was recently asked how to send data from Zeek to Python. After flipping through the Zeek Broker documentation<\/a> I couldn’t find a good example to reference, so here is my example.<\/p>\n\n\n\n

The code for this demo is available here: <\/p>\n\n\n\n

https:\/\/github.com\/keithjjones\/zeek-python-broker-demo<\/a><\/p>\n\n\n\n

The first piece of our source code is the Python program here:<\/p>\n\n\n\n

https:\/\/github.com\/keithjjones\/zeek-python-broker-demo\/blob\/master\/broker-test.py<\/a><\/p>\n\n\n\n

There is a prerequisite for this Python script, the Zeek Python Broker bindings must be downloaded and installed. You can find the installation instructions here: <\/p>\n\n\n\n

https:\/\/docs.zeek.org\/projects\/broker\/en\/master\/python.html#installation-in-a-virtual-environment<\/a><\/p>\n\n\n\n

The trick is you must install the version of broker that corresponds to your Zeek’s version.<\/em> Be sure to read that last sentence again. I figured this out the hard way.<\/p>\n\n\n\n

Your version of Broker can be looked up by visiting the Zeek repository and selecting your Zeek version in the branch dropdown, such as v5.0.4. Then, go into the “auxil” directory to find Broker:<\/p>\n\n\n\n

https:\/\/github.com\/zeek\/zeek\/tree\/v5.0.4\/auxil<\/a><\/p>\n\n\n\n

If you click into the Broker directory you will enter its repository at the version used in Zeek v5.0.4. If you click on “VERSION”, you will find version 2.3.5 of Broker is used in Zeek v5.0.4: <\/p>\n\n\n\n

https:\/\/github.com\/zeek\/broker\/blob\/a7d55f8da2c47bf8b3de2524b24e1d8bfec1c2ce\/VERSION<\/a><\/p>\n\n\n\n

You can download Broker v2.3.5 here:<\/p>\n\n\n\n

https:\/\/github.com\/zeek\/broker\/releases<\/a><\/p>\n\n\n\n

Once you download Broker and install the Python bindings using the instructions linked above, you can finally execute the Python script. Here is the script’s content: <\/p>\n\n\n\n

import sys\nimport broker\n\n# Setup endpoint and connect to Zeek.\nwith broker.Endpoint() as ep, \\\n    ep.make_subscriber(\"\/topic\/test\") as sub:\n\n    ep.listen(\"127.0.0.1\", 60000)\n\n    while True:\n        (t, d) = sub.get()\n        pong = broker.zeek.Event(d)\n        print(\"received {}  --   {}\".format(pong.name(), pong.args()))\n\n        python_results = broker.zeek.Event(\"python_results\", pong.args()[0]);\n        ep.publish(\"\/topic\/test\", python_results);<\/code><\/pre>\n\n\n\n
The script is relatively simple.  The following lines set up a Zeek Broker listener on 127.0.0.1:60000 via Python: <\/p>\n\n\n\n
https:\/\/github.com\/keithjjones\/zeek-python-broker-demo\/blob\/master\/broker-test.py#L5-L8<\/a>  <\/p>\n\n\n\n
Then, the Python script runs in an infinite loop pulling messages from Broker via the “get” function:<\/p>\n\n\n\n
https:\/\/github.com\/keithjjones\/zeek-python-broker-demo\/blob\/master\/broker-test.py#L11<\/a><\/p>\n\n\n\n
Here “t” is the message’s topic, and “d” is the message’s raw data.  Line 12 then translates the data pulled from Broker into a Python event object called “pong”.  The name “pong” is not important, I wanted to show that this object could be named anything because the “.name()” function will tell you the true event name.  <\/p>\n\n\n\n
The last two lines in the script then create an event object and publishes it through Broker so that the “python_results” event will fire back in Zeek.  The event will have the same argument that was originally passed to the Python process from Zeek (“pong.args()[0]”).  Here is example output from the Python script:<\/p>\n\n\n\n
received some_test_event  --   [(IPv4Address('172.20.32.121'), 47808\/udp, IPv4Address('172.20.32.255'), 47808\/udp)]\nreceived some_test_event  --   [(IPv4Address('172.20.32.109'), 47808\/udp, IPv4Address('172.20.32.255'), 47808\/udp)]\nreceived some_test_event  --   [(IPv4Address('172.20.32.200'), 47808\/udp, IPv4Address('172.20.32.115'), 47808\/udp)]\nreceived some_test_event  --   [(IPv4Address('172.20.32.200'), 47808\/udp, IPv4Address('172.20.32.112'), 47808\/udp)]\nreceived some_test_event  --   [(IPv4Address('172.20.32.200'), 47808\/udp, IPv4Address('172.20.32.110'), 47808\/udp)]\nreceived some_test_event  --   [(IPv4Address('172.20.32.200'), 47808\/udp, IPv4Address('172.20.32.121'), 47808\/udp)]\nreceived some_test_event  --   [(IPv4Address('172.20.32.200'), 47808\/udp, IPv4Address('172.20.32.109'), 47808\/udp)]<\/code><\/pre>\n\n\n\n
In the Zeek script content below you will find the event “python_results” is handled here:<\/p>\n\n\n\n
https:\/\/github.com\/keithjjones\/zeek-python-broker-demo\/blob\/master\/broker-test.zeek#L6<\/a><\/p>\n\n\n\n
It just prints the arguments to the event.  In “connection_state_remove” the script sends the “c$id” conn_id record to Python:  <\/p>\n\n\n\n
https:\/\/github.com\/keithjjones\/zeek-python-broker-demo\/blob\/master\/broker-test.zeek#L11-L14<\/a>  <\/p>\n\n\n\n
Therefore, this is the same data that will be printed when it is returned via “python_results”.<\/p>\n\n\n\n
global test_topic = \"\/topic\/test\";\n\nglobal some_test_event: event(c_id: conn_id);\n\nevent python_results(c_id: conn_id)\n{\n\tprint(cat(\"Got Python Results: \", c_id));\n}\n\nevent connection_state_remove(c: connection)\n{\n    Broker::publish(test_topic, some_test_event, c$id);\n}\n\nevent zeek_init()\n{\n\tBroker::peer(addr_to_uri(127.0.0.1), 60000\/tcp);\n\tBroker::subscribe(test_topic);\n}<\/code><\/pre>\n\n\n\n
The two lines in “zeek_init” take care of connecting to the Python process before publishing the results to the “\/topic\/test” topic in Zeek’s Broker.<\/p>\n\n\n\n
When running the Zeek script on a PCAP while the Python script is executing in another window, you will see the connection ID records printed from the Zeek and the Python processes in their respective windows as they are processed.  This will prove that the data was transferred from your PCAP through Zeek, into Python over Zeek’s Broker, and back to Zeek again over Broker. This is example output from the Zeek script:<\/p>\n\n\n\n
Got Python Results: [orig_h=172.20.32.200, orig_p=47808\/udp, resp_h=172.20.32.115, resp_p=47808\/udp]\nGot Python Results: [orig_h=172.20.32.200, orig_p=47808\/udp, resp_h=172.20.32.112, resp_p=47808\/udp]\nGot Python Results: [orig_h=172.20.32.200, orig_p=47808\/udp, resp_h=172.20.32.110, resp_p=47808\/udp]\nGot Python Results: [orig_h=172.20.32.200, orig_p=47808\/udp, resp_h=172.20.32.121, resp_p=47808\/udp]\nGot Python Results: [orig_h=172.20.32.200, orig_p=47808\/udp, resp_h=172.20.32.109, resp_p=47808\/udp]<\/code><\/pre>\n\n\n\n
Now imagine all the new types of processing you can do in Python that may have been more difficult with Zeek alone!<\/p>\n","protected":false},"excerpt":{"rendered":"
I was recently asked how to send data from Zeek to Python. After flipping through the Zeek Broker documentation I couldn’t find a good example to reference, so here is my example. The code for this demo is available here: https:\/\/github.com\/keithjjones\/zeek-python-broker-demo The first piece of our source code is the Python program here: https:\/\/github.com\/keithjjones\/zeek-python-broker-demo\/blob\/master\/broker-test.py There […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[74,91,45,61,4],"tags":[42,44,43,27],"class_list":["post-206","post","type-post","status-publish","format-standard","hentry","category-how-to","category-open-source","category-python","category-tools","category-zeek","tag-broker","tag-howto","tag-python","tag-zeek"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts\/206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/comments?post=206"}],"version-history":[{"count":0,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/posts\/206\/revisions"}],"wp:attachment":[{"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/media?parent=206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/categories?post=206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drkeithjones.com\/index.php\/wp-json\/wp\/v2\/tags?post=206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}