Enable Community ID Flow Hashing in Zeek (Bro)

Using the bro-community-id Plugin

Community ID is a hash of a connection's flow tuple (addresses, ports and protocol) that lets the same network connection be correlated across monitoring tools. It is currently supported by a variety of tools such as Moloch, Suricata, Zeek, and osquery.

This guide assumes that Zeek is already configured and running.

Install

First, download and install the bro-community-id plugin. In a standard installation of Zeek, this is a simple process:

curl https://codeload.github.com/corelight/bro-community-id/tar.gz/1.2 | tar xz
cd bro-community-id-1.2
./configure && make && make install

Configure

Now configure Zeek to load the plugin. Add the following line to /usr/local/zeek/share/zeek/site/local.zeek:

@load Corelight/CommunityID

Restart Zeek with the new configuration:

zeekctl deploy

Results

After deploying Zeek with the plugin enabled, a community_id field is appended to each record in conn.log:

#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents	community_id
#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]	string
1582669664.493402	CekmRF4lAqVfyGzl9	172.17.0.2	42712	13.227.76.23	443	tcp	-	-	-	-	OTH	T	F	0	C	0	0	0	0	-	1:SwKn4banS3LmbnnPQY3v/GizI6Y=
1582669664.511666	CQtGuT0o6vBPbZaHh	172.17.0.2	42712	13.227.76.23	443	tcp	-	0.099788	0	5361	SHR	T	F	0	^hCadCfA	1	4019	6129	-	1:SwKn4banS3LmbnnPQY3v/GizI6Y=
1582669664.432935	CgLYju1JMl2vJTdwe7	172.17.0.2	52026	192.168.65.1	53	udp	dns	0.032179	0	344	SHR	T	T	0	Cd	0	0	2400	-	1:yjs9zFb2Jr5uBSTY6/+SdB5ZWDQ=
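To confirm that the logged values are what the Community ID v1 algorithm produces with the plugin's default seed of 0, here is an added Python example (not part of this guide or the plugin) that recomputes the hash for the TCP and DNS connections shown above from a constructed conn.log excerpt; the verify_conn_log helper and the trimmed column set are assumptions for this example:

```python
import base64
import hashlib
import ipaddress
import struct

# IP protocol numbers. Only the bidirectional transport protocols are handled;
# ICMP needs the spec's extra type/code-to-port mapping and is left out.
PROTO = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(saddr, sport, daddr, dport, proto, seed=0):
    """Return the Community ID v1 string for a flow tuple (seed 0 = plugin default)."""
    src = ipaddress.ip_address(saddr).packed
    dst = ipaddress.ip_address(daddr).packed
    # Order the endpoints so that both directions of a flow hash identically:
    # the lower address goes first, ties broken by the lower port.
    if not (src < dst or (src == dst and sport < dport)):
        src, dst = dst, src
        sport, dport = dport, sport
    # Hash input: seed | saddr | daddr | proto | one zero pad byte | sport | dport,
    # all in network byte order, then SHA-1, base64 and the "1:" version prefix.
    data = struct.pack("!H", seed) + src + dst + struct.pack("!BBHH", PROTO[proto], 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


# Constructed conn.log excerpt (only the columns this check needs) built from
# the two connections in the output above.
SAMPLE_CONN_LOG = (
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tcommunity_id\n"
    "1582669664.493402\t172.17.0.2\t42712\t13.227.76.23\t443\ttcp\t1:SwKn4banS3LmbnnPQY3v/GizI6Y=\n"
    "1582669664.432935\t172.17.0.2\t52026\t192.168.65.1\t53\tudp\t1:yjs9zFb2Jr5uBSTY6/+SdB5ZWDQ=\n"
)


def verify_conn_log(text, seed=0):
    """Recompute community_id for every record and return (logged, computed, match)
    tuples, so a seed or configuration mismatch between tools stands out."""
    fields, results = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rec = dict(zip(fields, line.split("\t")))
            computed = community_id_v1(rec["id.orig_h"], int(rec["id.orig_p"]),
                                       rec["id.resp_h"], int(rec["id.resp_p"]),
                                       rec["proto"], seed)
            results.append((rec["community_id"], computed, rec["community_id"] == computed))
    return results
```

Running verify_conn_log over a real conn.log export is a quick way to confirm that Zeek and another tool (Suricata, Moloch, osquery) were configured with the same seed before relying on the hash to join their records.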
