Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Remove the Stepping Stone analyzer

Browse source 
This commit removes the stepping stone analyzer. It has been deactivated
by default since at least Zeek 2.0, is dysfunctional in cluster settings
and has a bunch of other issued.

Relates to GH-1573
This commit is contained in:
Johanna Amann 2021-06-03 14:03:21 +01:00
parent 41b077d2cf
commit 011ac442a1
17 changed files with 0 additions and 428 deletions
Download patch file Download diff file Expand all files Collapse all files

20
src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
View file

@ -10,7 +10,6 @@
#include "zeek/analyzer/protocol/tcp/TCP_Flags.h"
#include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
#include "zeek/analyzer/protocol/pia/PIA.h"
#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
#include "zeek/packet_analysis/protocol/tcp/TCP.h"
@ -1604,7 +1603,6 @@ bool TCPSessionAdapter::IsReuse(double t, const u_char* pkt)
void TCPSessionAdapter::AddExtraAnalyzers(Connection* conn)
{
static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
static analyzer::Tag analyzer_stepping = analyzer_mgr->GetComponentTag("STEPPINGSTONE");
static analyzer::Tag analyzer_tcpstats = analyzer_mgr->GetComponentTag("TCPSTATS");
// We have to decide whether to reassamble the stream.
@ -1634,24 +1632,6 @@ void TCPSessionAdapter::AddExtraAnalyzers(Connection* conn)
if ( reass )
EnableReassembly();
if ( analyzer_mgr->IsEnabled(analyzer_stepping) )
{
// Add a SteppingStone analyzer if requested. The port
// should really not be hardcoded here, but as it can
// handle non-reassembled data, it doesn't really fit into
// our general framing ... Better would be to turn it
// on *after* we discover we have interactive traffic.
uint16_t resp_port = ntohs(Conn()->RespPort());
if ( resp_port == 22 || resp_port == 23 || resp_port == 513 )
{
static auto stp_skip_src = id::find_val<TableVal>("stp_skip_src");
auto src = make_intrusive<AddrVal>(Conn()->OrigAddr());
if ( ! stp_skip_src->FindOrDefault(src) )
AddChildAnalyzer(new analyzer::stepping_stone::SteppingStone_Analyzer(conn), false);
}
}
if ( analyzer_mgr->IsEnabled(analyzer_tcpstats) )
// Add TCPStats analyzer. This needs to see packets so
// we cannot add it as a normal child.