Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

GH-1119: add base/protcols/conn/removal-hooks.zeek

Browse source 
This adds two new functions: `Conn::register_removal_hook()` and
`Conn::unregister_removal_hook()` for registering a hook function to be
called back during `connection_state_remove`.  The benefit of using hook
callback approach is better scalability: the overhead of unrelated
protocols having to dispatch no-op `connection_state_remove` handlers is
avoided.
This commit is contained in:
Jon Siwek 2020-09-10 21:19:14 -07:00
parent 49e2047da0
commit 05cf511f18
31 changed files with 659 additions and 386 deletions
Download patch file Download diff file Expand all files Collapse all files

8
scripts/base/protocols/dce-rpc/main.zeek
View file

@ -1,5 +1,6 @@
@load ./consts
@load base/frameworks/dpd
@load base/protocols/conn/removal-hooks
module DCE_RPC;
@ -46,6 +47,9 @@ export {
info: Info;
state: State;
};
## DCE_RPC finalization hook. Remaining DCE_RPC info may get logged when it's called.
global finalize_dce_rpc: Conn::RemovalHook;
}
redef DPD::ignore_violations += { Analyzer::ANALYZER_DCE_RPC };
@ -83,6 +87,8 @@ function set_state(c: connection, state_x: BackingState)
c$dce_rpc$endpoint = uuid_endpoint_map[c$dce_rpc_state$uuid];
if ( c$dce_rpc_state?$named_pipe )
c$dce_rpc$named_pipe = c$dce_rpc_state$named_pipe;
Conn::register_removal_hook(c, finalize_dce_rpc);
}
function set_session(c: connection, fid: count)
@ -209,7 +215,7 @@ event dce_rpc_response(c: connection, fid: count, ctx_id: count, opnum: count, s
}
}
event connection_state_remove(c: connection)
hook finalize_dce_rpc(c: connection)
{
if ( ! c?$dce_rpc )
return;