GH-1119: add base/protcols/conn/removal-hooks.zeek

This adds two new functions: `Conn::register_removal_hook()` and
`Conn::unregister_removal_hook()` for registering a hook function to be
called back during `connection_state_remove`.  The benefit of using a
hook-callback approach is better scalability: the overhead of unrelated
protocols having to dispatch no-op `connection_state_remove` handlers is
avoided.
Jon Siwek 2020-09-10 21:19:14 -07:00
parent 49e2047da0
commit 05cf511f18
31 changed files with 659 additions and 386 deletions


@ -1,8 +1,9 @@
##! A very basic DNP3 analysis script that just logs requests and replies.
module DNP3;
@load ./consts
@load base/protocols/conn/removal-hooks
module DNP3;
export {
redef enum Log::ID += { LOG };
@ -25,6 +26,9 @@ export {
## Event that can be handled to access the DNP3 record as it is sent on
## to the logging framework.
global log_dnp3: event(rec: Info);
## DNP3 finalization hook. Remaining DNP3 info may get logged when it's called.
global finalize_dnp3: Conn::RemovalHook;
}
redef record connection += {
@ -43,7 +47,10 @@ event zeek_init() &priority=5
event dnp3_application_request_header(c: connection, is_orig: bool, application_control: count, fc: count)
{
if ( ! c?$dnp3 )
{
c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id];
Conn::register_removal_hook(c, finalize_dnp3);
}
c$dnp3$ts = network_time();
c$dnp3$fc_request = function_codes[fc];
@ -52,7 +59,10 @@ event dnp3_application_request_header(c: connection, is_orig: bool, application_
event dnp3_application_response_header(c: connection, is_orig: bool, application_control: count, fc: count, iin: count)
{
if ( ! c?$dnp3 )
{
c$dnp3 = [$ts=network_time(), $uid=c$uid, $id=c$id];
Conn::register_removal_hook(c, finalize_dnp3);
}
c$dnp3$ts = network_time();
c$dnp3$fc_reply = function_codes[fc];
@ -63,7 +73,7 @@ event dnp3_application_response_header(c: connection, is_orig: bool, application
delete c$dnp3;
}
event connection_state_remove(c: connection) &priority=-5
hook finalize_dnp3(c: connection)
{
if ( ! c?$dnp3 )
return;