Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

GH-1119: add base/protcols/conn/removal-hooks.zeek

Browse source 
This adds two new functions: `Conn::register_removal_hook()` and
`Conn::unregister_removal_hook()` for registering a hook function to be
called back during `connection_state_remove`.  The benefit of using hook
callback approach is better scalability: the overhead of unrelated
protocols having to dispatch no-op `connection_state_remove` handlers is
avoided.
This commit is contained in:
Jon Siwek 2020-09-10 21:19:14 -07:00
parent 49e2047da0
commit 05cf511f18
31 changed files with 659 additions and 386 deletions
Download patch file Download diff file Expand all files Collapse all files

9
scripts/base/protocols/ntlm/main.zeek
View file

@ -1,4 +1,5 @@
@load base/frameworks/dpd
@load base/protocols/conn/removal-hooks
module NTLM;
@ -34,6 +35,9 @@ export {
## has already been logged.
done: bool &default=F;
};
## NTLM finalization hook. Remaining NTLM info may get logged when it's called.
global finalize_ntlm: Conn::RemovalHook;
}
redef DPD::ignore_violations += { Analyzer::ANALYZER_NTLM };
@ -50,7 +54,10 @@ event zeek_init() &priority=5
function set_session(c: connection)
{
if ( ! c?$ntlm )
{
c$ntlm = NTLM::Info($ts=network_time(), $uid=c$uid, $id=c$id);
Conn::register_removal_hook(c, finalize_ntlm);
}
}
event ntlm_negotiate(c: connection, request: NTLM::Negotiate) &priority=5
@ -106,7 +113,7 @@ event gssapi_neg_result(c: connection, state: count) &priority=-3
}
}
event connection_state_remove(c: connection) &priority=-5
hook finalize_ntlm(c: connection)
{
if ( c?$ntlm && ! c$ntlm$done )
{