Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'J-Gras/topic/jgras/add-unknown-proto-count'

Browse source 
* J-Gras/topic/jgras/add-unknown-proto-count:
  Add btest for unknown_protocols.log
  Add protocol_id count to unknown protocol record
This commit is contained in:
Tim Wojtulewicz 2024-12-10 16:15:57 -07:00
commit 0701895132
5 changed files with 34 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
CHANGES
View file

@ -1,3 +1,12 @@
7.1.0-dev.745 | 2024-12-10 16:15:57 -0700
* Add btest for unknown_protocols.log (Jan Grashoefer, Corelight)
* Add protocol_id count to unknown protocol record (Jan Grashoefer, Corelight)
The count representation is not logged and added for access to the value
in log policy hooks without converting the logged hex representation.
7.1.0-dev.742 | 2024-12-10 14:41:10 -0700 7.1.0-dev.742 | 2024-12-10 14:41:10 -0700
* NEWS tweaks [skip ci] (Christian Kreibich, Corelight) * NEWS tweaks [skip ci] (Christian Kreibich, Corelight)

2
VERSION
View file

@ -1 +1 @@
7.1.0-dev.742 7.1.0-dev.745

8
scripts/policy/misc/unknown-protocols.zeek
View file

@ -19,9 +19,14 @@ export {
## The string name of the analyzer attempting to forward the protocol. ## The string name of the analyzer attempting to forward the protocol.
analyzer: string &log; analyzer: string &log;
## The identifier of the protocol being forwarded. ## The identifier of the protocol being forwarded in hex notation.
protocol_id: string &log; protocol_id: string &log;
## The identifier of the protocol being forwarded as count.
## Note: The count value is not logged by default. It is provided for
## easy access in log policy hooks.
protocol_id_num: count;
## A certain number of bytes at the start of the unknown protocol's ## A certain number of bytes at the start of the unknown protocol's
## header. ## header.
first_bytes: string &log; first_bytes: string &log;
@ -40,6 +45,7 @@ event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: stri
info$ts = network_time(); info$ts = network_time();
info$analyzer = analyzer_name; info$analyzer = analyzer_name;
info$protocol_id = fmt("0x%x", protocol); info$protocol_id = fmt("0x%x", protocol);
info$protocol_id_num = protocol;
info$first_bytes = bytestring_to_hexstr(first_bytes); info$first_bytes = bytestring_to_hexstr(first_bytes);
info$analyzer_history = analyzer_history; info$analyzer_history = analyzer_history;

11
testing/btest/Baseline/core.unknown-protocol-log/unknown_protocols.log Normal file
View file

@ -0,0 +1,11 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path unknown_protocols
#open XXXX-XX-XX-XX-XX-XX
#fields ts analyzer protocol_id protocol_id_num first_bytes analyzer_history
#types time string string count string vector[string]
XXXXXXXXXX.XXXXXX ETHERNET 0x88cc 35020 02070400222d81db1004 ETHERNET
#close XXXX-XX-XX-XX-XX-XX

6
testing/btest/core/unknown-protocol-log.zeek Normal file
View file

@ -0,0 +1,6 @@
# @TEST-EXEC: zeek -b -r $TRACES/lldp.pcap %INPUT
# @TEST-EXEC: btest-diff unknown_protocols.log
@load misc/unknown-protocols
redef record UnknownProtocol::Info$protocol_id_num += { &log };