Add DPD::max_violations option

This allows one to tune the number of protocol violations to tolerate
from any given analyzer type before just disabling a given instance
of it.

Also removes the "disabled_aids" field from the DPD::Info record
since it serves no purpose: in this case, calling disable_analyzer
multiple times for the same analyzer is a no-op.
Jon Siwek 2019-07-10 20:45:58 -07:00
parent b0b4a2ffb1
commit 07e0dba3c6
6 changed files with 399 additions and 317 deletions


@ -0,0 +1,10 @@
# This test is somewhat awkward -- it's just using a baseline of an http.log
# that would have otherwise logged a few more "400 Bad Request" responses if
# we had not throttled the protocol violation limit to zero and disabled the
# analyzer right away. But that's proof enough for this unit test that the
# DPD::max_violations option works.
# @TEST-EXEC: zeek -r $TRACES/http/methods.trace %INPUT
# @TEST-EXEC: btest-diff http.log
redef DPD::max_violations += { [Analyzer::ANALYZER_HTTP] = 0 };
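Review bot: the test proves the option only indirectly, through an http.log baseline that happens to contain fewer "400 Bad Request" responses, so a reader of the baseline cannot tell whether the HTTP analyzer was actually disabled after its first violation or whether the trace output changed for some other reason. Consider adding a direct check next to `@TEST-EXEC: btest-diff http.log`, for example a second `btest-diff` on the log that records the analyzer being disabled, or a small event handler in the test that prints once when the HTTP analyzer is disabled, so the baseline states what `DPD::max_violations` set to 0 did. It would also help to say in the comment that a limit of 0 means the analyzer is disabled on its very first violation; "throttled the protocol violation limit to zero" leaves that behaviour implicit.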