DPD: change policy script for service violation logging; add NEWS

This commit renames the `service_violation` column that can be added via a policy script to `failed_service`. This expresses the intent of it better - the column contains services that failed and were removed after confirmation. Furthermore, the script is fixed so it actually does this - before it would sometimes add services to the list that were not actually removed. In the course of this, the type of the column was changed from a vector to an ordered set. Due to the column rename, the policy script itself is also renamed. Also adds a NEWS entry for the DPD changes.
2025-10-02 06:38:20 +00:00 · 2025-02-05 16:42:26 +00:00 · 2025-02-05 16:42:26 +00:00 · 0fa1ecce8f
commit 0fa1ecce8f
parent e3493bc110
7 changed files with 84 additions and 32 deletions
--- a/scripts/policy/protocols/conn/failed-service-logging.zeek
+++ b/scripts/policy/protocols/conn/failed-service-logging.zeek
@ -0,0 +1,38 @@
+##! This script adds the new column ``failed_service`` to the connection log.
+##! The column contains the list of protocols in a connection that raised protocol
+##! violations causing the analyzer to be removed. Protocols are listed in order
+##! that they were removed.
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Conn::Info += {
+	## List of analyzers in a connection that raised violations
+	## causing their removal.
+	## Analyzers are listed in order that they were removed.
+	failed_service: set[string] &log &optional &ordered;
+};
+
+hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=-1000
+	{
+	if ( ! is_protocol_analyzer(atype) && ! is_packet_analyzer(atype) )
+		return;
+
+
+	# Only add if previously confirmed
+	if ( Analyzer::name(atype) !in c$service )
+		return;
+
+	set_conn(c, F);
+
+	local aname = to_lower(Analyzer::name(atype));
+	# No duplicate logging
+	if ( c$conn?$failed_service && aname in c$conn$failed_service )
+		return;
+
+	if ( ! c$conn?$failed_service )
+		c$conn$failed_service = set();
+
+	add c$conn$failed_service[aname];
+	}
--- a/scripts/policy/protocols/conn/service-violation-logging.zeek
+++ b/scripts/policy/protocols/conn/service-violation-logging.zeek
@ -1,27 +0,0 @@
-##! This script adds the new column ``service_violation`` to the connection log.
-##! The column contains the list of protocols in a connection that raised protocol
-##! violations causing the analyzer to be removed. Protocols are listed in order
-##! that they were removed.
-
-@load base/protocols/conn
-
-module Conn;
-
-redef record Conn::Info += {
-	## List of protocols in a connection that raised protocol violations
-	## causing the analyzer to be removed.
-	## Protocols are listed in order that they were removed.
-	service_violation: vector of string  &log &optional;
-};
-
-# Not using connection removal hook, as this has to run for every connection.
-event connection_state_remove(c: connection) &priority=4
-	{
-	if ( c?$conn && |c$service_violation| > 0 )
-		{
-		c$conn$service_violation = {};
-		local sv: string;
-		for ( sv in c$service_violation)
-			c$conn$service_violation += to_lower(sv);
-		}
-	}
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@ -98,7 +98,7 @@
@load misc/unknown-protocols.zeek
@load protocols/conn/community-id-logging.zeek
@load protocols/conn/disable-unknown-ip-proto-support.zeek
-@load protocols/conn/service-violation-logging.zeek
+@load protocols/conn/failed-service-logging.zeek
@load protocols/conn/ip-proto-name-logging.zeek
@load protocols/conn/known-hosts.zeek
@load protocols/conn/known-services.zeek