init-bare: Add conn_id_ctx to conn_id

This nested record can be used to discriminate between orig_h or resp_h
being observed in different "contexts". A context can be based on VLAN tags,
but any custom ConnKey implementation should populate the ctx field,
allowing context-aware Zeek scripts to be written without needing to know
what the context really is.
Arne Welzel 2025-06-27 12:49:51 +02:00
parent 5847a2d32e
commit 25fc4d5d98
3 changed files with 16 additions and 0 deletions

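--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -203,6 +203,15 @@ type transport_proto: enum {
 icmp ##< ICMP.
 };
+## A record type containing the context of a conn_id instance.
+##
+## This context is used to discriminate between :zeek:see:`conn_id` instances
+## with identical five tuples, but not otherwise related due to, e.g. being observed
+## on different VLANs, or within independent tunnel connections like VXLAN or Geneve.
+##
+## This record type is meant to be extended by custom ConnKey implementations.
+type conn_id_ctx: record { };
 ## A connection's identifying 4-tuple of endpoints and ports.
 ##
 ## .. note:: It's actually a 5-tuple: the transport-layer protocol is stored as
@@ -218,6 +227,7 @@ type conn_id: record {
 resp_h: addr &log; ##< The responder's IP address.
 resp_p: port &log; ##< The responder's port number.
 proto: count &default=65535; ##< The transport protocol ID. Defaults to 65535 as an "unknown" value.
+ctx: conn_id_ctx &log &default=conn_id_ctx(); ##< The context in which this connection exists.
 };
 ## The identifying 4-tuple of a uni-directional flow.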
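Review bot: The `&default=conn_id_ctx()` on the new `ctx` field in the second hunk only stays valid as long as every field later added to `conn_id_ctx` is `&optional` or carries its own `&default`; a mandatory field added through a record redef would, as far as I can tell, make that constructor call fail when the script loads, and the new doc comment on `conn_id_ctx` does not say so even though it invites such extensions. I would add to the `conn_id_ctx` docstring: `## Fields added to this record must be &optional or have a &default, since conn_id's ctx field is initialized with conn_id_ctx().` It would also help to note next to the `ctx` field that, if record equality includes `ctx` as the commit message implies, two `conn_id` values differing only in their context compare unequal, so scripts that key tables or sets by `conn$id` will keep separate entries per context. The `type conn_id: record {` definition starts outside the hunk shown.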

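--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -6,6 +6,9 @@ connection {
 * history: string, log=F, optional=F
 * id: record conn_id, log=F, optional=F
 conn_id {
+* ctx: record conn_id_ctx, log=T, optional=T
+conn_id_ctx {
+}
 * orig_h: addr, log=T, optional=F
 * orig_p: port, log=T, optional=F
 * proto: count, log=F, optional=T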

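--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -8,6 +8,9 @@ connection {
 * history: string, log=T, optional=T
 * id: record conn_id, log=T, optional=F
 conn_id {
+* ctx: record conn_id_ctx, log=T, optional=T
+conn_id_ctx {
+}
 * orig_h: addr, log=T, optional=F
 * orig_p: port, log=T, optional=F
 * proto: count, log=F, optional=T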