Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add packet analyzer history

Browse source
This commit is contained in:
Jan Grashoefer 2024-08-12 11:59:30 +02:00
parent f943366e8e
commit 29bc84e1d6
5 changed files with 45 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

9
scripts/policy/misc/unknown-protocols.zeek
View file

@ -25,16 +25,23 @@ export {
## A certain number of bytes at the start of the unknown protocol's
## header.
first_bytes: string &log;
## The chain of packet analyzers that processed the packet up to this
## point. This includes the history of encapsulating packets in case
## of tunneling.
analyzer_history: vector of string &log;
};
}
event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string)
event unknown_protocol(analyzer_name: string, protocol: count, first_bytes: string,
analyzer_history: string_vec)
{
local info : Info;
info$ts = network_time();
info$analyzer = analyzer_name;
info$protocol_id = fmt("0x%x", protocol);
info$first_bytes = bytestring_to_hexstr(first_bytes);
info$analyzer_history = analyzer_history;
Log::write(LOG, info);
}