Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge remote-tracking branch 'origin/topic/johanna/analyzer-log-proto'

Browse source 
* origin/topic/johanna/analyzer-log-proto:
  Add proto to analyzer.log
This commit is contained in:
Johanna Amann 2025-08-06 14:37:50 +01:00
commit 2f2f328a72
15 changed files with 43 additions and 33 deletions
Download patch file Download diff file Expand all files Collapse all files

7
CHANGES
View file

@ -1,3 +1,10 @@
8.1.0-dev.14 | 2025-08-06 14:37:50 +0100
* Add proto to analyzer.log (Johanna Amann, Corelight)
The analyzer.log file was missing the protocol field to distinguish
tcp/udp connections.
8.1.0-dev.12 | 2025-08-06 09:10:08 -0400 8.1.0-dev.12 | 2025-08-06 09:10:08 -0400
* GH-4722: Fix record coercion with compatible types (Evan Typanski, Corelight) * GH-4722: Fix record coercion with compatible types (Evan Typanski, Corelight)

2
VERSION
View file

@ -1 +1 @@
8.1.0-dev.12 8.1.0-dev.14

5
scripts/base/frameworks/analyzer/logging.zeek
View file

@ -23,8 +23,10 @@ export {
uid: string &log &optional; uid: string &log &optional;
## File UID if available. ## File UID if available.
fuid: string &log &optional; fuid: string &log &optional;
## Connection identifier if available ## Connection identifier if available.
id: conn_id &log &optional; id: conn_id &log &optional;
## Transport protocol for the violation, if available.
proto: transport_proto &log &optional;
## Failure or violation reason, if available. ## Failure or violation reason, if available.
failure_reason: string &log; failure_reason: string &log;
## Data causing failure or violation if available. Truncated ## Data causing failure or violation if available. Truncated
@ -62,6 +64,7 @@ function log_analyzer_failure(ts: time, atype: AllAnalyzers::Tag, info: Analyzer
{ {
rec$id = info$c$id; rec$id = info$c$id;
rec$uid = info$c$uid; rec$uid = info$c$uid;
rec$proto = get_port_transport_proto(info$c$id$orig_p);
} }
if ( info?$f ) if ( info?$f )

6
testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/analyzer.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path analyzer #path analyzer
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data #fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data
#types time string string string string addr port addr port string string #types time string string string string addr port addr port enum string string
XXXXXXXXXX.XXXXXX packet GTPV1 CHhAvVGS1DHFjwGM9 - 173.86.159.28 2152 213.72.147.186 2152 Truncated GTPv1 - XXXXXXXXXX.XXXXXX packet GTPV1 CHhAvVGS1DHFjwGM9 - 173.86.159.28 2152 213.72.147.186 2152 udp Truncated GTPv1 -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-empty-av-pair-seq/analyzer.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path analyzer #path analyzer
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data #fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data
#types time string string string string addr port addr port string string #types time string string string string addr port addr port enum string string
XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 NTLM AV Pair loop underflow - XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 tcp NTLM AV Pair loop underflow -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.dce-rpc.ntlm-unterminated-av-pair-seq/analyzer.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path analyzer #path analyzer
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data #fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data
#types time string string string string addr port addr port string string #types time string string string string addr port addr port enum string string
XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 NTLM AV Pair loop underflow - XXXXXXXXXX.XXXXXX protocol NTLM CHhAvVGS1DHFjwGM9 - 192.168.0.173 1068 192.168.0.2 4997 tcp NTLM AV Pair loop underflow -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-invalid-reply-code/analyzer.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path analyzer #path analyzer
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data #fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data
#types time string string string string addr port addr port string string #types time string string string string addr port addr port enum string string
XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51354 127.0.0.1 21 non-numeric reply code 99 PASV invalid XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51354 127.0.0.1 21 tcp non-numeric reply code 99 PASV invalid
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-reply-code/analyzer.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path analyzer #path analyzer
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data #fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data
#types time string string string string addr port addr port string string #types time string string string string addr port addr port enum string string
XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51344 127.0.0.1 21 non-numeric reply code SYST not supported XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51344 127.0.0.1 21 tcp non-numeric reply code SYST not supported
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.ftp.ftp-missing-space-after-reply-code/analyzer.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path analyzer #path analyzer
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data #fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data
#types time string string string string addr port addr port string string #types time string string string string addr port addr port enum string string
XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51346 127.0.0.1 21 invalid reply line 230_no_space XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 127.0.0.1 51346 127.0.0.1 21 tcp invalid reply line 230_no_space
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/scripts.base.protocols.http.http-11-request-then-cruft/analyzer.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path analyzer #path analyzer
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data #fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data
#types time string string string string addr port addr port string string #types time string string string string addr port addr port enum string string
XXXXXXXXXX.XXXXXX protocol HTTP CHhAvVGS1DHFjwGM9 - 192.168.12.5 51792 192.0.78.212 80 not a http request line - XXXXXXXXXX.XXXXXX protocol HTTP CHhAvVGS1DHFjwGM9 - 192.168.12.5 51792 192.0.78.212 80 tcp not a http request line -
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

4
testing/btest/Baseline/scripts.base.protocols.postgresql.bad-backend-message/analyzer.cut
View file

@ -1,3 +1,3 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data
1673270800.189652 protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 54958 127.0.0.1 5432 error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...) - 1673270800.189652 protocol POSTGRESQL CHhAvVGS1DHFjwGM9 - 127.0.0.1 54958 127.0.0.1 5432 tcp error while parsing PostgreSQL: &requires failed: (self.length >= 4) (...) -

6
testing/btest/Baseline/scripts.policy.frameworks.analyzer.packet-segment-logging/analyzer.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path analyzer #path analyzer
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data packet_segment #fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data packet_segment
#types time string string string string addr port addr port string string string #types time string string string string addr port addr port enum string string string
XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 2001:470:1f05:17a6:d69a:20ff:fefd:6b88 24316 2001:6a8:a40::21 21 non-numeric reply code SSH-2.0-mod_sftp/0.9.7 \xd4\x9a \xfdk\x88\x00\x80\xc8\xb9\xc2\x06\x86\xdd`\x00\x00\x00\x00t\x067 \x01\x06\xa8\x0a@\x00\x00\x00\x00\x00\x00\x00\x00\x00! \x01\x04p\x1f\x05\x17\xa6\xd6\x9a \xff\xfe\xfdk\x88\x00\x15^\xfc\x1f]\xed\x1b\xa9\x9f`\xf1P\x18\x00\x09~n\x00\x00SSH-2.0-mod_sftp/0.9.7\x0d\x0a\x00\x00\x00D\x08\x01\x00\x00\x00\x0c\x00\x00\x00)Maximum connections for host/user reached\x00\x00\x00\x05en-USI\xf8\xb9C\xae\xcf`\xc4 XXXXXXXXXX.XXXXXX protocol FTP CHhAvVGS1DHFjwGM9 - 2001:470:1f05:17a6:d69a:20ff:fefd:6b88 24316 2001:6a8:a40::21 21 tcp non-numeric reply code SSH-2.0-mod_sftp/0.9.7 \xd4\x9a \xfdk\x88\x00\x80\xc8\xb9\xc2\x06\x86\xdd`\x00\x00\x00\x00t\x067 \x01\x06\xa8\x0a@\x00\x00\x00\x00\x00\x00\x00\x00\x00! \x01\x04p\x1f\x05\x17\xa6\xd6\x9a \xff\xfe\xfdk\x88\x00\x15^\xfc\x1f]\xed\x1b\xa9\x9f`\xf1P\x18\x00\x09~n\x00\x00SSH-2.0-mod_sftp/0.9.7\x0d\x0a\x00\x00\x00D\x08\x01\x00\x00\x00\x0c\x00\x00\x00)Maximum connections for host/user reached\x00\x00\x00\x05en-USI\xf8\xb9C\xae\xcf`\xc4
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

6
testing/btest/Baseline/spicy.parse-error/analyzer.log
View file

@ -5,7 +5,7 @@
#unset_field - #unset_field -
#path analyzer #path analyzer
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p failure_reason failure_data #fields ts analyzer_kind analyzer_name uid fuid id.orig_h id.orig_p id.resp_h id.resp_p proto failure_reason failure_data
#types time string string string string addr port addr port string string #types time string string string string addr port addr port enum string string
XXXXXXXXXX.XXXXXX protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 192.150.186.169 49244 131.159.14.23 22 failed to match regular expression (<...>/test.spicy:9:15-9:22) SSH-2.0-OpenSSH_3.8.1p1\x0a XXXXXXXXXX.XXXXXX protocol SPICY_SSH CHhAvVGS1DHFjwGM9 - 192.150.186.169 49244 131.159.14.23 22 tcp failed to match regular expression (<...>/test.spicy:9:15-9:22) SSH-2.0-OpenSSH_3.8.1p1\x0a
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

2
testing/external/commit-hash.zeek-testing vendored
View file

@ -1 +1 @@
270d4b46fa1ab9f2951c2945937bdf739e864304 6dafc6fd68d9821f33b7f8f4d7d4d877b5827ae3

2
testing/external/commit-hash.zeek-testing-private vendored
View file

@ -1 +1 @@
034c859753b435dc2a6368fa46ecf3e92c98d9da 1edbd3ae959471e8573c9edc0374235727970710