Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Allow to track service violations in conn.log.

Browse source 
This introduces ian options, DPD::track_removed_services_in_connection.
It adds failed services to the services column, prefixed with a
"-".

Alternatively, this commit also adds
policy/protocols/conn/failed-services.zeek, which provides the same
information in a new column in conn.log.
This commit is contained in:
Johanna Amann 2025-01-30 16:32:32 +00:00
parent ac7bbe6949
commit 2f712c3c24
8 changed files with 67 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

19
scripts/base/frameworks/analyzer/dpd.zeek
View file

@ -35,13 +35,16 @@ export {
## Ignore violations which go this many bytes into the connection.
## Set to 0 to never ignore protocol violations.
option ignore_violations_after = 10 * 1024;
## Add removed services to conn.log, with a - in front of them.
option track_removed_services_in_connection = F;
}
redef record connection += {
dpd: Info &optional;
## The set of services (analyzers) for which Zeek has observed a
## violation after the same service had previously been confirmed.
service_violation: set[string] &default=set();
service_violation: set[string] &default=set() &ordered;
};
event zeek_init() &priority=5
@ -77,9 +80,6 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
if ( analyzer !in c$service || analyzer in c$service_violation )
return;
# No longer delete a service once it has been confirmed.
# FIXME: track failed analyzers somehow - either by changing how they are logged, or by adding a new column
# delete c$service[analyzer];
add c$service_violation[analyzer];
local dpd: Info;
@ -120,7 +120,16 @@ event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationI
if ( ignore_violations_after > 0 && size > ignore_violations_after )
return;
disable_analyzer(c$id, aid, F);
local disabled = disable_analyzer(c$id, aid, F);
# add "-service" to the list of services on removal due to violation, if analyzer was confirmed before
if ( track_removed_services_in_connection && disabled && Analyzer::name(atype) in c$service )
{
local rname = fmt("-%s", Analyzer::name(atype));
if ( rname !in c$service )
add c$service[rname];
}
}
event analyzer_violation_info(atype: AllAnalyzers::Tag, info: AnalyzerViolationInfo ) &priority=-5