Allow to track service violations in conn.log.

This introduces ian options, DPD::track_removed_services_in_connection. It adds failed services to the services column, prefixed with a "-". Alternatively, this commit also adds policy/protocols/conn/failed-services.zeek, which provides the same information in a new column in conn.log.
2025-10-17 14:08:20 +00:00 · 2025-01-30 16:32:32 +00:00 · 2025-01-30 16:32:32 +00:00 · 2f712c3c24
commit 2f712c3c24
parent ac7bbe6949
8 changed files with 67 additions and 6 deletions
--- a/scripts/policy/protocols/conn/failed-services.zeek
+++ b/scripts/policy/protocols/conn/failed-services.zeek
@ -0,0 +1,27 @@
+##! This script adds the new column ``service_violation`` to the connection log.
+##! The column contains the list of protocols in a connection that raised protocol
+##! violations causing the analyzer to be removed. Protocols are listed in order
+##! that they were removed.
+
+@load base/protocols/conn
+
+module Conn;
+
+redef record Conn::Info += {
+	## List of protocols in a connection that raised protocol violations
+	## causing the analyzer to be removed.
+	## Protocols are listed in order that they were removed.
+	service_violation: vector of string  &log &optional;
+};
+
+# Not using connection removal hook, as this has to run for every connection.
+event connection_state_remove(c: connection) &priority=4
+	{
+	if ( c?$conn && |c$service_violation| > 0 )
+		{
+		c$conn$service_violation = {};
+		local sv: string;
+		for ( sv in c$service_violation)
+			c$conn$service_violation += to_lower(sv);
+		}
+	}