Merge remote-tracking branch 'origin/topic/johanna/remove-stepping-stone'
* origin/topic/johanna/remove-stepping-stone: Remove the Stepping Stone analyzer
commit
30973af94a
19 changed files with 10 additions and 429 deletions
9
CHANGES
9
CHANGES
|
@ -1,3 +1,12 @@
|
|||
4.1.0-dev.750 | 2021-06-21 16:14:03 -0700
|
||||
|
||||
* Remove the Stepping Stone analyzer
|
||||
|
||||
This commit removes the stepping stone analyzer. It has been deactivated
|
||||
by default since at least Zeek 2.0, is dysfunctional in cluster settings
|
||||
and has a bunch of other issued.
|
||||
|
||||
Relates to GH-1573 (Johanna Amann, Corelight)
|
||||
|
||||
4.1.0-dev.748 | 2021-06-21 15:41:29 -0700
|
||||
|
||||
|
|
2
VERSION
2
VERSION
|
@ -1 +1 @@
|
|||
4.1.0-dev.748
|
||||
4.1.0-dev.750
|
||||
|
|
|
@ -124,7 +124,6 @@ export {
|
|||
## A set of analyzers to disable by default at startup. The default set
|
||||
## contains legacy analyzers that are no longer supported.
|
||||
global disabled_analyzers: set[Analyzer::Tag] = {
|
||||
ANALYZER_STEPPINGSTONE,
|
||||
ANALYZER_TCPSTATS,
|
||||
} &redef;
|
||||
}
|
||||
|
|
|
@ -4118,15 +4118,6 @@ type PE::SectionHeader: record {
|
|||
}
|
||||
module GLOBAL;
|
||||
|
||||
## Internal to the stepping stone detector.
|
||||
const stp_delta: interval &redef;
|
||||
|
||||
## Internal to the stepping stone detector.
|
||||
const stp_idle_min: interval &redef;
|
||||
|
||||
## Internal to the stepping stone detector.
|
||||
global stp_skip_src: set[addr] &redef;
|
||||
|
||||
## Description of a signature match.
|
||||
##
|
||||
## .. zeek:see:: signature_match
|
||||
|
|
|
@ -157,9 +157,6 @@ int dns_skip_all_auth;
|
|||
int dns_skip_all_addl;
|
||||
int dns_max_queries;
|
||||
|
||||
double stp_delta;
|
||||
double stp_idle_min;
|
||||
|
||||
double table_expire_interval;
|
||||
double table_expire_delay;
|
||||
int table_incremental_step;
|
||||
|
@ -312,11 +309,6 @@ void init_net_var()
|
|||
dns_skip_all_addl = id::find_val("dns_skip_all_addl")->AsBool();
|
||||
dns_max_queries = id::find_val("dns_max_queries")->AsCount();
|
||||
|
||||
stp_delta = 0.0;
|
||||
if ( const auto& v = id::find_val("stp_delta") ) stp_delta = v->AsInterval();
|
||||
stp_idle_min = 0.0;
|
||||
if ( const auto& v = id::find_val("stp_idle_min") ) stp_delta = v->AsInterval();
|
||||
|
||||
orig_addr_anonymization = 0;
|
||||
if ( const auto& id = id::find("orig_addr_anonymization") )
|
||||
if ( const auto& v = id->GetVal() )
|
||||
|
|
|
@ -59,8 +59,6 @@ extern int dns_skip_all_auth;
|
|||
extern int dns_skip_all_addl;
|
||||
extern int dns_max_queries;
|
||||
|
||||
extern double stp_delta;
|
||||
extern double stp_idle_min;
|
||||
extern double table_expire_interval;
|
||||
extern double table_expire_delay;
|
||||
extern int table_incremental_step;
|
||||
|
|
|
@ -37,7 +37,6 @@ extern "C" {
|
|||
#include "zeek/plugin/Manager.h"
|
||||
#include "zeek/broker/Manager.h"
|
||||
#include "zeek/packet_analysis/Manager.h"
|
||||
#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
|
||||
|
||||
extern "C" {
|
||||
extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
|
||||
|
@ -46,8 +45,6 @@ extern int select(int, fd_set *, fd_set *, fd_set *, struct timeval *);
|
|||
static double last_watchdog_proc_time = 0.0; // value of above during last watchdog
|
||||
extern int signal_val;
|
||||
|
||||
using namespace zeek::analyzer::stepping_stone;
|
||||
|
||||
namespace zeek::run_state {
|
||||
namespace detail {
|
||||
|
||||
|
@ -197,9 +194,6 @@ void init_run(const std::optional<std::string>& interface,
|
|||
|
||||
session_mgr = new session::Manager();
|
||||
|
||||
// Initialize the stepping stone manager. We intentionally throw away the result here.
|
||||
SteppingStoneManager::Get();
|
||||
|
||||
if ( do_watchdog )
|
||||
{
|
||||
// Set up the watchdog to make sure we don't wedge.
|
||||
|
@ -414,7 +408,6 @@ void delete_run()
|
|||
util::detail::set_processing_status("TERMINATING", "delete_run");
|
||||
|
||||
delete session_mgr;
|
||||
delete SteppingStoneManager::Get();
|
||||
|
||||
for ( int i = 0; i < zeek::detail::NUM_ADDR_ANONYMIZATION_METHODS; ++i )
|
||||
delete zeek::detail::ip_anonymizer[i];
|
||||
|
|
|
@ -9,7 +9,6 @@
|
|||
|
||||
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
|
||||
#include "zeek/analyzer/protocol/pia/PIA.h"
|
||||
#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
|
||||
#include "zeek/analyzer/protocol/tcp/TCP.h"
|
||||
#include "zeek/packet_analysis/protocol/ip/IPBasedAnalyzer.h"
|
||||
#include "zeek/packet_analysis/protocol/ip/SessionAdapter.h"
|
||||
|
|
|
@ -40,7 +40,6 @@ add_subdirectory(snmp)
|
|||
add_subdirectory(socks)
|
||||
add_subdirectory(ssh)
|
||||
add_subdirectory(ssl)
|
||||
add_subdirectory(stepping-stone)
|
||||
add_subdirectory(syslog)
|
||||
add_subdirectory(tcp)
|
||||
add_subdirectory(teredo)
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
|
||||
include(ZeekPlugin)
|
||||
|
||||
include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
|
||||
|
||||
zeek_plugin_begin(Zeek SteppingStone)
|
||||
zeek_plugin_cc(SteppingStone.cc Plugin.cc)
|
||||
zeek_plugin_bif(events.bif)
|
||||
zeek_plugin_end()
|
|
@ -1,22 +0,0 @@
|
|||
// See the file in the main distribution directory for copyright.
|
||||
|
||||
#include "zeek/plugin/Plugin.h"
|
||||
#include "zeek/analyzer/Component.h"
|
||||
#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
|
||||
|
||||
namespace zeek::plugin::detail::Zeek_SteppingStone {
|
||||
|
||||
class Plugin : public zeek::plugin::Plugin {
|
||||
public:
|
||||
zeek::plugin::Configuration Configure() override
|
||||
{
|
||||
AddComponent(new zeek::analyzer::Component("SteppingStone", zeek::analyzer::stepping_stone::SteppingStone_Analyzer::Instantiate));
|
||||
|
||||
zeek::plugin::Configuration config;
|
||||
config.name = "Zeek::SteppingStone";
|
||||
config.description = "Stepping stone analyzer";
|
||||
return config;
|
||||
}
|
||||
} plugin;
|
||||
|
||||
} // namespace zeek::plugin::detail::Zeek_SteppingStone
|
|
@ -1,227 +0,0 @@
|
|||
// See the file "COPYING" in the main distribution directory for copyright.
|
||||
|
||||
#include "zeek/zeek-config.h"
|
||||
#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
|
||||
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "zeek/Event.h"
|
||||
#include "zeek/RunState.h"
|
||||
#include "zeek/NetVar.h"
|
||||
#include "zeek/analyzer/protocol/tcp/TCP.h"
|
||||
#include "zeek/util.h"
|
||||
|
||||
#include "zeek/analyzer/protocol/stepping-stone/events.bif.h"
|
||||
|
||||
namespace zeek::analyzer::stepping_stone {
|
||||
|
||||
SteppingStoneManager* SteppingStoneManager::instance = nullptr;
|
||||
|
||||
SteppingStoneEndpoint::SteppingStoneEndpoint(analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m)
|
||||
{
|
||||
endp = e;
|
||||
stp_max_top_seq = 0;
|
||||
stp_last_time = stp_resume_time = 0.0;
|
||||
stp_manager = m;
|
||||
stp_id = stp_manager->NextID();
|
||||
|
||||
CreateEndpEvent(e->IsOrig());
|
||||
|
||||
// Make sure the connection does not get deleted.
|
||||
Ref(endp->TCP()->Conn());
|
||||
}
|
||||
|
||||
SteppingStoneEndpoint::~SteppingStoneEndpoint()
|
||||
{
|
||||
Unref(endp->TCP()->Conn());
|
||||
}
|
||||
|
||||
void SteppingStoneEndpoint::Done()
|
||||
{
|
||||
if ( RefCnt() > 1 )
|
||||
return;
|
||||
|
||||
SteppingStoneEndpoint* ep;
|
||||
|
||||
for ( const auto& entry : stp_inbound_endps )
|
||||
{
|
||||
ep = entry.second;
|
||||
ep->stp_outbound_endps.erase(stp_id);
|
||||
Event(stp_remove_pair, ep->stp_id, stp_id);
|
||||
Unref(ep);
|
||||
}
|
||||
|
||||
for ( const auto& entry : stp_outbound_endps )
|
||||
{
|
||||
ep = entry.second;
|
||||
ep->stp_inbound_endps.erase(stp_id);
|
||||
Event(stp_remove_pair, stp_id, ep->stp_id);
|
||||
Unref(ep);
|
||||
}
|
||||
|
||||
Event(stp_remove_endp, stp_id);
|
||||
}
|
||||
|
||||
bool SteppingStoneEndpoint::DataSent(double t, uint64_t seq, int len, int caplen,
|
||||
const u_char* data, const IP_Hdr* /* ip */,
|
||||
const struct tcphdr* tp)
|
||||
{
|
||||
if ( caplen < len )
|
||||
len = caplen;
|
||||
|
||||
if ( len <= 0 )
|
||||
return false;
|
||||
|
||||
double tmin = t - zeek::detail::stp_delta;
|
||||
|
||||
while ( ! stp_manager->OrderedEndpoints().empty() )
|
||||
{
|
||||
auto e = stp_manager->OrderedEndpoints().front();
|
||||
|
||||
if ( e->stp_resume_time < tmin )
|
||||
{
|
||||
stp_manager->OrderedEndpoints().pop_front();
|
||||
e->Done();
|
||||
Unref(e);
|
||||
}
|
||||
else
|
||||
break;
|
||||
}
|
||||
|
||||
uint64_t ack = endp->ToRelativeSeqSpace(endp->AckSeq(), endp->AckWraps());
|
||||
uint64_t top_seq = seq + len;
|
||||
|
||||
if ( top_seq <= ack || top_seq <= stp_max_top_seq )
|
||||
// There is no new data in this packet
|
||||
return false;
|
||||
|
||||
stp_max_top_seq = top_seq;
|
||||
|
||||
if ( stp_last_time && t <= stp_last_time + zeek::detail::stp_idle_min )
|
||||
{
|
||||
stp_last_time = t;
|
||||
return true;
|
||||
}
|
||||
|
||||
// Either just starts, or resumes from an idle period.
|
||||
stp_last_time = stp_resume_time = t;
|
||||
|
||||
Event(stp_resume_endp, stp_id);
|
||||
for ( auto ep : stp_manager->OrderedEndpoints() )
|
||||
{
|
||||
if ( ep->endp->TCP() != endp->TCP() )
|
||||
{
|
||||
Ref(ep);
|
||||
Ref(this);
|
||||
|
||||
stp_inbound_endps[ep->stp_id] = ep;
|
||||
ep->stp_outbound_endps[stp_id] = this;
|
||||
|
||||
Event(stp_correlate_pair, ep->stp_id, stp_id);
|
||||
}
|
||||
|
||||
else
|
||||
{ // ep and this belong to same connection
|
||||
}
|
||||
}
|
||||
|
||||
stp_manager->OrderedEndpoints().push_back(this);
|
||||
Ref(this);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
void SteppingStoneEndpoint::Event(EventHandlerPtr f, int id1, int id2)
|
||||
{
|
||||
if ( ! f )
|
||||
return;
|
||||
|
||||
if ( id2 >= 0 )
|
||||
endp->TCP()->EnqueueConnEvent(f, val_mgr->Int(id1), val_mgr->Int(id2));
|
||||
else
|
||||
endp->TCP()->EnqueueConnEvent(f, val_mgr->Int(id1));
|
||||
}
|
||||
|
||||
void SteppingStoneEndpoint::CreateEndpEvent(bool is_orig)
|
||||
{
|
||||
if ( ! stp_create_endp )
|
||||
return;
|
||||
|
||||
endp->TCP()->EnqueueConnEvent(stp_create_endp,
|
||||
endp->TCP()->ConnVal(),
|
||||
val_mgr->Int(stp_id),
|
||||
val_mgr->Bool(is_orig)
|
||||
);
|
||||
}
|
||||
|
||||
SteppingStone_Analyzer::SteppingStone_Analyzer(Connection* c)
|
||||
: analyzer::tcp::TCP_ApplicationAnalyzer("STEPPINGSTONE", c)
|
||||
{
|
||||
stp_manager = SteppingStoneManager::Get();
|
||||
|
||||
orig_endp = resp_endp = nullptr;
|
||||
orig_stream_pos = resp_stream_pos = 1;
|
||||
}
|
||||
|
||||
void SteppingStone_Analyzer::Init()
|
||||
{
|
||||
analyzer::tcp::TCP_ApplicationAnalyzer::Init();
|
||||
|
||||
assert(TCP());
|
||||
orig_endp = new SteppingStoneEndpoint(TCP()->Orig(), stp_manager);
|
||||
resp_endp = new SteppingStoneEndpoint(TCP()->Resp(), stp_manager);
|
||||
}
|
||||
|
||||
void SteppingStone_Analyzer::DeliverPacket(int len, const u_char* data,
|
||||
bool is_orig, uint64_t seq,
|
||||
const IP_Hdr* ip, int caplen)
|
||||
{
|
||||
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverPacket(len, data, is_orig, seq,
|
||||
ip, caplen);
|
||||
|
||||
if ( is_orig )
|
||||
orig_endp->DataSent(run_state::network_time, seq, len, caplen, data, nullptr, nullptr);
|
||||
else
|
||||
resp_endp->DataSent(run_state::network_time, seq, len, caplen, data, nullptr, nullptr);
|
||||
}
|
||||
|
||||
void SteppingStone_Analyzer::DeliverStream(int len, const u_char* data,
|
||||
bool is_orig)
|
||||
{
|
||||
analyzer::tcp::TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
|
||||
|
||||
if ( is_orig )
|
||||
{
|
||||
orig_endp->DataSent(run_state::network_time, orig_stream_pos, len, len,
|
||||
data, nullptr, nullptr);
|
||||
orig_stream_pos += len;
|
||||
}
|
||||
|
||||
else
|
||||
{
|
||||
resp_endp->DataSent(run_state::network_time, resp_stream_pos, len, len,
|
||||
data, nullptr, nullptr);
|
||||
resp_stream_pos += len;
|
||||
}
|
||||
}
|
||||
|
||||
void SteppingStone_Analyzer::Done()
|
||||
{
|
||||
analyzer::tcp::TCP_ApplicationAnalyzer::Done();
|
||||
|
||||
orig_endp->Done();
|
||||
resp_endp->Done();
|
||||
|
||||
Unref(orig_endp);
|
||||
Unref(resp_endp);
|
||||
}
|
||||
|
||||
SteppingStoneManager* SteppingStoneManager::Get()
|
||||
{
|
||||
if ( ! instance && stp_correlate_pair )
|
||||
instance = new SteppingStoneManager();
|
||||
|
||||
return instance;
|
||||
}
|
||||
|
||||
} // namespace zeek::analyzer::stepping_stone
|
|
@ -1,91 +0,0 @@
|
|||
// See the file "COPYING" in the main distribution directory for copyright.
|
||||
|
||||
#pragma once
|
||||
|
||||
#include <deque>
|
||||
|
||||
#include "zeek/analyzer/protocol/tcp/TCP.h"
|
||||
|
||||
namespace zeek {
|
||||
|
||||
namespace analyzer::stepping_stone {
|
||||
|
||||
class SteppingStoneEndpoint;
|
||||
class SteppingStoneManager;
|
||||
|
||||
class SteppingStoneEndpoint : public Obj {
|
||||
public:
|
||||
SteppingStoneEndpoint(analyzer::tcp::TCP_Endpoint* e, SteppingStoneManager* m);
|
||||
~SteppingStoneEndpoint() override;
|
||||
void Done();
|
||||
|
||||
bool DataSent(double t, uint64_t seq, int len, int caplen, const u_char* data,
|
||||
const IP_Hdr* ip, const struct tcphdr* tp);
|
||||
|
||||
protected:
|
||||
void Event(EventHandlerPtr f, int id1, int id2 = -1);
|
||||
void CreateEndpEvent(bool is_orig);
|
||||
|
||||
analyzer::tcp::TCP_Endpoint* endp;
|
||||
uint64_t stp_max_top_seq;
|
||||
double stp_last_time;
|
||||
double stp_resume_time;
|
||||
SteppingStoneManager* stp_manager;
|
||||
|
||||
// Hashes for inbound/outbound endpoints that are correlated
|
||||
// at least once with this endpoint. They are necessary for
|
||||
// removing correlated endpoint pairs in Bro, since there is
|
||||
// no LOOP in Bro language.
|
||||
int stp_id;
|
||||
std::map<int, SteppingStoneEndpoint*> stp_inbound_endps;
|
||||
std::map<int, SteppingStoneEndpoint*> stp_outbound_endps;
|
||||
};
|
||||
|
||||
class SteppingStone_Analyzer : public analyzer::tcp::TCP_ApplicationAnalyzer {
|
||||
public:
|
||||
explicit SteppingStone_Analyzer(Connection* c);
|
||||
~SteppingStone_Analyzer() override {};
|
||||
|
||||
void Init() override;
|
||||
void Done() override;
|
||||
|
||||
static analyzer::Analyzer* Instantiate(Connection* conn)
|
||||
{ return new SteppingStone_Analyzer(conn); }
|
||||
|
||||
protected:
|
||||
// We support both packet and stream input and can be put in place even
|
||||
// if the TCP analyzer is not yet reassebmling.
|
||||
void DeliverPacket(int len, const u_char* data, bool is_orig,
|
||||
uint64_t seq, const IP_Hdr* ip, int caplen) override;
|
||||
void DeliverStream(int len, const u_char* data, bool is_orig) override;
|
||||
|
||||
int orig_stream_pos;
|
||||
int resp_stream_pos;
|
||||
|
||||
SteppingStoneManager* stp_manager;
|
||||
SteppingStoneEndpoint* orig_endp;
|
||||
SteppingStoneEndpoint* resp_endp;
|
||||
};
|
||||
|
||||
// Manages ids for the possible stepping stone connections.
|
||||
class SteppingStoneManager {
|
||||
public:
|
||||
|
||||
using EndpointQueue = std::deque<SteppingStoneEndpoint*>;
|
||||
|
||||
EndpointQueue& OrderedEndpoints() { return ordered_endps; }
|
||||
|
||||
// Use postfix ++, since the first ID needs to be even.
|
||||
int NextID() { return endp_cnt++; }
|
||||
|
||||
static SteppingStoneManager* Get();
|
||||
|
||||
protected:
|
||||
EndpointQueue ordered_endps;
|
||||
int endp_cnt = 0;
|
||||
|
||||
static SteppingStoneManager* instance;
|
||||
};
|
||||
|
||||
} // namespace analyzer::stepping_stone
|
||||
} // namespace zeek
|
|
@ -1,17 +0,0 @@
|
|||
## Deprecated. Will be removed.
|
||||
event stp_create_endp%(c: connection, e: int, is_orig: bool%);
|
||||
|
||||
# ##### Internal events. Not further documented.
|
||||
|
||||
## Event internal to the stepping stone detector.
|
||||
event stp_resume_endp%(e: int%);
|
||||
|
||||
## Event internal to the stepping stone detector.
|
||||
event stp_correlate_pair%(e1: int, e2: int%);
|
||||
|
||||
## Event internal to the stepping stone detector.
|
||||
event stp_remove_pair%(e1: int, e2: int%);
|
||||
|
||||
## Event internal to the stepping stone detector.
|
||||
event stp_remove_endp%(e: int%);
|
||||
|
|
@ -10,7 +10,6 @@
|
|||
#include "zeek/analyzer/protocol/tcp/TCP_Flags.h"
|
||||
#include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
|
||||
#include "zeek/analyzer/protocol/pia/PIA.h"
|
||||
#include "zeek/analyzer/protocol/stepping-stone/SteppingStone.h"
|
||||
#include "zeek/analyzer/protocol/conn-size/ConnSize.h"
|
||||
#include "zeek/packet_analysis/protocol/tcp/TCP.h"
|
||||
|
||||
|
@ -1604,7 +1603,6 @@ bool TCPSessionAdapter::IsReuse(double t, const u_char* pkt)
|
|||
void TCPSessionAdapter::AddExtraAnalyzers(Connection* conn)
|
||||
{
|
||||
static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
|
||||
static analyzer::Tag analyzer_stepping = analyzer_mgr->GetComponentTag("STEPPINGSTONE");
|
||||
static analyzer::Tag analyzer_tcpstats = analyzer_mgr->GetComponentTag("TCPSTATS");
|
||||
|
||||
// We have to decide whether to reassamble the stream.
|
||||
|
@ -1634,24 +1632,6 @@ void TCPSessionAdapter::AddExtraAnalyzers(Connection* conn)
|
|||
if ( reass )
|
||||
EnableReassembly();
|
||||
|
||||
if ( analyzer_mgr->IsEnabled(analyzer_stepping) )
|
||||
{
|
||||
// Add a SteppingStone analyzer if requested. The port
|
||||
// should really not be hardcoded here, but as it can
|
||||
// handle non-reassembled data, it doesn't really fit into
|
||||
// our general framing ... Better would be to turn it
|
||||
// on *after* we discover we have interactive traffic.
|
||||
uint16_t resp_port = ntohs(Conn()->RespPort());
|
||||
if ( resp_port == 22 || resp_port == 23 || resp_port == 513 )
|
||||
{
|
||||
static auto stp_skip_src = id::find_val<TableVal>("stp_skip_src");
|
||||
auto src = make_intrusive<AddrVal>(Conn()->OrigAddr());
|
||||
|
||||
if ( ! stp_skip_src->FindOrDefault(src) )
|
||||
AddChildAnalyzer(new analyzer::stepping_stone::SteppingStone_Analyzer(conn), false);
|
||||
}
|
||||
}
|
||||
|
||||
if ( analyzer_mgr->IsEnabled(analyzer_tcpstats) )
|
||||
// Add TCPStats analyzer. This needs to see packets so
|
||||
// we cannot add it as a normal child.
|
||||
|
|
|
@ -26,8 +26,6 @@
|
|||
#include "zeek/iosource/IOSource.h"
|
||||
#include "zeek/packet_analysis/Manager.h"
|
||||
|
||||
#include "zeek/analyzer/protocol/stepping-stone/events.bif.h"
|
||||
|
||||
zeek::session::Manager* zeek::session_mgr = nullptr;
|
||||
zeek::session::Manager*& zeek::sessions = zeek::session_mgr;
|
||||
|
||||
|
|
|
@ -200,7 +200,6 @@ scripts/base/init-frameworks-and-bifs.zeek
|
|||
build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek
|
||||
build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek
|
||||
build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek
|
||||
build/scripts/base/bif/plugins/Zeek_SteppingStone.events.bif.zeek
|
||||
build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek
|
||||
build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
|
||||
build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
|
||||
|
|
|
@ -200,7 +200,6 @@ scripts/base/init-frameworks-and-bifs.zeek
|
|||
build/scripts/base/bif/plugins/Zeek_SSL.events.bif.zeek
|
||||
build/scripts/base/bif/plugins/Zeek_SSL.functions.bif.zeek
|
||||
build/scripts/base/bif/plugins/Zeek_SSL.consts.bif.zeek
|
||||
build/scripts/base/bif/plugins/Zeek_SteppingStone.events.bif.zeek
|
||||
build/scripts/base/bif/plugins/Zeek_Syslog.events.bif.zeek
|
||||
build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
|
||||
build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> <no result>
|
||||
|
@ -66,7 +65,6 @@
|
|||
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
|
||||
0.000000 MetaHookPost CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> <no result>
|
||||
|
@ -776,7 +774,6 @@
|
|||
0.000000 MetaHookPost LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> -1
|
||||
0.000000 MetaHookPost LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> -1
|
||||
0.000000 MetaHookPost LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> -1
|
||||
0.000000 MetaHookPost LoadFile(0, ./Zeek_SteppingStone.events.bif.zeek, <...>/Zeek_SteppingStone.events.bif.zeek) -> -1
|
||||
0.000000 MetaHookPost LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> -1
|
||||
0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> -1
|
||||
0.000000 MetaHookPost LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1
|
||||
|
@ -1033,7 +1030,6 @@
|
|||
0.000000 MetaHookPost QueueEvent(NetControl::init()) -> false
|
||||
0.000000 MetaHookPost QueueEvent(filter_change_tracking()) -> false
|
||||
0.000000 MetaHookPost QueueEvent(zeek_init()) -> false
|
||||
0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE))
|
||||
0.000000 MetaHookPre CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
|
||||
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
|
||||
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp))
|
||||
|
@ -1100,7 +1096,6 @@
|
|||
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
|
||||
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
|
||||
0.000000 MetaHookPre CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
|
||||
0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE))
|
||||
0.000000 MetaHookPre CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
|
||||
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
|
||||
0.000000 MetaHookPre CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp))
|
||||
|
@ -1810,7 +1805,6 @@
|
|||
0.000000 MetaHookPre LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek)
|
||||
0.000000 MetaHookPre LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek)
|
||||
0.000000 MetaHookPre LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek)
|
||||
0.000000 MetaHookPre LoadFile(0, ./Zeek_SteppingStone.events.bif.zeek, <...>/Zeek_SteppingStone.events.bif.zeek)
|
||||
0.000000 MetaHookPre LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek)
|
||||
0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
|
||||
0.000000 MetaHookPre LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
|
||||
|
@ -2067,7 +2061,6 @@
|
|||
0.000000 MetaHookPre QueueEvent(NetControl::init())
|
||||
0.000000 MetaHookPre QueueEvent(filter_change_tracking())
|
||||
0.000000 MetaHookPre QueueEvent(zeek_init())
|
||||
0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
|
||||
0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
|
||||
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
|
||||
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp)
|
||||
|
@ -2134,7 +2127,6 @@
|
|||
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
|
||||
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
|
||||
0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
|
||||
0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
|
||||
0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
|
||||
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
|
||||
0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp)
|
||||
|
@ -2843,7 +2835,6 @@
|
|||
0.000000 | HookLoadFile ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek
|
||||
0.000000 | HookLoadFile ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek
|
||||
0.000000 | HookLoadFile ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek
|
||||
0.000000 | HookLoadFile ./Zeek_SteppingStone.events.bif.zeek <...>/Zeek_SteppingStone.events.bif.zeek
|
||||
0.000000 | HookLoadFile ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek
|
||||
0.000000 | HookLoadFile ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
|
||||
0.000000 | HookLoadFile ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
|
||||
|
|