Add conn.log entries for connections with unhandled IP protocols

scripts/base/frameworks/notice/weird.zeek

@@ -448,7 +448,8 @@ event flow_weird(name: string, src: addr, dst: addr, addl: string, source: strin
 	# We add the source and destination as port 0/unknown because that is
 	# what fits best here.
 	local id = conn_id($orig_h=src, $orig_p=count_to_port(0, unknown_transport),
-	                   $resp_h=dst, $resp_p=count_to_port(0, unknown_transport));
+	                   $resp_h=dst, $resp_p=count_to_port(0, unknown_transport),
+	                   $proto=256);
 
 	local i = Info($ts=network_time(), $name=name, $id=id, $identifier=flow_id_string(src,dst));
 

scripts/base/init-bare.zeek

@@ -213,11 +213,12 @@ type transport_proto: enum {
 ##    see :ref:`the manual's description of the connection record
 ##    <writing-scripts-connection-record>`.
 type conn_id: record {
-	orig_h: addr;	##< The originator's IP address.
-	orig_p: port;	##< The originator's port number.
-	resp_h: addr;	##< The responder's IP address.
-	resp_p: port;	##< The responder's port number.
-} &log;
+	orig_h: addr &log;	##< The originator's IP address.
+	orig_p: port &log;	##< The originator's port number.
+	resp_h: addr &log;	##< The responder's IP address.
+	resp_p: port &log;	##< The responder's port number.
+	proto: count;
+};
 
 ## The identifying 4-tuple of a uni-directional flow.
 ##
@@ -1300,21 +1301,27 @@ const non_analyzed_lifetime = 0 secs &redef;
 ## If a TCP connection is inactive, time it out after this interval. If 0 secs,
 ## then don't time it out.
 ##
-## .. zeek:see:: udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
+## .. zeek:see:: udp_inactivity_timeout icmp_inactivity_timeout unknown_ip_inactivity_timeout set_inactivity_timeout
 const tcp_inactivity_timeout = 5 min &redef;
 
 ## If a UDP flow is inactive, time it out after this interval. If 0 secs, then
 ## don't time it out.
 ##
-## .. zeek:see:: tcp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
+## .. zeek:see:: tcp_inactivity_timeout icmp_inactivity_timeout unknown_ip_inactivity_timeout set_inactivity_timeout
 const udp_inactivity_timeout = 1 min &redef;
 
 ## If an ICMP flow is inactive, time it out after this interval. If 0 secs, then
 ## don't time it out.
 ##
-## .. zeek:see:: tcp_inactivity_timeout udp_inactivity_timeout set_inactivity_timeout
+## .. zeek:see:: tcp_inactivity_timeout udp_inactivity_timeout unknown_ip_inactivity_timeout set_inactivity_timeout
 const icmp_inactivity_timeout = 1 min &redef;
 
+## If a flow with an unknown IP-based protocol is inactive, time it out after
+## this interval. If 0 secs, then don't time it out.
+##
+## .. zeek:see:: tcp_inactivity_timeout udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
+const unknown_ip_inactivity_timeout = 1 min &redef;
+
 ## Number of FINs/RSTs in a row that constitute a "storm". Storms are reported
 ## as ``weird`` via the notice framework, and they must also come within
 ## intervals of at most :zeek:see:`tcp_storm_interarrival_thresh`.

scripts/base/packet-protocols/ip/main.zeek

@@ -1,5 +1,10 @@
 module PacketAnalyzer::IP;
 
+export {
+	## Default analyzer
+	const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_UNKNOWN_IP_TRANSPORT &redef;
+}
+
 const IPPROTO_TCP : count = 6;
 const IPPROTO_UDP : count = 17;
 const IPPROTO_ICMP : count = 1;

scripts/base/protocols/conn/main.zeek

@@ -158,6 +158,9 @@ export {
 		## *uid* values for any encapsulating parent connections
 		## used over the lifetime of this inner connection.
 		tunnel_parents: set[string] &log &optional;
+		## The numeric identifier for the transport protocol for this
+		## connection.
+		protocol_id:   count      &log &optional;
 	};
 
 	## Event that can be handled to access the :zeek:type:`Conn::Info`
@@ -281,6 +284,8 @@ function set_conn(c: connection, eoc: bool)
 		if ( c$history != "" )
 			c$conn$history=c$history;
 		}
+
+	c$conn$protocol_id = c$id$proto;
 	}
 
 event content_gap(c: connection, is_orig: bool, seq: count, length: count) &priority=5